Join us for the June 2015 OWASP San Antonio meeting. We will be having a talk about Continuous Integration and Continuous Deployment (CI/CD) of OpenStack.
Speaker: Michael Xin
Michael Xin is working as a manager of security engineering in Rackspace. Before that, he worked as a senior application security engineer in Scottrade Inc. Michael is interested in web application / web service / API security, mobile application security and cloud security. Michael has years of experience with application security assessment, security code review and security SDLC.
Title: OpenStack Security CI/CD Way
As OpenStack becomes popular, Continuous Integration and Continuous Deployment (CI/CD) of OpenStack is gaining attention. Customers need the ability to deploy multiple times every day to meet their business needs. This is a huge challenge to application security. Traditional web application security testing and API security testing are manual processes aided by various tools. The tests are time consuming and lack consistence. It is almost impossible to embed these types of security testing into CI/CD process.
In Rackspace, security engineering team is working with quality engineers and developers to integrate security testing into CI/CD process. Security engineering team uses the same framework/tool that quality engineer use to ease integration. Currently we are focusing on API security testing automation and web application security testing. We are working on a couple of approaches to integrate security-testing cases with QE testing framework. The security test cases cover necessary security checks including common security vulnerability checks and some product specific checks. These security test cases can be run by anyone from the team. They can also be invoked as Jenkins jobs as part of integration test. The failed security test cases indicate some types of security defects and need to be remediated.
The security testing automation improves the consistency, repeatability and auditability of our security testing process. Security testing within CI/CD process can detect security defect in early stage and reduce remediation costs.
Denim Group Offices: 1354 N Loop 1604 E Suite 110, San Antonio, TX 78232