Automating security tests for Continuous Integration
Seu SlideShare está sendo baixado.
×
Confira estes a seguir
Recomendadas
Mais Conteúdo rRelacionado
Diapositivos para si (20)
Quem viu também gostou (20)
Semelhante a Integrating DevOps and Security (20)
Mais recentes (20)
Integrating DevOps and Security
- 1. Integrating DevOps and Security
- 2. $whoami • Independent consultant • Ethical hacking • Organising security • Building applications • Twitter: @ddccffvv
- 3. Goals Improving security Bringing dev/ops/QA/… and security together Making your life better
- 4. Part 1 Where are we now?
- 5. zuckerberg slide
- 6. IT is changing
- 7. We’re only getting started
- 8. Increasingly dependent
- 9. Rising importance of security
- 10. Part 2 Bringing everyone together
- 11. zuckerberg slide
- 12. zuckerberg slide
- 13. Uncertainty is a threat
- 14. Rugged DevOps security
- 15. Security is the infrastructure team before DevOps Does not like risks (change) Tries to keep control Bottleneck
- 16. How did we solve this before?
- 17. 1) Empathy 2) Automate 3) Feedback loops
- 18. “We found that blockages at the end of the project were much more expensive than at the beginning - and InfoSec blockages were among the worst” Justin Arbuckle
- 19. “By having Infosec involved throughout the creation of any new capability, we were able to reduce our use of static checklists dramatically and rely more on using their expertise throughout the entire software development process.” Justin Arbuckle
- 20. Message to infosec people:
- 21. Don’t (only) say no!
- 22. Say: We could do it this way…
- 23. Part 3 Tactics (to scale)
- 24. 1) Empathy 2) Automate 3) Feedback loops
- 25. Defect Tracking & Post Mortem Security issues in work tracker: Visibility ++ Priorities ++ Security issue -> post mortem Rework - - Team knowledge ++
- 26. Preventive security controls Provide security libraries or services that every modern application or environment requires Place them in a central location, easily accessible to anyone
- 27. Preventive security controls • libraries/configs • secret management • OS packages/builds
- 28. Security in deployment pipeline Automate as many security tests as possible so that they run alongside other tests in our deployment pipeline.
- 29. Security in deployment pipeline • Static scanning • Dynamic scanning • Sad path
- 30. A word about false positives versus
- 31. Security of software supply chain “The typical organization uses 18,614 external software parts. Of those components being used, 7.5% had known vulnerabilities, with over 66% of those vulnerabilities being over two years old without having been resolved. Sonatype 2015 State of the software supply chain report
- 32. Security and monitoring How do you know if you’ve been compromised?
- 33. Security and monitoring “Year after year, in the vast majority of cardholder breaches, organisations detected the security breach months or quarters after the breach occurred. Worse, the way the breach was detected was not an internal monitoring control, but was far more likely someone outside of the organization” Marcus Sachs (Verizon data breach researcher)
- 34. Security and monitoring • Set up central monitoring and make it easy to use • Application level • Environment
- 35. Security and monitoring: etsy example • abnormal process terminations • internal server errors (500) • database syntax error • indication of sql injection attacks (UNION ALL)
- 36. “Nothing helps you understand how hostile the operating environment is than seeing your code being attacked in real-time.” Nick Galbreath
- 37. 1) Empathy 2) Automate 3) Feedback loops
- 38. Questions and discussion
