Embed Size (px)
DESCRIPTION
Rakuten Technology Conference 2014 "Security checking which is as a part of Continuous Integration" Masanori Fujisaki (HEARTBEATS Corporation / Walti, Inc.)
Citation preview
![Page 1: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/1.jpg)
Security Checking,
as a part of
Continuous Integration
Rakuten Technology Conference
2014
@ FUKUOKA
![Page 2: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/2.jpg)
Who am I ?
Masanori Fujisaki
Twitter: @fujisaki_hb
Facebook: fujisaki.masanori
Founder & CEO
HEARBTEATS Corp. ( since April, 2005)
Walti, Inc. ( since July, 2014 )
Entrepreneur & Infrastructure Engineer
I was born in Iiduka, Fukuoka,
and grew up in Kitakyusyu, Fukuoka,
and now live in Shibuya, Tokyo.
![Page 3: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/3.jpg)
Who am I ?
Masanori Fujisaki
Twitter: @fujisaki_hb
Facebook: fujisaki.masanori
Founder & CEO
HEARBTEATS Corp. ( since April, 2005)
Walti, Inc. ( since July, 2014 )
Entrepreneur & Infrastructure Engineer
I was born in Iiduka, Fukuoka,
and grew up in Kitakyusyu, Fukuoka,
and now live in Shibuya, Tokyo.
![Page 4: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/4.jpg)
Today’s Topics
1. Recent Security Incidents.
2. Why you need to do security checking as a part of
Continuous Integration.
3. Some Open Source Security Check Tools
4. Some Security Communities and Organizations
5. About Walti.io
![Page 5: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/5.jpg)
Recent Security
Incidents(1)
Environmental Pattern..
![Page 6: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/6.jpg)
Recent Security
Incidents(1)
Environmental Pattern..
Heartbleed
OpenSSL
http://heartbleed.com/
![Page 7: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/7.jpg)
Recent Security
Incidents(1)
Environmental Pattern..
Heartbleed
OpenSSL
http://heartbleed.com/
ShellShock
Bash
http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29
![Page 8: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/8.jpg)
Recent Security
Incidents(1)
Environmental Pattern..
Heartbleed
OpenSSL
http://heartbleed.com/
ShellShock
Bash
http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29
POODLE
SSL3.0 protocol
https://www.openssl.org/~bodo/ssl-poodle.pdf
![Page 9: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/9.jpg)
Recent Security
Incidents(2)
DDoS Pattern..
![Page 10: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/10.jpg)
Recent Security
Incidents(2)
DDoS Pattern..
NTP Amplification Attack
CloudFlare 400Gbps
http://blog.cloudflare.com/technical-details-behind-a-
400gbps-ntp-amplification-ddos-attack/
![Page 11: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/11.jpg)
Recent Security
Incidents(2)
DDoS Pattern..
NTP Amplification Attack
CloudFlare 400Gbps
http://blog.cloudflare.com/technical-details-behind-a-
400gbps-ntp-amplification-ddos-attack/
DNS Amplification Attack
DNS Open Resolver
https://www.us-cert.gov/ncas/alerts/TA13-088A
![Page 12: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/12.jpg)
Recent Security
Incidents(2)
DDoS Pattern..
NTP Amplification Attack
CloudFlare 400Gbps
http://blog.cloudflare.com/technical-details-behind-a-
400gbps-ntp-amplification-ddos-attack/
DNS Amplification Attack
DNS Open Resolver
https://www.us-cert.gov/ncas/alerts/TA13-088A
UPnP Device-Based Reflection Attack
http://www.akamai.co.jp/enja/html/about/press/releases/2014/
press-101514-2.html
![Page 13: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/13.jpg)
One of the Solutions
Inbound Port 53 Blocking
Inbound Port 123 Blocking
http://www.kddi.com/important-news/20140825/
![Page 14: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/14.jpg)
Recent Security
Incidents(3)
Frameworks
Struts
https://www.ipa.go.jp/security/ciadr/vul/20140417-struts.html
Rails
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3514
One of the Solutions
Request Pattern blocking by URL Filter or IDS/IDP
![Page 15: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/15.jpg)
This means…
Security Issues occur to each layer.
We always need to do security updating.
We have to develop secure applications.
We have to manage infrastructure securely.
![Page 16: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/16.jpg)
This means…
Security Issues occur to each layer.
We always need to do security updating.
We have to develop secure applications.
We have to manage infrastructure securely.
You can not do those by yourself.
![Page 17: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/17.jpg)
TEST
![Page 18: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/18.jpg)
TEST
Old Style TEST
You test your application before release.
