Software Security: In the World of Cloud & CI-CD
1. Software Security: "In The World Of Cloud & CI-CD"
Aniket Kulkarni, Software Security Architect (Bigdata/Cloud/Mobile/Web)
26 Nov 2015. Venue: Akamai, Singapore. OWASP Singapore.
28 Nov 2015. Venue: Airtel, Delhi, India. OWASP Delhi, India (remote WebEx from Singapore).
2. Agenda
Cloud & Its Snapshots
Definition Of Today's Clients
User's Angle To Cloud
Changing Landscape Of Customer Requirements
CI, CD
An Era Of Dashboards
Secure SDLC: The CI-CD Way
3. Cloud Computing?
Cloud computing, also known as on-demand computing, is a kind of internet-based computing where shared resources and information are provided to computers and other devices on demand.
6. Continuous Integration (CI)
Continuous Integration (CI) is a development practice that requires developers to integrate code into a shared repository several times a day. Each check-in is then verified by an automated build, allowing teams to detect problems early.
7. Continuous Delivery (CD)
Continuous Delivery (CD) is a software engineering approach in which teams keep producing valuable software in short cycles and ensure that the software can be reliably released at any time. It aims at building, testing and releasing software faster and more frequently.
8. Continuous Deployment (CD)
Continuous Deployment (CD) is the next phase after continuous delivery: every change that passes the automated tests is deployed to production automatically, with no manual release decision in between.
9. User's Angle To Cloud
(Diagram) Client side: USER1 (subscribed), USER2 (subscribed) and USER3 (free) access the cloud-hosted product, which is made up of an Application Server, a Storage Service, an I&AM (identity and access management) service and a Notification Service.
11. Changing Landscape Of Requirements
Ongoing customer demands
Associated market competition
Product research outcomes
"A constant rotating eyeball on the product in production, hosted on cloud, with constant changes"
12. Challenges For Business Stakeholders
How do we manage the security posture of 150+ cloud products?
Shall we invest in security (Yes/No)?
If yes, how much? Confused about the decision?
We invested $X million. How secure are we?
We are 100% compliant! Are we secure now?
Are we satisfying customer demands?
16. S-SDLC (CI-CD): QA
• Internal automation frameworks (mostly Python scripts)
• Actual web product hosted on staging
• Dynamic analysis tool run, followed by a manual dashboard update
• Internal/External penetration tests, followed by a continuous dashboard update
• Interactive Application Security Testing (e.g. Contrast)
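The QA stage above runs scanners and pushes results to a dashboard. The following is an added example of the kind of Python gate script such a stage could run; it is not the speaker's code, and the finding formats, file names, hostnames and dashboard shape are assumptions made for illustration. It merges SAST and DAST reports, suppresses findings already triaged into a reviewed baseline (the false positives the next slide warns about), fails the pipeline only on new findings at or above a severity threshold, and returns a summary the dashboard can ingest.

```python
"""Security gate for a CI stage: merge SAST/DAST findings, suppress
accepted baseline items, fail the build on new high-severity issues
and emit a dashboard summary. Hypothetical script, not from the talk."""
import hashlib
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample output of a SAST run (the schema is assumed, it is
# not any real tool's format).
SAST_REPORT = json.dumps([
    {"rule": "sql-injection", "file": "app/orders.py", "line": 42, "severity": "high"},
    {"rule": "hardcoded-secret", "file": "app/config.py", "line": 7, "severity": "critical"},
    {"rule": "weak-random", "file": "app/token.py", "line": 19, "severity": "medium"},
])

# Constructed sample output of a DAST run against the staging host.
DAST_REPORT = json.dumps([
    {"rule": "missing-csp-header", "url": "https://staging.example.test/", "severity": "low"},
    {"rule": "sql-injection", "url": "https://staging.example.test/orders?id=1", "severity": "high"},
])


def fingerprint(source, rule, location):
    """Stable id so the same finding on the next run is not counted as new."""
    return hashlib.sha256(f"{source}|{rule}|{location}".encode()).hexdigest()[:16]


def normalize(report_json, source):
    """Map a tool report onto one common finding shape."""
    findings = []
    for item in json.loads(report_json):
        location = item.get("file", item.get("url", "?"))
        if "line" in item:
            location = f"{location}:{item['line']}"
        findings.append({
            "id": fingerprint(source, item["rule"], location),
            "source": source,
            "rule": item["rule"],
            "location": location,
            "severity": item["severity"].lower(),
        })
    return findings


def evaluate_gate(findings, baseline_ids, fail_at="high"):
    """Return (passed, new_findings, summary). Baseline ids are findings a
    human already triaged as accepted or false positive; they still show on
    the dashboard but never block the pipeline."""
    threshold = SEVERITY_RANK[fail_at]
    new = [f for f in findings if f["id"] not in baseline_ids]
    blocking = [f for f in new if SEVERITY_RANK[f["severity"]] >= threshold]
    summary = {sev: 0 for sev in SEVERITY_RANK}
    for f in findings:
        summary[f["severity"]] += 1
    summary["baselined"] = len(findings) - len(new)
    summary["blocking"] = len(blocking)
    return (len(blocking) == 0, new, summary)


def run_gate(baseline_ids=frozenset(), fail_at="high"):
    """Normalize both sample reports and evaluate the gate against them."""
    findings = normalize(SAST_REPORT, "sast") + normalize(DAST_REPORT, "dast")
    return evaluate_gate(findings, baseline_ids, fail_at)


if __name__ == "__main__":
    # Hypothetical usage: accepted finding ids are passed in from a reviewed
    # baseline file kept in the repository; a non-zero exit fails the stage.
    accepted = frozenset(sys.argv[1:])
    passed, new, summary = run_gate(accepted)
    print(json.dumps({"passed": passed, "summary": summary,
                      "new": [f"{f['severity']} {f['rule']} @ {f['location']}" for f in new]},
                     indent=2))
    sys.exit(0 if passed else 1)
```

The baseline is what keeps a noisy scanner from blocking every build: a finding is suppressed only by its stable id, so the same rule appearing at a new location is still treated as new, and the dashboard summary keeps counting suppressed items so they do not silently disappear.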
17. S-SDLC (CI-CD): SAST / DAST / IAST
SAST
• Uses source code to find vulnerabilities without running the application.
• Misses run-time vulnerabilities.
• Many false positives.
DAST
• Analyzes the application in its running state by fuzzing it with malicious payloads from outside.
• Misses business-logic vulnerabilities.
• Many false positives.
IAST
• Analyzes the application in its running state by deploying sensors inside the app.
• Finds most of the things that SAST and DAST miss.
• Almost no / fewer false positives.
18. S-SDLC (CI-CD): Typical IAST Deployment
(Diagram) The web application stack: Custom Code, Frameworks, Libraries, Application Server, Java Runtime. The IAST engine sits inside that stack, receives data from passive sensors placed in the running application, and sends security information to the dashboard.
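To make the "sensors inside the app" idea concrete, here is an added toy example; it is not Contrast or any real IAST engine, and not code from the talk. A "source sensor" marks request parameters as tainted and a "sink sensor" wrapped around the SQL call reports only when tainted text actually reaches the query, so string-concatenated SQL is flagged on an ordinary request while parameter binding is not. The Tainted type, the handler names and the in-memory SQLite table are constructed for the demo, and only "+" concatenation propagates taint here, whereas a real engine instruments the runtime's string operations.

```python
"""Toy IAST-style taint tracking: sensors inside the app observe untrusted
data flowing from a source (request parameter) to a sink (SQL execute).
Hypothetical demo code; not Contrast or any real IAST engine."""
import sqlite3


class Tainted(str):
    """A str that remembers it came from an untrusted source.
    Only '+' concatenation propagates taint in this toy; a real engine
    instruments the runtime's string operations instead."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        # Invoked for  plain_str + Tainted  because Tainted subclasses str.
        return Tainted(str.__add__(other, self))


# Stand-in for the dashboard feed in the diagram: sensors append findings here.
DASHBOARD = []


def source_sensor(params, name):
    """Sensor on the request-parameter read: the returned value is tainted."""
    return Tainted(params.get(name, ""))


def sink_sensor(conn, sql, params=()):
    """Sensor around the SQL sink. Only the query text is checked: tainted
    values passed as bound parameters are safe, tainted query text is not."""
    if isinstance(sql, Tainted):
        DASHBOARD.append({"rule": "sql-injection", "sink": "sqlite3.execute",
                          "evidence": str(sql)})
    return conn.execute(sql, params)


def setup_db():
    """Constructed in-memory table so the demo runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, owner TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.commit()
    return conn


def vulnerable_handler(conn, params):
    """Builds the query by concatenation: tainted text reaches the sink."""
    order_id = source_sensor(params, "id")
    sql = "SELECT owner FROM orders WHERE id = " + order_id
    return [row[0] for row in sink_sensor(conn, sql)]


def safe_handler(conn, params):
    """Same lookup with parameter binding: the query text stays untainted."""
    order_id = source_sensor(params, "id")
    sql = "SELECT owner FROM orders WHERE id = ?"
    return [row[0] for row in sink_sensor(conn, sql, (order_id,))]


def run_demo():
    """Exercise both handlers with benign input and return the findings.
    The vulnerable path is reported even though no attack payload was sent,
    which is exactly what a fuzzing DAST scanner cannot see from outside."""
    DASHBOARD.clear()
    conn = setup_db()
    vulnerable_handler(conn, {"id": "1"})
    safe_handler(conn, {"id": "2"})
    return list(DASHBOARD)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

This is why the slide can claim fewer false positives for IAST: the sensor does not guess from a response difference, it sees the tainted string arrive at the sink, and it reports nothing for the bound-parameter version even though the same tainted value was used.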
19. S-SDLC (CI-CD): Compact View
DEVELOPMENT / COMPONENT SELECTION -> QA / IAST / STAGING -> All set for product release?
20. Rethinking The Challenges!
How do the challenges look now?
How do we manage the security posture of 150+ cloud products?
Shall we invest in security (Yes/No)?
If yes, how much? Confused about the decision?
We invested $X million. How secure are we?
We are 100% compliant! Are we secure now?
Are we satisfying customer demands?
21. Key Take-Aways
Cloud & CI, CD
Business challenges of a software product
Pitching security in a fast-paced environment:
-3rd-party component security
-Security at Development
-Security at QA
-Security at Staging/Production
Solutions we have for this fast-paced environment
Security as an input to business decisions
Deciding factors for security investment & ROI