Integrate App. Security in Continuous Integration

Transcription

1 Integrate App. Security in October 12, 2015 TLP: WHITE

2 Excellium ID card A Luxembourg company created in 2012 targeting PSF and Support PSF. An experimented team in Information Technology Security (30 people). Management by local entrepreneurs with an operation center in Luxembourg and an eco-system of partners. Our core competencies: Making customer Information Systems more secure Protect your non material assets (#SaaS #Cloud #BigData #Security). Our Customers : Banks, Insurances, Administration (90 up to date).. And Service Providers PSF Application file in progress (Statute Jul 2015) SOC and CERT in Operation Certification process ISO27001 started. Located in the BGL BNP Paribas Future lab Startup Incubator in Luxembourg City (BLD Royal). 2

3 Some reminder about (CI) (CI) is a development practice that requires developers to integrate code into a shared repository several times a day. Each check-in is then verified by an automated build, allowing teams to detect problems early. By integrating regularly, you can detect errors quickly, and locate them more easily. CI helps to unify quality of the different projects of the company regardless of the provider because they are validated by a common system and set of quality rules. 3

4 Why integrate Application Security validation into CI? As the CI promote the validation and enhancement of the quality and stability of the application during the development process, it can be interesting to apply the same philosophy to the security aspects of the application. The goal is to perform validation on the application from a static and dynamic points of view. These automated checks will never replace human validation (manual code review and penetration test will always be performed, they are complementary) but they helps de detect obvious security issues during development process. 4

5 Source: 5

6 SAST or DAST? Static Application Security Testing The application is not executed. The application can be compiled depending on SAST analyzer. Inspect source code, compiled code in order to find vulnerabilities at code/design level. Dynamic Application Security Testing The application is executed. Inspect the application by sending specific crafted order in order to find vulnerabilities at behavior level. Both are complementary because sometime application behave differently depending on runtime environment! 6

7 Dependencies analysis? Wait, is not my code It s a good point to validate your code but it s important to ensure that the third party assets (libraries/frameworks) on which you build your application are not broken too.build a fortress on shifting sand Source: 7

8 Check out sources Publish binary Compile sources Classical Integration Process without security validation steps Reports & docs Unit Tests Integration Tests Code quality analysis Build & deploy 8

9 Publish binary Check out sources Compile sources Classical Integration Process with security validation steps Reports & docs DAST Unit Tests Audit dependencies Integration Tests Code quality analysis Build & deploy SAST 9

10 SCM Code quality analysis Example of tooling and their integration for Java /.Net technologies Sandbox for DAST SAST CI Platform Dep. analysis for CVE Artifacts repository DAST 10

11 Going Further Integrate App. Security into CI it s a good start but it s better to combine it with human factor Train all people involved in application build from Business team to Infrastructure team App. Sec target all application layers. Perform manual Security Code Review/Mini Intrusion Test during Sprint (agile) or Phase (waterfall). About training, you are welcome to our CodeHackademy ( 11

12 12