Conf42 DevSecOps 2022 - Online

Adding DAST to CI/CD, Without Any Losing Friends

Abstract

Everyone wants to put tests into the release pipeline, but no one wants to wait hours for them to finish. In this talk we will discuss multiple options for adding dynamic application security testing (DAST) to your CI/CD, in ways that won’t compromise speed or results.

Summary

  • DAST is a dynamic application security testing tool added to a CI/CD pipeline. Batman says it's too slow. Tanya Janca wants to talk about how we can add DAST without losing friends.
  • Tanya Janca is the director of developer relations and community at Bright. She is also known as SheHacksPurple, and founded We Hack Purple, which was acquired by Bright. Janca wrote a book called Alice and Bob Learn Application Security. She's currently writing her second book, about secure coding.
  • Insecure software is causing data breaches all over the world. Security folks working in a DevOps environment have to follow its rules: they want to test from multiple angles, not just one, and they want bugs fixed as soon as possible.
  • DevOps is a more modern way to build software. It focuses on automation, efficiency, accuracy, and creating rugged software. Not all security testing needs to be in the pipeline.
  • You don't have to put everything in a CI/CD pipeline to be doing DevOps. Refine your scope using a HAR file. Uncheck any box for a technology you're not using. Every bit of speed helps.
  • You could do scheduled, automated regular scanning. Another option is a one-off or manual scan. Other types of security tests to think about include static application security testing. Just one tool is not enough; you need more.
  • It's really important if you're going to put an app on the Internet that you do security testing. Dynamic testing in a pipeline must be fast and it must be accurate. Other types of testing are still needed to find as many vulnerabilities as possible.
  • Tanya Janca invites everyone to join the We Hack Purple community, which has a whole bunch of free courses about application security. Every Monday on Twitter she uses the hashtag #CyberMentoringMonday to help people find professional mentors.

Transcript

This transcript was autogenerated. To make changes, submit a PR.
Hi, I'm Tanya Janca and I am at Conf42 and I'm going to talk about adding DAST. Now that's a dynamic application security testing tool, to a CI/CD pipeline. But first I want to tell you a story. So I added the DAST to the CI/CD pipeline and Batman says it's too slow. This is very reminiscent for me of when I first started adding security tools. I was part of an open source project called OWASP DevSlop, like sloppy DevOps. And I had added a dynamic scanning tool and our app did almost nothing. And it took nine minutes. And I was like, nine minutes isn't that long? And my other person that was working on the project with me said, Tanya, it used to take 1 minute. So you added 900%. And it only worked at nine minutes when I really rushed it and the app didn't really do anything. And so as the app built and built, it was longer and longer. And he's like, dude, what are you doing? And I was like, you're right. And so I want to talk about how we can add dynamic application security testing to a CI/CD pipeline without losing any friends, because I realized if I wanted people to, one, let me do these tests, and two, not kick me off my open source project, I had to go faster. And so we're going to talk about how I did that. Okay, so I am Tanya Janca. I am also known as SheHacksPurple. And yes, that's me on my sweatshirt. I am that nerdy that I wear my own shirt. I am the director of developer relations and community at Bright. I am the CEO and founder of We Hack Purple, which was acquired by Bright. Again, I already told you this. I wrote a book called Alice and Bob Learn Application Security. And I'm actually currently writing my second book, Alice and Bob Learn Secure Coding. So it's pretty clear that I'm a big nerd. I advise at some startups. I've been in IT a very long time. It's basically the only thing I know how to do. And I am a nerd at large on the Internet. That is basically the main key takeaway.
I'm very excited about the security of software and I do lots of content and stuff. And when I brush my hair, I can look pretty good. Okay, so what problems are we solving? Because this presentation isn't about me. It's about us doing better. And so insecure software is causing breaches, data breaches all over the world. You already know that this is a problem. It was about a $6 billion problem in 2020, and it has only grown since then. It is a very big problem. I'll just leave it at that. And so DevOps has some requirements. So if us security folks want to work with DevOps teams, which we do, we have to follow their rules. And so that means when we do tests in a pipeline, I've learned we need to be accurate. We can't have tons of false positives. We need to go fast. And whenever possible we want to automate as much as we can. And the reason for this is because that's what DevOps is. And it's the first way of DevOps. Anyway, you should know this. Okay, so DevSecOps, so that's us security folks working in a DevOps environment. If we want to get it right, there's requirements for that. So we want to test from multiple angles, not just one. We want to have good relationships between the security team and, whether you call it the dev team and the ops team, the DevOps team, the awesome, super cool people that make software, whatever you call them where you work, us security folks need to have a good relationship with them if we want to get our jobs done. And then lastly, we want to have bugs fixed as soon as we can in the system development lifecycle. So we don't want to find things at the end. We want to find things as early as we can so they can be fixed sooner, when it costs less money, it's less difficult. And also that makes sure they don't accidentally end up in production. So what's with the acronyms, Tanya? So DAST stands for dynamic application security testing. It's an automated tool. So Bright makes one, but a whole bunch of companies make one.
Obviously ours is by far the best. But basically what dynamic scanners do is they interact with your application while it's running on a virtual machine or a container or wherever it's running. And what it does is it sends requests and responses in an automated way to try to find vulnerabilities. Most of them, they'll make you a really nice report. And then at the end it's like, these are the things that are wrong. This is how we suggest you fix each one, and then we hope you fix them. And so that is the gist of what a dynamic scanner does. So why do we need to do this? So there's lots of different ways you can do security testing. If you can only do one type of test, I personally always start with DAST. One is because it's the first tool I learned, so I was a software developer. I learned how to scan things. I found it really fun. Honestly, the first time I got to work and I found all these vulnerabilities, I was like, pew, pew, pew, pew. I'm a hacker. Yeah. Immediately went out and bought a black hoodie. I did not. But the point is that of all the security testing tools, DAST and other variations of tools that do dynamic testing, so sometimes there's slight variations on the name, but basically, if your app's living on the Internet, any moron can learn how to use a DAST in, like, an hour or less, point it at your app, and then find vulnerabilities. And most of us don't have, like, a shield in front of our app, like a content delivery network or a WAF, a web app firewall, or a RASP, a runtime application security protection tool. Most of us don't have that. Most apps on the Internet don't have a shield. And so you can't just say, no, go away. Stop that. And so if any moron can learn how to use these very quickly and then are very able to point it at our systems, I feel we should fix those bugs first. Other bugs where you require a copy of the code or you have to have lots and lots of time, et cetera, et cetera.
I still think we should fix those bugs, but not at the same speed and with the same urgency. And so that's why DAST. So you're at a DevOps conference. So I'm going to assume that, one, you kind of know what DevOps is. Two, you're very aware that it is not paying one person to do two jobs. When my cousin, she's like, my boss told me, we do DevOps now because the ops guy failed. Like, he left. And so I have to do both jobs. Now, I didn't get a raise, but apparently I'm a DevOps engineer. That's not what we mean, and we all know that. But basically, DevOps is a more modern way to build software. It's also about the culture and the way that you work. It's about having better processes to get things done more efficiently. It focuses on automation, efficiency, accuracy, and creating rugged software that delights our customers. Usually we use a CI/CD and a whole bunch of other cool things like infrastructure as code. But the main point is, it's a very modern way to build software, and I am all for this as a security person. So, very briefly, CI/CD means the pipeline software that we use to test and release. DevOps has requirements. So we want to have efficiency of the entire system. We want to give fast feedback that's accurate and that actually gets to the right people. There's no point in having a lot of feedback that's all wrong or never gets to the person who needs it. And lastly, continuous learning and improvement. Last point. Not all security testing needs to be in the pipeline. Okay, so let's talk strategy for putting a dynamic scanner into your CI/CD. So the first thing you can do is you can put your dynamic scanner in, you check all the boxes, you click, let's go. And then you lose all the new friends you made on the nice DevOps team. All those people are like, you are no longer invited to coffee time or lunch. You broke everything.
This is a bad plan. Manually, when you're first testing and playing with it, yes, but in a CI/CD you're not going to go fast if you do that. So let's talk about ways you could do better. So first, refine your scope using a HAR file. So HAR stands for HTML archive. And so whatever the name of your file is, it's .har. When you are going to, let's say you're doing your work in sprints and you are going to be releasing a feature this sprint, another feature next sprint, you could record a HAR file, shove it into your DAST, and then immediately it is like a laser focus and it's only going to test those things and that's it. If you have a QA team that uses HAR files for automation, for instance, let's say they use Selenium and they record themselves doing things, you can just plug that into your DAST scanner and it is very, very quick. So that's one way. Another way, I think of that song. Don't worry, be happy, only test what you want. So this sounds ridiculous, but most security teams, especially AppSec people, they have certain things that are the end of the world, that are very bad. And we want to make absolute sure nothing like that gets to production. And then for everything else, we might say, you know what, that can go in the backlog or that can be fixed within five days or whatever, but there are certain things that absolutely cannot go to prod. And so you just test for those things in the release pipeline and then you test for everything else, either in another pipeline that no one's waiting on, or run it overnight, all sorts of other things, but just in the release pipeline, just test the emergency things. So this is another way that you could do it. This is the way everyone should do it. Don't check off the boxes. So uncheck any box for a technology you're not using.
So if you made a super awesome Ruby app that has a NoSQL Mongo database attached to it, you don't need to run WordPress tests, you don't need to run SQL Server tests, you don't need to run Java tests. So uncheck everything that doesn't apply to you. And although that won't make it 50% faster, it'll maybe be 10% or 15% faster. Every bit of speed helps. Okay, so those are the three things that I would suggest to start with when you're tuning your system so it can go faster. Next, you don't have to put everything in a CI/CD to be doing DevOps. So just because we have this beautiful, shiny pipeline that has lots of cool tests and all the cool kids are doing it, does not mean every single security thing needs to go there. So I'm going to talk about other ways that you can use a DAST that's also good, that respects the rules and processes of the DevOps team. Okay, so you could do scheduled automated regular scanning. You could have a dynamic scan run every Sunday on 100% of your apps. You come in Monday with a whole bunch of reports. You prioritize, you put things in backlogs, and you go, you're like, Jira tickets for everyone. I'm Oprah. So you can do this. And this is not that hard. When I first started, as soon as I realized scheduling was an option, I'm like, oh, I'm always just going to schedule this late at night so I don't have to wait on it. I just arrive in the morning with reports. Another thing you can do is do a one-off or a manual scan. So last year, one of my clients said, oh, yeah, we're going to buy this company. Could you just do a two or three hour assessment of this company's web app? Because we just need to know if it's a disaster or not. And so I just ran a couple of scans on it manually and then gave them a report, and then they could renegotiate the price accordingly because they knew there were some problems that need to be fixed. Like, whenever you get a tool, the first thing you do is play with it manually before you put it in a CI/CD.
But sometimes there are reasons that you need to do things manually, like contracts or short term things, et cetera. Guess who uses lots of DAST tools? Pen testers. Pen testers use all sorts of different tools. They do also manual testing, but they'll come with like an entire toolbox worth of stuff. They'll have like 18, 20, 30 different things that they'll test with because they're trying to find literally everything that's wrong. And you can't do a pen test in your pipeline. You just can't automate that. You need a really super duper, well trained security expert. And so that is another way that you can use a dynamic scanner. And if you recall, I said just one tool is not enough. So I work at Bright, we sell DAST. That's awesome. But that's not all you need. You need more. So other types of security tests I'd like you to think about are static application security testing. So it analyzes the code that your team wrote for problems. Software composition analysis, or SCA. This is where basically they look at all the different components you have in your app. So NuGet packages, Ruby gems, libraries, anything that is code you didn't write, but it's in your app, it checks that to see if it's known to be vulnerable. Some of them also test to see if the way you implemented it, if the vulnerability is exploitable. And that's new and very cool. Interactive application security testing, where you put a binary inside your app and it tests it from the inside out. Secret scanners, these are super easy. You just run it over your code base and it tells you anything that looks like a password or a hash, an API key. And basically it looks for mistakes. So there's so many types of testing. There's even more than this. Although I would start with a dynamic scanner, I wouldn't stop there and I don't want you to either. And so very briefly, where do we put a DAST in the SDLC? So we can do security regression unit testing with some dynamic scanners. We could test against our dev server.
So as soon as we are able to deploy code, or even in localhost, you can aim a dynamic scanner at that and get some results. When you're in the testing phase, if you're doing a pen test or you're just trying it out, you could either automate it in the CI/CD or just run it on full blast manually. You could have a manual pen test done. You can have it tuned in your CI/CD pipeline from then on. So every new release, it checks for all those emergency things that are really important to you, and then also scheduled weekly tests. So these are the places in the CI/CD pipeline that you could add it. But how does DAST feel? How does it feel to run a DAST? So I personally feel it's like this for me. But one of my other friends told me for her, it sort of feels like this. I know twins and they told me it's sort of like this, because they both do testing. It really depends on the person because everyone feels differently. But the key takeaway is that I am ridiculous. Okay, so, conclusion. It's really important if you're going to put an app on the Internet that you do security testing. Dynamic security testing is where I would start. I would like it if you also did it. Automation is all of our friends. Whatever we can do to automate more stuff, our life is better. Dynamic testing in a pipeline must be fast and it must be accurate. We can do dynamic testing outside the pipeline and still be DevOps friendly. We're not disobeying all the DevOps rules if we do more testing that's more thorough and slower outside the pipeline. If anything, we're being more respectful of the DevOps processes. Other types of testing are still needed to find as many vulnerabilities as possible to make your app very tough and rugged. The people at Bright, we can be a little silly sometimes. Okay, so I have some resources for you. So, first of all, I have a podcast. It's called the We Hack Purple podcast. And we're actually now on season three.
I just realized it says season two. It's just conversations about application security and how to make more secure software and what tools exist and what are some good strategies for this or that. And so it's on YouTube, or it's on any podcast platform in audio only formats. Awesome books. So there's The DevOps Handbook, The Phoenix Project, Accelerate, The Unicorn Project, and if you are at Conf42's DevOps conference, I have a feeling you've read those. My book is in here. Me and my mom both agree it's basically the best book ever. We might be biased, but I'm not sure. I would like to invite all of you to join the We Hack Purple community. So this is an online community that I founded in early 2020, and basically we have a whole bunch of free courses, even courses about this topic, secure coding, how to secure your infrastructure as code, cloud security, AppSec. Anyway, it goes on and on and on, and it's free for you to join. The next thing is, every Monday on Twitter I use this hashtag, #CyberMentoringMonday, to help people find professional mentors. If you're a Twitter person, please feel free on Monday to check this out and maybe find a professional mentor for yourself. Bright has a blog that is highly technical. If you're trying to figure out how to fix something and you're not sure, we probably have an article on it. And so the brightsec.com blog is a good place to learn more stuff. And then lastly, me, my stuff. That's me. I'm me and I'm shehackspurple everywhere, basically. If you look that up, that's definitely me, except for shehackspurple.dev. Someone took that and it's not me, so that's awkward but also flattering. Imitation is flattering. So I have a newsletter, YouTube, all the stuff. And lastly, thank you. Thank you to the organizers of this conference who worked very, very hard to make it a success. Thank you for giving me your time. There's a lot of cool cat videos on the Internet and instead you chose me. So thank you.
I'm Tanya Janca and I hope you enjoy the rest of the conference.
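The talk's first tuning step is to scope the scan with a recorded HAR file and its third is to drop test families for technology you don't run. The script below is an added example, not code from the talk or from any scanner vendor: it parses a constructed HAR recording of one sprint's feature, keeps only the target host's non-static endpoints as the scan scope, lists the third-party hosts the recording touched so the scan does not wander onto them, and surfaces the `Server` / `X-Powered-By` values seen so you can uncheck test families that don't match your stack. The host `app.example.test` and the entries are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample HAR (HTTP Archive 1.2 JSON, the format browser dev tools
# and Selenium-driven recordings export). It deliberately includes pagination
# noise, a static asset and a third-party CDN request, none of which should
# widen the DAST scan.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://app.example.test/api/orders?page=1"},
     "response": {"headers": [{"name": "Server", "value": "nginx"},
                              {"name": "X-Powered-By", "value": "Express"}]}},
    {"request": {"method": "POST", "url": "https://app.example.test/api/orders"},
     "response": {"headers": [{"name": "X-Powered-By", "value": "Express"}]}},
    {"request": {"method": "GET", "url": "https://app.example.test/api/orders?page=2"},
     "response": {"headers": []}},
    {"request": {"method": "GET", "url": "https://app.example.test/static/app.js"},
     "response": {"headers": [{"name": "Server", "value": "nginx"}]}},
    {"request": {"method": "GET", "url": "https://cdn.example.test/lib/vendor.js"},
     "response": {"headers": [{"name": "Server", "value": "cloudfront"}]}},
    {"request": {"method": "DELETE", "url": "https://app.example.test/api/orders/42"},
     "response": {"headers": [{"name": "X-Powered-By", "value": "Express"}]}},
]}})

STATIC_EXT = (".js", ".css", ".png", ".jpg", ".svg", ".woff2", ".ico", ".map")
STACK_HEADERS = ("server", "x-powered-by")


def har_scope(har_text, target_host):
    """Derive a DAST scope from a HAR file. Returns three sorted lists:
    endpoints     unique (METHOD, path) pairs on target_host, query strings
                  stripped and static assets dropped
    stack_hints   distinct Server / X-Powered-By values seen on target_host
    skipped_hosts third-party hosts the recording touched; not scan targets
    """
    entries = json.loads(har_text)["log"].get("entries", [])
    endpoints, hints, skipped = set(), set(), set()
    for entry in entries:
        req = entry["request"]
        parts = urlsplit(req["url"])
        if parts.hostname != target_host:
            skipped.add(parts.hostname)
            continue
        for h in entry.get("response", {}).get("headers", []):
            if h["name"].lower() in STACK_HEADERS:
                hints.add(f'{h["name"]}: {h["value"]}')
        if parts.path.lower().endswith(STATIC_EXT):
            continue  # assets are not attack surface worth scan time
        endpoints.add((req["method"].upper(), parts.path))
    return sorted(endpoints), sorted(hints), sorted(skipped)


if __name__ == "__main__":
    eps, hints, skipped = har_scope(SAMPLE_HAR, "app.example.test")
    print("In scope:", eps)
    print("Stack hints:", hints)
    print("Skipped hosts:", skipped)
```

Feed the endpoint list to your scanner's scope or allowlist setting; the stack hints are a prompt for which test families to leave unchecked, not a substitute for knowing your own stack.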

Tanya Janca

Founder, CEO, Security Trainer @ We Hack Purple
