Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Me
@MakotoTheCat
@presidentbeef
Obligatory “About Me”
6 years of application security(AT&T Interactive, Twitter, SurveyMonkey)
6 years working on Brakeman OSS(Static analysis security tool for Rails)
2.5 years working on (More pro static analysis security tool for Rails)
@presidentbeef
The Ratio of Doom
100 : 10 : 1Dev Ops Sec
Shannon Lietzhttp://www.slideshare.net/SeniorStoryteller/the-journey-to-devsecops
@presidentbeef
The Ratio of Doom
100 developers - experts on their slice of the code
1 security person - responsible for ALL code + systems
@presidentbeef
Not Sustainable nor Scalable
@presidentbeef
DevOpsDevelopers as responsible for stable code as ops team is
DevSecOpsDevelopers as responsible for secure code as security team is
@presidentbeef
Security Team’s Role
Expertise
Guidance
Training
Tools
@presidentbeef
Security Tools in DevOps Land
Automation friendly
Fast
Consistent
Provide early feedback for developers
@presidentbeef
Static Analysis
@presidentbeef
Static Source Code Analysis
@presidentbeef
Automation Friendly
Input: Source Code
Output: Report
@presidentbeef
@presidentbeef
@presidentbeef
Fast
(Especially in comparison to “web scanners”)
@presidentbeef
Project Controllers Models Templates Scan Time
Diaspora 48 54 44 5s
Discourse 78 162 57 15s
Redmine 50 86 342 24s
GitlabHQ 150 123 707 61s
Canvas LMS 176 384 455 161s
Brakeman Scan Times
Brakeman 3.4.1, Ruby 2.3.1p112
@presidentbeef
Consistent
(Especially in comparison to “web scanners”)
@presidentbeef
Consistent
Baseline scan -> Incremental results
@presidentbeef
brakeman --compare report.json
@presidentbeef
Early Feedback (for Developers)
“Amplify feedback loops”
@presidentbeef
“Shift Left”
WriteCode
UnitTests
Commit Code
Push to CI
CodeReview
QATests
Deploy!Plan /Reqs
In Production
Security?
@presidentbeef
“Shift Left”
WriteCode
UnitTests
Commit Code
Push to CI
CodeReview
QATests
Deploy!Plan /Reqs
In Production
Security!
@presidentbeef
Source Code Analysis
WriteCode
UnitTests
Commit Code
Push to CI
CodeReview
QATests
Deploy!Plan /Reqs
In Production
Security!
Kind of Latebut Possible
@presidentbeef
Source Code Analysis
WriteCode
UnitTests
Commit Code
Push to CI
CodeReview
QATests
Deploy!Plan /Reqs
In Production
Security!
DeploymentGate
@presidentbeef
Source Code Analysis
WriteCode
UnitTests
Commit Code
Push to CI
CodeReview
QATests
Deploy!Plan /Reqs
In Production
Security!
QA?Why not?
@presidentbeef
Source Code Analysis
WriteCode
UnitTests
Commit Code
Push to CI
CodeReview
QATests
Deploy!Plan /Reqs
In Production
Security!
Manual Scans
@presidentbeef
Source Code Analysis
WriteCode
UnitTests
Commit Code
Push to CI
CodeReview
QATests
Deploy!Plan /Reqs
In Production
Security!
New WarningsFail Build
@presidentbeef
Source Code Analysis
WriteCode
UnitTests
Commit Code
Push to CI
CodeReview
QATests
Deploy!Plan /Reqs
In Production
Security!
Commit Hooks
@presidentbeef
Source Code Analysis
WriteCode
UnitTests
Commit Code
Push to CI
CodeReview
QATests
Deploy!Plan /Reqs
In Production
Security!
Run in Tests
@presidentbeef
Source Code Analysis
WriteCode
UnitTests
Commit Code
Push to CI
CodeReview
QATests
Deploy!Plan /Reqs
In Production
Security!
Run in IDE /On Save
@presidentbeef
Early Feedback
Few dependencies makes integration easy
Fast tools can be “in line” with workflow
Incremental results relevant to changes
@presidentbeef
Automation Strategies
@presidentbeef
Continuous Integration
https://jenkins.io/blog/2016/08/10/rails-cd-with-pipeline/
Brakeman plugin
@presidentbeef
Code Review
Brakeman engine
@presidentbeef
Deployment Gate
@presidentbeef
Tweetable Incremental Scan
@presidentbeef
Separate Process
@presidentbeef
Local Tests/Git Hook
guard-brakeman
@presidentbeef
require "brakeman/test/minitest"
class TestBrakemanWarnings < Minitest::Test def test_no_brakeman_warnings assert_no_brakeman_warnings endend
(Brakeman Pro only)
@presidentbeef
Types of Static Analysis Tools
Security - Vulnerabilities
Composition - Old/vulnerable dependencies
Quality - Complexity
Style
@presidentbeef
Finding Tools
@presidentbeef
Building Tools
@presidentbeef
In Conclusion
Source code analysis fits well with DevOps
Enables security review inside workflow
Provides feedback early in development
Multiple options for integration points
@presidentbeef
Thank You
@presidentbeef / presidentbeef.com
Related Documents
