SlideShare uma empresa Scribd logo

Securing your Software Delivery Pipelines with a slight shift to the left.

Melissa Kaulfuss
Melissa Kaulfuss

Securing our applications and data has never been more topical. We've recently seen many high profile data breaches, numerous critical vulnerabilities and frantic teams left scrambling to mitigate the damage to their users and ultimately their company's brand. Our automated software delivery pipelines mean we can ship our code fast and without friction, but with multitudes of micro-services to manage, and their countless dependencies, the attack surfaces are increasingly vast and difficult to manage. This talk covers some of the approaches you can use to identify and mitigate security risk and maximise your team's ability to respond! By 'shifting security left' and leaning on automation you'll reduce your chances of becoming a media headline and be well on the way to being able to react swiftly when the next big CVE happens.

Tecnologia
1 de 74
Baixar para ler offline
Securing your delivery pipelines with a slight shift to the left
I’m OK at Computers.
Can you imagine…
We should do better. We can do better.
Supply Chain Levels for Software Artefacts (SLSA) A framework designed to help organisations improve the integrity of their software supply chains.
Developer Burnout Recommendations Performance
The Secure Software Development Framework (SSDF) is a set of fundamental, sound, and secure software development practices based on established secure software development practice documents from organizations such as BSA, OWASP, and SAFECode. Few software development life cycle (SDLC) models explicitly address software security in detail, so practices like those in the SSDF need to be added to and integrated with each SDLC implementation.
The SSDF outlines solid practices for embedding secure software development practices in the delivery lifecycle, that don’t just identify threats but actually address them. Source: https://csrc.nist.gov/Projects/ssdf
33% of respondents described their security strategy as having a mix of prevention and detection. Source: Left and Right of Boom in Cybersecurity ,Elastic, 2022 82% said they plan to implement, are implementing or have implemented.
33% of respondents described their security strategy as having a mix of prevention and detection. Source: Left and Right of Boom in Cybersecurity ,Elastic, 2022 82% said they plan to implement, are implementing or have implemented.
The road to hell is paved with good intentions.
“would pursue laws to establish liability for software companies that sell technology that lacks cybersecurity protections” The Biden-Harris National Cybersecurity Strategy
Security is our Responsibility
CI CD Git
CI CD Git
Top 10 CI/CD SECURITY RISKS SECURITY RISKS The Open Worldwide Application Security Project (OWASP)
SECURITY RISKS SECURITY RISKS 1 — Insufficient Flow Control Mechanisms 2— Inadequate Identity and Access Management 3— Dependency Chain Abuse 4— Poisoned Pipeline Execution (PPE) 5 — Insufficient PBAC (Pipeline-Based Access Controls) 6 — Insufficient Credential Hygiene 7 — Insecure System Configuration 8— Ungoverned Usage of 3rd Party Services 9 — Improper Artifact Integrity Validation 10 — Insufficient Logging and Visibility
Our goal is to limit the blast radius.
Is executing build scripts within all build contexts okay?
Executing scripts within all build contexts is not ok.
How about running `terraform plan` in all build contexts?
Executing arbitrary code in all build contexts is not ok.
SECURITY RISKS SECURITY RISKS 1 — Insufficient Flow Control Mechanisms 2— Inadequate Identity and Access Management 3— Dependency Chain Abuse 5 — Insufficient PBAC (Pipeline-Based Access Controls) 6 — Insufficient Credential Hygiene Poisoned Pipeline Execution (PPE) 7 — Insecure System Configuration 8— Ungoverned Usage of 3rd Party Services 9 — Improper Artifact Integrity Validation
Poisoned Pipeline Execution (PPE) • Have isolated pipeline environments and contexts • Sensitive and Non-Sensitive contexts • Use branch protection rules in GitHub/GitLab/BitBucket etc.
Upload Pipeline Build Docker Image Linting Security Scans RSpec Jest Code Coverage Bundle Analysis Branch Build Non-sensitive context - no access to secrets - no pipeline to prod
