My Little Webapp – DevOpsSec is Magic
Apollo Clark
@apolloclark
apolloclark.com
slideshare.net/ApolloClark/my-little-webap-devopssec-is-magic
About Me
• Originally from Maine
• Lived in Milwaukee, Chicago, Atlanta
• Web developer since 2001
• PHP, Python, Java, C++, Perl, Visual Basic, etc.
• MySQL, PostgreSQL, MongoDB, Redis
• Kali Linux, Burpsuite, Gauntlt, SQLMap, XSSer, etc.
• Got badly hacked in 2010, been learning since
• I like making good software
What if we could fix anything in 10 minutes?
With DevOpsSec, you can!
How does it feel?
Prepare for a meme filled ride.
How do we do things today?
We need to build QA and security in.
What can we do?
Dev vs. Ops
• Devs are paid to change code, high entropy
• Ops are paid to have stability, low entropy
• Change != Stability
• IE8 only supports loading 31 CSS files
"One line of code can break everything."
What do we do?
Climbing the Pyramid
"The worst thing that can happen to a system is that it doesn't run. The second worst thing is that it runs very slowly."
Performance
• stress testing: "how many concurrent users?"
• server latency: "how long is the response wait?"
• initial client-side load latency: "time to first tweet"
• client latency: "how long does action take?"
Don’t forget to DDoS yourself.
What we got:
What we want:
Code quality testing IS security testing.
Security Testing without Code Quality Checks:
2^6 possible code pathways
64 possible outcomes from 1 function.
Code Quality
• linting, correct formatting
• copy + paste, easily refactor
• complexity, refactoring target
• unsafe calls, change implementation
• e2e tests, detect regressions
• unit tests, detect integration issues
• coverage, testing thoroughness
• mocks, speed up testing
Unit Testing
Ready to try some Unit Testing?
Unit Testing
GET /users/<account_name>
• happy path: "aclark"
• missing entry: "aclark2"
• lower bounds: "a"
• upper bounds: "aaaaaaaaa"
• empty: "account_name" : ""
• null: (null)
• fuzzing: "a2$@o9(@1"
"a2$@o9(@1" eventually becomes "a or 1=1; --"
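The unit-test cases listed for GET /users/<account_name>, carried through as an added example that is not from the slides: a hypothetical Python handler get_user() over an in-memory SQLite table. The account-name policy (2 to 8 lowercase alphanumerics or underscore) is an assumption chosen so the slide's bounds cases fall on either side of it, and the parameterised query is what keeps the fuzz string that later "grows up" into `a or 1=1; --` as plain data rather than SQL.

```python
import re
import sqlite3
import unittest

# Constructed policy for this example: lowercase alphanumerics/underscore, 2..8 chars.
ACCOUNT_RE = re.compile(r"[a-z0-9_]{2,8}")


def make_db():
    """In-memory SQLite with two constructed users; stands in for the real store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (account_name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("aclark", "aclark@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup(conn, account_name):
    """Parameterised lookup: the driver binds the value, so it is compared as a literal."""
    row = conn.execute(
        "SELECT account_name, email FROM users WHERE account_name = ?",
        (account_name,),
    ).fetchone()
    if row is None:
        return 404, {"error": "not found"}
    return 200, {"account_name": row[0], "email": row[1]}


def get_user(conn, account_name):
    """Hypothetical handler for GET /users/<account_name>; returns (status, body)."""
    # None must be rejected before the regex runs (fullmatch(None) raises TypeError).
    if account_name is None or account_name == "":
        return 400, {"error": "account_name is required"}
    # fullmatch, not match: "$" would still accept a trailing newline.
    if not ACCOUNT_RE.fullmatch(account_name):
        return 400, {"error": "account_name has invalid length or characters"}
    return lookup(conn, account_name)


# The slide's cases, one per row: (label, input, expected status).
CASES = [
    ("happy path", "aclark", 200),
    ("missing entry", "aclark2", 404),
    ("lower bounds", "a", 400),
    ("upper bounds", "aaaaaaaaa", 400),
    ("empty", "", 400),
    ("null", None, 400),
    ("fuzzing", "a2$@o9(@1", 400),
    ("fuzzing grown up", "a or 1=1; --", 400),
]


class GetUserTests(unittest.TestCase):
    def setUp(self):
        self.conn = make_db()

    def test_cases(self):
        for label, value, expected in CASES:
            with self.subTest(label):
                status, _ = get_user(self.conn, value)
                self.assertEqual(status, expected)

    def test_injection_string_is_just_data(self):
        # Even with input validation bypassed, the bound parameter never becomes SQL:
        # no user is literally named "a or 1=1; --", so the table is not dumped.
        status, body = lookup(self.conn, "a or 1=1; --")
        self.assertEqual(status, 404)
        self.assertNotIn("aclark", str(body))


def run_cases(conn=None):
    """Return {label: status} for every case; handy for a quick manual check."""
    conn = conn or make_db()
    return {label: get_user(conn, value)[0] for label, value, _ in CASES}


if __name__ == "__main__":
    unittest.main()
```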
You can’t support everything:
Supported
• define supported devices, resolutions, browsers, and versions
• use Selenium WebDriver
• test locally in VM images
• test on the cloud
Try using unsupported systems. Hopefully fail gracefully. Might even find something…
Pro-tip: Try setting your browser User-Agent to iPhone 3.0 when visiting news websites :P
Deployable
• atomic base box VM
• provisioning scripts
• deploy to local, AWS, Rackspace, etc.
• scan dependency list
• scan server setup
Bash Test

```bash
#!/bin/bash
# Fail the build if the host exposes 443; only port 80 is expected to be open.
HOST="192.168.1.4"
PATTERN="443/tcp\s+open"
# -E: "+" is only a quantifier in extended regex (plain grep would treat it literally
# and never match). Quoting the variables keeps them from being word-split.
if nmap -p 80,443 "$HOST" | grep -Eq "$PATTERN"
then
    echo "ERROR: Port 443 open!"
    exit 1
else
    echo "SUCCESS: No unauthorized ports open."
    exit 0
fi
```
Gauntlt Test

```gherkin
@slow
Feature: simple nmap attack (sanity check)

  Background:
    Given "nmap" is installed
    And the following profile:
      | name     | value       |
      | hostname | 192.168.1.4 |

  Scenario: Verify server is available on standard web ports
    When I launch an "nmap" attack with:
      """
      nmap -p 80,443 <hostname>
      """
    Then the output should match /80.tcp\s+open/
    And the output should not match:
      """
      443/tcp\s+open
      """
```
My personal websites:
If you’re a ‘Murican only company, why are you letting your server talk to Russia?
Monitoring
• request origin
• request scans
• invalid requests
• request flood
• response flood
• server uptime
• latency
• cpu load
My startup has < 100 users. It gets scanned and attacked every day.
Your live servers are getting hammered all the time.
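The first four Monitoring items (request origin, request scans, invalid requests, request flood) as detection logic over access-log lines, added here as an example that is not from the slides. The log sample is constructed (documentation-range addresses), the per-minute and distinct-404 thresholds are assumptions, and the allow-listed networks stand in for the GeoIP lookup a real "why is my server talking to Russia?" check would use.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in combined log format; 203.0.113.0/24 and 192.0.2.0/24 play the
# "home" networks, 198.51.100.0/24 plays everything else.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2015:13:55:36 +0000] "GET /users/aclark HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:13:55:40 +0000] "GET /static/app.js HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2015:13:56:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0 "-" "curl/7.35"
198.51.100.9 - - [10/Oct/2015:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "curl/7.35"
198.51.100.9 - - [10/Oct/2015:13:56:02 +0000] "GET /.env HTTP/1.1" 404 0 "-" "curl/7.35"
198.51.100.9 - - [10/Oct/2015:13:56:02 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "curl/7.35"
198.51.100.23 - - [10/Oct/2015:13:57:10 +0000] "\\x16\\x03\\x01\\x00" 400 0 "-" "-"
"""
# Six hits from one address inside one minute: the constructed "request flood".
SAMPLE_LOG += "".join(
    f'192.0.2.44 - - [10/Oct/2015:13:58:{s:02d} +0000] "GET /users/aclark HTTP/1.1" 200 512 "-" "python-requests/2.7"\n'
    for s in range(6)
)

# Assumed stand-in for a country allow-list.
ALLOWED_NETS = ["203.0.113.0/24", "192.0.2.0/24"]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields we need, or None if the line is not a well-formed log record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split(" ")
    # A request line that is not "METHOD /path HTTP/x.y" (TLS bytes sent to a plain
    # HTTP port, for instance) parses, but carries no usable method or path.
    ok = len(parts) == 3 and parts[2].startswith("HTTP/")
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "method": parts[0] if ok else None,
        "path": parts[1] if ok else None,
    }


def analyze(log_text, allowed_nets=ALLOWED_NETS, scan_threshold=3, flood_threshold=5):
    """Flag scans (many distinct 404 paths per IP), floods (requests per IP per minute),
    invalid requests, and requests from outside the allow-listed networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    paths_404 = defaultdict(set)
    per_ip_minute = Counter()
    invalid, foreign = [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            invalid.append(line)
            continue
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except ValueError:
            invalid.append(line)
            continue
        if not any(addr in n for n in nets):
            foreign.add(rec["ip"])
        if rec["status"] == 400 or rec["path"] is None:
            invalid.append(line)
        if rec["status"] == 404:
            paths_404[rec["ip"]].add(rec["path"])
        # ts[:17] is "dd/Mon/yyyy:HH:MM", i.e. the minute bucket.
        per_ip_minute[(rec["ip"], rec["ts"][:17])] += 1
    return {
        "scans": {ip: len(p) for ip, p in paths_404.items() if len(p) >= scan_threshold},
        "floods": {ip: n for (ip, _), n in per_ip_minute.items() if n >= flood_threshold},
        "invalid": invalid,
        "foreign": sorted(foreign),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```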
This is your attack surface:
You can't know where those red dots are, so protect everything.
Security
• what to test?
• how to test?
• monitor issues
• aggregate reports
• prioritize issues
• automate tests
Give and request automated tests, not PDF docs.
Write "Malicious User Stories"
IF YOU SEE SOMETHING, SAY SOMETHING.
... but, at least write a test.
Common Concerns:
DevOpsSec is free, you can do it today.
Automation does not replace people. Know why?
Automation is people.
Automation helps them focus on more difficult problems.
Repeat after me:
"I am DevOpsSec ..."
"... and so can you!"
Infosec Taylor Swift @SwiftOnSecurity
Apollo Clark @apolloclark
apolloclark.com
slideshare.net/ApolloClark/my-little-webap-devopssec-is-magic
github.com/apolloclark/py-jenkins-ci