Empowering Application Security Protection in the World of DevOps
Denunciar
IBM SecuritySeguir
12 de May de 2016•0 gostou•974 visualizações
Empowering Application Security Protection in the World of DevOps
12 de May de 2016•0 gostou•974 visualizações
Baixar para ler offline
Denunciar
Tecnologia
Watch on-demand now: https://securityintelligence.com/events/application-security-protection-world-of-devops/ How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Development teams are aware of the shifting security challenges they face. However, they're by no means security experts, nor do they have spare time on their hands to learn new tools. What can development teams do to keep pace with rapidly-evolving application security threats? The answer lies in automation. By making application security part of the continuous build processes, organizations can protect against these major risks. In this session, you will learn: - New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments. - Best practices for designing and incorporating an automated approach to application security into your existing development environment. - Future development and application security challenges organizations will face and what they can do to prepare.
IBM SecuritySeguir
Recomendados
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...IBM Security
What’s the State of Your Endpoint Security?IBM Security
Failed Ransom: How IBM XGS Defeated RansomwareIBM Security
Uncover What's Inside the Mind of a HackerIBM Security
Cloud security enforcer - Quick steps to avoid the blind spots of shadow itIBM Security
Attack Autopsy: A Study of the Dynamic Attack ChainIBM Security
Mais conteúdo relacionado
Mais procurados
Compete To Win: Don’t Just Be Compliant – Be Secure!IBM Security
Borderless Breaches and Migrating Malware: How Cybercrime is Breaking Down Ba...IBM Security
Top 12 Cybersecurity Predictions for 2017IBM Security
The Next Stage of Fraud Protection: IBM Security Trusteer Fraud Protection SuiteIBM Security
Malware on Smartphones and Tablets: The Inconvenient TruthIBM Security
The 2016 Ponemon Cost of a Data Breach StudyIBM Security
Destaque
DevOps and IT securitych.osme
DevOps in a Regulated and Embedded Environment (AgileDC)Arjun Comar
Release Engineering & Rugged DevOps: An Intersection - J. Paul ReedSeniorStoryteller
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are SecurePuppet
Making Security Agile - Oleg GrybSeniorStoryteller
Building Security In - A Tale of Two Stories - Laksh RaghavanSeniorStoryteller
Similar a Empowering Application Security Protection in the World of DevOps
Software Security Assurance for DevOpsBlack Duck by Synopsys
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyBlack Duck by Synopsys
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck by Synopsys
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckBlack Duck by Synopsys
7 Reasons Your Applications are Attractive to AdversariesDerek E. Weeks
Solnet dev secops meetuppbink
Mais de IBM Security
Automation: Embracing the Future of SecOpsIBM Security
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...IBM Security
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...IBM Security
Integrated Response with v32 of IBM ResilientIBM Security
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...IBM Security
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...IBM Security
Último
Swiss Re Reinsurance Solutions - Automated Claims Experience – Insurer Innova...The Digital Insurer
Orchestration, Automation and Virtualisation Maturity ModelCSUC - Consorci de Serveis Universitaris de Catalunya
Charity Navigator Masterclass - Accountability and Finance BeaconOnBoard
Top tips for boosting your digital skills, with BT Group and Age UKAbilityNet
ISO Survey 2022: ISO 27001 certificates (ISMS)Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
Jino Clone: Develop a Car Wash Mobile App with Limited Resources eSiteWorld TechnoLabs Pvt. Ltd.
Empowering Application Security Protection in the World of DevOps
- 1. EMPOWERING APPLICATION SECURITY IN THE WORLD OF DEVOPS
- 2. AGENDA STATE OF APPLICATION SECURITY INTEGRATING APPLICATION SECURITY IN DEVOPS UNIQUE CHALLENGES IN DEVOPS
- 3. © 2015 Black Duck Software, Inc. All Rights Reserved. STATE OF APPLICATION SECURITY: CUSTOM & OPEN SOURCE CODE
- 4. WEB APPLICATION VULNERABILITIES XSS AND SQL INJECTION EXPLOITATIONS XSS AND SQL INJECTION EXPLOITS ARE CONTINUING IN HIGH NUMBERS Source: IBM X-Force Threat Intelligence Quarterly, 2014Source: IBM X-Force Threat Intelligence Quarterly, 2014 APPLICATIONS - THE WEAKEST LINK IN THE IT SECURITY CHAIN 25% 20% 15% 10% 5% 0% 2009 2010 2011 2012 2013 WEB APPLICATION VULNERABILITIES 33% OF VULNERABILITY DISCLOSURES ARE WEB APPLICATION VULNERABILITIES 33%