Upload Pipeline Build Docker Image Linting Security Scans RSpec Jest Code Coverage Bundle Analysis Branch Build Non-sensitive context - no access to secrets - no pipeline to prod Sensitive context - access to secrets - additional permissions Upload Pipeline Build Docker Image Linting Security Scans RSpec Jest Code Coverage Bundle Analysis Main Build Prepare for Deploy Deploy to Prod
SECURITY RISKS SECURITY RISKS 1 — Insufficient Flow Control Mechanisms 2— Inadequate Identity and Access Management 3— Dependency Chain Abuse 4— Poisoned Pipeline Execution (PPE) 6 — Insufficient Credential Hygiene 7 — Insecure System Configuration 8— Ungoverned Usage of 3rd Party Services 9 — Improper Artifact Integrity Validation Insufficient PBAC (Pipeline-Based Access Controls)
• Restrict the scope of a pipeline's access & permissions • Use granular access controls Insufficient PBAC (Pipeline-Based Access Controls)
ECS Service Agent Job ECS deploy role Agent API (Pipelines)
ECS Service Agent Job Agent API (Pipelines) OIDC provider OIDC token
eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ew ogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1w bGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAx IiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9u Y2UiOiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxM zExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5Nz AKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0E HR9R6jgdqrOOF4daGU96Sr_P6qJp6IcmD3HP99 Obi1PRscwh3LOp146waJ8IhehcwL7F09JdijmBqk vPeB2T9CJNqeGpegccMg4vfKjkM8FcGvnzZUN4 _KSP0aAp1tOJ1zZwgjxqGByKHiOtX7TpdQyHE5lc MiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0 _N0YzFC6g6EJbOEoRoSK5hoDalrcvRYLSrQAZZ KflyuVCyixEoV9GfNQC3_os.jzw2PAithfubEEBLu VVk4XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg Header
eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ew ogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1w bGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAx IiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9u Y2UiOiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxM zExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5Nz AKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0E HR9R6jgdqrOOF4daGU96Sr_P6qJp6IcmD3HP99 Obi1PRscwh3LOp146waJ8IhehcwL7F09JdijmBqk vPeB2T9CJNqeGpegccMg4vfKjkM8FcGvnzZUN4 _KSP0aAp1tOJ1zZwgjxqGByKHiOtX7TpdQyHE5lc MiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0 _N0YzFC6g6EJbOEoRoSK5hoDalrcvRYLSrQAZZ KflyuVCyixEoV9GfNQC3_os.jzw2PAithfubEEBLu VVk4XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg Payload
eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ew ogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1w bGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAx IiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9u Y2UiOiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxM zExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5Nz AKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0E HR9R6jgdqrOOF4daGU96Sr_P6qJp6IcmD3HP99 Obi1PRscwh3LOp146waJ8IhehcwL7F09JdijmBqk vPeB2T9CJNqeGpegccMg4vfKjkM8FcGvnzZUN4 _KSP0aAp1tOJ1zZwgjxqGByKHiOtX7TpdQyHE5lc MiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0 _N0YzFC6g6EJbOEoRoSK5hoDalrcvRYLSrQAZZ KflyuVCyixEoV9GfNQC3_os.jzw2PAithfubEEBLu VVk4XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg Signature
• Restrict the scope of a pipeline's access & permissions • Apply granular access controls: • job-tokens • OIDC • Use these things with a dedicated Secrets Manager: • Hashicorp Vault (Buildkite plugin) • AWS Secure Secrets Manager (Buildkite plugin) • Have ingress/egress filters to the internet: • Tailscale • Cloudflare etc. • Always terminate agents and wipe VMs/Machines! Insufficient PBAC (Pipeline-Based Access Controls)
SECURITY RISKS SECURITY RISKS 1 — Insufficient Flow Control Mechanisms 2— Inadequate Identity and Access Management 3— Dependency Chain Abuse 4— Poisoned Pipeline Execution (PPE) 5 — Insufficient PBAC (Pipeline-Based Access Controls) 7 — Insecure System Configuration 8— Ungoverned Usage of 3rd Party Services 9 — Improper Artifact Integrity Validation 10 — Insufficient Logging and Visibility Insufficient Credential Hygiene
