{"url":"https://api.github.com/gists/f4238112db7654aa2919be1e3faf5dfa","forks_url":"https://api.github.com/gists/f4238112db7654aa2919be1e3faf5dfa/forks","commits_url":"https://api.github.com/gists/f4238112db7654aa2919be1e3faf5dfa/commits","id":"f4238112db7654aa2919be1e3faf5dfa","node_id":"MDQ6R2lzdGY0MjM4MTEyZGI3NjU0YWEyOTE5YmUxZTNmYWY1ZGZh","git_pull_url":"https://gist.github.com/f4238112db7654aa2919be1e3faf5dfa.git","git_push_url":"https://gist.github.com/f4238112db7654aa2919be1e3faf5dfa.git","html_url":"https://gist.github.com/michaellihs/f4238112db7654aa2919be1e3faf5dfa","files":{"security-automation-ci.md":{"filename":"security-automation-ci.md","type":"text/markdown","language":"Markdown","raw_url":"https://gist.githubusercontent.com/michaellihs/f4238112db7654aa2919be1e3faf5dfa/raw/ef77ef7fbf7639c7ee5a3440b49eff89a06525e5/security-automation-ci.md","size":5605,"truncated":false,"content":"# Meetup: Automated Security Testing in Continuous Integration\n\nThis is a short summary of our [DevOps Stuttgart Meetup from March 5th](https://www.meetup.com/de-DE/devops-stuttgart/events/268094799/) about automated security testing in Continuous Integration. For the meetup we had [Christian Kühn](https://twitter.com/CYxChris) and [Arnold Franke](https://twitter.com/indyarni) from [Synyx](https://synyx.de/) with us as speakers.\n\nChris started the presentation with the question of who is currently running security tests in their pipelines, and I was surprised by the majority of hands being raised. Also, it seems that nowadays more than half of the audience is running production workloads in containers.\n\nTo motivate the topic of security testing, we were introduced to a recent [security incident at Equifax](https://www.synopsys.com/blogs/software-security/equifax-apache-struts-vulnerability-cve-2017-5638/), where a huge amount of private data (including social security numbers and credit card data) leaked due to an unpatched Java library (Apache Struts, CVE-2017-5638). 
The point is that this incident could have been avoided with proper scanning of dependencies and timely patching.\n\nAfterwards the presentation mainly covered the following topics:\n\n* How security is treated in many software projects, a.k.a. \"I am a developer, leave me alone with your security stuff, we have a team / specialists for that\"\n* Short introduction to the [OWASP Top 10](https://owasp.org/www-project-top-ten/) and the [CVE database](https://nvd.nist.gov/vuln/full-listing) from NIST\n  * Number 9 of the Top 10 is *Using Components with Known Vulnerabilities*, which we took a closer look at\n* **Dependency scanning** with a [\"broken\" Spring Boot](https://github.com/cy4n/broken) app as an example\n  * showing that even the simplest Spring Boot application has > 50 transitive dependencies\n  * so the first important lesson of the evening was: do not only take care of the code you write, but **know your dependencies**\n* Introducing **security scans in pipelines**, with an example of what this can look like in Jenkins\n  * distinguish between broken builds and **unstable builds**. The reason for this is to still be able to ship your artifacts even though they contain vulnerable dependencies, as long as you work around the issue within your code.\n  * **Whitelisting dependencies** in dependency security scans allows you to mute findings in your dependencies if they do not impact your artifact (e.g. 
