Security Checking, as a part of Continuous Integration
Rakuten Technology Conference 2014 @ FUKUOKA
Who am I ?
Masanori Fujisaki
Twitter: @fujisaki_hb
Facebook: fujisaki.masanori
Founder & CEO
HEARTBEATS Corp. (since April 2005)
Walti, Inc. (since July 2014)
Entrepreneur & Infrastructure Engineer
I was born in Iiduka, Fukuoka,
and grew up in Kitakyusyu, Fukuoka,
and now live in Shibuya, Tokyo.
Today’s Topics
1. Recent Security Incidents
2. Why you need to do security checking as a part of Continuous Integration
3. Some Open Source Security Check Tools
4. Some Security Communities and Organizations
5. About Walti.io
Recent Security Incidents (1)
Environmental Pattern:
Heartbleed (OpenSSL)
http://heartbleed.com/
ShellShock (Bash)
http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29
POODLE (SSL 3.0 protocol)
https://www.openssl.org/~bodo/ssl-poodle.pdf
Recent Security Incidents (2)
DDoS Pattern:
NTP Amplification Attack (CloudFlare, 400Gbps)
http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/
DNS Amplification Attack (DNS open resolvers)
https://www.us-cert.gov/ncas/alerts/TA13-088A
UPnP Device-Based Reflection Attack
http://www.akamai.co.jp/enja/html/about/press/releases/2014/press-101514-2.html
One of the Solutions
Inbound Port 53 Blocking
Inbound Port 123 Blocking
http://www.kddi.com/important-news/20140825/
Recent Security Incidents (3)
Frameworks:
Struts
https://www.ipa.go.jp/security/ciadr/vul/20140417-struts.html
Rails
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3514
One of the Solutions
Request pattern blocking by URL filter or IDS/IDP
This means…
Security issues occur at each layer.
We always need to apply security updates.
We have to develop secure applications.
We have to manage infrastructure securely.
You cannot do all of those by yourself.
TEST
Old Style TEST
You test your application before release.
Modern Style TEST
You test constantly with CI tools.
Security Check
Old Style Security Check
You only check your application security before release.
Modern Style Security Check
You constantly check your application security with CI tools.
Security Check,
as a part of
Continuous Integration.
develop -> Test -> deploy to staging -> Security check -> deploy to production
Security Checking by OSS,
as a part of
Continuous Integration
for Web Application
for Web Application
OWASP ZAP
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  zapper
  https://github.com/adedayo/zapper
Skipfish
https://code.google.com/p/skipfish/
  shell
  http://cloudapplistore.biglobe.ne.jp/ca/help/devops_3_manual_Jenkins.pdf
Wapiti
http://wapiti.sourceforge.net/
for Infrastructure
nmap (for Firewall / netfilter)
http://nmap.org/
nikto (for Web Server)
https://www.cirt.net/Nikto2
sslyze (for HTTPS setting)
https://github.com/nabla-c0d3/sslyze
Metasploit (All in one)
http://www.metasploit.com/
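The "Security check" stage in the develop -> Test -> deploy to staging -> Security check -> deploy to production flow can be wired up with nmap from the infrastructure list. The script below is an added example, not code from the talk or from Walti.io: it reads nmap grepable output, fails the build when the staging host exposes a port outside an allow list, and returns a distinct status when the scanner is not available. The allow list, the host name staging.example.invalid and SAMPLE_NMAP_OUTPUT are constructed assumptions so the gate logic can be run offline.

```shell
#!/bin/sh
# Added example (not from the talk or from Walti.io): a "Security check"
# CI stage that fails the build when the staging host exposes ports
# outside an allow list. nmap is a real tool; the allow list, the host
# name and SAMPLE_NMAP_OUTPUT below are constructed for illustration.

# Assumption: staging is a web tier that should only expose SSH, HTTP and HTTPS.
ALLOWED_PORTS="22 80 443"

# Constructed nmap grepable (-oG) output, shaped like a real scan of a
# staging host that has an unexpected listener on 8080.
SAMPLE_NMAP_OUTPUT='# Nmap 6.47 scan initiated as: nmap -oG - -p 1-65535 staging.example.invalid
Host: 10.0.0.5 (staging.example.invalid)  Status: Up
Host: 10.0.0.5 (staging.example.invalid)  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///  Ignored State: closed (65531)
# Nmap done -- 1 IP address (1 host up) scanned'

# Read -oG output on stdin; print every open port not in the allow list.
# Exit status 1 when at least one unexpected port is open, 0 otherwise,
# so the function can be used directly as a pipeline gate.
unexpected_open_ports() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /Ports:/ {
      sub(/.*Ports: /, "")               # keep only the port list
      m = split($0, entry, ", ")         # one entry per port
      for (i = 1; i <= m; i++) {
        split(entry[i], f, "/")          # port/state/proto/owner/service/...
        if (f[2] == "open" && !(f[1] in ok)) { print f[1]; bad = 1 }
      }
    }
    END { exit (bad ? 1 : 0) }
  '
}

# The stage itself: scan the staging host and gate on the result.
# Returns 2 when nmap is not installed so the pipeline can distinguish
# "scan could not run" from "scan found a problem".
security_check_stage() {
  host="$1"
  if ! command -v nmap >/dev/null 2>&1; then
    echo "nmap not installed; security check could not run" >&2
    return 2
  fi
  nmap -oG - -p 1-65535 "$host" | unexpected_open_ports "$ALLOWED_PORTS"
}

# Stand-alone demo over the constructed output (no network access needed).
if printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | unexpected_open_ports "$ALLOWED_PORTS"; then
  echo "security check passed: only allowed ports are open"
else
  echo "security check FAILED: unexpected open ports listed above" >&2
fi
```

In a Jenkins job the stage would call security_check_stage "$STAGING_HOST" after the deploy-to-staging step and let its non-zero exit fail the build before deploy-to-production; the constructed sample output only exists so the gate logic itself can be exercised without a scanner or a network.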
CI Tools
Jenkins: an extendable open source Continuous Integration server
http://jenkins-ci.org/
Mozilla Minion: an open source Security Automation platform
https://wiki.mozilla.org/Security/Projects/Minion
http://heartbeats.jp/hbblog/2013/08/minion.html
Security Communities &
Organizations
OWASP
The Open Web Application Security Project (OWASP): the free and open software security community
https://www.owasp.org/
Japan Chapter
https://www.owasp.org/index.php/Japan
OWASP Top 10
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
MITRE
MITRE: a not-for-profit organization that operates multiple federally funded research and development centers
http://www.mitre.org/
CWE: Common Weakness Enumeration
http://cwe.mitre.org/
used by NIST, the OWASP Top 10 project, etc.
CSIRT
CSIRT: Computer Security Incident Response Team
CERT/CC
JPCERT/CC
NIRT(National Incident Response Team)
Nippon CSIRT Association
http://www.nca.gr.jp/
Japan MSP Association
Japan MSP Association (to be founded on November 1, 2014)
How can you do Security
Checking Easily by OSS,
as a part of
Continuous Integration?
I have one proposal.
Walti.io
Walti.io is…
https://walti.io/
Continuous Server-side Security Scanner
Run Scans Easily from Dashboard
Team-based Web Safety Protection
Continuous Security Management
API Support
Impressive Low Cost
Scanners in Walti.io
Portscan ¥10/scan
Nikto ¥10/scan
Sslyze ¥5/scan
Skipfish ¥100/scan
develop -> Test -> deploy to staging -> Security check -> deploy to production
Today’s Summary
1. Recent Security Incidents
2. Why you need to do security checking as a part of Continuous Integration
3. Some Open Source Security Check Tools
4. Some Security Communities and Organizations
5. About Walti.io
Q & A
Thank you.