• Limit the blast radius of potential breaches. • Reduce risk of Poisoned Pipeline Execution (PPE): • Limit what code is executed in certain contexts • Have sensitive/non-sensitive build contexts • Have strong Pipeline-Based Access Controls (PBAC): • Limit scope of what builds/pipelines have access to • Use ephemeral/tightly scoped access tokens • Have sufficient Identity and Access Management: • Stick to the principle of least privilege • Be able to revoke access swiftly Insufficient Credential Hygiene
Let machines do the work!
• Use a dedicated secret manager: • HashiCorp Vault, AWS Secure Secrets Manager etc. • Automatically scan for leaked keys and credentials: • GitGuardian, GitHub’s configurable Secret Scanning etc. Insufficient Credential Hygiene
Alerts are only useful if they’re seen and acted on.
SECURITY RISKS SECURITY RISKS 1 — Insufficienct Flow Control Mechanisms 3— Dependency Chain Abuse 4— Poisoned Pipeline Execution (PPE) 5 — Insufficient PBAC (Pipeline-Based Access Controls) 4 — Poisoned Pipeline Execution (PPE) 5 — Insufficient PBAC (Pipeline-Based Access Controls) 1 — Insufficient Flow Control Mechanisms 3 — Dependency Chain Abuse 4— Poisoned Pipeline Execution (PPE) 5 — Insufficient PBAC (Pipeline-Based Access Controls) 6 — Insufficient Credential Hygiene
SECURITY RISKS SECURITY RISKS 2— Inadequate Identity and Access Management 3— Dependency Chain Abuse 4— Poisoned Pipeline Execution (PPE) 5 — Insufficient PBAC (Pipeline-Based Access Controls) 6 — Insufficient Credential Hygiene 7 — Insecure System Configuration 8— Ungoverned Usage of 3rd Party Services 9 — Improper Artifact Integrity Validation Insufficient Flow Control Mechanisms
we accept mistakes are part of software delivery. CI/CD exists because
Insufficient Flow Control Mechanisms LGTM • Unreviewed code can’t trigger deployment pipelines • Code reviews & approvals should be part of the merge process. • Configure this process in your Source Control Manager: • 2 human approvals prior to a PR being merged • For teams with additional compliance regulations consider using a `block step` in your pipeline.
SECURITY RISKS SECURITY RISKS 1 — Insufficient Flow Control Mechanisms 2— Inadequate Identity and Access Management 4— Poisoned Pipeline Execution (PPE) 5 — Insufficient PBAC (Pipeline-Based Access Controls) 6 — Insufficient Credential Hygiene 7 — Insecure System Configuration 8— Ungoverned Usage of 3rd Party Services 9 — Improper Artifact Integrity Validation Dependency Chain Abuse
Open Source NPM, Yarn, PyPi, RubyGems, all the things…
Dependency Chain Abuse • Get visibility into CVEs and act on them, use tools like: • GitHub Dependabot • Identifies & notifies users about vulnerable dependencies • Can open PRs to keep dependencies updated • Snyk • Integrates with most CI/CD providers • Does all aspects of security scanning • Code/application/container scanning • Asset Discovery and tagging (so you can pin versions) • Avoid latest versions • Verify the checksum
Software Bill of Materials An immutable list of what’s in an application: • Open source libraries (languages, imports/dependencies) • Plugins, extensions, add-ons used • Application code (versioned) • Information about versions, licensing status and patch status of these components An SBOM for a SaaS application can include info like: • APIs • 3rd party services required to run the SaaS application.
SBOM > F-BOMB
CD CI/
CC/CD CI/
Create actionable SBOMs
Dependency Chain Abuse • Get visibility into packages + CVEs with tools and act on them • GitHub Dependabot • Snyk • Avoid latest versions • Verify the checksum • Practice Continous Compliance (Put a CC in CI/CD) • Generate SBOMs for your applications • Cloudsmith, JFrog, ReversingLabs, Sonatype • Create action oriented workflows around SBOMs
Aim to limit the blast radius
Establish Strict Boundaries
Lean on tooling & automation
Work together to create and adapt the human processes.
GAME OVER GAME OVER
OWASP Top 10 CI/CD Security risks 2022 State of DevOps Report Supply Chain Levels for Software Artifacts (SLSA) Secure Software Development Framework (SSDF) US National Cybersecurity Strategy (March 2023) Auth0's Open ID Connect Handbook Software Bill of Materials (SBOM) Automating Governance Risk and Compliance Creating Actionable SBOMs with Cloudsmith & Buildkite Resources
@MelissaKaulfuss
Securing your Software Delivery Pipelines with a slight shift to the left.

