Scaling Security Testing at the Speed of DevOps presented at BSidesAsheville 2017

by Roger Seagle

Summary: Recent software development trends, namely DevOps, Continuous Integration, Continuous Delivery, and Continuous Deployment, have empowered developers and drastically reduced the DevTest window, forcing teams to adopt highly automated test infrastructures. While the adoption of these trends and automated test frameworks has improved feature delivery and time to market, it has complicated security assessment, producing substantial gaps between the current release and the last security-audited code. Consumers are now being forced to adopt new code releases daily or hourly without substantive security review, especially in the Software as a Service (SaaS) sector. As engineering teams rapidly embrace these development methodologies, the community must evolve its security testing strategies so as to enhance the security posture of products, services, and solutions.
This evolution must address three primary problems elucidated by the aforementioned development trends:

1. Testability: Security requirements should be testable and verifiable.
2. Scalability: Security requirements should be capable of being automated in a best-effort fashion so as to scale effectively.
3. Accessibility: Security tools and results should be easily digestible by software engineers and testers, and new security tools should be accessible to all development and test engineers.
Therefore, we have developed, and are preparing to open source, a new distributed security testing framework called Norad that facilitates security assessment at scale. This framework automates multiple open-source and vendor security tools and aggregates their results for review. It also provides an SDK that promotes the development of community-developed security test content. This talk will explain Norad's design philosophy and architecture and demonstrate its usage.
Authors: Blake Hitchcock, Brian Manifold, Roger Seagle