Performing continuous security testing in a DevOps environment with short release cycles and a continuous delivery pipeline is a big challenge, and the traditional secure SDLC model fails to deliver the desired results. DevOps teams understand the build, test and deploy process; they have largely automated it in a delivery pipeline and deploy to production multiple times per day. The big challenge is: how can they do this securely?
This session focuses on a strategy for building an application security pipeline in Jenkins, the challenges involved and possible solutions, and how existing application security solutions (SAST, DAST, IAST, open-source library analysis) play a key role in growing the relationship between security and DevOps.
1. Implementing an Application Security Pipeline in Jenkins
2. Implementing an Application Security Pipeline in Jenkins
• Introduction
• Continuous Integration
• Application Security Pipelines
• Approaches in Jenkins
• Demo
3. About me
Software Security Professional with 10+ years of experience
Specialize in Secure SDLC implementation
Threat Modeling / Secure Code Review / Penetration Testing
Continuous Security Testing
Secure Coding Trainer, SecurityQA Testing Trainer
Speaker: DevSecOps Singapore & Null Singapore
What next for me? IoT Security
8. Software-security-centric processes, standards & approaches
• Rugged Software
“Rugged” describes software development organizations which have a culture of rapidly evolving their ability to create available, survivable, defensible, secure, and resilient software.
• BSIMM
The Building Security In Maturity Model (BSIMM, pronounced “bee simm”) is a study of existing software security initiatives. By quantifying the practices of many different organizations, we can describe the common ground shared by many as well as the variation that makes each unique.
• OWASP SAMM
  Evaluate an organization’s existing software security practices
  Build a balanced software security assurance program in well-defined iterations
  Demonstrate concrete improvements to a security assurance program
  Define and measure security-related activities throughout an organization
9. Choose the right tools
IDE Plugins
SAST / Dependencies check
• CI/CD Support
• Scalability
• Scan time
• Incremental Report
• False Positives
• Custom Rule Set
• Language Support
• Plugins
DAST
• API Calls
• Scalability
• Scan Policies
• Plugins
Security Unit Test Cases
IAST
• Less False Positives
• Monitor Traffic
• Along with QA testing
• Immediate Feedback
Threat Modelling
Secure Coding Training
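As an added illustration of how the SAST, dependency-check and DAST tools above slot into a Jenkins pipeline with pass/fail gates (example code, not from this talk or its demo): a declarative Jenkinsfile that runs the fast static checks in parallel on every commit, deploys to staging, then runs a passive DAST baseline scan. Tool choices (Semgrep, OWASP Dependency-Check, OWASP ZAP baseline), the build and deploy commands, and the staging URL are assumptions and placeholders.

```groovy
// Added example Jenkinsfile, not the talk's own code. Assumed tools: Semgrep
// (SAST), OWASP Dependency-Check (library analysis), OWASP ZAP baseline (DAST).
// Build/deploy commands and the staging URL are placeholders.
pipeline {
    agent any
    environment {
        STAGING_URL = 'http://staging.example.test'   // placeholder target
    }
    stages {
        stage('Build & Unit Tests') {
            steps {
                sh 'mkdir -p reports'
                sh './gradlew build test'              // assumed build command
            }
        }
        // Per-commit static checks run in parallel to keep total scan time short.
        stage('Static Security Checks') {
            parallel {
                stage('SAST') {
                    steps {
                        // --error makes Semgrep exit non-zero when it reports findings,
                        // which fails this stage and blocks the deploy stage below.
                        sh 'semgrep --config p/ci --json -o reports/sast.json --error .'
                    }
                }
                stage('Dependency Check') {
                    steps {
                        // Fail the build when any dependency carries a CVE with CVSS >= 7.
                        sh 'dependency-check.sh --project app --scan . ' +
                           '--format JSON --out reports --failOnCVSS 7'
                    }
                }
            }
        }
        stage('Deploy to Staging') {
            steps { sh './deploy.sh staging' }         // assumed deploy script
        }
        // DAST needs a running application, so it follows the staging deploy.
        // The passive baseline scan is quick enough for every run; a full
        // active scan belongs in a scheduled (e.g. nightly) job instead.
        stage('DAST Baseline') {
            steps {
                // -I: do not fail the stage on ZAP warnings, only on failures
                sh 'zap-baseline.py -t "$STAGING_URL" -r reports/zap-baseline.html -I'
            }
        }
    }
    post {
        always {
            // Keep every scan report, even from failed runs, for triage.
            archiveArtifacts artifacts: 'reports/**', allowEmptyArchive: true
        }
    }
}
```

Tune the Semgrep ruleset and the CVSS threshold to the false-positive rate the team can triage; a gate that fails too often is the quickest way to get the security stages disabled.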