- 5. Source: The State of Risk-Based Security Management, Research Study by Ponemon Institute, 2013 INVESTMENT PRIORITY - “SECURITY RISKS” VS. YOUR “SPEND” MANY CLIENTS DO NOT PRIORITIZE APPLICATION SECURITY IN THEIR ENVIRONMENTS 35% 30% 25% 20% 15% 10% 5% APPLICATION LAYER DATA LAYER NETWORK LAYER HUMAN LAYER HOST LAYER PHYSICAL LAYER SECURITY RISK SPENDING SPENDING DOES NOT EQUAL RISK Source: The State of Risk-Based Security Management, Research Study by Ponemon Institute, 2013
- 6. CUSTOM AND OPEN SOURCE CODE MIX OPEN SOURCE • Needed functionality without acquisition costs • Faster time to market • Lower development costs • Broad support from communities CUSTOM CODE • Proprietary functionality • Core enterprise IP • Competitive differentiation OPEN SOURCE CUSTOM CODE
- 7. The shifting application security threat landscapeRISE OF OPEN SOURCE VULNERABILITIES OPEN SOURCE COMPONENTS WITH KNOWN VULNERABILITIES Since 2014, over 6,000 new vulnerabilities in open source components. Source: Risk Based Security’s VulnDB 0 200 400 600 800 1,000 1,200 1 4 7 10 13 16 19 22 25 28 31 34 37 40 43 46 49 52 55 58 61 64 67 70 73 76 Heartbleed Disclosure
- 8. 8 CONFIDENTIAL WHO’S RESPONSIBLE FOR SECURITY?WHO IS RESPONSIBLE FOR SECURITY? DEDICATED SECURITY RESEARCHERS ALERTING AND NOTIFICATION INFRASTRUCTURE REGULAR PATCH UPDATES DEDICATED SUPPORT TEAM WITH SLA “COMMUNITY”-BASED CODE ANALYSIS MONITOR NEWSFEEDS YOURSELF NO STANDARD PATCHING MECHANISM ULTIMATELY, YOU ARE RESPONSIBLE COMMERCIAL CODE OPEN SOURCE CODE
- 9. 9 CONFIDENTIAL CONTAINERS AND DEVOPS Containers can be vulnerable by virtue of the code that runs inside them • OSS components running inside containers represent potential attack vectors • Could cause problems for the application itself • Could cause more problems if the container is running with the – privileged flag set
- 10. © 2015 Black Duck Software, Inc. All Rights Reserved. UNIQUE CHALLENGES IN DEVOPS
- 11. 11 CONFIDENTIAL WHAT IS DEVOPS? • Set of principles • Faster software delivery • Continuous process • Collaborative • Achieved by automation
- 12. 12 CONFIDENTIAL CHALLENGES WITH APPLICATION SECURITY IN DEVOPS • Developers are not security experts • Time pressure • Security can be an afterthought • Application security teams are small • Testing happens too late in the process
- 13. 13 CONFIDENTIAL BENEFIT FROM DEVOPS WITHOUT COMPROMISING SECURITY • Automation of Security Testing • Security Gates
- 14. INTEGRATING APPLICATION SECURITY IN DEVOPS
- 15. 15 CONFIDENTIAL CONTINUOUS INTEGRATION ENVIRONMENT Binary Repository Management (Artifactory / Nexus) Developers / IDE (Eclipse) Deployment Environments (Amazon / Docker / VMWare / Openstack) Continuous Integration Server (Jenkins / TeamCity / Bamboo) Test Automation Tools (Selenium / JUnit) Quality Management Tools Bug Tracking Tools Source Control Management (Git, CVS / Subversion / Perforce) Build Tools (Maven / Bundler)
- 16. 16 CONFIDENTIAL Static Analysis Dynamic Analysis Interactive Analysis Open Source Scanning APPLICATION SECURITY TESTING TECHNOLOGIES
- 17. 17 CONFIDENTIAL CONTINUOUS INTEGRATION ENVIRONMENT Binary Repository Management (Artifactory / Nexus) Developers / IDE (Eclipse) Continuous Integration Server (Jenkins / TeamCity / Bamboo) Deployment Environments (Amazon / Docker / VMWare / Openstack) Test Automation Tools (Selenium / JUnit) Quality Management Tools Bug Tracking Tools Source Control Management (Git, CVS / Subversion / Perforce) Build Tools (Maven / Bundler) DAST / IAST SAST / OSS Bug Tracking Integration OSS IDE integration
- 18. 18 CONFIDENTIAL BUILD CUSTOM SECURITY GATES BASED ON NEEDS DELIVERY TEAM VERSION CONTROL BUILD & UNIT TESTS AUTOMATED ACCEPTANC E TESTS USER ACCEPTANC E TESTS RELEASE PIPELINE 1 PIPELINE 2 PIPELINE 3
- 19. 19 CONFIDENTIAL CUSTOM CODE VULNERABILITIESIBM AND BLACK DUCK – INTEGRATED VIEW CUSTOM CODE VULNERABILITIES OPEN SOURCE VULNERABILITIES CUSTOM CODE VULNERABILITIES
- 20. 20 CONFIDENTIAL WHAT CAN YOU DO TOMORROW?WHAT CAN YOU DO TOMORROW? Speak with your head of application development, DevOps and find out… What are your current application security practices? What kinds of security gates do you need to build to ensure nothing gets through? What tools are you using as part of the development and application security lifecycle? Are containers like Docker part of your deployment model? How are you tracking for new vulnerabilities over time?
- 21. SEND QUESTIONS TO IBM@BLACKDUCKSOFTWARE.COM THANK YOU!