![Page 19: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/19.jpg)
TEST
Old Style TEST
You test your application before release.
Modern Style TEST
You constantly test by CI Tools.
![Page 20: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/20.jpg)
Security Check
![Page 21: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/21.jpg)
Security Check
Old Style Security Check
You only check your application security before
release.
![Page 22: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/22.jpg)
Security Check
Old Style Security Check
You only check your application security before
release.
Modern Style Security Check
You constantly check your app security by CI Tools.
![Page 23: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/23.jpg)
Security Check,
as a part of
Continuous Integration.
![Page 24: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/24.jpg)
Continuous Integration
Security Checking
develop
testdeploy
![Page 25: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/25.jpg)
Continuous Integration
Security Checking
develop
testdeploy
develop
Test
deploy to staging
Security check
deploy to production
![Page 26: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/26.jpg)
Security Checking by OSS,
as a part of
Continuous Integration
![Page 27: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/27.jpg)
for Web Application
![Page 28: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/28.jpg)
for Web Application
OWASP ZAPhttps://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
zapper
https://github.com/adedayo/zapper
![Page 29: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/29.jpg)
for Web Application
OWASP ZAPhttps://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
zapper
https://github.com/adedayo/zapper
Skipfishhttps://code.google.com/p/skipfish/
shellhttp://cloudapplistore.biglobe.ne.jp/ca/help/devops_3_manual_Jenkins.pdf
![Page 30: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/30.jpg)
for Web Application
OWASP ZAPhttps://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
zapper
https://github.com/adedayo/zapper
Skipfishhttps://code.google.com/p/skipfish/
shellhttp://cloudapplistore.biglobe.ne.jp/ca/help/devops_3_manual_Jenkins.pdf
Wapitihttp://wapiti.sourceforge.net/
![Page 31: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/31.jpg)
for Infrastructure
![Page 33: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/33.jpg)
for Infrastructure
nmaphttp://nmap.org/
for Firewall / netfilter
niktohttps://www.cirt.net/Nikto2
for Web Server
![Page 34: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/34.jpg)
for Infrastructure
nmaphttp://nmap.org/
for Firewall / netfilter
niktohttps://www.cirt.net/Nikto2
for Web Server
sslyzehttps://github.com/nabla-c0d3/sslyze
for HTTPS setting
![Page 35: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/35.jpg)
for Infrastructure
nmaphttp://nmap.org/
for Firewall / netfilter
niktohttps://www.cirt.net/Nikto2
for Web Server
sslyzehttps://github.com/nabla-c0d3/sslyze
for HTTPS setting
Metasploithttp://www.metasploit.com/
All in one
![Page 36: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/36.jpg)
CI Tools
![Page 37: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/37.jpg)
CI Tools
JenkinsAn extendable open source Continuous Integration server
http://jenkins-ci.org/
![Page 38: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/38.jpg)
CI Tools
JenkinsAn extendable open source Continuous Integration server
http://jenkins-ci.org/
Mozilla MinionAn open source Security Automation platform.
https://wiki.mozilla.org/Security/Projects/Minion
http://heartbeats.jp/hbblog/2013/08/minion.html
![Page 39: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/39.jpg)
Security Communities &
Organizations
![Page 40: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/40.jpg)
OWASP
The Open Web Application Security Project (OWASP)https://www.owasp.org/
the free and open software security community
Japan Chapterhttps://www.owasp.org/index.php/Japan
OWASP Top 10https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
![Page 41: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/41.jpg)
MITRE
MITREa not-for-profit organization that operates multiple federally funded
research and development centers
http://www.mitre.org/
CWECommon Weakness Enumeration
http://cwe.mitre.org/
used by NIST, OWASP Top 10 project, etc…
![Page 42: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/42.jpg)
CSIRT
CSIRTComputer Security Incident Response Team
CERT/CC
JPCERT/CC
NIRT(National Incident Response Team)
Nippon CSIRT Association
http://www.nca.gr.jp/
![Page 43: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/43.jpg)
Japan MSP Association
Japan MSP Association
( To be Founded on November 1, 2014 )
![Page 44: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/44.jpg)
How can you do Security
Checking Easily by OSS,
as a part of
Continuous Integration?
![Page 45: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/45.jpg)
I have one proposal.