Recomendados

securing-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdf
securing-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdfsecuring-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdf
securing-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdf
Melissa Kaulfuss
 
Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know it
Security BSides London
 
Compliance as Code Everywhere
Compliance as Code EverywhereCompliance as Code Everywhere
Compliance as Code Everywhere
Matt Ray
 
Block-Chain Oriented Software Testing Approach
Block-Chain Oriented Software Testing ApproachBlock-Chain Oriented Software Testing Approach
Block-Chain Oriented Software Testing Approach
IRJET Journal
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problems
kiansahafi
 
Managing Software Risk with CAST
Managing Software Risk with CASTManaging Software Risk with CAST
Managing Software Risk with CAST
CAST
 
Quality management in continuous delivery and dev ops world pm footprints v1
Quality management in continuous delivery and dev ops world pm footprints v1Quality management in continuous delivery and dev ops world pm footprints v1
Quality management in continuous delivery and dev ops world pm footprints v1
Dr. Anish Cheriyan (PhD)
 
Continuous Integration and Continuous Delivery on Azure
Continuous Integration and Continuous Delivery on AzureContinuous Integration and Continuous Delivery on Azure
Continuous Integration and Continuous Delivery on Azure
CitiusTech
 

Recomendados

securing-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdf
securing-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdfsecuring-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdf
securing-your-software-delivery-pipelines-with-a-slight-shift-to-the-left.pdf
Melissa Kaulfuss
 
Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know it
Security BSides London
 
Compliance as Code Everywhere
Compliance as Code EverywhereCompliance as Code Everywhere
Compliance as Code Everywhere
Matt Ray
 
Block-Chain Oriented Software Testing Approach
Block-Chain Oriented Software Testing ApproachBlock-Chain Oriented Software Testing Approach
Block-Chain Oriented Software Testing Approach
IRJET Journal
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problems
kiansahafi
 
Managing Software Risk with CAST
Managing Software Risk with CASTManaging Software Risk with CAST
Managing Software Risk with CAST
CAST
 
Quality management in continuous delivery and dev ops world pm footprints v1
Quality management in continuous delivery and dev ops world pm footprints v1Quality management in continuous delivery and dev ops world pm footprints v1
Quality management in continuous delivery and dev ops world pm footprints v1
Dr. Anish Cheriyan (PhD)
 
Continuous Integration and Continuous Delivery on Azure
Continuous Integration and Continuous Delivery on AzureContinuous Integration and Continuous Delivery on Azure
Continuous Integration and Continuous Delivery on Azure
CitiusTech
 
Dev ops and safety critical systems
Dev ops and safety critical systemsDev ops and safety critical systems
Dev ops and safety critical systems
Len Bass
 
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAPKontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
QAware GmbH
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
DicodingEvent
 
БОГДАН САВЧУК «IoT testing: Manual, Automation and Cyber Security techniques»
БОГДАН САВЧУК «IoT testing: Manual, Automation and Cyber Security techniques»БОГДАН САВЧУК «IoT testing: Manual, Automation and Cyber Security techniques»
БОГДАН САВЧУК «IoT testing: Manual, Automation and Cyber Security techniques»
GoQA
 
Cybersecurity overview - Open source compliance seminar
Cybersecurity overview - Open source compliance seminarCybersecurity overview - Open source compliance seminar
Cybersecurity overview - Open source compliance seminar
Rogue Wave Software
 
Getting Started with Amazon Inspector - AWS June 2016 Webinar Series
Getting Started with Amazon Inspector - AWS June 2016 Webinar SeriesGetting Started with Amazon Inspector - AWS June 2016 Webinar Series
Getting Started with Amazon Inspector - AWS June 2016 Webinar Series
Amazon Web Services
 
All levels of performance testing and monitoring in web-apps
All levels of performance testing and monitoring in web-appsAll levels of performance testing and monitoring in web-apps
All levels of performance testing and monitoring in web-apps
Andrii Skrypnychenko
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWE
Arun Voleti
 
04+ECETEMT092-+WDT+APB+UVM.pdf
04+ECETEMT092-+WDT+APB+UVM.pdf04+ECETEMT092-+WDT+APB+UVM.pdf
04+ECETEMT092-+WDT+APB+UVM.pdf
SamHoney6
 
IRJET- E-Gatepass System
IRJET- E-Gatepass SystemIRJET- E-Gatepass System
IRJET- E-Gatepass System
IRJET Journal
 
A Study on Vulnerability Management
A Study on Vulnerability ManagementA Study on Vulnerability Management
A Study on Vulnerability Management
IRJET Journal
 
Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks
Secure GitOps pipelines for Kubernetes with Snyk & WeaveworksSecure GitOps pipelines for Kubernetes with Snyk & Weaveworks
Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks
Weaveworks
 
Slide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and MitigationsSlide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and Mitigations
EnergySec
 
Deepfence.pdf
Deepfence.pdfDeepfence.pdf
Deepfence.pdf
Vishwas N
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference Guide
Aryan G
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
James Wickett
 
Vulnerability Detection Based on Git History
Vulnerability Detection Based on Git HistoryVulnerability Detection Based on Git History
Vulnerability Detection Based on Git History
Kenta Yamamoto
 
