PROACTIVE SECURITY
APPSEC CASE STUDY
ANDY HOERNECKE
HELO
Andy Hoernecke
Application Security Engineer
AppSec, Automation, Data Visualization
What We Will Cover
• Background on Netflix
• Our Security Philosophy
• Walkthrough of Our Approach to AppSec
Terminology
• Define technology terms:
• Application
• Instance
• ELB (Elastic Load Balancer)
• AMI
• Security Groups
Netflix Primer
• Hundreds of developers
• Over 1,000 applications
• Hundreds of production pushes a day
• Over 50k instances
• Very Pro Open Source
• No Security Gates!
Continuous Delivery
• Fast, Automated Deployment
• Immutable Platform
• Low Friction
The Challenge
• Provide security in the environment described:
• No security gates
• Production Changes Rapidly
• Multiple code bases (A/B testing)
• Many Developers vs. 5 Member AppSec Team
How?
Act as enablers
not gatekeepers
Application developers are responsible for the security of their application.
Security is as important as:
• functionality
• performance
• availability
• scalability
Create paved paths that are secure by default
Proactive Security
• Know your environment & weaknesses and work to improve
• Find problems early and address them
• Monitor for anomalies and be prepared to respond
• Collect meaningful data and use it to improve
• Simplify: make security the easy path
• Reevaluate your approach
• Share what you learn with others
Implementing Proactive Security
AppSec Case Study*
* Note: Talk discusses new version of software yet to be open sourced
Goals
1. Understand your environment
2. Inject automated security controls
3. Tie environment and security together
Goal 1
Understand Your Environment
1. Know the components of your environment
2. Understand connections
3. Monitor for changes
Defining The Environment
• Applications that make up and support the Netflix experience
1. Accessibility (How, Where, Who)
2. Functionality
3. Ownership
4. Risk Level
5. Security
Where do Applications Come From?
• Binaries
• Appliances
• SaaS
• Internally Developed (Source Code)
Where do Applications Come From?
Developers → SCM → Build → Bake → Deploy
1. Developers push code to SCM
2. Built into a package
3. Combined with BaseAMI to form a machine image
4. Deployed as an EC2 Instance
Artifacts at each stage:
• Source Code + Dependencies → Package
• Package + BaseAMI → Baked AMI
• Baked AMI → EC2 Instances → Cluster(s) → Application
• Application fronted by an ELB, reachable by a DNS Name
Penguin Shortbread
• Specialized Branch of Scumblr
• Tracks Applications and all their associated
metadata
• Repositories
• Committers
• DNS Names
• BaseAMI Information
• Dependencies
• More!
Penguin Shortbread
• Individual tasks for gathering different pieces of
metadata
• Tasks for Spinnaker, Github, Stash, Jenkins, etc.
• Easy to customize, maintain, etc.
• Searching and filtering based on any information
stored on the application.
• Examples:
  • What application uses sketchy.netflix.com?
  • What repos does Andy Hoernecke contribute to?
While we're at it...
• Collect information about how risky an application is
• Calculate a risk score
• Determine which applications pose the greatest risk and make decisions based on this
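The two inventory questions on the previous slide and the risk ranking above, as an added example. This is not Penguin Shortbread or Scumblr code: it is a small Ruby sketch of the same shape (one task per metadata source, per-application records, queries over them), and all application names, DNS names, repos, committers other than the speaker, and scoring weights are constructed assumptions.

```ruby
require 'set'

# One record per application; every field is filled by a metadata task.
Application = Struct.new(:name, :repos, :dns_names, :base_ami, :dependencies,
                         :internet_facing, :handles_pii, keyword_init: true)

class Inventory
  def initialize
    @apps = {}
  end

  # A task is any callable that takes an application and returns the
  # attributes it learned. Arrays are unioned and hashes merged, so several
  # sources (Spinnaker, Stash, Bakery, ...) can contribute to the same field.
  def run_task(app_name, task)
    app = (@apps[app_name] ||= Application.new(name: app_name, repos: {},
                                               dns_names: [], dependencies: []))
    task.call(app).each { |field, value| app[field] = merge(app[field], value) }
    app
  end

  # "What application uses sketchy.netflix.com?"
  def app_for_dns(dns_name)
    @apps.values.find { |a| a.dns_names.include?(dns_name) }
  end

  # "What repos does Andy Hoernecke contribute to?" (repos is repo => committers)
  def repos_for_committer(person)
    @apps.values.flat_map { |a| a.repos.select { |_, c| c.include?(person) }.keys }.uniq
  end

  # Coarse, illustrative risk score (weights are assumptions, not Netflix's):
  # exposure and data sensitivity dominate, attack surface adds a little.
  def risk_score(app)
    score = 0
    score += 40 if app.internet_facing
    score += 30 if app.handles_pii
    score += 10 * app.dns_names.size
    score + [app.dependencies.size, 20].min
  end

  def riskiest(limit = 3)
    @apps.values.sort_by { |a| -risk_score(a) }.first(limit)
  end

  private

  def merge(old, new)
    case new
    when Array then Array(old) | new
    when Hash  then (old || {}).merge(new)
    else new
    end
  end
end

# Constructed data standing in for what the real sources would return.
DNS_BY_APP   = { 'sketchy' => ['sketchy.netflix.com'], 'billing' => ['billing-api.internal'],
                 'recs' => ['recs.netflix.com'] }.freeze
REPOS_BY_APP = { 'sketchy' => { 'stash/sketchy' => ['Andy Hoernecke', 'jdoe'] },
                 'billing' => { 'stash/billing-api' => ['jdoe'] },
                 'recs'    => { 'stash/recs' => ['Andy Hoernecke'], 'stash/recs-ui' => ['jdoe'] } }.freeze
BAKES_BY_APP = { 'sketchy' => ['ami-base-2015q3', %w[rails nokogiri]],
                 'billing' => ['ami-base-2015q1', %w[rails pg stripe]],
                 'recs'    => ['ami-base-2015q1', %w[django]] }.freeze
PII_APPS     = %w[billing].freeze

def build_sample_inventory
  inv = Inventory.new
  spinnaker = lambda do |app|
    dns = DNS_BY_APP.fetch(app.name, [])
    { dns_names: dns, internet_facing: dns.any? { |d| d.end_with?('.netflix.com') } }
  end
  stash    = ->(app) { { repos: REPOS_BY_APP.fetch(app.name, {}) } }
  bakery   = ->(app) { ami, deps = BAKES_BY_APP.fetch(app.name); { base_ami: ami, dependencies: deps } }
  classify = ->(app) { { handles_pii: PII_APPS.include?(app.name) } }
  DNS_BY_APP.keys.each { |name| [spinnaker, stash, bakery, classify].each { |t| inv.run_task(name, t) } }
  inv
end

if __FILE__ == $PROGRAM_NAME
  inv = build_sample_inventory
  puts inv.app_for_dns('sketchy.netflix.com').name
  puts inv.repos_for_committer('Andy Hoernecke').inspect
  inv.riskiest.each { |a| puts "#{a.name}: #{inv.risk_score(a)}" }
end
```

Each source is an independent task, so adding a new system means adding one small lambda rather than touching the record or the queries; the queries stay cheap because they run over the merged records, not over the upstream systems.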
Security Monkey
• Monitor for changes in AWS environment
• Get alerts for important changes
• Integrations with Scumblr/Penguin Shortbread
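What "monitor for changes and alert on the important ones" looks like in code, as an added example. This is not Security Monkey (which is a Python project); it is a Ruby sketch of the same idea: flatten two snapshots of security-group ingress rules into sets, diff them, and grade the additions. The snapshots are constructed hashes in the shape of the IpPermissions entries that ec2 describe-security-groups returns; the group IDs, ports and the sensitive-port list are assumptions.

```ruby
require 'set'

Rule = Struct.new(:group_id, :protocol, :from_port, :to_port, :cidr)

# Flatten a describe-security-groups style snapshot into a set of ingress
# rules. Only IPv4 ranges (IpRanges/CidrIp) are handled here; IPv6 ranges
# live under Ipv6Ranges/CidrIpv6 and would be flattened the same way.
def ingress_rules(snapshot)
  snapshot.flat_map do |sg|
    sg['IpPermissions'].flat_map do |perm|
      perm['IpRanges'].map do |range|
        Rule.new(sg['GroupId'], perm['IpProtocol'], perm['FromPort'], perm['ToPort'], range['CidrIp'])
      end
    end
  end.to_set
end

def diff_snapshots(before, after)
  old_rules = ingress_rules(before)
  new_rules = ingress_rules(after)
  { added: (new_rules - old_rules).to_a, removed: (old_rules - new_rules).to_a }
end

SENSITIVE_PORTS = [22, 3389, 3306, 5432].freeze

# Severity of a newly added rule: world-reachable admin/database ports or
# all-traffic rules page someone; other world-open rules get reviewed;
# everything else is just recorded.
def severity(rule)
  return :low unless rule.cidr == '0.0.0.0/0'
  return :high if rule.protocol == '-1'   # all traffic; FromPort/ToPort are absent
  return :high if SENSITIVE_PORTS.any? { |p| rule.from_port <= p && p <= rule.to_port }
  :medium
end

def alerts(before, after)
  diff = diff_snapshots(before, after)
  diff[:added].map { |r| { change: :added, severity: severity(r), rule: r } } +
    diff[:removed].map { |r| { change: :removed, severity: :info, rule: r } }
end

# Constructed snapshots: between t0 and t1 someone opened SSH on sg-0123abcd
# to the world and created a second group allowing all traffic from anywhere.
SNAPSHOT_T0 = [
  { 'GroupId' => 'sg-0123abcd', 'IpPermissions' => [
    { 'IpProtocol' => 'tcp', 'FromPort' => 443, 'ToPort' => 443, 'IpRanges' => [{ 'CidrIp' => '0.0.0.0/0' }] },
    { 'IpProtocol' => 'tcp', 'FromPort' => 22,  'ToPort' => 22,  'IpRanges' => [{ 'CidrIp' => '10.0.0.0/8' }] }
  ] }
].freeze

SNAPSHOT_T1 = [
  { 'GroupId' => 'sg-0123abcd', 'IpPermissions' => [
    { 'IpProtocol' => 'tcp', 'FromPort' => 443, 'ToPort' => 443, 'IpRanges' => [{ 'CidrIp' => '0.0.0.0/0' }] },
    { 'IpProtocol' => 'tcp', 'FromPort' => 22,  'ToPort' => 22,  'IpRanges' => [{ 'CidrIp' => '0.0.0.0/0' }] }
  ] },
  { 'GroupId' => 'sg-0456ef01', 'IpPermissions' => [
    { 'IpProtocol' => '-1', 'IpRanges' => [{ 'CidrIp' => '0.0.0.0/0' }] }
  ] }
].freeze

if __FILE__ == $PROGRAM_NAME
  alerts(SNAPSHOT_T0, SNAPSHOT_T1).each do |a|
    r = a[:rule]
    puts format('%-7s %-6s %s %s %s-%s from %s', a[:change], a[:severity],
                r.group_id, r.protocol, r.from_port, r.to_port, r.cidr)
  end
end
```

Diffing whole-rule sets rather than per-group counts is what makes the change meaningful: a rule that moved from 10.0.0.0/8 to 0.0.0.0/0 shows up as one removal and one high-severity addition, not as "no change in rule count".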
Goal 1
Understand Your Environment
1. Know the components of your environment
2. Understand connections
3. Monitor for changes
Goal 2
Automated Security Controls
1. Select and run tools
2. Aggregate data
3. Take action
Pipeline: Developers → SCM → Build → Bake → Deploy

SCM stage
Systems: Github, Stash, OpenGrok
Information: Source Code, Commit History, Committer, Owner Info
Security Tools/Services: Static Analysis

Build stage
Systems: Jenkins
Information: Packaged Application, Dependency Info
Security Tools/Services: Static Analysis, Dependency Checking

Bake stage
Systems: Spinnaker, Bakery, Animator
Information: OS/Version, Animation Date, BaseAMI Info
Security Tools/Services: Host Analysis/Hardening

Deploy stage
Systems: Spinnaker, DNS, Security Monkey
Information: Application Name, DNS Names, Security Groups
Security Tools/Services: Dynamic Scanning, Runtime Analysis, Penetration Testing
Dirty Laundry
• Evolution of Scumblr
Scumblr 1.0 model: a query produces results, and each result is a URL.
Scumblr 2.0
• Extended the model with Metadata
• Added:
• Generic Tasks
• Task Ordering/Grouping
• Customizable Views
• Events
New vs. Old
• Scumblr 1.0 Tasks:
  • Search Google
  • Search Twitter
  • Search Facebook
• Example Scumblr 2.0 Tasks:
  1. Get list of Stash Repos
  2. Run Brakeman on Rails Repos
  3. Save the Results and Send out Notifications
Pulling it Together
• Dirty Laundry integrates with all our security tools
• Can track results based on a repo, a DNS name, an API endpoint, etc.
• With Penguin Shortbread, can fit things together
Action
• Enhanced the ability to track status
• Added standard way to store/action vulnerability data
• Workflowable provides easy mechanism to create JIRA tickets, send out notifications, etc.
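The three-task Scumblr 2.0 chain from the "New vs. Old" slide and the status tracking on this slide, as one added example. This is not Scumblr, Dirty Laundry or Workflowable code; it is a Ruby sketch with the same shape: ordered tasks that pass output along, a standard finding record, fingerprint-based status tracking across runs, and events that a workflow hook could turn into tickets or mail. Brakeman is not actually run: the scanner output is a constructed JSON string using Brakeman's -f json field names, with made-up fingerprints, file paths and repo names.

```ruby
require 'json'
require 'set'

# Standard vulnerability record: what a ticket, notification or dashboard needs.
Finding = Struct.new(:fingerprint, :repo, :type, :file, :line, :confidence,
                     :message, :status, keyword_init: true)

class TaskRunner
  attr_reader :store, :events

  def initialize(store = {})
    @store = store   # fingerprint => Finding; shared across runs
    @events = []     # what a Workflowable-style hook would act on
    @tasks = []
  end

  def add_task(name, &block)
    @tasks << [name, block]
  end

  # Tasks run in the order added; each receives the previous task's output.
  def run(input = nil)
    @tasks.reduce(input) { |data, (_name, task)| task.call(data) }
  end

  def emit(type, finding)
    @events << { type: type, fingerprint: finding.fingerprint, repo: finding.repo }
  end
end

REPOS = [{ url: 'stash/sketchy', framework: 'rails' }, { url: 'stash/billing-api', framework: 'rails' },
         { url: 'stash/recs', framework: 'django' }].freeze

# Constructed Brakeman JSON for two successive runs of the sketchy repo.
# Between the runs the SQL injection was fixed and a new warning appeared.
SKETCHY_RUN1 = <<~'JSON'
  {"warnings": [
    {"warning_type": "SQL Injection", "fingerprint": "fp-sqli-1", "confidence": "High",
     "message": "Possible SQL injection", "file": "app/models/user.rb", "line": 42,
     "code": "User.where(\"name = '#{params[:name]}'\")"},
    {"warning_type": "Cross-Site Scripting", "fingerprint": "fp-xss-1", "confidence": "Medium",
     "message": "Unescaped model attribute", "file": "app/views/users/show.html.erb", "line": 7}
  ]}
JSON
SKETCHY_RUN2 = <<~'JSON'
  {"warnings": [
    {"warning_type": "Cross-Site Scripting", "fingerprint": "fp-xss-1", "confidence": "Medium",
     "message": "Unescaped model attribute", "file": "app/views/users/show.html.erb", "line": 7},
    {"warning_type": "Mass Assignment", "fingerprint": "fp-mass-1", "confidence": "Medium",
     "message": "Parameters should be whitelisted", "file": "app/controllers/users_controller.rb", "line": 19}
  ]}
JSON
RUN1 = { 'stash/sketchy' => SKETCHY_RUN1 }.freeze
RUN2 = { 'stash/sketchy' => SKETCHY_RUN2 }.freeze

def brakeman_warnings(reports, repo)
  JSON.parse(reports.fetch(repo, '{"warnings": []}'))['warnings']
end

def build_chain(runner, reports)
  runner.add_task('get list of Stash repos') { |_| REPOS }
  runner.add_task('run Brakeman on Rails repos') do |repos|
    repos.select { |r| r[:framework] == 'rails' }.map do |r|
      findings = brakeman_warnings(reports, r[:url]).map do |w|
        Finding.new(fingerprint: w['fingerprint'], repo: r[:url], type: w['warning_type'],
                    file: w['file'], line: w['line'], confidence: w['confidence'],
                    message: w['message'], status: :open)
      end
      [r[:url], findings]   # every scanned repo appears, even with no findings
    end.to_h
  end
  runner.add_task('save results and notify') { |by_repo| save_findings(runner, by_repo) }
  runner
end

# Fingerprints keep a result stable across runs: a warning seen before keeps
# its record, one that vanished from a scanned repo is resolved, and only
# genuinely new (or reopened) warnings raise an event.
def save_findings(runner, by_repo)
  current = by_repo.values.flatten.map(&:fingerprint).to_set
  by_repo.each_value do |findings|
    findings.each do |f|
      existing = runner.store[f.fingerprint]
      if existing.nil?
        runner.store[f.fingerprint] = f
        runner.emit(:new_finding, f)
      elsif existing.status == :resolved
        existing.status = :open
        runner.emit(:reopened, existing)
      end
    end
  end
  runner.store.each_value do |f|
    next unless by_repo.key?(f.repo)   # only repos scanned this run can resolve
    next if current.include?(f.fingerprint) || f.status == :resolved
    f.status = :resolved
    runner.emit(:resolved, f)
  end
  runner.store
end

if __FILE__ == $PROGRAM_NAME
  shared = {}
  [RUN1, RUN2].each_with_index do |reports, i|
    runner = TaskRunner.new(shared)
    build_chain(runner, reports).run
    puts "run #{i + 1}: " + runner.events.map { |e| "#{e[:type]} #{e[:fingerprint]}" }.join(', ')
  end
end
```

The second run produces exactly two events (one new finding, one resolved) rather than re-notifying on the warning that was already known, which is the difference between a tool developers read and one they filter.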
Goal 2
Automated Security Controls
1. Select and run tools
2. Aggregate data
3. Take action
Goal 3
Tie Environment and Security Together
1. Understand vulnerabilities in context
2. Prioritize security services and remediation efforts
3. Enable linking security risks with their source
4. Identify weak links and look for improvements
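The four points above carried through in code, as an added example that is not from the talk's tooling. Findings arrive keyed by whatever the producing tool knows (a repo for static analysis, a DNS name for a dynamic scan, a base AMI for host analysis); the inventory resolves each key to the owning application(s), the application's risk score turns severity into a priority, components shared by several applications surface as weak links, and findings that resolve to nothing expose gaps in the inventory. The inventory, findings, tool names as sources, risk scores and severity weights are all constructed.

```ruby
# Constructed inventory of the kind an application catalog holds.
APPS = {
  'sketchy' => { repos: ['stash/sketchy'], dns: ['sketchy.netflix.com'], base_ami: 'ami-base-2015q3', risk: 52 },
  'billing' => { repos: ['stash/billing-api'], dns: ['billing-api.internal'], base_ami: 'ami-base-2015q1', risk: 43 },
  'recs'    => { repos: ['stash/recs', 'stash/recs-ui'], dns: ['recs.netflix.com'], base_ami: 'ami-base-2015q1', risk: 51 }
}.freeze

# Constructed findings from three tools, each keyed by what that tool knows.
FINDINGS = [
  { source: 'brakeman',  key: 'stash/sketchy',            severity: :high,   title: 'SQL injection in user.rb' },
  { source: 'arachni',   key: 'recs.netflix.com',         severity: :medium, title: 'Reflected XSS on /search' },
  { source: 'host-scan', key: 'ami-base-2015q1',          severity: :high,   title: 'Outdated OpenSSL in base image' },
  { source: 'brakeman',  key: 'stash/recs-ui',            severity: :low,    title: 'Missing CSRF protection' },
  { source: 'arachni',   key: 'legacy-admin.netflix.com', severity: :high,   title: 'Default credentials accepted' }
].freeze

SEVERITY_WEIGHT = { high: 3, medium: 2, low: 1 }.freeze

# Resolve a finding key (repo, DNS name or AMI) to the applications it
# affects. A base-image finding fans out to every application baked from it.
def apps_for_key(key, apps = APPS)
  apps.select { |_, a| a[:repos].include?(key) || a[:dns].include?(key) || a[:base_ami] == key }.keys
end

# Vulnerability in context: severity alone ranks the "high" findings equally;
# multiplied by the owning application's risk score they separate.
def prioritized(findings = FINDINGS, apps = APPS)
  findings.flat_map do |f|
    apps_for_key(f[:key], apps).map do |name|
      { app: name, source: f[:source], title: f[:title],
        priority: SEVERITY_WEIGHT.fetch(f[:severity]) * apps[name][:risk] }
    end
  end.sort_by { |row| -row[:priority] }
end

# Weak links: one component carrying a finding into several applications.
def weak_links(findings = FINDINGS, apps = APPS)
  findings.map { |f| [f[:key], apps_for_key(f[:key], apps)] }
          .select { |_, owners| owners.size > 1 }.to_h
end

# Findings that map to no known application point at a gap in the inventory
# itself: a Goal 1 problem surfaced by Goal 3 data.
def unattributed(findings = FINDINGS, apps = APPS)
  findings.reject { |f| apps_for_key(f[:key], apps).any? }
end

if __FILE__ == $PROGRAM_NAME
  prioritized.each { |r| puts format('%4d %-8s %-9s %s', r[:priority], r[:app], r[:source], r[:title]) }
  puts "weak links: #{weak_links.inspect}"
  puts "unattributed: #{unattributed.map { |f| f[:key] }.inspect}"
end
```

With these numbers the base-image finding outranks the medium-severity XSS for the internet-facing recommendations application but not the SQL injection in sketchy, and it is the only entry in the weak-links list, which is the argument for fixing it once in the BaseAMI rather than in each application.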
Coming Soon
Open Source
• Netflix Open Source
• Scumblr
• Security Monkey
• Penguin Shortbread (soon)
• Spinnaker
• Animator
• More: https://netflix.github.io/
• Arachni www.arachni-scanner.com
• Dependency Check https://www.owasp.org/index.php/OWASP_Dependency_Check
• FindSecBugs http://find-sec-bugs.github.io/
• Brakeman http://brakemanscanner.org/
• Bandit https://github.com/openstack/bandit
Thanks!

Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
 
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
INDIVIDUAL ASSIGNMENT #3 CBG, PRESENTATION.
 
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298  )#  Call Girls in DubaiRussian Call Girls in %(+971524965298  )#  Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 

Proactive Security AppSec Case Study

Where do Applications Come From?
• Binaries
• Appliances
• SaaS
• Internally Developed (Source Code)

Where do Applications Come From? (Internally Developed)
Pipeline: Developers -> SCM -> Build -> Bake -> Deploy
1. Developers push code to SCM
2. Built into a package
3. Combined with BaseAMI to form a machine image
4. Deployed as an EC2 Instance

[Pipeline diagram, artifacts per stage: Source Code (SCM); Dependencies -> Package (Build); Package + BaseAMI -> Baked AMI (Bake); EC2 Instance (Deploy)]
[Diagram: a deployed Application consists of one or more Clusters, each of one or more EC2 Instances, fronted by an ELB with a DNS Name]
[Diagram: Penguin Shortbread spans the whole pipeline, tying Source Code, Dependencies, Package, BaseAMI, Baked AMI, EC2 Instances, Clusters, ELB and DNS Name to the Application]

Penguin Shortbread
• Specialized branch of Scumblr
• Tracks Applications and all their associated metadata:
  • Repositories
  • Committers
  • DNS Names
  • BaseAMI Information
  • Dependencies
  • More!

Penguin Shortbread
• Individual tasks for gathering different pieces of metadata
• Tasks for Spinnaker, Github, Stash, Jenkins, etc.
• Easy to customize, maintain, etc.
• Searching and filtering based on any information stored on the application
• Examples:
  • What application uses sketchy.netflix.com?
  • What repos does Andy Hoernecke contribute to?

While we're at it...
• Collect information about how risky an application is
• Calculate a risk score
• Determine which applications pose the greatest risk and make decisions based on this
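The inventory-and-risk-score idea from the three slides above, as an added example written for this page; it is not Penguin Shortbread's or Scumblr's own code. Each source system gets its own gathering task, the records are merged into one entry per application, and that entry answers the two sample questions and yields a score. The task output, the application names other than the sketchy.netflix.com DNS name named on the slide, the score weights and the "deprecated component" rule are all constructed for the example.

```ruby
# Added example modelled on Penguin Shortbread; not the project's code.
# Constructed stand-ins for the Spinnaker, Github and dependency gathering tasks.
SPINNAKER_TASK = lambda do
  [
    { app: 'sketchy',     dns_names: ['sketchy.netflix.com'], base_ami: 'base-2015.09', internet_facing: true },
    { app: 'billing-api', dns_names: ['billing.internal'],    base_ami: 'base-2015.11', internet_facing: false },
  ]
end

GITHUB_TASK = lambda do
  [
    { app: 'sketchy',     repos: ['example-org/sketchy'],     committers: ['Andy Hoernecke', 'A. Developer'] },
    { app: 'billing-api', repos: ['example-org/billing-api'], committers: ['Andy Hoernecke'] },
  ]
end

DEPENDENCY_TASK = lambda do
  [
    { app: 'sketchy',     dependencies: ['rails 4.2', 'phantomjs 1.9'] },
    { app: 'billing-api', dependencies: ['spring 4.1'], handles_payment_data: true },
  ]
end

# Merge every task's records into one hash per application. Array-valued
# fields are unioned so several sources can each contribute repos, DNS names, etc.
def build_inventory(tasks)
  tasks.each_with_object(Hash.new { |h, k| h[k] = { app: k } }) do |task, inventory|
    task.call.each do |record|
      entry = inventory[record[:app]]
      record.each do |field, value|
        next if field == :app
        entry[field] = value.is_a?(Array) ? ((entry[field] || []) | value) : value
      end
    end
  end
end

# "What application uses sketchy.netflix.com?"
def app_for_dns(inventory, dns_name)
  entry = inventory.values.find { |e| (e[:dns_names] || []).include?(dns_name) }
  entry && entry[:app]
end

# "What repos does Andy Hoernecke contribute to?"
def repos_for_committer(inventory, name)
  inventory.values.select { |e| (e[:committers] || []).include?(name) }
           .flat_map { |e| e[:repos] || [] }.sort
end

# Risk score along the accessibility / functionality / security dimensions.
# Weights and the "deprecated component" rule are assumptions for this example.
def risk_score(entry, current_base_ami:)
  score = 0
  score += 40 if entry[:internet_facing]                 # accessibility: reachable from the Internet
  score += 30 if entry[:handles_payment_data]            # functionality: handles sensitive data
  score += 20 if entry[:base_ami] != current_base_ami    # security: running a stale BaseAMI
  score += 10 if (entry[:dependencies] || []).any? { |d| d.start_with?('phantomjs') } # assumed deprecated component
  score
end

# Applications ordered by score, highest first, to decide where to spend effort.
def riskiest_apps(inventory, current_base_ami:)
  inventory.values.map { |e| [e[:app], risk_score(e, current_base_ami: current_base_ami)] }
           .sort_by { |(_, score)| -score }
end

inventory = build_inventory([SPINNAKER_TASK, GITHUB_TASK, DEPENDENCY_TASK])
puts app_for_dns(inventory, 'sketchy.netflix.com')
puts repos_for_committer(inventory, 'Andy Hoernecke').inspect
puts riskiest_apps(inventory, current_base_ami: 'base-2015.11').inspect
```

Because each task only knows its own source, adding a new source (Jenkins, Stash) is one more lambda in the list; the merge and the queries do not change.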
Security Monkey
• Monitor for changes in AWS environment
• Get alerts for important changes
• Integrations with Scumblr/Penguin Shortbread
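What "monitor for changes, alert on the important ones" looks like in practice, as an added example written for this page in the spirit of Security Monkey; it is not Security Monkey's code. Two polls of an account's security groups are diffed and only changes that matter (here: a newly added ingress rule open to the world on a non-web port) become alerts, routed to the owning application the way the Penguin Shortbread integration would. The snapshots, the group-to-application mapping and the severity thresholds are constructed assumptions.

```ruby
# Added example modelled on Security Monkey; not the project's code.
WORLD_CIDRS = ['0.0.0.0/0', '::/0'].freeze
WEB_PORTS   = [80, 443].freeze

# Constructed: what the previous and the current poll returned, keyed by group id.
SNAPSHOT_BEFORE = {
  'sg-web' => [{ proto: 'tcp', from: 443,  to: 443,  cidr: '0.0.0.0/0' }],
  'sg-db'  => [{ proto: 'tcp', from: 3306, to: 3306, cidr: '10.0.0.0/8' }],
}.freeze

SNAPSHOT_AFTER = {
  'sg-web' => [{ proto: 'tcp', from: 443,  to: 443,  cidr: '0.0.0.0/0' },
               { proto: 'tcp', from: 22,   to: 22,   cidr: '0.0.0.0/0' }],   # SSH opened to the world
  'sg-db'  => [{ proto: 'tcp', from: 3306, to: 3306, cidr: '10.0.0.0/8' }],
  'sg-new' => [{ proto: 'tcp', from: 8080, to: 8080, cidr: '10.1.0.0/16' }], # new group, internal only
}.freeze

# Constructed: security group -> owning application (what the inventory would supply).
SG_OWNERS = { 'sg-web' => 'sketchy', 'sg-db' => 'billing-api' }.freeze

# Every rule added or removed between the two polls, across all groups.
def diff_security_groups(before, after)
  (before.keys | after.keys).flat_map do |sg|
    old_rules = before.fetch(sg, [])
    new_rules = after.fetch(sg, [])
    (new_rules - old_rules).map { |r| { sg: sg, change: :added,   rule: r } } +
      (old_rules - new_rules).map { |r| { sg: sg, change: :removed, rule: r } }
  end
end

# Severity of one change. Thresholds are this example's assumptions.
def severity(change)
  rule = change[:rule]
  return :info unless change[:change] == :added
  return :low  unless WORLD_CIDRS.include?(rule[:cidr])
  # Something is now reachable from the Internet; web ports are the expected case.
  (rule[:from]..rule[:to]).all? { |p| WEB_PORTS.include?(p) } ? :medium : :high
end

SEVERITY_ORDER = %i[info low medium high].freeze

# Alerts at or above the requested severity, each routed to the owning application.
def alerts(before, after, min: :medium, owners: SG_OWNERS)
  diff_security_groups(before, after)
    .map { |c| c.merge(severity: severity(c), owner: owners.fetch(c[:sg], 'unknown')) }
    .select { |c| SEVERITY_ORDER.index(c[:severity]) >= SEVERITY_ORDER.index(min) }
end

alerts(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).each do |a|
  puts "#{a[:severity]}: #{a[:sg]} (#{a[:owner]}) added #{a[:rule][:proto]} #{a[:rule][:from]}-#{a[:rule][:to]} from #{a[:rule][:cidr]}"
end
```

Diffing snapshots rather than inspecting the current state alone is what keeps the alert volume proportional to change: a world-open port 443 that has been there for a year is not news, the SSH rule that appeared since the last poll is.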
Goal 1
Understand Your Environment (recap)
1. Know the components of your environment
2. Understand connections
3. Monitor for changes

Goal 2
Automated Security Controls
1. Select and run tools
2. Aggregate data
3. Take action

Pipeline stage: SCM
• Systems: Github, Stash, OpenGrok
• Information: Source Code, Commit History, Committer, Owner Info
• Security Tools/Services: Static Analysis

Pipeline stage: Build
• Systems: Jenkins
• Information: Packaged Application, Dependency Info
• Security Tools/Services: Static Analysis, Dependency Checking

Pipeline stage: Bake
• Systems: Spinnaker, Bakery, Animator
• Information: OS/Version, Animation Date, BaseAMI Info
• Security Tools/Services: Host Analysis/Hardening

Pipeline stage: Deploy
• Systems: Spinnaker, DNS, Security Monkey
• Information: Application Name, DNS Names, Security Groups
• Security Tools/Services: Dynamic Scanning, Runtime Analysis, Penetration Testing

Scumblr 2.0
• Extended the model with Metadata
• Added:
  • Generic Tasks
  • Task Ordering/Grouping
  • Customizable Views
  • Events

New vs. Old
• Scumblr 1.0 Tasks:
  • Search Google
  • Search Twitter
  • Search Facebook
• Example Scumblr 2.0 Tasks:
  1. Get list of Stash Repos
  2. Run Brakeman on Rails Repos
  3. Save the Results and Send out Notifications

Pulling it Together
• Dirty Laundry integrates with all our security tools
• Can track results based on a repo, a DNS name, an API endpoint, etc.
• With Penguin Shortbread, can fit things together

Action
• Enhanced the ability to track status
• Added standard way to store/action vulnerability data
• Workflowable provides easy mechanism to create JIRA tickets, send out notifications, etc.
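The three-task chain from the "New vs. Old" slide (list repos, run Brakeman on the Rails ones, save results and notify) together with the "Pulling it Together" and "Action" slides, as one added example written for this page; it is not Scumblr's, Dirty Laundry's or Workflowable's code. It shows the Scumblr 2.0 ideas the slides name: generic tasks, a fixed task order, results stored against their source (repo, file, line) and events raised only for findings that are not already stored, which is what makes the chain safe to rerun on every commit. The repository listing and the two-check scanner are constructed stand-ins for the Stash API and for Brakeman so that the example runs offline; the repos and their file contents are made up.

```ruby
# Added example modelled on a Scumblr 2.0 task chain; not the project's code.
# Constructed stand-in for the Stash repo listing.
REPOS = [
  { name: 'store-front', type: 'rails',
    files: {
      'app/controllers/orders_controller.rb' => 'Order.where("id = #{params[:id]}")',
      'app/views/orders/show.html.erb'       => '<%= raw params[:note] %>',
    } },
  { name: 'edge-proxy', type: 'java', files: {} },
].freeze

# Constructed checks standing in for Brakeman's: string interpolation inside a
# where() string, and unescaped output helpers.
CHECKS = {
  'SQL Injection'        => /\.where\(\s*"[^"]*\#\{/,
  'Cross-Site Scripting' => /\braw\b|\.html_safe\b/,
}.freeze

# Task 1: produce the list of repositories.
def list_repos
  REPOS
end

# Task 2: scan only the Rails repos; one result per (repo, file, line, check).
def scan_rails_repos(repos)
  repos.select { |r| r[:type] == 'rails' }.flat_map do |repo|
    repo[:files].flat_map do |path, content|
      content.each_line.with_index(1).flat_map do |line, lineno|
        CHECKS.select { |_, re| line =~ re }.keys.map do |check|
          { repo: repo[:name], file: path, line: lineno, check: check, status: 'open' }
        end
      end
    end
  end
end

# Task 3: persist results and return one action per finding that is new.
# A finding's identity is its source location plus the check, so an unchanged
# finding on the next run is a no-op and a fixed one simply stops reappearing.
def save_and_notify(store, results)
  identity = ->(r) { r.values_at(:repo, :file, :line, :check) }
  known = store.map(&identity)
  new_results = results.reject { |r| known.include?(identity.call(r)) }
  store.concat(new_results)
  # Stand-in for a Workflowable action such as opening a JIRA ticket.
  new_results.map { |r| "ticket: [#{r[:check]}] #{r[:repo]} #{r[:file]}:#{r[:line]}" }
end

# Ordered execution: each task receives the previous task's output.
def run_pipeline(store)
  tasks = [
    ->(_)       { list_repos },
    ->(repos)   { scan_rails_repos(repos) },
    ->(results) { save_and_notify(store, results) },
  ]
  tasks.reduce(nil) { |input, task| task.call(input) }
end

results_store = []
puts run_pipeline(results_store)          # first run: one ticket per finding
puts run_pipeline(results_store).inspect  # second run: nothing new, no tickets
```

Keying stored results by source location is what lets the same record later be joined to the inventory: the repo name is the link to the application, and through it to the DNS names, owners and risk score.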
Goal 2
Automated Security Controls (recap)
1. Select and run tools
2. Aggregate data
3. Take action

Goal 3
Tie Environment and Security Together (Coming Soon)
1. Understand vulnerabilities in context
2. Prioritize security services and remediation efforts
3. Enable linking security risks with their source
4. Identify weak links and look for improvements

Open Source
• Netflix Open Source (more at https://netflix.github.io/)
  • Scumblr
  • Security Monkey
  • Penguin Shortbread (soon)
  • Spinnaker
  • Animator
• Arachni: www.arachni-scanner.com
• Dependency Check: https://www.owasp.org/index.php/OWASP_Dependency_Check
• FindSecBugs: http://find-sec-bugs.github.io/
• Brakeman: http://brakemanscanner.org/
• Bandit: https://github.com/openstack/bandit