vulnerabilities in a library that only impact your application when you use a certain feature)\n  * the presented **tool for security scans** was [OWASP Dependency Check](https://owasp.org/www-project-dependency-check/)\n  * other tools of interest might be [snyk](https://snyk.io/); GitHub also offers [security scanning for free](https://help.github.com/en/github/managing-security-vulnerabilities/about-security-alerts-for-vulnerable-dependencies) for open source projects\n* What the security-related issues with using Docker images are\n  * Docker images are often based on other images, which makes versions hard to track, especially when using `:latest`\n  * base images are maintained by the community and are usually patched properly\n  * custom intermediate images are often problematic since people tend to forget about them\n  * widely used anti-pattern: we have nightly builds of our software and application images but forget to patch the intermediate images they are built on\n* **Container Scanning**: scans Docker images for known vulnerabilities\n  * the presented **tool for container / image scanning** was [CoreOS Clair](https://github.com/quay/clair)\n  * there is a Docker image to run Clair on demand: [clair-local-scan](https://github.com/arminc/clair-local-scan)\n  * it is challenging to figure out which vulnerabilities are critical for you\n  * there is **another tool for scanning images**: [trivy](https://github.com/aquasecurity/trivy)\n  * hint: run your images through multiple vulnerability scanning tools and check which findings are relevant for you\n* Scan your application's endpoints with an **API Scanner**\n  * the presented tool for automated penetration tests of APIs is [OWASP ZAP](https://owasp.org/www-project-zap/)\n  * it works by first running a spider that generates a list of your API's endpoints, which is then passed on to the penetration test\n  * you can also feed it your **OpenAPI definition** in [Swagger](https://swagger.io/specification/) format to make the tool aware of your actual endpoints\n  * by looking at the 
tests ZAP runs against your app, **you can already learn a lot about application security**\n\nSo in summary, we learned how to add three new stages to our build pipeline:\n\n1. Security checking of dependencies\n2. Vulnerability scanning of Docker images\n3. Penetration testing of your (REST) API in the running application\n\nand about the challenges of properly using the three tools and interpreting their findings.\n\nAfter the presentation, someone mentioned [OWASP Secure Codebox](https://owasp.org/www-project-securecodebox/#) as another tool you might want to take a look at.\n\nThe lively discussion after the presentation showed that it was very well received by the audience. We hope to have further security topics in our [DevOps Stuttgart Meetup](https://www.meetup.com/de-DE/devops-stuttgart/) in the near future. If you want to give a talk, feel free to reach out to me any time.\n\nHere's the [link to the slides](https://www.slideshare.net/ChristianKhn8/automated-security-testing-in-continuous-integration).\n\nA big Thank You! 
goes to the team at [ZOI](https://www.zoi.de/) and especially [Malte](https://twitter.com/derBroBro) who provided a pleasant location and food and drinks.","encoding":"utf-8"}},"public":true,"created_at":"2020-03-06T07:56:17Z","updated_at":"2020-03-06T18:16:35Z","description":"Meetup: Automated Security Testing in Continuous Integration","comments":0,"user":null,"comments_enabled":true,"comments_url":"https://api.github.com/gists/f4238112db7654aa2919be1e3faf5dfa/comments","owner":{"login":"michaellihs","id":575011,"node_id":"MDQ6VXNlcjU3NTAxMQ==","avatar_url":"https://avatars.githubusercontent.com/u/575011?v=4","gravatar_id":"","url":"https://api.github.com/users/michaellihs","html_url":"https://github.com/michaellihs","followers_url":"https://api.github.com/users/michaellihs/followers","following_url":"https://api.github.com/users/michaellihs/following{/other_user}","gists_url":"https://api.github.com/users/michaellihs/gists{/gist_id}","starred_url":"https://api.github.com/users/michaellihs/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/michaellihs/subscriptions","organizations_url":"https://api.github.com/users/michaellihs/orgs","repos_url":"https://api.github.com/users/michaellihs/repos","events_url":"https://