AppSec in a DevOps World
SHAUN GORDON
NEW RELIC DIRECTOR OF INFORMATION SECURITY & COMPLIANCE
OCTOBER 23, 2013

Wednesday, November 6, 13

Speed vs. Security

Accelerating Development Cycles

Boxed Software: Waterfall, 1 year
Web 1.0: Waterfall, 3 months
Web 2.0: Agile, 4 weeks
DevOps: 2x week
Continuous Deployment (DevOps): daily, then hourly

Traditional (Waterfall) SDLC

Requirements: define functional (features) and non-functional (capabilities) requirements
Design: translate requirements into architecture and detailed design
Development: build it!
Testing: ensure functional and non-functional requirements
Release: ship or push live
Production: maintain and patch as needed

Traditional (Waterfall) SDLC Security

Checkpoints
Controls
Formal Processes

Traditional (Waterfall) SDLC Security: controls by phase

Requirements
• Functional & Non-Functional security requirements
Design
• Architectural Review
• Threat Modeling
Development
• Secure Coding Practices
• Static Analysis
• White Box Testing
Testing
• Dynamic Analysis
• Requirements Testing
Release
• Penetration Testing
• Security Assessment
• Security Sign-Off
Production
• Vulnerability Scanning
• Penetration Testing

Across all phases
• Separation of Duties
• Management Release Sign-Off
• Limits on Production Access

Continuous Deployment Security

Requirements → Strategies & Tactics
Low to No friction (can’t slow us down) → Automation
Transparent → Training & Empowerment
No significant changes to development processes → Lightweight Processes
Make us More Secure → Triage; Quickly Detect & Respond

Continuous Deployment Security

Start from the waterfall control set and collapse the six phases into three:
Requirements + Design → Requirements & Design
Development + Testing + Release → Development, Testing, & Release
Production → Production

Requirements & Design
• Functional & Non-Functional security requirements
• Architectural Review
• Threat Modeling
Development, Testing, & Release
• Secure Coding Practices
• Static Analysis
• White Box Testing
• Dynamic Analysis
• Requirements Testing
• Penetration Testing
• Security Assessment
• Security Sign-Off
Production
• Vulnerability Scanning
• Penetration Testing
Across all phases
• Separation of Duties
• Management Release Sign-Off
• Limits on Production Access

Continuous Deployment Security: Requirements & Design
Functional & Non-Functional security requirements + Architectural Review → Required Security Evaluation
(Threat Modeling stays)

Required Security Evaluation
< 25 Minute Meeting
1. Technical Overview
2. Business Context
3. Developer Concerns

Security Evaluation Outcomes
Low Risk
• Simple Guidance
Higher Risk
• Deep Dive
• Whiteboarding
• Threat Model

Security Evaluation Follow-Up
• Document
• Follow Up

Continuous Deployment Security: Requirements & Design
Threat Modeling → Lightweight, Targeted Threat Modeling

Threat Modeling
Identify your assets and the threats against them
Focus your resources on the greatest risks

Threat Modeling @ New Relic
1. Decompose your Application
2. Identify your Assets
3. Enumerate your Threats
4. Rate & Rank your Threats
5. Address or Accept

Continuous Deployment Security: Development, Testing, & Release
Secure Coding Practices → Secure Coding Practices + Security Libraries & Services

Secure Libraries & Services
Authentication Service
Security Event Logging Service
Input Validation Regex Patterns
Encryption Libraries
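An added example, not part of the talk and not New Relic's code: a shared input-validation pattern library of the kind the "Input Validation Regex Patterns" item points at, written in Ruby because the talk's tooling (Brakeman) targets Rails. The module name InputPatterns, the pattern names, the patterns themselves and every sample value are assumptions made for this illustration. The Ruby-specific point it demonstrates is that ^ and $ match at line boundaries, so a value with an embedded newline can satisfy a ^...$ pattern; a shared library should anchor with \A and \z so every caller gets whole-string matching.

```ruby
# Added example (not from the talk): a shared input-validation pattern
# library. Pattern names, patterns and sample values are constructed.
module InputPatterns
  # In Ruby, ^ and $ anchor to *line* boundaries: "1234\n<anything>"
  # satisfies /^\d+$/ although it is not a plain number. \A and \z anchor
  # to the start and end of the whole string, which is what validation needs.
  WEAK_ACCOUNT_ID   = /^\d{1,12}$/
  STRICT_ACCOUNT_ID = /\A\d{1,12}\z/

  PATTERNS = {
    account_id:     STRICT_ACCOUNT_ID,
    # one DNS label: alphanumerics with interior hyphens, 1-63 characters
    hostname_label: /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i,
    # an opaque key rendered as 32 to 64 hex digits (constructed format)
    api_key:        /\A\h{32,64}\z/,
    # deliberately narrow e-mail shape; full RFC grammar is out of scope here
    email:          /\A[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\z/i,
  }.freeze

  class ValidationError < ArgumentError; end

  # Allow-list check: true only when the entire value matches the named pattern.
  # Non-strings (nil, arrays from crafted query strings) are rejected outright.
  def self.valid?(kind, value)
    pattern = PATTERNS.fetch(kind) { raise ArgumentError, "unknown pattern: #{kind}" }
    value.is_a?(String) && pattern.match?(value)
  end

  # Same check, raising so a caller cannot forget to branch on the result.
  # The rejected value is not echoed into the message, so it never reaches logs.
  def self.validate!(kind, value)
    return value if valid?(kind, value)
    raise ValidationError, "#{kind} rejected"
  end
end
```

Each service then calls InputPatterns.validate!(:account_id, params[:account_id]) instead of writing its own regex, and a fix to a pattern is a one-line change that every consumer picks up on the next deploy.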

Continuous Deployment Security: Development, Testing, & Release
Static Analysis → Automated Static Analysis

Brakeman + Jenkins
brakemanscanner.org
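An added example, not part of the talk and not Brakeman's or Jenkins' own code: a small build gate that reads a Brakeman JSON report and decides whether the Jenkins job should fail. SAMPLE_REPORT is constructed to mirror the shape of Brakeman's JSON output (a "warnings" array whose entries carry warning_type, confidence, fingerprint, file, line and message, plus an "errors" array); the file paths, fingerprints and messages in it are invented, and the gate's rule of "fail on Medium or higher unless the fingerprint is in an accepted baseline" is this example's choice, not a Brakeman default.

```ruby
require 'json'

# Added example (not from the talk): gate a Jenkins build on a Brakeman
# JSON report. SAMPLE_REPORT is constructed in the shape of `brakeman -f json`
# output; paths, fingerprints and messages are made up.
SAMPLE_REPORT = <<~JSON
  {
    "warnings": [
      {"warning_type": "SQL Injection", "check_name": "SQL", "fingerprint": "f1-sqli",
       "confidence": "High", "file": "app/models/account.rb", "line": 42,
       "message": "Possible SQL injection"},
      {"warning_type": "Cross-Site Scripting", "check_name": "CrossSiteScripting",
       "fingerprint": "f2-xss", "confidence": "Medium",
       "file": "app/views/accounts/show.html.erb", "line": 7,
       "message": "Unescaped model attribute"},
      {"warning_type": "Mass Assignment", "check_name": "ModelAttributes",
       "fingerprint": "f3-massassign", "confidence": "Weak",
       "file": "app/models/account.rb", "line": 3,
       "message": "Model attribute accessible via mass assignment"}
    ],
    "errors": []
  }
JSON

CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

# Returns { fail:, blocking:, accepted:, errors: }.
#   min_confidence: lowest confidence level that blocks the build
#   baseline:       fingerprints a reviewer has already accepted (skipped)
# Scanner errors also fail the build: a scan that silently skipped files
# would otherwise give false assurance.
def gate_brakeman(report_json, min_confidence: "Medium", baseline: [])
  report    = JSON.parse(report_json)
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  blocking, accepted = [], []
  report.fetch("warnings", []).each do |w|
    known = baseline.include?(w["fingerprint"])
    if known || CONFIDENCE_RANK.fetch(w["confidence"], 0) < threshold
      accepted << w
    else
      blocking << w
    end
  end
  errors = report.fetch("errors", [])
  { fail: !(blocking.empty? && errors.empty?),
    blocking: blocking, accepted: accepted, errors: errors }
end

# Human-readable console output for the Jenkins log.
def gate_summary(result)
  lines = result[:blocking].map do |w|
    "#{w['confidence'].ljust(6)} #{w['warning_type']} at #{w['file']}:#{w['line']} - #{w['message']}"
  end
  result[:errors].each { |e| lines << "SCAN ERROR #{e['error']}" }
  verdict = result[:fail] ? "FAIL" : "PASS"
  lines << "#{verdict}: #{result[:blocking].size} blocking, " \
           "#{result[:accepted].size} accepted, #{result[:errors].size} scan error(s)"
  lines.join("\n")
end

# Process exit status Jenkins keys on: non-zero marks the build failed.
def gate_exit_status(result)
  result[:fail] ? 1 : 0
end

if __FILE__ == $PROGRAM_NAME
  puts gate_summary(gate_brakeman(SAMPLE_REPORT))
end
```

In the job, run Brakeman with its JSON formatter and an output file (the -f json and -o options), feed that file to gate_brakeman, and exit with gate_exit_status. Brakeman can already exit non-zero on any warning (its -z option); the custom gate adds what the slide's "low to no friction" requirement needs in practice: a confidence threshold and an accepted-fingerprint baseline, so old known warnings do not block every new commit.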

Continuous Deployment Security: Development, Testing, & Release
White Box Testing → Testing Tools & Training
Dynamic Analysis (Testing) + Vulnerability Scanning (Production) → Continuous Scanning in Test, Staging, & Production
Requirements Testing → dropped
Penetration Testing → dropped from Release; it stays in Production

Continuous Deployment Security: Development, Testing, & Release
Security Assessment → Automated Commit Triage

Triage Process
Dangerous Methods
Sensitive Modules
Security Keywords
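An added example, not part of the talk and not New Relic's triage code: an automated commit triage pass built from the three signals the "Triage Process" slide lists. It reads a unified diff, flags touched files that fall under a sensitive-module list, and flags added lines that call a dangerous method or mention a security keyword, producing findings a reviewer can act on. The method list, the sensitive paths, the keyword list and the sample diff are all constructed for this illustration; a real list is tuned to the code base.

```ruby
# Added example (not from the talk): automated commit triage. Rule lists,
# paths and the sample diff below are constructed for illustration.
DANGEROUS_METHODS = %w[eval instance_eval class_eval send public_send constantize
                       system exec spawn html_safe raw find_by_sql execute].freeze
SENSITIVE_MODULES = %w[app/models/user.rb app/controllers/sessions_controller.rb
                       config/initializers/ config/routes.rb lib/auth/].freeze
SECURITY_KEYWORDS = %w[password token secret api_key crypt ssl permission admin].freeze

# Word-bounded method names, or a backtick (shell-out in Ruby).
DANGEROUS_RE = /\b(?:#{DANGEROUS_METHODS.map { |m| Regexp.escape(m) }.join('|')})\b|`/
# Keywords match as substrings (reset_token, encrypt, ...), case-insensitively.
KEYWORD_RE   = /#{SECURITY_KEYWORDS.map { |k| Regexp.escape(k) }.join('|')}/i

# Minimal unified-diff reader: the files touched plus every added line with
# its line number in the new file. Removed lines carry no new-file number.
def parse_diff(diff)
  files, added = [], []
  file, line_no = nil, nil
  diff.each_line do |raw|
    l = raw.chomp
    if l.start_with?("diff ")
      line_no = nil                                   # next file section
    elsif l.start_with?("+++ ")
      file = l.sub(%r{\A\+\+\+ (?:b/)?}, "")
      files << file unless file == "/dev/null"
    elsif (m = l.match(/\A@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/))
      line_no = m[1].to_i                             # hunk start in new file
    elsif line_no.nil? || l.start_with?("-")
      next                                            # header or removed line
    elsif l.start_with?("+")
      added << [file, line_no, l[1..-1]]
      line_no += 1
    else
      line_no += 1                                    # context line
    end
  end
  { files: files, added: added }
end

# One finding per hit: { file:, line:, rule:, detail: }. An empty result
# means the commit flows through without a human security look.
def triage_commit(diff)
  parsed   = parse_diff(diff)
  findings = []
  parsed[:files].each do |f|
    next unless SENSITIVE_MODULES.any? { |m| f.start_with?(m) }
    findings << { file: f, line: nil, rule: :sensitive_module, detail: f }
  end
  parsed[:added].each do |file, line, text|
    if (m = DANGEROUS_RE.match(text))
      findings << { file: file, line: line, rule: :dangerous_method, detail: m[0] }
    end
    if (k = KEYWORD_RE.match(text))
      findings << { file: file, line: line, rule: :security_keyword, detail: k[0] }
    end
  end
  findings
end

def needs_review?(diff)
  !triage_commit(diff).empty?
end

# Constructed commit: one sensitive model, one controller with risky calls,
# one harmless docs change. Single-quoted heredoc: no interpolation.
SAMPLE_DIFF = <<~'DIFF'
  diff --git a/app/models/user.rb b/app/models/user.rb
  --- a/app/models/user.rb
  +++ b/app/models/user.rb
  @@ -10,4 +10,6 @@ class User < ActiveRecord::Base
     validates :email, presence: true
  +  # allow password reset via token
  +  attr_accessor :reset_token
     def name
       "#{first} #{last}"
     end
  diff --git a/app/controllers/reports_controller.rb b/app/controllers/reports_controller.rb
  --- a/app/controllers/reports_controller.rb
  +++ b/app/controllers/reports_controller.rb
  @@ -3,3 +3,4 @@ class ReportsController < ApplicationController
     def show
  -    @report = Report.find(params[:id])
  +    @report = Report.find_by_sql("select * from reports where id = #{params[:id]}")
  +    @title = @report.name.html_safe
     end
  diff --git a/README.md b/README.md
  --- a/README.md
  +++ b/README.md
  @@ -1 +1,2 @@
   # Project
  +Updated docs.
DIFF

if __FILE__ == $PROGRAM_NAME
  triage_commit(SAMPLE_DIFF).each do |f|
    where = f[:line] ? "#{f[:file]}:#{f[:line]}" : f[:file]
    puts "#{f[:rule]}  #{where}  (#{f[:detail]})"
  end
end
```

Run as a post-commit or CI step over the commit's diff, the findings decide whether the change waits for a security reviewer or proceeds; the README-only part of the sample produces nothing, which is the point of triage: most commits get no friction at all.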

Continuous Deployment Security: Development, Testing, & Release
Security Sign-Off → Quick Detection & Recovery

Continuous Deployment Security: across all phases
Separation of Duties → Accountability
Management Release Sign-Off → Sidekick Process

Two Sets of (masked) eyes on every change

Limits on Production Access → Enabling Tools

Continuous Deployment Security: the resulting model

Requirements & Design
• Required Security Evaluation
• Lightweight, Targeted Threat Modeling
Development, Testing, & Release
• Secure Coding Practices
• Security Libraries & Services
• Automated Static Analysis
• Testing Tools & Training
• Continuous Scanning in Test, Staging, & Production
• Automated Commit Triage
• Quick Detection & Recovery
Production
• Penetration Testing
Across all phases
• Accountability
• Sidekick Process
• Enabling Tools

Powered By...
Automation
Training & Empowerment
Lightweight Processes
Triage
Quick Detection & Response

Auditors
Compensating Controls
Tell the Story

Thank You!
shaun@newrelic.com
security@newrelic.com

Image Attribution
Slide 14: Checkpoint Rheinpark by http://www.flickr.com/photos/kecko/3179561892/

FUTURESTACK13: AppSec in a DevOps World from Shaun Gordon, Director of Information Security & Compliance at New Relic

  • 1. AppSec in a DevOps World SHAUN GORDON NEW RELIC DIRECTOR OF INFORMATION SECURITY & COMPLIANCE OCTOBER 23, 2013 Wednesday, November 6, 13
  • 8. Accelerating Development Cycles Boxed Software Waterfall 1 Year Wednesday, November 6, 13
  • 9. Accelerating Development Cycles Web 1.0 3 months Waterfall Wednesday, November 6, 13
  • 10. Accelerating Development Cycles 4 week Wednesday, November 6, 13 Web 2.0 Agile
  • 11. Accelerating Development Cycles 2x week DevOps Wednesday, November 6, 13
  • 13. Accelerating Development Cycles hourly Wednesday, November 6, 13 Continuous Deployment DevOps
  • 14. Accelerating Development Cycles hourly Wednesday, November 6, 13 Continuous Deployment DevOps
  • 15. Accelerating Development Cycles 3 months Waterfall Agile 4 week Wednesday, November 6, 13
  • 16. Accelerating Development Cycles 3 months Waterfall Agile 4 week Wednesday, November 6, 13
  • 17. Accelerating Development Cycles daily hourly Wednesday, November 6, 13 Continuous Deployment DevOps
  • 18. Traditional (Waterfall) SDLC Requirements Wednesday, November 6, 13 Design Development Tes2ng Release Produc2on
  • 19. Traditional (Waterfall) SDLC Requirements Design Development Tes2ng Release Define functional (features) and nonfunctional requirements (capabilities) Wednesday, November 6, 13 Produc2on
  • 20. Traditional (Waterfall) SDLC Requirements Design Development Tes2ng Release Translate requirements into architecture and detailed design Wednesday, November 6, 13 Produc2on
  • 21. Traditional (Waterfall) SDLC Requirements Design Development Tes2ng Build it! Wednesday, November 6, 13 Release Produc2on
  • 22. Traditional (Waterfall) SDLC Requirements Design Development Tes2ng Release Produc2on Ensure functional and non-functional requirements Wednesday, November 6, 13
  • 23. Traditional (Waterfall) SDLC Requirements Design Development Tes2ng Ship or push live Wednesday, November 6, 13 Release Produc2on
  • 24. Traditional (Waterfall) SDLC Requirements Design Development Tes2ng Release Maintain and patch as needed Wednesday, November 6, 13 Produc2on
  • 25. Traditional (Waterfall) SDLC Security Wednesday, November 6, 13
  • 26. Checkpoints Controls Formal Processes Traditional (Waterfall) SDLC Security Wednesday, November 6, 13
  • 27. Traditional (Waterfall) SDLC Security Requirements • Functional & Non-Functional security requirement Wednesday, November 6, 13 Design • • Architectural Review Threat Modeling Development • • • Secure Coding Practices Static Analysis White Box Testing Testing • • Dynamic Analysis Requirements Testing Release • • • Penetration Testing Security Assessment Security SignOff Production • • Vulnerability Scanning Penetration Testing
  • 28. Traditional (Waterfall) SDLC Security Requirements • Functional & Non-Functional security requirement Wednesday, November 6, 13 Design • • Architectural Review Threat Modeling Development • • • Secure Coding Practices Static Analysis White Box Testing Testing • • Dynamic Analysis Requirements Testing Release • • • Penetration Testing Security Assessment Security SignOff Production • • Vulnerability Scanning Penetration Testing
  • 29. Traditional (Waterfall) SDLC Security Requirements • Functional & Non-Functional security requirement Wednesday, November 6, 13 Design • • Architectural Review Threat Modeling Development • • • Secure Coding Practices Static Analysis White Box Testing Testing • • Dynamic Analysis Requirements Testing Release • • • Penetration Testing Security Assessment Security SignOff Production • • Vulnerability Scanning Penetration Testing
  • 30. Traditional (Waterfall) SDLC Security Requirements • Functional & Non-Functional security requirement Wednesday, November 6, 13 Design • • Architectural Review Threat Modeling Development • • • Secure Coding Practices Static Analysis White Box Testing Testing • • Dynamic Analysis Requirements Testing Release • • • Penetration Testing Security Assessment Security SignOff Production • • Vulnerability Scanning Penetration Testing
  • 31. Traditional (Waterfall) SDLC Security Requirements • Functional & Non-Functional security requirement Wednesday, November 6, 13 Design • • Architectural Review Threat Modeling Development • • • Secure Coding Practices Static Analysis White Box Testing Testing • • Dynamic Analysis Requirements Testing Release • • • Penetration Testing Security Assessment Security SignOff Production • • Vulnerability Scanning Penetration Testing
  • 32. Traditional (Waterfall) SDLC Security Requirements • Functional & Non-Functional security requirement Wednesday, November 6, 13 Design • • Architectural Review Threat Modeling Development • • • Secure Coding Practices Static Analysis White Box Testing Testing • • Dynamic Analysis Requirements Testing Release • • • Penetration Testing Security Assessment Security SignOff Production • • Vulnerability Scanning Penetration Testing
  • 33. Traditional (Waterfall) SDLC Security Requirements • Functional & Non-Functional security requirement Wednesday, November 6, 13 Design • • Architectural Review Threat Modeling Development • • • Secure Coding Practices Static Analysis White Box Testing Testing • • Dynamic Analysis Requirements Testing Release • • • Penetration Testing Security Assessment Security SignOff Production • • Vulnerability Scanning Penetration Testing
  • 34. Traditional (Waterfall) SDLC Security Requirements • Functional & Non-Functional security requirement Wednesday, November 6, 13 Design • • Architectural Review Threat Modeling Development • • • Secure Coding Practices Static Analysis White Box Testing Testing • • Dynamic Analysis Requirements Testing Release • • • Penetration Testing Security Assessment Security SignOff Production • • Vulnerability Scanning Penetration Testing
  • 35. Traditional (Waterfall) SDLC Security Requirements • Functional & Non-Functional security requirement Wednesday, November 6, 13 Design • • Architectural Review Threat Modeling Development • • • Secure Coding Practices Static Analysis White Box Testing Testing • • Dynamic Analysis Requirements Testing Release • • • Penetration Testing Security Assessment Security SignOff Production • • Vulnerability Scanning Penetration Testing
  • 36. Traditional (Waterfall) SDLC Security Requirements • Functional & Non-Functional security requirement Wednesday, November 6, 13 Design • • Architectural Review Threat Modeling Development • • • Secure Coding Practices Static Analysis White Box Testing Testing • • Dynamic Analysis Requirements Testing Release • • • Penetration Testing Security Assessment Security SignOff Production • • Vulnerability Scanning Penetration Testing
  • 37. Traditional (Waterfall) SDLC Security Requirements • Functional & Non-Functional security requirement Wednesday, November 6, 13 Design • • Architectural Review Threat Modeling Development • • • Secure Coding Practices Static Analysis White Box Testing Testing • • Dynamic Analysis Requirements Testing Release • • • Penetration Testing Security Assessment Security SignOff Production • • Vulnerability Scanning Penetration Testing
  • 38. Traditional (Waterfall) SDLC Security Requirements • Functional & Non-Functional security requirement Wednesday, November 6, 13 Design • • Architectural Review Threat Modeling Development • • • Secure Coding Practices Static Analysis White Box Testing Testing • • Dynamic Analysis Requirements Testing Release • • • Penetration Testing Security Assessment Security SignOff Production • • Vulnerability Scanning Penetration Testing
  • 39. Traditional (Waterfall) SDLC Security Requirements • Functional & Non-Functional security requirement Wednesday, November 6, 13 Design • • Architectural Review Threat Modeling Development • • • Secure Coding Practices Static Analysis White Box Testing Testing • • Dynamic Analysis Requirements Testing Release • • • Penetration Testing Security Assessment Security SignOff Production • • Vulnerability Scanning Penetration Testing
  • 40. Traditional (Waterfall) SDLC Security Requirements • Functional & Non-Functional security requirement Wednesday, November 6, 13 Design • • Architectural Review Threat Modeling Development • • • Secure Coding Practices Static Analysis White Box Testing Testing • • Dynamic Analysis Requirements Testing Release • • • Penetration Testing Security Assessment Security SignOff Production • • Vulnerability Scanning Penetration Testing
  • 41. Traditional (Waterfall) SDLC Security Requirements • Functional & Non-Functional security requirement Wednesday, November 6, 13 Design • • Architectural Review Threat Modeling Development • • • Secure Coding Practices Static Analysis White Box Testing Testing • • Dynamic Analysis Requirements Testing Release • • • Penetration Testing Security Assessment Security SignOff Production • • Vulnerability Scanning Penetration Testing
  • 42. Traditional (Waterfall) SDLC Security Requirements • Functional & Non-Functional security requirement Design • • Architectural Review Threat Modeling Development • • • Secure Coding Practices Static Analysis White Box Testing Testing • • • Separation Dynamic Analysis Requirements Testing Release • • • Penetration Testing Security Assessment Security SignOff of Duties • Management Release Sign-Off • Limits on Production Access Wednesday, November 6, 13 Production • • Vulnerability Scanning Penetration Testing
  • 43. Traditional (Waterfall) SDLC Security Requirements • Functional & Non-Functional security requirement Design • • Architectural Review Threat Modeling Development • • • Secure Coding Practices Static Analysis White Box Testing Testing • • • Separation Dynamic Analysis Requirements Testing Release • • • Penetration Testing Security Assessment Security SignOff of Duties • Management Release Sign-Off • Limits on Production Access Wednesday, November 6, 13 Production • • Vulnerability Scanning Penetration Testing
  • 44. Traditional (Waterfall) SDLC Security Requirements • Functional & Non-Functional security requirement Design • • Architectural Review Threat Modeling Development • • • Secure Coding Practices Static Analysis White Box Testing Testing • • • Separation Dynamic Analysis Requirements Testing Release • • • Penetration Testing Security Assessment Security SignOff of Duties • Management Release Sign-Off • Limits on Production Access Wednesday, November 6, 13 Production • • Vulnerability Scanning Penetration Testing
  • 46. Continuous Deployment Security Requirements Low to No friction (can’t slow us down) Transparent No significant changes to development processes Make us More Secure Wednesday, November 6, 13
  • 47. Continuous Deployment Security Requirements Strategies & Tactics Low to No friction (can’t slow us down) Automation Transparent Training & Empowerment No significant changes to development processes Lightweight Processes Make us More Secure Triage Quickly Detect & Respond Wednesday, November 6, 13
  • 48. Traditional (Waterfall) SDLC Security Requirements • Functional & Non-Functional security requirement Design • Architectural • Review Threat Modeling Development • Secure Coding • • Practices Static Analysis White Box Testing Testing • Dynamic • • Separation Analysis Requirements Testing Release • Penetration • • Testing Security Assessment Security SignOff of Duties • Management Release Sign-Off • Limits on Production Access Wednesday, November 6, 13 Production • Vulnerability • Scanning Penetration Testing
  • 49. Continuous Deployment Security Requirements • Functional & Non-Functional security requirement Design • Architectural • Review Threat Modeling Development • Secure Coding • • Practices Static Analysis White Box Testing Testing • Dynamic • • Separation Analysis Requirements Testing Release • Penetration • • Testing Security Assessment Security SignOff of Duties • Management Release Sign-Off • Limits on Production Access Wednesday, November 6, 13 Production • Vulnerability • Scanning Penetration Testing
  • 50. Continuous Deployment Security Requirements • Functional & Non-Functional security requirement Design • Architectural • Review Threat Modeling Development • Secure Coding • • Practices Static Analysis White Box Testing Testing • Dynamic • • Separation Analysis Requirements Testing Release • Penetration • • Testing Security Assessment Security SignOff of Duties • Management Release Sign-Off • Limits on Production Access Wednesday, November 6, 13 Production • Vulnerability • Scanning Penetration Testing
• 51. Continuous Deployment Security
  Requirements & Design: Functional & Non-Functional Security Requirements; Architectural Review; Threat Modeling
  Development, Testing, & Release: Secure Coding Practices; Static Analysis; White Box Testing; Dynamic Analysis; Requirements Testing; Penetration Testing; Security Assessment; Security Sign-Off; Separation of Duties; Management Release Sign-Off; Limits on Production Access
  Production: Vulnerability Scanning; Penetration Testing
• 54. Continuous Deployment Security
  Requirements & Design: Required Security Evaluation; Threat Modeling
  Development, Testing, & Release: Secure Coding Practices; Static Analysis; White Box Testing; Dynamic Analysis; Requirements Testing; Penetration Testing; Security Assessment; Security Sign-Off; Separation of Duties; Management Release Sign-Off; Limits on Production Access
  Production: Vulnerability Scanning; Penetration Testing
• 55. Required Security Evaluation
  A meeting of less than 25 minutes covering:
  1. Technical Overview
  2. Business Context
  3. Developer Concerns
• 57. Security Evaluation Outcomes
  • Low Risk: Simple Guidance
• 58. Security Evaluation Outcomes
  • Higher Risk: Deep Dive; Whiteboarding; Threat Model
• 60. Security Evaluation Follow-Up
  • Document
  • Follow Up
• 62. Continuous Deployment Security
  Requirements & Design: Required Security Evaluation; Lightweight Targeted Threat Modeling
  Development, Testing, & Release: Secure Coding Practices; Static Analysis; White Box Testing; Dynamic Analysis; Requirements Testing; Penetration Testing; Security Assessment; Security Sign-Off; Separation of Duties; Management Release Sign-Off; Limits on Production Access
  Production: Vulnerability Scanning; Penetration Testing
• 64. Threat Modeling
  Identify your assets and the threats against them
• 65. Threat Modeling
  Identify your assets and the threats against them
  Focus your resources on the greatest risks
• 66. Threat Modeling @ New Relic
  1. Decompose your Application
  2. Identify your Assets
  3. Enumerate your Threats
  4. Rate & Rank your Threats
  5. Address or Accept
• 73. Continuous Deployment Security
  Requirements & Design: Required Security Evaluation; Lightweight Targeted Threat Modeling
  Development, Testing, & Release: Secure Coding Practices; Security Libraries & Services; Static Analysis; White Box Testing; Dynamic Analysis; Requirements Testing; Penetration Testing; Security Assessment; Security Sign-Off; Separation of Duties; Management Release Sign-Off; Limits on Production Access
  Production: Vulnerability Scanning; Penetration Testing
• 74. Secure Libraries & Services
  • Authentication Service
  • Security Event Logging Service
  • Input Validation Regex Patterns
  • Encryption Libraries
• 76. Continuous Deployment Security
  Requirements & Design: Required Security Evaluation; Lightweight Targeted Threat Modeling
  Development, Testing, & Release: Secure Coding Practices; Security Libraries & Services; Automated Static Analysis; White Box Testing; Dynamic Analysis; Requirements Testing; Penetration Testing; Security Assessment; Security Sign-Off; Separation of Duties; Management Release Sign-Off; Limits on Production Access
  Production: Vulnerability Scanning; Penetration Testing
• 79. Continuous Deployment Security
  Requirements & Design: Required Security Evaluation; Lightweight Targeted Threat Modeling
  Development, Testing, & Release: Secure Coding Practices; Security Libraries & Services; Automated Static Analysis; Testing Tools & Training; Dynamic Analysis; Requirements Testing; Penetration Testing; Security Assessment; Security Sign-Off; Separation of Duties; Management Release Sign-Off; Limits on Production Access
  Production: Vulnerability Scanning; Penetration Testing
• 82. Continuous Deployment Security
  Requirements & Design: Required Security Evaluation; Lightweight Targeted Threat Modeling
  Development, Testing, & Release: Secure Coding Practices; Security Libraries & Services; Automated Static Analysis; Testing Tools & Training; Continuous Scanning in Test, Staging, & Production; Requirements Testing; Penetration Testing; Security Assessment; Security Sign-Off; Separation of Duties; Management Release Sign-Off; Limits on Production Access
  Production: Penetration Testing
• 84. Continuous Deployment Security
  Requirements & Design: Required Security Evaluation; Lightweight Targeted Threat Modeling
  Development, Testing, & Release: Secure Coding Practices; Security Libraries & Services; Automated Static Analysis; Testing Tools & Training; Continuous Scanning in Test, Staging, & Production; Penetration Testing; Security Assessment; Security Sign-Off; Separation of Duties; Management Release Sign-Off; Limits on Production Access
  Production: Penetration Testing
• 86. Continuous Deployment Security
  Requirements & Design: Required Security Evaluation; Lightweight Targeted Threat Modeling
  Development, Testing, & Release: Secure Coding Practices; Security Libraries & Services; Automated Static Analysis; Testing Tools & Training; Continuous Scanning in Test, Staging, & Production; Security Assessment; Security Sign-Off; Separation of Duties; Management Release Sign-Off; Limits on Production Access
  Production: Penetration Testing
• 88. Continuous Deployment Security
  Requirements & Design: Required Security Evaluation; Lightweight Targeted Threat Modeling
  Development, Testing, & Release: Secure Coding Practices; Security Libraries & Services; Automated Static Analysis; Testing Tools & Training; Continuous Scanning in Test, Staging, & Production; Automated Commit Triage; Security Sign-Off; Separation of Duties; Management Release Sign-Off; Limits on Production Access
  Production: Penetration Testing
• 89. Triage Process
  • Dangerous Methods
  • Sensitive Modules
  • Security Keywords
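The three triage signals on this slide, as an added Python example that is not part of the deck: it scans a commit message and its unified diff for dangerous methods, sensitive module paths and security keywords, and returns the reasons the commit should be routed to a human security reviewer instead of auto-passing. The rule lists, file paths and sample diffs are constructed assumptions for illustration, not New Relic's actual lists or commits.

```python
import re

# Constructed rule sets (assumptions, not New Relic's lists); tune to your own code base.
DANGEROUS_METHODS = ["eval", "instance_eval", "class_eval", "send", "public_send",
                     "system", "exec", "constantize", "html_safe", "Marshal.load"]
SENSITIVE_MODULES = ("app/controllers/sessions", "app/models/user",
                     "lib/auth/", "lib/crypto/", "config/")
SECURITY_KEYWORDS = ["password", "secret", "token", "api_key", "permission", "role", "csrf", "encrypt"]

METHOD_RE = re.compile(r"\b(" + "|".join(map(re.escape, DANGEROUS_METHODS)) + r")\b")
KEYWORD_RE = re.compile(r"\b(" + "|".join(SECURITY_KEYWORDS) + r")", re.IGNORECASE)
NEW_FILE_RE = re.compile(r"^\+\+\+ b/(.+)$")  # unified-diff header naming the changed file


def triage_commit(message: str, diff: str) -> list:
    """Return the reasons a commit needs human security review (empty list = auto-pass)."""
    reasons = []
    hit = KEYWORD_RE.search(message)
    if hit:
        reasons.append(f"message mentions security keyword {hit.group(1)}")
    current = None
    for line in diff.splitlines():
        header = NEW_FILE_RE.match(line)
        if header:
            current = header.group(1)
            if current.startswith(SENSITIVE_MODULES):
                reasons.append(f"touches sensitive module {current}")
            continue
        # Only added lines introduce new risk; context, removals and hunk headers are skipped.
        if not line.startswith("+"):
            continue
        added = line[1:]
        hit = METHOD_RE.search(added)
        if hit:
            reasons.append(f"{current}: adds dangerous method {hit.group(1)}")
        hit = KEYWORD_RE.search(added)
        if hit:
            reasons.append(f"{current}: mentions security keyword {hit.group(1)}")
    return reasons


# Constructed sample diffs, not real commits.
SENSITIVE_DIFF = """\
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -10,6 +10,8 @@ class SessionsController < ApplicationController
     user = User.find_by(email: params[:email])
+    session[:token] = user.reset_token if user
+    user.send(params[:callback]) if user
"""
BENIGN_DIFF = """\
--- a/app/views/layouts/footer.html.erb
+++ b/app/views/layouts/footer.html.erb
@@ -1,3 +1,3 @@
-  <p>Copyright 2012</p>
+  <p>Copyright 2013</p>
"""
```

Run on the two sample diffs, the sessions-controller change yields three reasons (sensitive module, keyword, dangerous method) and the footer change yields none.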
• 91. Continuous Deployment Security
  Requirements & Design: Required Security Evaluation; Lightweight Targeted Threat Modeling
  Development, Testing, & Release: Secure Coding Practices; Security Libraries & Services; Automated Static Analysis; Testing Tools & Training; Continuous Scanning in Test, Staging, & Production; Automated Commit Triage; Quick Detection & Recovery; Separation of Duties; Management Release Sign-Off; Limits on Production Access
  Production: Penetration Testing
• 93. Continuous Deployment Security
  Requirements & Design: Required Security Evaluation; Lightweight Targeted Threat Modeling
  Development, Testing, & Release: Secure Coding Practices; Security Libraries & Services; Automated Static Analysis; Testing Tools & Training; Continuous Scanning in Test, Staging, & Production; Automated Commit Triage; Quick Detection & Recovery; Accountability; Management Release Sign-Off; Limits on Production Access
  Production: Penetration Testing
• 95. Continuous Deployment Security
  Requirements & Design: Required Security Evaluation; Lightweight Targeted Threat Modeling
  Development, Testing, & Release: Secure Coding Practices; Security Libraries & Services; Automated Static Analysis; Testing Tools & Training; Continuous Scanning in Test, Staging, & Production; Automated Commit Triage; Quick Detection & Recovery; Accountability; Sidekick Process; Limits on Production Access
  Production: Penetration Testing
• 99. Two sets of (masked) eyes on every change
• 101. Continuous Deployment Security
  Requirements & Design: Required Security Evaluation; Lightweight Targeted Threat Modeling
  Development, Testing, & Release: Secure Coding Practices; Security Libraries & Services; Automated Static Analysis; Testing Tools & Training; Continuous Scanning in Test, Staging, & Production; Automated Commit Triage; Quick Detection & Recovery; Accountability; Sidekick Process; Enabling Tools
  Production: Penetration Testing
• 105. Powered By...
  • Automation
  • Training & Empowerment
  • Lightweight Processes
  • Triage
  • Quick Detection & Response
• 108. Auditors
  • Compensating Controls
  • Tell the Story
• 111. Image Attribution
  Slide 14: Checkpoint Rheinpark by http://www.flickr.com/photos/kecko/3179561892/