@presidentbeef
Obligatory “About Me”
6 years of application security (AT&T Interactive, Twitter, SurveyMonkey)
6 years working on Brakeman OSS (static analysis security tool for Rails)
2.5 years working on (More pro static analysis security tool for Rails)
The Ratio of Doom
Dev : Ops : Sec = 100 : 10 : 1
Source: Shannon Lietz, http://www.slideshare.net/SeniorStoryteller/the-journey-to-devsecops
The Ratio of Doom
100 developers - experts on their slice of the code
1 security person - responsible for ALL code + systems
DevOps: developers are as responsible for stable code as the ops team is
DevSecOps: developers are as responsible for secure code as the security team is
Security Tools in DevOps Land
Automation friendly
Fast
Consistent
Provide early feedback for developers
Brakeman Scan Times (Brakeman 3.4.1, Ruby 2.3.1p112)

Project      Controllers  Models  Templates  Scan Time
Diaspora              48      54         44         5s
Discourse             78     162         57        15s
Redmine               50      86        342        24s
GitlabHQ             150     123        707        61s
Canvas LMS           176     384        455       161s
“Shift Left”

The delivery pipeline, left to right:
Plan / Reqs -> Write Code -> Unit Tests -> Commit Code -> Push to CI -> Code Review -> QA Tests -> Deploy! -> In Production

Security? (where in this pipeline does it happen?)
Security! (shifted left, into the earlier stages)
Source Code Analysis

Where source code analysis can plug into that same pipeline, working from right (late) to left (early):
Kind of Late, but Possible
Deployment Gate
QA? Why not?
Manual Scans
New Warnings Fail Build
Commit Hooks
Run in Tests
Run in IDE / On Save
Early Feedback
Few dependencies make integration easy
Fast tools can be “in line” with workflow
Incremental results relevant to changes
Continuous Integration
https://jenkins.io/blog/2016/08/10/rails-cd-with-pipeline/
Brakeman plugin
require "brakeman/test/minitest"

class TestBrakemanWarnings < Minitest::Test
  def test_no_brakeman_warnings
    assert_no_brakeman_warnings
  end
end
(Brakeman Pro only)
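The minitest assertion above is Brakeman Pro only, but the "New Warnings Fail Build" gate from the pipeline slides can be built on open-source Brakeman's JSON output as well. Brakeman ships a `--compare` option that diffs a scan against a saved baseline report; the script below is an added example (not Brakeman's own code) that reimplements that comparison so the mechanics are visible: warnings are matched by their `fingerprint`, which is stable across line-number shifts, only warnings absent from the baseline count as new, and only new warnings at or above a chosen confidence fail the build. The two reports are constructed samples in the shape Brakeman's JSON report uses; the script name `brakeman_gate.rb` and file names `baseline.json` / `current.json` are assumptions.

```ruby
require "json"

# Constructed sample reports shaped like Brakeman's JSON output: a top-level
# "warnings" array whose entries carry a stable "fingerprint" plus type, file,
# line, confidence and message. The entries are made up for this example.
BASELINE_REPORT = <<~JSON
  {
    "warnings": [
      {"warning_type": "SQL Injection", "fingerprint": "aaa111",
       "file": "app/models/user.rb", "line": 12, "confidence": "High",
       "message": "Possible SQL injection"},
      {"warning_type": "Cross-Site Scripting", "fingerprint": "bbb222",
       "file": "app/views/posts/show.html.erb", "line": 4, "confidence": "Medium",
       "message": "Unescaped model attribute"}
    ]
  }
JSON

CURRENT_REPORT = <<~JSON
  {
    "warnings": [
      {"warning_type": "SQL Injection", "fingerprint": "aaa111",
       "file": "app/models/user.rb", "line": 15, "confidence": "High",
       "message": "Possible SQL injection"},
      {"warning_type": "Mass Assignment", "fingerprint": "ccc333",
       "file": "app/controllers/users_controller.rb", "line": 20, "confidence": "High",
       "message": "Parameters should be whitelisted for mass assignment"},
      {"warning_type": "Dynamic Render Path", "fingerprint": "ddd444",
       "file": "app/controllers/pages_controller.rb", "line": 8, "confidence": "Weak",
       "message": "Render path contains parameter value"}
    ]
  }
JSON

# Brakeman's three confidence levels, highest first.
CONFIDENCE_RANK = { "High" => 0, "Medium" => 1, "Weak" => 2 }.freeze

# Index warnings by fingerprint. The fingerprint stays stable when code moves,
# so the SQL injection above (line 12 -> 15) is correctly treated as unchanged.
def warnings_by_fingerprint(report_json)
  JSON.parse(report_json).fetch("warnings", []).each_with_object({}) do |w, index|
    index[w.fetch("fingerprint")] = w
  end
end

# Compare two reports. Returns [new_warnings, fixed_warnings], each an array
# of warning hashes in report order.
def diff_reports(baseline_json, current_json)
  base = warnings_by_fingerprint(baseline_json)
  cur  = warnings_by_fingerprint(current_json)
  new_warnings   = (cur.keys - base.keys).map { |fp| cur[fp] }
  fixed_warnings = (base.keys - cur.keys).map { |fp| base[fp] }
  [new_warnings, fixed_warnings]
end

# Keep only warnings at or above the configured confidence, so a new Weak
# finding is reported but does not block the build.
def blocking_warnings(warnings, min_confidence: "Medium")
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  warnings.select { |w| CONFIDENCE_RANK.fetch(w["confidence"], 2) <= threshold }
end

def format_warning(w)
  "#{w['confidence']} #{w['warning_type']} at #{w['file']}:#{w['line']} - #{w['message']}"
end

# The CI gate: true when no blocking warnings were introduced since the baseline.
def build_passes?(baseline_json, current_json, min_confidence: "Medium")
  new_warnings, fixed_warnings = diff_reports(baseline_json, current_json)
  blockers = blocking_warnings(new_warnings, min_confidence: min_confidence)
  fixed_warnings.each { |w| puts "fixed: #{format_warning(w)}" }
  (new_warnings - blockers).each { |w| puts "new (non-blocking): #{format_warning(w)}" }
  blockers.each { |w| puts "NEW: #{format_warning(w)}" }
  blockers.empty?
end

# Usage from CI, after `brakeman -f json -o current.json`:
#   ruby brakeman_gate.rb baseline.json current.json
# With no arguments the script just runs against the constructed samples.
if __FILE__ == $PROGRAM_NAME && ARGV.length == 2
  passed = build_passes?(File.read(ARGV[0]), File.read(ARGV[1]))
  exit(passed ? 0 : 1)
elsif __FILE__ == $PROGRAM_NAME
  build_passes?(BASELINE_REPORT, CURRENT_REPORT)
end
```

On the sample input the gate fails because of the new High-confidence mass assignment warning, while the new Weak-confidence warning is only listed and the fixed XSS warning is acknowledged. The baseline file is checked in and regenerated whenever the team accepts or fixes findings, which keeps the gate focused on what a change introduces rather than on the project's historical backlog.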
Types of Static Analysis Tools
Security - Vulnerabilities
Composition - Old/vulnerable dependencies
Quality - Complexity
Style
Finding Tools
Building Tools
In Conclusion
Source code analysis fits well with DevOps
Enables security review inside workflow
Provides feedback early in development
Multiple options for integration points