2. Agenda
• Agile and Security
• Vulnerability management
• Application security testing methodologies
• CI/CD pipeline phases with integrated security checks
• Demo
• Limitations of tools
• Final thoughts
3. Agile and Security
• Agile development and Security
  ◦ Manual testing and compliance checking cannot keep up with the speed of delivery
  ◦ Security teams that try to reduce risk by minimizing change are irrelevant in an Agile world
• Instead of doing security, enable security (DevSecOps)
  ◦ Document techniques
  ◦ Build capability to develop and deploy secure services
  ◦ Build tools and automation
4. Vulnerability management
• Vulnerability scanning and patching
• Some ways of getting vulnerability information:
  ◦ Automated Security Testing (AST) tools
  ◦ Software Component Analysis (SCA) tools
  ◦ Scanning container images
  ◦ Scanning cloud instances (AWS Inspector)
  ◦ Bug reports from partners, users, …
  ◦ ...
• Automate and streamline scanning and run it often, as part of build pipelines
• The information should be consolidated, tracked and reported
• Handle vulnerabilities like any other software defects: "Shift Left" to reduce the cost of defects
8. Limitations of tools
• Automated web vulnerability scans run through a set of well-known attacks and look for well-known vulnerabilities and common mistakes
  ◦ Can't find holes in business logic
  ◦ Some types of vulnerabilities are difficult to detect, such as authentication problems and access control issues
• Understand what you are getting out of the tools and how much you can rely on them
9. Final thoughts
• Tools that require significant effort from developers will end up not being used
  ◦ Long output with irrelevant information
  ◦ Handle false positives
• Do not introduce a new scan to pipelines without setting a baseline first
  ◦ Avoid disruption
  ◦ Roll out incrementally (one aspect at a time, get feedback while iterating)
• Do not stop with the automated security testing
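The "consolidate, track and report" point on the vulnerability management slide and the "set a baseline first" and "handle false positives" points above describe one pipeline gate. Below is an added example (not from the original slides or any specific product) that implements it: findings from a hypothetical scanner are fingerprinted so they can be tracked across runs, findings already in the baseline or on a reviewed-suppression list never block the build, and only new findings at or above a severity threshold fail it. The finding format, the sample findings and the severity scale are assumptions.

```python
"""Baseline-gated scan triage for a build pipeline (added example, hypothetical scanner format)."""
import hashlib

# Assumed severity scale; real tools use their own names and must be mapped onto this.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings, not real scanner output.
SAMPLE_FINDINGS = [
    {"tool": "sca", "rule": "vulnerable-dependency", "component": "lodash@4.17.15", "severity": "high"},
    {"tool": "sast", "rule": "sql-injection", "component": "api/users.py", "severity": "critical"},
    {"tool": "sast", "rule": "weak-hash", "component": "legacy/auth.py", "severity": "medium"},
]


def fingerprint(finding):
    """Stable id for tracking a finding across runs and consolidating tools.
    Line numbers are deliberately excluded so unrelated edits do not produce 'new' findings."""
    key = "|".join([finding["tool"], finding["rule"], finding["component"]])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def record_baseline(findings):
    """Run once when a scan is first added to the pipeline: snapshot the current findings
    as known debt to be tracked and fixed outside the build gate."""
    return sorted({fingerprint(f) for f in findings})


def triage(findings, baseline, suppressions, fail_at="high"):
    """Split findings into new / baselined / suppressed and decide whether the build fails.
    Suppressed = reviewed false positive (kept in the report, never blocking).
    Baselined  = pre-existing finding (reported, tracked, not blocking).
    New        = anything else; blocks the build if severity >= fail_at."""
    threshold = SEVERITY_RANK[fail_at]
    report = {"new": [], "baselined": [], "suppressed": [], "fail": False}
    for f in findings:
        fp = fingerprint(f)
        entry = dict(f, id=fp)
        if fp in suppressions:
            report["suppressed"].append(entry)
        elif fp in baseline:
            report["baselined"].append(entry)
        else:
            report["new"].append(entry)
            if SEVERITY_RANK[f["severity"]] >= threshold:
                report["fail"] = True
    return report


if __name__ == "__main__":
    baseline = set(record_baseline(SAMPLE_FINDINGS[:1]))   # only lodash existed at rollout
    suppressed = {fingerprint(SAMPLE_FINDINGS[2])}         # weak-hash reviewed as a false positive
    result = triage(SAMPLE_FINDINGS, baseline, suppressed)
    print("FAIL" if result["fail"] else "PASS", [f["rule"] for f in result["new"]])
```

The report keeps every finding visible for tracking while the exit decision depends only on the "new" bucket, which is what lets a scan be introduced without disrupting existing pipelines.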