Test Driven Security in the DevOps pipeline - AppSecUSA 2017

1. ZAP (OWASP Zed Attack Proxy) baseline scan

docker pull owasp/zap2docker-weekly
docker run -t owasp/zap2docker-weekly zap-baseline.py -t https://bugzilla.mozilla.org


NIN: Bandit is a tool designed to find common security issues in Python code.

Ref: openstack/bandit: GitHub

$ bandit -r ~/src/github.com/Kinto/Kinto
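
In a pipeline the scan is only useful if it fails the build on what matters. The following is an added example for these notes, not part of Bandit or Kinto: it reads the report written by `bandit -r <path> -f json -o bandit.json` and returns the findings that should block, using a severity/confidence threshold plus an allowlist of test ids. The sample report embedded below is constructed for illustration; the field names (`results`, `issue_severity`, `issue_confidence`, `test_id`, `filename`, `line_number`, `issue_text`) are the ones Bandit emits.

```python
"""Gate a CI job on Bandit's JSON report (added example, not Bandit's code)."""
import json
import sys

LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample report in the shape of `bandit -f json` output.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "filename": "kinto/core/utils.py", "line_number": 42,
         "issue_text": "subprocess call with shell=True identified, security issue."},
        {"test_id": "B101", "issue_severity": "LOW", "issue_confidence": "HIGH",
         "filename": "kinto/tests/test_views.py", "line_number": 7,
         "issue_text": "Use of assert detected."},
        {"test_id": "B311", "issue_severity": "LOW", "issue_confidence": "HIGH",
         "filename": "kinto/core/storage/id.py", "line_number": 12,
         "issue_text": "Standard pseudo-random generators are not suitable "
                       "for security/cryptographic purposes."},
    ],
})


def blocking_findings(report_json, min_severity="MEDIUM", min_confidence="MEDIUM",
                      allowlist=()):
    """Return the findings that should fail the build.

    A finding blocks when both its severity and its confidence reach the
    thresholds and its test id is not allowlisted. Allowlisting by test id
    is coarse and project-wide; Bandit's own `# nosec` marker is the
    per-line mechanism for accepted findings.
    """
    report = json.loads(report_json)
    blocking = []
    for finding in report.get("results", []):
        if finding["test_id"] in allowlist:
            continue
        severe = LEVELS[finding["issue_severity"]] >= LEVELS[min_severity]
        confident = LEVELS[finding["issue_confidence"]] >= LEVELS[min_confidence]
        if severe and confident:
            blocking.append(finding)
    return blocking


def format_finding(finding):
    """One-line, grep-friendly rendering for the CI log."""
    return "%s:%d [%s/%s] %s %s" % (
        finding["filename"], finding["line_number"],
        finding["issue_severity"], finding["issue_confidence"],
        finding["test_id"], finding["issue_text"])


def main(argv):
    # Usage: python bandit_gate.py bandit.json  (no argument: use the sample)
    data = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    blocking = blocking_findings(data)
    for finding in blocking:
        print(format_finding(finding))
    # Non-zero exit is what makes the pipeline stage red.
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the defaults only the B602 finding blocks; the two LOW findings are reported by Bandit but do not fail the stage, which is the usual compromise between a noisy gate that gets disabled and one that never fires.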

Security Group Testing for AWS

NIN: This is a prototype to assert the content of security groups between AWS components. It only supports ELB, EC2 and RDS at the moment. Doesn't do any egress inspection and doesn't flag overly open groups. Basically, it's not ready for production, I'm just toying with the concept.

Ref: jvehent/pineapple

$ go get github.com/jvehent/pineapple
$ pineapple -c example/invoicer.yaml
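
To make the idea concrete, here is an added example of asserting security-group wiring the way pineapple prototypes it. It is not pineapple's code and does not use its YAML format. The components, security groups and rules are constructed in the shape of an `ec2.describe_security_groups()` response (`GroupId`, `IpPermissions` with `IpProtocol`, `FromPort`, `ToPort`, `UserIdGroupPairs`, `IpRanges`) so the check runs offline; in a pipeline the same structures would come from boto3. It goes one step beyond the prototype by also flagging ingress from 0.0.0.0/0 on any tier other than the load balancer.

```python
"""Assert ELB -> EC2 -> RDS security-group wiring (added example, not pineapple)."""

# Constructed: the security group each component of the application uses.
COMPONENTS = {
    "elb": "sg-elb0001",
    "ec2": "sg-ec20002",
    "rds": "sg-rds0003",
}

# Constructed security groups in ec2.describe_security_groups() shape.
SECURITY_GROUPS = [
    {"GroupId": "sg-elb0001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-ec20002", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-elb0001"}]},
        # Planted misconfiguration for the demo: SSH open to the Internet.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-rds0003", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-ec20002"}]},
    ]},
]

# Expected wiring as (source component, destination component, TCP port).
EXPECTED_FLOWS = [
    ("elb", "ec2", 80),
    ("ec2", "rds", 5432),
]
# Only these tiers may accept traffic from anywhere.
INTERNET_FACING = {"elb"}


def _rule_allows_from_group(rule, port, source_sg):
    """True if an ingress rule admits `port` from security group `source_sg`."""
    if rule["IpProtocol"] not in ("tcp", "-1"):
        return False
    # IpProtocol "-1" (all traffic) carries no port range.
    if rule["IpProtocol"] == "tcp" and not (rule["FromPort"] <= port <= rule["ToPort"]):
        return False
    return any(pair["GroupId"] == source_sg for pair in rule["UserIdGroupPairs"])


def check_security_groups(components, groups, expected_flows, internet_facing):
    """Return a list of violation strings; an empty list means the wiring matches."""
    by_id = {g["GroupId"]: g for g in groups}
    violations = []

    # 1. Every expected flow must be admitted by a rule that names the
    #    source component's security group (not a CIDR).
    for src, dst, port in expected_flows:
        rules = by_id[components[dst]]["IpPermissions"]
        if not any(_rule_allows_from_group(r, port, components[src]) for r in rules):
            violations.append("%s -> %s:%d is not allowed" % (src, dst, port))

    # 2. Nothing except the public tier may accept traffic from 0.0.0.0/0.
    for name, sg_id in components.items():
        if name in internet_facing:
            continue
        for rule in by_id[sg_id]["IpPermissions"]:
            if any(ip["CidrIp"] == "0.0.0.0/0" for ip in rule["IpRanges"]):
                violations.append("%s (%s) accepts %s/%s-%s from 0.0.0.0/0" % (
                    name, sg_id, rule["IpProtocol"],
                    rule.get("FromPort"), rule.get("ToPort")))
    return violations


if __name__ == "__main__":
    import sys
    found = check_security_groups(COMPONENTS, SECURITY_GROUPS, EXPECTED_FLOWS, INTERNET_FACING)
    for v in found:
        print(v)
    sys.exit(1 if found else 0)
```

Run against the constructed data, both expected flows pass and the only violation is the planted SSH rule on the EC2 group. Deleting the port-80 rule from `sg-ec20002` produces the second kind of failure, "elb -> ec2:80 is not allowed", which is the regression a deployment pipeline should catch before the change is applied.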

TLS Quality

Ref: mozilla/tls-observatory: GitHub

$ go get github.com/mozilla/tls-observatory/tlsobs
$ tlsobs -targetlevel intermediate addons.mozilla.org

# or via docker
$ docker pull mozilla/tls-observatory
$ docker run -it mozilla/tls-observatory tlsobs accounts.firefox.com