![Page 46: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/46.jpg)
Walti.io
![Page 47: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/47.jpg)
Walti.io is…
https://walti.io/
Continuous Server-side Security Scanner
Run Scans Easily from Dashboard
Team-based Web Safety Protection
Continuous Security Management
API Support
Impressive Low Cost
![Page 48: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/48.jpg)
Scanners in Walti.io
Portscan ¥10/scan
Nikto ¥10/scan
Sslyze ¥5/scan
Skipfish ¥100/scan
develop
Test
deploy to staging
Security check
deploy to production
![Page 50: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/50.jpg)
Today’s Summary
1. Recent Security Incidences
2. Why you need to do security checking as a part of
Continuous Integration.
3. Some Open Source Security Check Tools
4. Some Security Communities and Organizations
5. About Walti.io
![Page 51: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/51.jpg)
Q & A
![Page 52: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/52.jpg)
Thank you.
![[Rakuten TechConf2014] [Sendai] Little look inside Global Ichiba: Ichiba Business Support](https://img.pdfslide.net/doc/110x75/55959ffd1a28ab14448b4601/rakuten-techconf2014-sendai-little-look-inside-global-ichiba-ichiba-business-support.jpg)
![[Rakuten TechConf2014] [Fukuoka] Enhancement of team productivity for smart device application](https://img.pdfslide.net/doc/110x75/5595a0181a28ab0f448b460a/rakuten-techconf2014-fukuoka-enhancement-of-team-productivity-for-smart-device-application.jpg)
![Page 32: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/32.jpg)
![Page 49: [Rakuten TechConf2014] [Fukuoka] Security checking which is as a part of Continuous Integration](https://reader034.pdfslide.net/reader034/viewer/2022052601/5595a01c1a28ab0f448b460f/html5/thumbnails/49.jpg)
![[Rakuten TechConf2014] [E-4] Rakuten Front-end Framework Project](https://img.pdfslide.net/doc/110x75/55959feb1a28ab19448b45da/rakuten-techconf2014-e-4-rakuten-front-end-framework-project.jpg)
![[Rakuten TechConf2014] [F-6] Changing the Behavior of IT](https://img.pdfslide.net/doc/110x75/55959fe61a28ab19448b45d7/rakuten-techconf2014-f-6-changing-the-behavior-of-it.jpg)
![[Rakuten TechConf2014] [A-5] Lessons learned from Ruby](https://img.pdfslide.net/doc/110x75/55959fed1a28ab19448b45dd/rakuten-techconf2014-a-5-lessons-learned-from-ruby.jpg)
![[Rakuten TechConf2014] [C-6] Japan ICHIBA Daily Work - Tools & Processes](https://img.pdfslide.net/doc/110x75/557d608ed8b42aba3d8b4ffc/rakuten-techconf2014-c-6-japan-ichiba-daily-work-tools-processes.jpg)
![[Rakuten TechConf2014] [Osaka] Introducing Selenium 2 WebDriver](https://img.pdfslide.net/doc/110x75/5595a01a1a28ab0f448b460d/rakuten-techconf2014-osaka-introducing-selenium-2-webdriver.jpg)
![[Rakuten TechConf2014] [Fukuoka] Technologies that underlie service delivery](https://img.pdfslide.net/doc/110x75/5595a0f41a28ab00448b46ec/rakuten-techconf2014-fukuoka-technologies-that-underlie-service-delivery.jpg)
![[Rakuten TechConf2014] [B-4] Rakuten Technology Conference Diversity session](https://img.pdfslide.net/doc/110x75/5595a0071a28ab14448b4609/rakuten-techconf2014-b-4-rakuten-technology-conference-diversity-session.jpg)
![[Rakuten TechConf2014] [A-4] Rakuten Ichiba](https://img.pdfslide.net/doc/110x75/5595a04d1a28ab0a448b4646/rakuten-techconf2014-a-4-rakuten-ichiba.jpg)
![[Rakuten TechConf2014] [C-5] Ichiba Architecture on ExaLogic](https://img.pdfslide.net/doc/110x75/5595a1021a28ab00448b46f4/rakuten-techconf2014-c-5-ichiba-architecture-on-exalogic.jpg)
![[Rakuten TechConf2014] [D-1] A/B Testing for Mobile Apps: techniques and opportunities](https://img.pdfslide.net/doc/110x75/5595a04a1a28ab0a448b4643/rakuten-techconf2014-d-1-ab-testing-for-mobile-apps-techniques-and-opportunities.jpg)
![[Rakuten TechConf2014] [D-2] The Pattern-Matching-Oriented Programming Language Egison](https://img.pdfslide.net/doc/110x75/5595a0831a28ab05448b4682/rakuten-techconf2014-d-2-the-pattern-matching-oriented-programming-language-egison.jpg)