api.github.com/users/michaellihs/events{/privacy}","received_events_url":"https://api.github.com/users/michaellihs/received_events","type":"User","user_view_type":"public","site_admin":false},"forks":[],"history":[{"user":{"login":"michaellihs","id":575011,"node_id":"MDQ6VXNlcjU3NTAxMQ==","avatar_url":"https://avatars.githubusercontent.com/u/575011?v=4","gravatar_id":"","url":"https://api.github.com/users/michaellihs","html_url":"https://github.com/michaellihs","followers_url":"https://api.github.com/users/michaellihs/followers","following_url":"https://api.github.com/users/michaellihs/following{/other_user}","gists_url":"https://api.github.com/users/michaellihs/gists{/gist_id}","starred_url":"https://api.github.com/users/michaelli
hs/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/michaellihs/subscriptions","organizations_url":"https://api.github.com/users/michaellihs/orgs","repos_url":"https://api.github.com/users/michaellihs/repos","events_url":"https://api.github.com/users/michaellihs/events{/privacy}","received_events_url":"https://api.github.com/users/michaellihs/received_events","type":"User","user_view_type":"public","site_admin":false},"version":"bfefd98dd88405fc11f8e4141c6db3f5efbac7e7","committed_at":"2020-03-06T18:16:35Z","change_status":{"total":9,"additions":6,"deletions":3},"url":"https://api.github.com/gists/f4238112db7654aa2919be1e3faf5dfa/bfefd98dd88405fc11f8e4141c6db3f5efbac7e7"},{"user":{"login":"michaellihs","id":575011,"node_id":"MDQ6VXNlcjU3NTAxMQ==","avatar_url":"https://avatars.githubusercontent.com/u/575011?v=4","gravatar_id":"","url":"https://api.github.com/users/michaellihs","html_url":"https://github.com/michaellihs","followers_url":"https://api.github.com/users/michaellihs/followers","following_url":"https://api.github.com/users/michaellihs/following{/other_user}","gists_url":"https://api.github.com/users/michaellihs/gists{/gist_id}","starred_url":"https://api.github.com/users/michaellihs/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/michaellihs/subscriptions","organizations_url":"https://api.github.com/users/michaellihs/orgs","repos_url":"https://api.github.com/users/michaellihs/repos","events_url":"https://api.github.com/users/michaellihs/events{/privacy}","received_events_url":"https://api.github.com/users/michaellihs/received_events","type":"User","user_view_type":"public","site_admin":false},"version":"fe414d1146d97fdf007858f3aba190a55877a50d","committed_at":"2020-03-06T12:10:55Z","change_status":{"total":4,"additions":2,"deletions":2},"url":"https://api.github.com/gists/f4238112db7654aa2919be1e3faf5dfa/fe414d1146d97fdf007858f3aba190a55877a50d"},{"user":{"login":"michaellihs","id":575011,"node_id":"MDQ6VXN
lcjU3NTAxMQ==","avatar_url":"https://avatars.githubusercontent.com/u/575011?v=4","gravatar_id":"","url":"https://api.github.com/users/michaellihs","html_url":"https://github.com/michaellihs","followers_url":"https://api.github.com/users/michaellihs/followers","following_url":"https://api.github.com/users/michaellihs/following{/other_user}","gists_url":"https://api.github.com/users/michaellihs/gists{/gist_id}","starred_url":"https://api.github.com/users/michaellihs/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/michaellihs/subscriptions","organizations_url":"https://api.github.com/users/michaellihs/orgs","repos_url":"https://api.github.com/users/michaellihs/repos","events_url":"https://api.github.com/users/michaellihs/events{/privacy}","received_events_url":"https://api.github.com/users/michaellihs/received_events","type":"User","user_view_type":"public","site_admin":false},"version":"52edfec3d60c7e25bab8aeb5cd1822ec6065222e","committed_at":"2020-03-06T12:09:19Z","change_status":{"total":4,"additions":3,"deletions":1},"url":"https://api.github.com/gists/f4238112db7654aa2919be1e3faf5dfa/52edfec3d60c7e25bab8aeb5cd1822ec6065222e"},{"user":{"login":"michaellihs","id":575011,"node_id":"MDQ6VXNlcjU3NTAxMQ==","avatar_url":"https://avatars.githubusercontent.com/u/575011?v=4","gravatar_id":"","url":"https://api.github.com/users/michaellihs","html_url":"https://github.com/michaellihs","followers_url":"https://api.github.com/users/michaellihs/followers","following_url":"https://api.github.com/users/michaellihs/following{/other_user}","gists_url":"https://api.github.com/users/michaellihs/gists{/gist_id}","starred_url":"https://api.github.com/users/michaellihs/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/michaellihs/subscriptions","organizations_url":"https://api.github.com/users/michaellihs/orgs","repos_url":"https://api.github.com/users/michaellihs/repos","events_url":"https://api.github.com/users/michaellihs/events{/priva
