Continuous Security Testing - DevSecCon


Upload: stephen-de-vries

Post on 14-Apr-2017


TRANSCRIPT

Page 1: Continuous Security Testing - DevSecCon

LONDON 2015 | Join the conversation #devseccon

Continuous Security Testing

Stephen de Vries

Page 2: Continuous Security Testing - DevSecCon

About Me

• Founder and CTO, Continuum Security
• 70% Developer / 20% Security Analyst
• Involved in OWASP since 2004
• Created the BDD-Security framework
• @stephendv

Page 3: Continuous Security Testing - DevSecCon

Security Testing

• Performed after build
• Outsourced to external experts
• Process is opaque to dev/ops

Unit/Integration/Acceptance Testing

• Performed during build
• Owned by dev/test
• Tests visible to the team

Page 4: Continuous Security Testing - DevSecCon

[Pipeline diagram: Design → Build → Unit Tests → Integration Tests → Acceptance Tests → Deploy, across Development → Pre-prod → Production]

Agile

• Short iterative cycles
• Extensive automated testing
• Low/zero cost to test
• Tests can replace documentation

Page 5: Continuous Security Testing - DevSecCon

[Pipeline diagram: Design → Build → Unit Tests → Integration Tests → Acceptance Tests → Deploy, across Development → Pre-prod → Production]

Continuous Delivery

• Automated acceptance tests

Page 6: Continuous Security Testing - DevSecCon

[Pipeline diagram: Design → Build → Unit Tests → Integration Tests → Acceptance Tests → Deploy, across Development → Pre-prod → Production]

Continuous Delivery into Production

• Etsy: 50+ deploys per day
• Gov.uk: 10+ deploys per day
• Amazon: 300+ per hour

Security Tests?

Page 7: Continuous Security Testing - DevSecCon

• Everyone is responsible for quality → security
• Move (security) testing closer to the code
• Continuous automated (security) testing

Page 8: Continuous Security Testing - DevSecCon

BDD: Behaviour Driven Development

Page 9: Continuous Security Testing - DevSecCon

BDD: Behaviour Driven Development

Page 10: Continuous Security Testing - DevSecCon

https://github.com/continuumsecurity/bdd-security

BDD-Security = JBehave + Selenium/WebDriver + OWASP ZAP + Nessus + Internal security tools + Pre-written baseline security specifications
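BDD-Security itself expresses its baseline checks as JBehave stories backed by ZAP and Selenium. The block below is an added Python example, not code from BDD-Security or from the talk, showing the same idea in a standalone form: pre-written baseline security scenarios, registered under Gherkin-style titles, executed against a captured HTTP response so that a failing scenario can fail a build. The `Response` type, the four scenarios, the one-year HSTS minimum and the two sample responses are all assumptions constructed for this example.

```python
"""Baseline security specification as executable BDD-style scenarios.

Added example (not BDD-Security's own code). Scenarios are plain functions
registered under a Gherkin-style title; run_baseline() executes all of them
against a captured HTTP response and a pipeline can fail on any False.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Minimum HSTS lifetime this baseline demands: one year (assumed policy value).
HSTS_MIN_AGE = 31536000


@dataclass
class Response:
    """Minimal captured HTTP response. Headers are kept as a list rather than a
    dict so that repeated Set-Cookie lines survive."""
    status: int
    headers: List[Tuple[str, str]]

    def get(self, name: str) -> List[str]:
        # Header names are case-insensitive (RFC 7230).
        return [v for k, v in self.headers if k.lower() == name.lower()]


# Registry: scenario title -> check returning (passed, detail).
BASELINE: Dict[str, Callable[[Response], Tuple[bool, str]]] = {}


def scenario(title: str):
    def register(fn):
        BASELINE[title] = fn
        return fn
    return register


@scenario("Then the response enforces HSTS for at least one year")
def hsts_enforced(resp: Response) -> Tuple[bool, str]:
    values = resp.get("Strict-Transport-Security")
    if not values:
        return False, "no Strict-Transport-Security header"
    m = re.search(r"max-age=(\d+)", values[0], re.I)
    if not m or int(m.group(1)) < HSTS_MIN_AGE:
        return False, f"max-age too short: {values[0]}"
    return True, values[0]


@scenario("Then every cookie is flagged Secure and HttpOnly")
def cookies_hardened(resp: Response) -> Tuple[bool, str]:
    missing = []
    for raw in resp.get("Set-Cookie"):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}   # attribute names are case-insensitive
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                missing.append(f"{name} lacks {flag}")
    return (not missing), "; ".join(missing) or "all cookies hardened"


@scenario("Then the server does not disclose software versions")
def no_version_disclosure(resp: Response) -> Tuple[bool, str]:
    # A digit in Server / X-Powered-By almost always means a version string.
    leaks = [f"{k}: {v}" for k, v in resp.headers
             if k.lower() in ("server", "x-powered-by") and re.search(r"\d", v)]
    return (not leaks), "; ".join(leaks) or "no version strings in headers"


@scenario("Then MIME sniffing is disabled")
def nosniff(resp: Response) -> Tuple[bool, str]:
    ok = any(v.strip().lower() == "nosniff" for v in resp.get("X-Content-Type-Options"))
    return ok, ("X-Content-Type-Options: nosniff" if ok else "header missing")


def run_baseline(resp: Response) -> Dict[str, Tuple[bool, str]]:
    """Run every registered scenario against one response."""
    return {title: check(resp) for title, check in BASELINE.items()}


def failures(resp: Response) -> List[str]:
    """Titles of the scenarios that failed; non-empty means the build should fail."""
    return [title for title, (ok, _) in run_baseline(resp).items() if not ok]


# Constructed sample responses (not captured from any real system).
HARDENED = Response(200, [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly"),
    ("Server", "nginx"),
    ("X-Content-Type-Options", "nosniff"),
])
LEAKY = Response(200, [
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
    ("Server", "Apache/2.4.7 (Ubuntu)"),
    ("X-Powered-By", "PHP/5.5.9"),
])

if __name__ == "__main__":
    for title, (ok, detail) in run_baseline(LEAKY).items():
        print("PASS" if ok else "FAIL", title, "-", detail)
```

In a real pipeline the `Response` would come from the application under test (for BDD-Security, via Selenium driving a browser through ZAP); the point of the registry is that the specification is written once by someone with security knowledge and then runs on every build, readable by the whole team.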

Page 11: Continuous Security Testing - DevSecCon
Page 12: Continuous Security Testing - DevSecCon

Manual Application Security Testing with OWASP ZAP (as an HTTP/S proxy between the tester's browser and the application)

Page 13: Continuous Security Testing - DevSecCon

Manual → Automated Application Security Testing with OWASP ZAP (HTTP/S proxy), driven by BDD-Security

Page 14: Continuous Security Testing - DevSecCon
Page 15: Continuous Security Testing - DevSecCon

Demo https://vimeo.com/89848072

Page 16: Continuous Security Testing - DevSecCon

Who owns the security tests?

Option 1: Security Team

• Low cost test runs
• Slower feedback to dev
• Poor collaboration
• Lack of ownership by DevOps

Page 17: Continuous Security Testing - DevSecCon

[Pipeline diagram: Design → Build → Unit Tests → Integration Tests → Acceptance Tests → Deploy, across Development → Pre-prod → Production]

Semi-SecDevOps: Parallel tests

• Automated security tests run alongside the pipeline
• Manual security tests

Page 18: Continuous Security Testing - DevSecCon

Who owns the security tests?

Option 2: DevOps team with oversight by Security

• Better collaboration
• Sense of ownership of security
• Good stepping stone to…

SecDevOps

Option 3: Sec+Dev+Ops in a cross-functional team

• Security testing is our problem
• We have the tools and skills to manage it

Page 19: Continuous Security Testing - DevSecCon

[Pipeline diagram: Design → Build → Unit Tests → Integration Tests → Acceptance Tests → Deploy, across Development → Pre-prod → Production, with automated security tests inline]

SecDevOps: Inline blocking tests

• Automated security tests run inside the pipeline and block the deploy on failure
• Manual security tests
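An inline blocking test only works if the team can decide, mechanically, when a finding stops the deploy. The following is an added Python example, not code from the talk or from BDD-Security, of that gate: findings from an automated security test run are compared against a risk threshold and a list of consciously accepted, time-boxed exceptions, and the stage proceeds only if nothing blocking remains. The `Finding` and `AcceptedRisk` shapes, the rule identifiers and the sample data are assumptions constructed for the example (the `Finding` shape is a simplified structure loosely modelled on scanner alerts, not ZAP's real report format).

```python
"""Inline blocking security gate for a delivery pipeline.

Added example (not code from the talk or from BDD-Security). The Finding
shape is an assumed, simplified structure, not any scanner's real report
format, and the sample findings below are constructed, not from a real scan.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Severity ranking used to compare a finding against the blocking threshold.
RISK_ORDER: Dict[str, int] = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Finding:
    rule_id: str      # scanner rule identifier (assumed field name)
    risk: str         # one of RISK_ORDER's keys
    url: str
    param: str = ""


@dataclass(frozen=True)
class AcceptedRisk:
    """A finding the team has consciously accepted. It is scoped to a rule and
    URL prefix and time-boxed, so a stale exception cannot silently keep a
    real issue out of the gate forever."""
    rule_id: str
    url_prefix: str
    expires: date
    ticket: str       # where the acceptance decision was recorded


def is_accepted(f: Finding, accepted: List[AcceptedRisk], today: date) -> bool:
    return any(
        a.rule_id == f.rule_id
        and f.url.startswith(a.url_prefix)
        and today <= a.expires          # an expired acceptance no longer applies
        for a in accepted
    )


def dedupe(findings: List[Finding]) -> List[Finding]:
    """Scanners repeat the same rule per URL/parameter; collapse exact repeats."""
    seen = set()
    unique = []
    for f in findings:
        key = (f.rule_id, f.url, f.param)
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def gate(findings: List[Finding], accepted: List[AcceptedRisk],
         threshold: str = "Medium",
         today: Optional[date] = None) -> Tuple[bool, List[Finding]]:
    """Return (may_proceed, blocking_findings).

    A finding blocks when its risk is at or above `threshold` and no unexpired,
    matching AcceptedRisk covers it. Findings below the threshold never block,
    so noisy Low/Informational alerts cannot stall delivery on their own.
    """
    today = today or date.today()
    blocking = [
        f for f in dedupe(findings)
        if RISK_ORDER[f.risk] >= RISK_ORDER[threshold]
        and not is_accepted(f, accepted, today)
    ]
    return (not blocking), blocking


# Constructed sample data for a demonstration run.
SAMPLE_FINDINGS = [
    Finding("XSS-REFLECTED", "High", "https://app.example/search", "q"),
    Finding("XSS-REFLECTED", "High", "https://app.example/search", "q"),   # duplicate
    Finding("CSP-MISSING", "Medium", "https://app.example/", ""),
    Finding("NOSNIFF-MISSING", "Low", "https://app.example/", ""),
    Finding("TIMESTAMP-DISCLOSURE", "Informational", "https://app.example/old", ""),
]
SAMPLE_ACCEPTED = [
    AcceptedRisk("CSP-MISSING", "https://app.example/", date(2015, 12, 31), "SEC-42"),
]


def gate_on(today_iso: str, threshold: str = "Medium",
            accepted: Optional[List[AcceptedRisk]] = None) -> Tuple[bool, List[Finding]]:
    """Run the gate over the sample data as of an ISO date, e.g. '2015-11-01'."""
    chosen = SAMPLE_ACCEPTED if accepted is None else accepted
    return gate(SAMPLE_FINDINGS, chosen, threshold, date.fromisoformat(today_iso))


if __name__ == "__main__":
    ok, blocking = gate_on("2015-11-01")
    print("deploy allowed" if ok else "deploy blocked")
    for f in blocking:
        print(f"  {f.risk:<8} {f.rule_id} at {f.url} param={f.param!r}")
```

Run as of 2015-11-01 the sample run is blocked by the reflected XSS alone: the missing CSP is covered by ticket SEC-42 until year end, and the Low and Informational findings are reported but do not block. Run the same data after the acceptance expires and the CSP finding blocks again, which is the behaviour a cross-functional team wants: exceptions are explicit, owned and revisited, not hidden in a scanner configuration.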

Page 20: Continuous Security Testing - DevSecCon

Related Tools

• Mittn (Python + Burp Intruder) https://github.com/F-Secure/mittn
• ZAP-JUnit (Java) https://github.com/continuumsecurity/zap-webdriver
• Gauntlt (Ruby) http://gauntlt.org/
• OWASP ZAP Jenkins plugin https://wiki.jenkins-ci.org/display/JENKINS/Zapper+Plugin

Page 21: Continuous Security Testing - DevSecCon

LONDON 2015 | Join the conversation #devseccon

Thank you!

www.continuumsecurity.net

@continuumsecure @stephendv