Quality assurance in dev ops and secops world
Quality assurance in dev ops and secops worldQuality assurance in dev ops and secops world
Quality assurance in dev ops and secops world
Dr. Anish Cheriyan (PhD)
 
Quality assurance in dev ops and secops world
Quality assurance in dev ops and secops worldQuality assurance in dev ops and secops world
Quality assurance in dev ops and secops world
Dr. Anish Cheriyan (PhD)
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOps
Opsta
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
hans926745
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
wesley chun
 

Mais conteúdo relacionado

Semelhante a Securing your Software Delivery Pipelines with a slight shift to the left.

Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAPKontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
QAware GmbH
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
DicodingEvent
 
Getting Started with Amazon Inspector - AWS June 2016 Webinar Series
Getting Started with Amazon Inspector - AWS June 2016 Webinar SeriesGetting Started with Amazon Inspector - AWS June 2016 Webinar Series
Getting Started with Amazon Inspector - AWS June 2016 Webinar Series
Amazon Web Services
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWE
Arun Voleti
 
04+ECETEMT092-+WDT+APB+UVM.pdf
04+ECETEMT092-+WDT+APB+UVM.pdf04+ECETEMT092-+WDT+APB+UVM.pdf
04+ECETEMT092-+WDT+APB+UVM.pdf
SamHoney6
 
Slide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and MitigationsSlide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and Mitigations
EnergySec
 

Semelhante a Securing your Software Delivery Pipelines with a slight shift to the left. (20)

Dev ops and safety critical systems
Dev ops and safety critical systemsDev ops and safety critical systems
Dev ops and safety critical systems
 
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAPKontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
Kontinuierliche Sicherheitstests für APIs mit Testkube und OWASP ZAP
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
 
БОГДАН САВЧУК «IoT testing: Manual, Automation and Cyber Security techniques»
БОГДАН САВЧУК «IoT testing: Manual, Automation and Cyber Security techniques»БОГДАН САВЧУК «IoT testing: Manual, Automation and Cyber Security techniques»
БОГДАН САВЧУК «IoT testing: Manual, Automation and Cyber Security techniques»
 
Cybersecurity overview - Open source compliance seminar
Cybersecurity overview - Open source compliance seminarCybersecurity overview - Open source compliance seminar
Cybersecurity overview - Open source compliance seminar
 
Getting Started with Amazon Inspector - AWS June 2016 Webinar Series
Getting Started with Amazon Inspector - AWS June 2016 Webinar SeriesGetting Started with Amazon Inspector - AWS June 2016 Webinar Series
Getting Started with Amazon Inspector - AWS June 2016 Webinar Series
 
All levels of performance testing and monitoring in web-apps
All levels of performance testing and monitoring in web-appsAll levels of performance testing and monitoring in web-apps
All levels of performance testing and monitoring in web-apps
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWE
 
04+ECETEMT092-+WDT+APB+UVM.pdf
04+ECETEMT092-+WDT+APB+UVM.pdf04+ECETEMT092-+WDT+APB+UVM.pdf
04+ECETEMT092-+WDT+APB+UVM.pdf
 
IRJET- E-Gatepass System
IRJET- E-Gatepass SystemIRJET- E-Gatepass System
IRJET- E-Gatepass System
 
A Study on Vulnerability Management
A Study on Vulnerability ManagementA Study on Vulnerability Management
A Study on Vulnerability Management
 
Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks
Secure GitOps pipelines for Kubernetes with Snyk & WeaveworksSecure GitOps pipelines for Kubernetes with Snyk & Weaveworks
Secure GitOps pipelines for Kubernetes with Snyk & Weaveworks
 
Slide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and MitigationsSlide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and Mitigations
 
Deepfence.pdf
Deepfence.pdfDeepfence.pdf
Deepfence.pdf
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference Guide
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
 
Vulnerability Detection Based on Git History
Vulnerability Detection Based on Git HistoryVulnerability Detection Based on Git History
Vulnerability Detection Based on Git History
 
Quality assurance in dev ops and secops world
Quality assurance in dev ops and secops worldQuality assurance in dev ops and secops world
Quality assurance in dev ops and secops world
 
Quality assurance in dev ops and secops world
Quality assurance in dev ops and secops worldQuality assurance in dev ops and secops world
Quality assurance in dev ops and secops world
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOps
 

Último

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 

Último (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Securing your Software Delivery Pipelines with a slight shift to the left.