cy}","received_events_url":"https://api.github.com/users/michaellihs/received_events","type":"User","user_view_type":"public","site_admin":false},"version":"37a1ebfb9f6859a16c7c9988021e9dbb24d58664","committed_at":"2020-03-06T09:20:48Z","change_status":{"total":4,"additions":3,"deletions":1},"url":"https://api.github.com/gists/f4238112db7654aa2919be1e3faf5dfa/37a1ebfb9f6859a16c7c9988021e9dbb24d58664"},{"user":{"login":"michaellihs","id":575011,"node_id":"MDQ6VXNlcjU3NTAxMQ==","avatar_url":"https://avatars.githubusercontent.com/u/575011?v=4","gravatar_id":"","url":"https://api.github.com/users/michaellihs","html_url":"https://github.com/michaellihs","followers_url":"https://api.github.com/users/michaellihs/followers","following_url":"https://api.github.com/users/michaellihs/following{/other_user}","gists_url":"https://api.github.com/users/michaellihs/gists{/gist_id}","starred_url":"https://api.github.com/users/michaellihs/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/michaellihs/subscriptions","organizations_url":"https://api.github.com/users/michaellihs/orgs","repos_url":"https://api.github.com/users/michaellihs/repos","events_url":"https://api.github.com/users/michaellihs/events{/privacy}","received_events_url":"https://api.github.com/users/michaellihs/received_events","type":"User","user_view_type":"public","site_admin":false},"version":"fe34e665647882e252b460cdbcbf997f764ef717","committed_at":"2020-03-06T09:08:10Z","change_status":{"total":8,"additions":8,"deletions":0},"url":"https://api.github.com/gists/f4238112db7654aa2919be1e3faf5dfa/fe34e665647882e252b460cdbcbf997f764ef717"},{"user":{"login":"michaellihs","id":575011,"node_id":"MDQ6VXNlcjU3NTAxMQ==","avatar_url":"https://avatars.githubusercontent.com/u/575011?v=4","gravatar_id":"","url":"https://api.github.com/users/michaellihs","html_url":"https://github.com/michaellihs","followers_url":"https://api.github.com/users/michaellihs/followers","following_url":"https://api.github.com/u
sers/michaellihs/following{/other_user}","gists_url":"https://api.github.com/users/michaellihs/gists{/gist_id}","starred_url":"https://api.github.com/users/michaellihs/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/michaellihs/subscriptions","organizations_url":"https://api.github.com/users/michaellihs/orgs","repos_url":"https://api.github.com/users/michaellihs/repos","events_url":"https://api.github.com/users/michaellihs/events{/privacy}","received_events_url":"https://api.github.com/users/michaellihs/received_events","type":"User","user_view_type":"public","site_admin":false},"version":"a44f62e41e7a6d8b0105e252494e2ff16b45338f","committed_at":"2020-03-06T09:04:45Z","change_status":{"total":45,"additions":18,"deletions":27},"url":"https://api.github.com/gists/f4238112db7654aa2919be1e3faf5dfa/a44f62e41e7a6d8b0105e252494e2ff16b45338f"},{"user":{"login":"michaellihs","id":575011,"node_id":"MDQ6VXNlcjU3NTAxMQ==","avatar_url":"https://avatars.githubusercontent.com/u/575011?v=4","gravatar_id":"","url":"https://api.github.com/users/michaellihs","html_url":"https://github.com/michaellihs","followers_url":"https://api.github.com/users/michaellihs/followers","following_url":"https://api.github.com/users/michaellihs/following{/other_user}","gists_url":"https://api.github.com/users/michaellihs/gists{/gist_id}","starred_url":"https://api.github.com/users/michaellihs/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/michaellihs/subscriptions","organizations_url":"https://api.github.com/users/michaellihs/orgs","repos_url":"https://api.github.com/users/michaellihs/repos","events_url":"https://api.github.com/users/michaellihs/events{/privacy}","received_events_url":"https://api.github.com/users/michaellihs/received_events","type":"User","user_view_type":"public","site_admin":false},"version":"5a001b00bc510490ce9dbfb44f8e5a63da717be1","committed_at":"2020-03-06T07:56:16Z","change_status":{"total":47,"additions":47,"deletions":0},"ur
l":"https://api.github.com/gists/f4238112db7654aa2919be1e3faf5dfa/5a001b00bc510490ce9dbfb44f8e5a63da717be1"}],"truncated":false}