This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP Helsinki DevSecOps Hackathon write-up

From OWASP
Revision as of 09:49, 10 October 2017 by Psillanp (talk | contribs) (Started)

Jump to: navigation, search

Now it's time to tell about the hackathon, where 15 OWASP volunteers from 10 different companies gathered on Wed September 27th to find out how to add security into devops process in real life. This was done as a  DevSecOps mini hackathon. While normally hackathons may last even two full days, this lasted only 12 hours. It was organized at Nixu’s office in the beautiful Keilaniemi area. We had really enthusiastic athmosphere.

Many of the participants already had former experience of the CI tools and docker, while the others had experience some of the security testing tools, which was a nice starting point for the hackathon. At least the organizers who prepared the environment definitely learned a lot while preparing the hackathon setup! It was a great experience! Even if e.g. Docker, Jenkins and the basics of CI were familiar in theory level for most of the participants, it was exciting to dive much deeper into the practical challenges of them!

Goal

Initially, we had prepared a CI setup for OWASP Juice Shop application. Juice Shop is a web application that intentionally contains typical web application vulnerabilities, and has a nice set of unit tests and end-to-end tests. (The project is located here: https://www.owasp.org/index.php/OWASP_Juice_Shop_Project) This project was forked into own repository under owasp-helsinki GitHub group and a Jenkins pipeline was created to build and deploy the Juice Shop as a Docker container.

We had three tracks in the hackathon:

  1. Application security testing
  2. Platform hardening and testing
  3. Vulnerability management

The main goal of the hackathon was to add security to CI pipeline, by using open source tools. The maturity and applicability of these tools for automated use in a CI pipeline was initially unknown. Many of these tools are developed under an OWASP project. Each track was responsible of investigating and configuring the tools relevant to their track, and see how applicable they are.

Setup

AWS infrastructure

We had six Amazon AWS Medium EC2 instances that was accessible from the hackathon Wi-Fi network.

The following diagram describes the setup:

The AWS setup for the hackathon

Every track had two instances. One instance was for running Jenkins pipeline defined in GitHub and running the target Juice Shop Docker image from Docker Hub. The other was for installing the required testing tools. We wanted to keep the jenkins/deployment environment stable and to allow flexible installation for the tools.

We shared owasp-hackathon SSH private key and a proper config file for all participants. Network access to the servers was limited only to the wi-fi network of the hackathon venue. Accesses from all servers to all servers were opened at AWS level both from their private and public IP-addresses, as the traffic was initially blocked. It was also noteworthy to see that even though the servers were opened at the same time, the public IP-addresses were in totally different B-class networks!

CI Pipeline

The pipeline was made using Jenkins Pipelines (JenkinsFile), which contained initially few stages (more info here: https://www.owasp.org/index.php/OWASP_Helsinki_DevSecOps_Hackathon).

Basically the pipeline had initially 5 stages. Stages are the different phases in Jenkins pipeline, that can be considered as "scripts" and measured independently.

Schedule

The event was basically divided into two parts: before-pizza and after-pizza.

12:00 - 12:30 Introduction to environment, tracks & goals

12:30 - 17:00 Track work

17:00 - 17:30 Preparation of track presentations

17:30 - 18:00 Pizza & beverages

18:00 - 18:30 Tracks presents their results and the next steps

19:00 - 21:30 Track work continues

21:30 - 22:00 Preparation of track presentations

22:00 - 22:45 Tracks presents results

22:45 - 23:00 Final wrap-up

After the first section, the tracks gave a presentation of the achievements and their intended next steps. Around 22:30 we started to go through the final achievements and had a quick wrap-up of the results.

Achievements

The following simplified diagram summarizes the achievements of the hackathon. We did not have time to bundle every possible security testing tool to the pipeline, but each track chose the optimal location for each stage for the tools.

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Helsinki_DevSecOps_Hackathon_write-up&oldid=234248"