
Battle-tested Code Without the Battle - Security Testing and Continuous Integration

James Wickett (Mentor Graphics), Gareth Rushgrove (Government Digital Service)
Operations
Grand Ballroom CD
Tutorial

Please note: to attend, your registration must include Tutorials on Tuesday.

Average rating: 3.75 (59 ratings)

THIS TUTORIAL HAS REQUIREMENTS AND INSTRUCTIONS LISTED BELOW

Everyone knows that we need to harden our code before it goes into production, but very few actually test for security flaws in their delivery pipeline. We will show a basic continuous delivery pipeline that should be familiar to anyone who has worked with continuous integration, and then proceed to add steps to identify security issues in a typical web application stack. We’ll demonstrate how to:

  • Make sure code commits are really coming from the person you think they are
  • Check build artifacts for viruses
  • Identify changes to sensitive components that probably require review
  • Scan source code for common security issues
  • Make sure dependencies don’t have known vulnerabilities
  • Use real penetration testing tools as part of integration testing
  • Develop security tests alongside unit and integration tests
  • and more!

We’ll also talk about practical considerations, like when to block the pipeline and when to just alert someone to the potential danger, and how to prevent your build time from going through the roof.

Attendees will be able to follow along either online or by building the pipeline locally on their own computers. All of the source code will be open source and available for people to use for testing their own applications after the conference. We’ll use a range of open source technology including OWASP ZAP, Gauntlt, Jenkins, Vagrant, and more.

At the end, the attendee will:

  • Learn about common web application vulnerabilities and how to detect them
  • Be familiar with the security tools that can be used for testing
  • Be able to set up a security testing pipeline for themselves
  • Have a working sample architecture and design that they can take back to the office to start implementing

TUTORIAL REQUIREMENTS AND INSTRUCTIONS FOR ATTENDEES

Attendees will need:

* a GitHub account
* a Travis CI account
* a computer with a web browser



James Wickett

Mentor Graphics

James is involved in the DevOps and InfoSec communities and has a passion for helping big companies work like startups to deliver products in the cloud. He got his start in technology when he ran a Web startup company as a student at the University of Oklahoma and since then has worked in environments ranging from large, web-scale enterprises to small, rapid-growth startups. During his work at Mentor Graphics, James helped launch four cloud-based products for the Embedded Software Division.

James is a dynamic speaker on topics in cloud computing, cloud security and Rugged DevOps. He is the creator and founder of the Lonestar Application Security Conference, which is the largest annual security conference in Austin, TX. He holds the following security certifications: CISSP, GWAPT, GCFW, GSEC and CCSK.

http://about.me/wickett


Gareth Rushgrove

Government Digital Service

I’m a professional and experienced software developer based in Cambridge, UK. By day I work for the UK Government fixing the internet. By night I curate the devops weekly email newsletter, hack on various open source projects, organise local meetups in London and write tutorials or articles about software development and web operations.


Comments

06/26/2014 1:09pm PDT

For lab 1, how could I add the CI badge? Do you have the example for the README.md? Thanks.

Edit README.md to point the Travis CI badge to your forked repo’s build status instead of the main.

06/23/2014 2:18pm PDT

Hi Gareth — I have the same concern as Ryan. I don’t know anything about Travis … could you post (or walk us through during the tutorial) how to grant finer-grained access to GitHub. It’s not obvious to me in the permissions process.

05/19/2014 10:09am PDT

Hi Ryan. Travis I think has fine-grained permissions, at least down to the repo level. So you would only be giving it access to repositories you create for the workshop. Alternatively it should be easy to follow along with someone else for those bits, and lots of the examples will be using a Jenkins instance that we’ll be providing for everyone as well.

Ryan Park
05/19/2014 9:43am PDT

Is there any way to create a Travis CI account without giving them access to my GitHub repositories? I had a bad experience granting Circle CI access to my repos, so I don’t want to do that for Travis. If there’s no way to do that, how important is the Travis CI account to this tutorial?