Getting security up to speed (with CI/CD)
Oleg Gryb, Sanjay Tambe – Samsung SSIC
Retrospective – Waterfall
http://brentmailphotography.com
Making Security Agile
DREAD
• Damage potential: how great is the damage if the vulnerability is exploited?
• Reproducibility: how easy is it to reproduce the attack?
• Exploitability: how easy is it to successfully exploit this condition?
• Affected users: as a rough percentage, how many users are affected?
• Discoverability: how easy is it to find the vulnerability?
STRIDE
• Spoofing
• Tampering
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privileges
Old AppSec Summary
 We generated huge *.doc and *.xls files with Threat Models and pen test results.
 We wrote nice exec summaries and presented the details to Dev/OPS/DB teams.
 We had a cool heat map to visualize the risk allocation for execs.
 Then we worked on remediation with developers (informal name: "nagging").
 We supported a security dashboard and reported/escalated to the CTO weekly.
DevOps + Agile = Big Bang for Security
What is SAMI
 Our core product is an API-based service running in a cloud that supports IoT devices in real time.
 It also includes web applications built on top of that.
 All of that runs in an agile mode, because competition is too high and losing is not an option.
 More details: www.samsungsami.io
We had no choice
http://www.octopus.eu
http://brentmailphotography.com
New Agile Reality aka Reqs
 No 2-4 weeks for security purposes.
 Nobody cares about (or understands) formalities such as STRIDE, DREAD or heat maps.
 Forget about 2 full days of interviews; not possible.
 Nobody gives an environment for 2-3 weeks solely for pen testing. Need to share.
 Need to do security as the Dev process goes, and in parallel.
 Need to be integrated better with the DevOps and QA teams.
Other Challenges for API products
 You *can* pass an API URL to a scanner and tell it "do automatic scanning", but it's not going to crawl. No spidering is available.
 You can manually call each and every API while on a scan proxy and then do scanning, but if you have too many ever-changing APIs, you'll die doing that.
 Sanjay will talk about our approach in detail.
Aggravating factor – security testing is not exactly QA
 QA tests are deterministic; AppSec tests are anything but.
 You can't dump all of an app scanner's "findings" into a bug tracking system.
 You usually need to triage each finding and verify its severity before submitting it to a bug tracking system.
 In many cases you still need to explain your finding and the remediation to developers.
Coming to a Solution
 Since security does require a manual review, our hypothesis was that we need a dashboard with broad import/export capabilities.
 Import from scanners, export to bug tracking systems.
 All scanners should be automated to run regression.
 Should also allow manual testing and import for new features and products.
[Architecture diagram: Scheduled Job, Scheduled Job, Manual testing, Custom Tools, Security Artists, DevOps Team, Notifications]
Step-by-step instructions to configure security automation
 Demo of Security Automation
 Install open source software
 Configure scans for Web applications
 Configure security testing using QA regression
A. Install ThreadFix (in AWS or VM)
 Download ThreadFix from http://www.threadfix.org/download/
 Follow the instructions to start ThreadFix: https://github.com/denimgroup/threadfix/wiki/Getting-Started
 Enable port 8080 for external access.
 Once ThreadFix is up and running, go to http://xxx.xxx.xxx.xxx:8080/threadfix in a web browser and accept the warning from the browser.
 Username: user
 Password: password
B. Add users in Security team into ThreadFix
C: Add Team in ThreadFix
D. Add application Payments under Accounts team in ThreadFix
E. Application Payments under team Accounts
F. Configure Defect tracker in ThreadFix
G. Visit application in ThreadFix and note application #
Note: the Application Id is shown as 31 for the Payments app in the URL in the snapshot below. We will use this later when we upload findings in XML format from the command line.
H. Set Defect tracker for application in ThreadFix
I. Enter login for Defect tracker
J. Install ZAP
 Download and install open source ZAP (Zed Attack Proxy) on AWS/VM using the following: https://github.com/zaproxy/zaproxy/wiki/Downloads?tm=2
 We will be using ZAP on the AWS or VM in headless mode (without UI).
 Install ZAP on your laptop or Mac using the above link. We will be using the UI to create sessions for web applications.
K. ZAP UI
L. Install web based job scheduler, e.g. Juicebox
 Install any open source cron job scheduler on AWS/VM.
[Screenshot: Configure scan, Start scan]
BScan – burp automation and more
• Automates Burp using Ruby extensions
• Allows adding custom tests to the same scan
• Can be run as simply as:
jruby -S bscan -c config
• Will generate a report automatically when completed
• Can work in auto proxy mode
• Configurable – can override any Burp and custom settings
• Version 3.0 is coming, stay tuned!
Configure ThreadFix jar
Use the following commands in terminal mode on the AWS/VM where ThreadFix is installed (obtain your API key from ThreadFix):
java -jar /home/user/tfcli.jar --set key 5fPO07kc8xyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxy
java -jar /home/user/tfcli.jar --set url https://127.0.0.1/threadfix/rest
Create Shell scripts to scan each application
Note: the following is the Payment.sh script to scan the Payment web app. We use app id # 31 found earlier.
Configure JuiceBox to schedule daily scan for Payment web app
Why use QA regression
 Over the years, the QA team has built hundreds or even thousands of functional test scripts. They continue to add new scripts every day.
 The Security team can reuse the work done by the QA team to do security testing.
 They can use a proxy such as Burp or ZAP to analyze requests & responses to find any security vulnerabilities.
Create separate application for QA regression
Start ZAP Proxy
 Use a command such as the following to start ZAP in headless mode on port 8085:
java -Xmx2048m -jar /home/user/zap/ZAP_2.4.2/zap-2.4.2.jar -cmd -daemon -installdir /home/user/zap/ZAP_2.4.2 -config api.key=12345 -port 8085
Configure and start QA regression
 Configure the QA regression properties to use the proxy running on port 8085.
 Use a command such as the following to start QA regression (it will vary depending on the scripts used for your QA regression):
mvn clean test -Dcategory=api -Dtarget.environment=qa -DexcludedGroups=in-progress,sdr,email,logs,cleanup -DuseProxy=true -DlocalProxy=true
Save security findings from regression in XML form
 At the end of regression, save the findings in XML form:
curl "http://localhost:8085/OTHER/core/other/xmlreport/?apikey=12345" > /home/user/temp/newpaymentregression.xml
 Upload the findings to ThreadFix using the following (app id for regression # 32 found earlier):
java -jar /home/user/tfcli.jar --upload 32 /home/user/temp/newpaymentregression.xml
Note: the above commands are part of an automated script.
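As an added example (not from the slides, and not ZAP's or ThreadFix's own code): a Python triage pass over the XML report that ZAP returns from /OTHER/core/other/xmlreport/, meant to run between the curl step and the tfcli upload so that only findings a security reviewer would stand behind reach the bug tracker. It assumes the OWASPZAPReport/site/alerts/alertitem layout of a ZAP 2.4 XML report and works on a constructed sample report; the plugin ids, URLs and CWE ids in the sample are illustrative.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of a ZAP 2.4 XML report (not real scan output).
# Plugin ids, URLs and CWE ids are illustrative values only.
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.4.2" generated="Thu, 1 Jan 2016 00:00:00">
  <site name="http://payments.qa.example" host="payments.qa.example" port="80" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>40012</pluginid>
        <name>Cross Site Scripting (Reflected)</name>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
        <instances>
          <instance><uri>http://payments.qa.example/search?q=x</uri><method>GET</method><param>q</param></instance>
          <instance><uri>http://payments.qa.example/search?q=y</uri><method>GET</method><param>q</param></instance>
        </instances>
        <cweid>79</cweid>
      </alertitem>
      <alertitem>
        <pluginid>10021</pluginid>
        <name>X-Content-Type-Options Header Missing</name>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <instances>
          <instance><uri>http://payments.qa.example/</uri><method>GET</method></instance>
        </instances>
        <cweid>16</cweid>
      </alertitem>
      <alertitem>
        <pluginid>90001</pluginid>
        <name>Insecure JSF ViewState</name>
        <riskcode>2</riskcode>
        <confidence>0</confidence>
        <instances>
          <instance><uri>http://payments.qa.example/form</uri><method>POST</method></instance>
        </instances>
        <cweid>642</cweid>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""

# ZAP risk codes 0-3 and confidence codes (0 = false positive, 1 = low,
# 2 = medium, 3 = high, 4 = user confirmed) as used in the report.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def parse_alerts(xml_text):
    """Flatten every <alertitem> into a dict, one per alert (not per instance)."""
    root = ET.fromstring(xml_text)
    alerts = []
    for site in root.findall("site"):
        for item in site.findall("alerts/alertitem"):
            instances = [
                {"uri": i.findtext("uri", ""), "method": i.findtext("method", ""), "param": i.findtext("param", "")}
                for i in item.findall("instances/instance")
            ]
            alerts.append({
                "site": site.get("name", ""),
                "pluginid": item.findtext("pluginid", ""),
                "name": item.findtext("name") or item.findtext("alert", ""),
                "risk": int(item.findtext("riskcode", "0")),
                "confidence": int(item.findtext("confidence", "0")),
                "cweid": item.findtext("cweid", ""),
                "instances": instances,
            })
    return alerts


def triage(alerts, min_risk=2, min_confidence=1, suppressed_plugins=frozenset()):
    """Split alerts into those worth a reviewer's time and those dropped as noise.

    Dropped: ZAP's own "false positive" confidence (0), anything below min_risk,
    and plugin ids the team has already ruled out for this application.
    """
    kept, dropped = [], []
    for alert in alerts:
        noisy = (
            alert["confidence"] < min_confidence
            or alert["risk"] < min_risk
            or alert["pluginid"] in suppressed_plugins
        )
        (dropped if noisy else kept).append(alert)
    return kept, dropped


def summarize(alerts):
    """Count alerts per risk level, e.g. {'High': 1, 'Low': 1, 'Medium': 1}."""
    return dict(Counter(RISK_NAMES[a["risk"]] for a in alerts))


def triage_report(xml_text, **triage_opts):
    """Parse and triage a report; returns what a reviewer needs before the tfcli upload."""
    alerts = parse_alerts(xml_text)
    kept, dropped = triage(alerts, **triage_opts)
    return {"total": len(alerts), "kept": kept, "dropped": len(dropped), "by_risk": summarize(alerts)}
```

Running `triage_report(open("/home/user/temp/newpaymentregression.xml").read())` in the automated script gives the kept list for the reviewer and the dropped count for the dashboard; the suppressed plugin ids are the place to record noise already ruled out for an application.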
Review results in ThreadFix
Review Findings
Create defect
Create defect in Issue Repository
ThreadFix supports these scanners
Security Transformation Cheat Sheet
From → To
 Two full days TM meetings with many people involved → Participating in arch/design discussions through Confluence or other collab tools
 Very formal, "scientific" TM with DREAD, STRIDE residual risks, etc. → Recommendations in JIRA coming from arch/design discussions
 DREAD, residual risks, etc. → HML (High, Medium, Low)
 STRIDE → CVE (usually automatically assigned by a tool)
 Manual pen testing for everything → Selective pen testing for new features and products
 Expensive commercial scanners → OWASP ZAP, Burp, custom tools
 Docs and PDF reports, manual export to Dev bug tracking systems → Exporting tickets directly to JIRA from ThreadFix
 Running/uploading scans manually → Automated batch jobs with auto-upload to ThreadFix
Conclusion
 You cannot do security as you did it 5-10 years ago. Security must work in parallel with Dev.
 Automate security testing by using scheduled jobs, auto-uploading "findings" to a dashboard.
 Use security professionals to review findings.
 Make sure that findings are triaged before they are submitted to a bug tracking system.
 Don't feed false positives to Dev or you'll completely lose your credibility.
All of that can be formulated even shorter:
 STOP wiring buttons that nobody will ever push (© Lean Startup Conference - 2013)
 STOP creating new buzz words: security as code, security as service, DevSecOps, etc.
 START DOING THE REAL JOB CALLED SECURITY AUTOMATION
 Don't forget about Security Artists, because security is just like politics – an art of possibilities, and tools are very much useless without us.
THANKS FOR COMING!
Sanjay Tambe – Security Architect @ SSIC
Oleg Gryb – Sr. Manager, Security Engineering @ SSIC
Twitter: @oleggryb

 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 

Último (20)

Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and Backend
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number Systems
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 

Making Security Agile

1. Getting security up to speed (with CI/CD)
Oleg Gryb, Sanjay Tambe – Samsung SSIC

3. DREAD
• Damage potential: How great is the damage if the vulnerability is exploited?
• Reproducibility: How easy is it to reproduce the attack?
• Exploitability: How easy is it to successfully exploit this condition?
• Affected users: As a rough percentage, how many users are affected?
• Discoverability: How easy is it to find the vulnerability?

4. STRIDE
• Spoofing
• Tampering
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privileges

5. Old AppSec Summary
• We generated huge *.doc and *.xls files with Threat Models and pen test results.
• We wrote nice exec summaries and presented the details to Dev/OPS/DB teams.
• We had a cool heat map to visualize the risk allocation for execs.
• Then we worked on remediation with developers – informal name: “nagging”.
• We supported a security dashboard and reported/escalated to the CTO weekly.

6. DevOps + Agile = Big Bang for Security

7. What is SAMI
• Our core product is an API-based service running in a cloud that supports IoT devices in real time.
• It also includes web applications built on top of that.
• All of that runs in agile mode, because competition is too high and losing is not an option.
• More details: www.samsungsami.io

8. We had no choice
(Image credits: http://www.octopus.eu, http://brentmailphotography.com)

9. New Agile Reality aka Reqs
• No 2-4 weeks for security purposes.
• Nobody cares about (or understands) formalities such as STRIDE, DREAD or heat maps.
• Forget about 2 full days of interviews, not possible.
• Nobody gives an environment for 2-3 weeks solely for pen testing. Need to share.
• Need to do security as the Dev process goes, and in parallel.
• Need to be integrated better with the DevOps and QA teams.

10. Other Challenges for API products
• You *can* pass an API URL to a scanner and tell it “do automatic scanning”, but it’s not going to crawl. No spidering is available.
• You can manually call each and every API while on a scan proxy and then do scanning, but if you have too many ever-changing APIs, you’ll die doing that.
• Sanjay will talk about our approach in detail.

11. Aggravating factor – security testing is not exactly QA
• QA tests are deterministic; AppSec tests are anything but.
• You can’t dump all of an app scanner’s “findings” into a bug tracking system.
• You usually need to triage each finding and verify its severity before submitting it to a bug tracking system.
• In many cases you still need to explain your finding and the remediation to developers.

12. Coming to a Solution
• Since security does require a manual review, our hypothesis was that we need a dashboard with broad import/export capabilities.
• Import from scanners, export to bug tracking systems.
• All scanners should be automated to run regression.
• It should also allow manual testing and import for new features and products.

13. (Architecture diagram; labels: Scheduled Job, Manual testing, Custom Tools, Security Artists, DevOps Team, Notifications)

14. Step-by-step instructions to configure security automation
• Demo of Security Automation
• Install open source software
• Configure scans for web applications
• Configure security testing using QA regression
16. A. Install ThreadFix (in AWS or VM)
• Download ThreadFix from http://www.threadfix.org/download/
• Follow the instructions to start ThreadFix: https://github.com/denimgroup/threadfix/wiki/Getting-Started
• Enable port 8080 for external access.
• Once ThreadFix is up and running, go to http://xxx.xxx.xxx.xxx:8080/threadfix in a web browser and accept the warning from the browser.
• Username: user
• Password: password

17. B. Add users in the Security team into ThreadFix

18. C. Add Team in ThreadFix

19. D. Add application Payments under Accounts team in ThreadFix

20. E. Application Payments under team Accounts

21. F. Configure Defect tracker in ThreadFix

22. G. Visit application in ThreadFix and note application #
Note: the application id is shown as 31 for the Payments app in the URL in the snapshot below. We will use this later when we upload findings in XML format from the command line.

23. H. Set Defect tracker for application in ThreadFix

24. I. Enter login for Defect tracker

25. J. Install ZAP
• Download and install open source ZAP (Zed Attack Proxy) on AWS/VM using https://github.com/zaproxy/zaproxy/wiki/Downloads?tm=2
• We will be using ZAP on the AWS/VM in headless mode (without UI).
• Install ZAP on your laptop or Mac using the above link. We will be using the UI to create sessions for web applications.

26. K. ZAP UI

27. L. Install web based job scheduler, e.g. Juicebox
• Install any open source cron job scheduler on AWS/VM.
(Diagram labels: Configure scan, Start scan)

28. BScan – Burp automation and more
• Automates Burp using Ruby extensions
• Allows adding custom tests to the same scan
• Can be run as simply as: jruby -S bscan -c config
• Will generate a report automatically when completed
• Can work in auto proxy mode
• Configurable – can override any Burp and custom settings
• Version 3.0 is coming, stay tuned!

30. Configure ThreadFix jar
Use the following commands in terminal mode on the AWS/VM where ThreadFix is installed (obtain your API key from ThreadFix):
java -jar /home/user/tfcli.jar --set key 5fPO07kc8xyxyxyxyxyxyxyxyxyxyxyxyxyxyxyxy
java -jar /home/user/tfcli.jar --set url https://127.0.0.1/threadfix/rest

31. Create shell scripts to scan each application
Note: the following is the Payment.sh script to scan the Payment web app. We use app id # 31 found earlier.

32. Configure JuiceBox to schedule a daily scan for the Payment web app

34. Why use QA regression
• Over the years, the QA team has built hundreds or even thousands of functional test scripts. They continue to add new scripts every day.
• The security team can reuse the work done by the QA team to do security testing.
• They can use a proxy such as Burp or ZAP to analyze requests and responses to find security vulnerabilities.

35. Create a separate application for QA regression

36. Start ZAP Proxy
• Use a command such as the following to start ZAP in headless mode on port 8085:
java -Xmx2048m -jar /home/user/zap/ZAP_2.4.2/zap-2.4.2.jar -cmd -daemon -installdir /home/user/zap/ZAP_2.4.2 -config api.key=12345 -port 8085

37. Configure and start QA regression
• Configure the QA regression properties to use the proxy running on port 8085.
• Use a command such as the following to start QA regression (it will vary depending on the scripts used for your QA regression):
mvn clean test -Dcategory=api -Dtarget.environment=qa -DexcludedGroups=in-progress,sdr,email,logs,cleanup -DuseProxy=true -DlocalProxy=true

38. Save security findings from regression in XML form
• At the end of regression, save the findings in XML form:
curl "http://localhost:8085/OTHER/core/other/xmlreport/?apikey=12345" > /home/user/temp/newpaymentregression.xml
• Upload the findings to ThreadFix using (app id for regression # 32 found earlier):
java -jar /home/user/tfcli.jar --upload 32 /home/user/temp/newpaymentregression.xml
Note: the above commands are part of an automated script.
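The commands on slides 36, 37 and 38 (start ZAP headless, run the regression through it, export the XML report and upload it with tfcli) are the steps of one scheduled job. What follows is an added example of that job as a single script; it is not code from the talk, from ZAP or from ThreadFix. It keeps the slide's paths, port and application id (all of them assumptions about your environment), reads the ZAP API key from a ZAP_API_KEY environment variable rather than hard-coding the 12345 shown on the slide, waits for the daemon to answer on its /JSON/core/view/version/ endpoint before starting the regression, and refuses to upload a report that contains no sites, which is what you get when the regression was never routed through the proxy.

```python
"""Regression-through-ZAP job: start ZAP headless, run the QA regression
against it, export ZAP's XML report and upload it to ThreadFix.
Added example; paths, port and app id are the slide's values and are
assumptions about your environment."""
import os
import subprocess
import sys
import time
import urllib.request
import xml.etree.ElementTree as ET

ZAP_HOME = "/home/user/zap/ZAP_2.4.2"            # assumed, as on slide 36
ZAP_JAR = ZAP_HOME + "/zap-2.4.2.jar"
TFCLI_JAR = "/home/user/tfcli.jar"               # assumed, as on slide 30
ZAP_PORT = 8085
REPORT_PATH = "/home/user/temp/newpaymentregression.xml"
THREADFIX_APP_ID = "32"                          # regression app created on slide 35


def build_zap_command(jar, installdir, api_key, port):
    """Headless ZAP start (slide 36) as an argv list, so the key needs no shell quoting."""
    return ["java", "-Xmx2048m", "-jar", jar, "-cmd", "-daemon",
            "-installdir", installdir, "-config", "api.key=" + api_key,
            "-port", str(port)]


def build_regression_command():
    """QA regression invocation from slide 37; the proxy settings come from the
    regression's own properties (slide 37), not from this command line."""
    return ["mvn", "clean", "test", "-Dcategory=api", "-Dtarget.environment=qa",
            "-DexcludedGroups=in-progress,sdr,email,logs,cleanup",
            "-DuseProxy=true", "-DlocalProxy=true"]


def zap_url(path, api_key, port=ZAP_PORT):
    """ZAP API URL; the key gates every control request to the daemon."""
    return "http://localhost:%d/%s?apikey=%s" % (port, path, api_key)


def wait_for_zap(api_key, port=ZAP_PORT, timeout=120):
    """Poll the ZAP version endpoint until the daemon answers. Starting the
    regression before this point makes its first requests fail on the proxy
    and silently leaves them out of the report."""
    deadline = time.time() + timeout
    url = zap_url("JSON/core/view/version/", api_key, port)
    while time.time() < deadline:
        try:
            with urllib.request.urlopen(url, timeout=5) as resp:
                if resp.status == 200:
                    return True
        except OSError:
            pass
        time.sleep(2)
    return False


def fetch_xml_report(api_key, port=ZAP_PORT):
    """Same export as the curl command on slide 38."""
    url = zap_url("OTHER/core/other/xmlreport/", api_key, port)
    with urllib.request.urlopen(url, timeout=60) as resp:
        return resp.read().decode("utf-8")


def summarize_report(xml_text):
    """Count <site> and <alertitem> elements. No sites at all means ZAP saw
    nothing to report on, almost always a regression that bypassed the proxy;
    uploading that would record a false 'clean' run in ThreadFix."""
    root = ET.fromstring(xml_text)
    return {"sites": len(root.findall("site")),
            "alerts": len(root.findall(".//alertitem"))}


def main():
    api_key = os.environ.get("ZAP_API_KEY", "")
    if len(api_key) < 16:
        sys.exit("set ZAP_API_KEY to a long random value (the 12345 on the slide is only an example)")
    zap = subprocess.Popen(build_zap_command(ZAP_JAR, ZAP_HOME, api_key, ZAP_PORT))
    try:
        if not wait_for_zap(api_key):
            sys.exit("ZAP did not come up on port %d" % ZAP_PORT)
        # Failing functional tests still generate traffic, so a non-zero exit is not fatal here.
        subprocess.run(build_regression_command(), check=False)
        xml_text = fetch_xml_report(api_key)
        summary = summarize_report(xml_text)
        if summary["sites"] == 0:
            sys.exit("empty ZAP report: check the regression's proxy settings (port %d)" % ZAP_PORT)
        with open(REPORT_PATH, "w", encoding="utf-8") as fh:
            fh.write(xml_text)
        subprocess.run(["java", "-jar", TFCLI_JAR, "--upload", THREADFIX_APP_ID, REPORT_PATH],
                       check=True)
        print("uploaded %d alert(s) from %d site(s) to ThreadFix app %s"
              % (summary["alerts"], summary["sites"], THREADFIX_APP_ID))
    finally:
        zap.terminate()


if __name__ == "__main__":
    main()
```

Run it from the scheduler in place of the three separate commands; the ZAP process is terminated in the `finally` block so a failed regression does not leave a proxy with a control API listening on the VM.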
40. Review results in ThreadFix

43. Create defect in Issue Repository

45. Security Transformation Cheat Sheet
From: Two full days of TM meetings with many people involved
  To: Participating in arch/design discussions through Confluence or other collab tools
From: Very formal, “scientific” TM with DREAD, STRIDE, residual risks, etc.
  To: Recommendations in JIRA coming from arch/design discussions
From: DREAD, residual risks, etc.
  To: HML (High, Medium, Low)
From: STRIDE
  To: CVE (usually automatically assigned by a tool)
From: Manual pen testing for everything
  To: Selective pen testing for new features and products
From: Expensive commercial scanners
  To: OWASP ZAP, Burp, custom tools
From: Docs and PDF reports, manual export to Dev bug tracking systems
  To: Exporting tickets directly to JIRA from ThreadFix
From: Running/uploading scans manually
  To: Automated batch jobs with auto-upload to ThreadFix

46. Conclusion
• You cannot do security as you did it 5-10 years ago. Security must work in parallel with Dev.
• Automate security testing by using scheduled jobs, auto-uploading “findings” to a dashboard.
• Use security professionals to review findings.
• Make sure that findings are triaged before they are submitted to a bug tracking system.
• Don’t feed false positives to Dev or you’ll completely lose your credibility.

47. All of that can be formulated even shorter:
• STOP wiring buttons that nobody will ever push © Lean Startup Conference - 2013
• STOP creating new buzz words: security as code, security as service, DevSecOps, etc.
• START DOING THE REAL JOB CALLED SECURITY AUTOMATION
• Don’t forget about Security Artists, because security is just like politics, an art of possibilities, and tools are very much useless without us.

48. THANKS FOR COMING!
Sanjay Tambe – Security Architect @ SSIC
Oleg Gryb – Sr. Manager, Security Engineering @ SSIC
Twitter: @oleggryb
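Slide 11 says every scanner finding has to be triaged and its severity verified before it goes to the bug tracker, and slide 46 adds that feeding false positives to Dev costs the security team its credibility. The following is an added example of a triage pass over the XML that the regression job exports (slide 38); it is not code from the talk, from ZAP or from ThreadFix. It collapses the duplicate hits a replayed test suite produces for the same endpoint and parameter, maps ZAP's numeric risk codes to the HML scale from the cheat sheet, and splits the unique findings into a queue a security engineer must verify, a queue for batch review, and whatever ZAP itself marked as a false positive. The report is a constructed sample in the shape of ZAP's XML report (the scan rule ids and CWE numbers are ZAP's own, the host and findings are made up), and the routing thresholds are an assumption to adjust to your own policy.

```python
"""Triage of ZAP XML findings before anything is turned into a ticket.
Added example; the sample report is constructed and the routing policy is an
assumption, not ZAP's or ThreadFix's behaviour."""
import xml.etree.ElementTree as ET
from collections import namedtuple
from urllib.parse import urlsplit

# Constructed sample in the shape of the slide-38 export: host and findings are made up,
# the pluginid/cweid values are ZAP's real scan rule ids for those alert names.
SAMPLE_REPORT = """<OWASPZAPReport version="2.4.2" generated="constructed sample">
<site name="https://qa.example.test" host="qa.example.test" port="443" ssl="true"><alerts>
<alertitem><pluginid>40012</pluginid><alert>Cross Site Scripting (Reflected)</alert>
<riskcode>3</riskcode><confidence>2</confidence><cweid>79</cweid><instances>
<instance><uri>https://qa.example.test/api/v1/payments?q=1</uri><method>GET</method><param>q</param></instance>
<instance><uri>https://qa.example.test/api/v1/payments?q=2</uri><method>GET</method><param>q</param></instance>
</instances></alertitem>
<alertitem><pluginid>10021</pluginid><alert>X-Content-Type-Options Header Missing</alert>
<riskcode>1</riskcode><confidence>2</confidence><cweid>16</cweid><instances>
<instance><uri>https://qa.example.test/api/v1/payments</uri><method>GET</method><param></param></instance>
<instance><uri>https://qa.example.test/api/v1/accounts</uri><method>GET</method><param></param></instance>
</instances></alertitem>
<alertitem><pluginid>90022</pluginid><alert>Application Error Disclosure</alert>
<riskcode>2</riskcode><confidence>1</confidence><cweid>200</cweid><instances>
<instance><uri>https://qa.example.test/api/v1/accounts/42</uri><method>DELETE</method><param></param></instance>
</instances></alertitem>
</alerts></site></OWASPZAPReport>"""

Finding = namedtuple("Finding", "pluginid name risk confidence cwe method path param")


def hml(risk_code):
    """ZAP riskcode (0 Info, 1 Low, 2 Medium, 3 High) to the HML scale on slide 45."""
    return {3: "High", 2: "Medium"}.get(risk_code, "Low")


def parse_zap_report(xml_text):
    """One Finding per (alert, instance) pair in a ZAP XML report."""
    findings = []
    for item in ET.fromstring(xml_text).iter("alertitem"):
        pluginid = item.findtext("pluginid", "")
        name = item.findtext("alert", "")
        risk = int(item.findtext("riskcode", "0"))
        confidence = int(item.findtext("confidence", "0"))   # ZAP: 0 = False Positive .. 3 = High
        cwe = item.findtext("cweid", "")
        for inst in item.iter("instance"):
            # Replayed tests vary the query string; the endpoint is the unit of remediation.
            path = urlsplit(inst.findtext("uri", ""))._replace(query="", fragment="").geturl()
            findings.append(Finding(pluginid, name, risk, confidence, cwe,
                                    inst.findtext("method", ""), path,
                                    inst.findtext("param", "") or ""))
    return findings


def dedupe(findings):
    """Collapse hits the regression produced repeatedly for the same rule/endpoint/parameter."""
    seen = {}
    for f in findings:
        seen.setdefault((f.pluginid, f.method, f.path, f.param), f)
    return list(seen.values())


def triage(findings):
    """Route unique findings (policy is an assumption): 'verify' needs a security
    engineer before any ticket, 'review' is batched for periodic review, 'ignore'
    is what ZAP itself marked as a false positive."""
    queues = {"verify": [], "review": [], "ignore": []}
    for f in sorted(findings, key=lambda f: (-f.risk, -f.confidence, f.path)):
        if f.confidence == 0:
            queues["ignore"].append(f)
        elif f.risk >= 2 and f.confidence >= 2:
            queues["verify"].append(f)
        else:
            queues["review"].append(f)
    return queues


if __name__ == "__main__":
    for queue, items in triage(dedupe(parse_zap_report(SAMPLE_REPORT))).items():
        print("%s (%d)" % (queue, len(items)))
        for f in items:
            print("  %-6s CWE-%-4s %s %s %s param=%r" % (hml(f.risk), f.cwe, f.name, f.method, f.path, f.param))
```

Only the `verify` queue is meant to become tickets, and only after a person has reproduced the finding; the raw XML still goes to ThreadFix unchanged so the dashboard keeps the full history.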

Editor's Notes

1. We’ve just returned from an AppSecUSA conference where quite a few folks were talking about security automation tools, which is cool of course. We love tools, but it’s not about tools only, it’s about how well your security process is integrated into the SDLC. Going back 5 to 7 years, our SDLC model was still very much Waterfall and our security process was adjusted well to it:
   • We had 2 full days for onsite interviews.
   • Business owners, s/w and DB architects, Dev, OPS, QA were available to sit with us for those two days and talk about security and threats.
   • We were buttoned up and very formal.
   • We’ve created our own scoring system based on DREAD.
   • We created Threat Models based on interviews.
   • We categorized findings based on STRIDE.
   • After TM was completed we would start our pen testing. We had 2-4 weeks to complete it!
   • We used heavy commercial tools to do static and dynamic analysis.
2. I won’t talk much about DREAD, it’s very much dead, and it’s dead for a good reason. You were required to score each DREAD category, and it was a pure guesstimate anyway. It looks scientific because it has categories, but in essence it’s worse than just assigning a score in simple HML terms, because HML is very intuitive and can be easily understood by everyone.
3. STRIDE – again, looks scientific and cool, but that categorization is very abstract and it’s difficult to practically apply it, because some vulnerabilities will fall into several categories, while for others it will be difficult to find a match. When you use CVE, it’s actually something that has a match in the real world, is easy to understand and, most importantly, will be automatically created by many scanners and understood by a dashboard such as ThreadFix.
4. It was very much like a waterfall model, where we had a “security gateway” clearly defined. There was no way to bypass it. It was clearly an “us” and “them” model, meaning that our involvement in Dev matters or Dev involvement in our matters was limited. It required significant time and money to support all that. There was an essential lag between a sec assessment and a release date, which could result in big differences between production and what we’ve tested and reviewed. Fixing was not easy, “nagging” didn’t always work.
5. And then the Big Bang happened. It happened because everybody moved to an Agile SDLC and new projects started flying over our heads with huge velocity. We realized at this point that we could not do all those cool things that we did in the waterfall model.
6. It’s not only about agility and speed. There were other issues that were coming from the products that we need to support. It’s all about APIs today. Web applications have become just a thin wrapper built on top of APIs. Let us take a quick look at the product that we support.
7. We had no choice. We needed to move from waterfall to agile quickly. We looked around at what was available. We realized quickly that some new buzz words such as “security as code” or “security as service” do not mean much and do not allow creating a comprehensive E2E security process alone. It usually goes like this: we write code and build services and they will solve ALL our security problems. No, we won’t, and I don’t even want to go into this discussion until I see a comprehensive security scanner that doesn’t produce “false positives” and gets all severities right. Or after someone figures out how to design apps with all necessary sec controls in place from day one.
8. The “us” and “them” model didn’t work anymore. We needed to move with the team at their pace.
9. This is how we came to our solution. This is our reasoning.
10. Explain diagram. Our security team is not big, it’s two permanent people, security artists as we modestly call ourselves, 1-2 consultants and people in other teams who support our projects. Our QA team is probably 4 times bigger and Sanjay will talk today about automating the process and utilizing QA unit tests, thousands of them, to implement security.
11. What remained unchanged here is the necessity to review the results and start working with developers on remediation. What we try to avoid are tools that generate a lot of false positives, because that creates a roadblock for automation.
12. I took it from a Lean Startup conference and I think it’s very appropriate for our sec transformation process. Sec as code is an overstatement. You can’t solve all your security problems just by writing code. You need to do more than that. That sec automation job does include writing code, creating sec services and an agile security process, but don’t forget about “security artists” who can make sense of the tons of data generated by scanners and other tools, because security is still very much like politics, which is an art of possibilities. I’m still missing the old process a bit and often ask myself: did we throw out any babies with the bathwater during this transformation? The answer is probably “yes”, but this is the nature of any agile approach, it usually bears bigger risks, not only in the security domain, and we’ll have to live with it. Security artists are people who can make sense of the ravings generated by security tools.