In August we were able to have another successful and exciting Meetup with you once again. We were really happy to see that so many of you came and we hope you enjoyed our Meetup as much as we did! This time our Meetup was under the stars of “DevOps” and “Security Tests”.
DevOps has been on everyone’s lips in the IT world for a long time now. The reason why is simple – The things developers, testers, security testers, admins and co. used to work out manually in an elaborate process chain is now done by developers with the help of powerful tools and automatisms. They develop, test and deploy themselves: Programming & Operation in one, DevOps for short.
In addition, there is another step that can be performed in the course of testing: The security testing or so-called penetration tests.
Testing the security is an important step before a software is released. Because nobody wants to put a software into production that has security gaps and is therefore potentially vulnerable. However, even renowned security experts find it difficult to manually test software for known vulnerabilities. That’s why a whole range of automated tools are now available. The possibility of automating security testing is an extremely exciting topic for IT, a topic to which Kevin, who is currently doing his doctorate at the Institute for Internet Security, gave us a detailed introduction.
Well, security testing… This subject should be a given step in software development today, shouldn’t it? It should be, yes. But it is not always! That is because the comprehensive testing of security and vulnerability of a software is not that simple. Especially in the web area there is a mass of exploits (known security gaps) that should be intercepted. Therefore, tools which can execute automated tests are required in order to automatically detect security gaps. This merges the areas of security and development. Kevin introduced us to various open source and proprietary tools that can help with that, including OWASP Dependency Check, OWASP ZAP, FindBugs, Docker, Testcontainer and Gitlab.
The tools can be used to automatically check for common vulnerabilities at no costs tot he developers. All they have to do is to integrate the tools into the build pipeline. Then developers have to respond to any vulnerabilities found and decide whether to neglect or to fix any identified security gabs before the software goes live. The tools provide immediate, detailed solutions for the issues identified, so the developer can get to fixing the gabs right away.
But it’s not that simple…
Using an automatic tool does not immediately solve all problems. On the one hand, only simpler bugs, the “low-hanging fruits”, are sufficiently detected. However, more difficult bugs are not necessarily found. An ITS expert, who should be integrated into the teams, has to deal with these manually. On the other hand, the tools themselves can also cause new problems! After all, in addition to actual security gabs the tools also discover false positives, gaps that have been falsely identified. During the introduction of such tools false positives occur frequently. Obsolete dependencies, differing conditions or naming problems are enough to cause such false positives.
The penetration tests can simulate a whole number of attacks, but to do so, they sometimes run for up to an hour. Kevin showed us live how to find gaps in an application. In a small demo, he detected various security gaps in a self-made web book catalog and impressively demonstrated what an attack, in this case an SQL injection, can do. Kevin also told us about the top 10 security vulnerabilities of the Open Web Application Security Project (OWASP), which provides an online overview of the most common security vulnerabilities. Especially attacks through these gabs can be devastating for the application, particularly in the browser.
More options for security testing are therefore an absolute must for the IT world!
Being able to offer these automated on a larger scale with DevOps pipelines and perhaps even inside of the containers means an exciting prospect for our IT future, in which developers can sleep more peacefully.