8 PATTERNS FOR
CONTINUOUS CODE
SECURITY
By Chris Wysopal, CTO, Veracode
Produced for Threat Stack
Introductions
Chris Wysopal
Co-Founder and CTO, Veracode
Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a
well-known speaker in the information security field. He has given keynotes at
computer security events and has testified on Capitol Hill on the subjects of
government computer security and how vulnerabilities are discovered in software. At
Veracode, Mr. Wysopal is responsible for the security analysis capabilities of
Veracode technology. He can be found on Twitter as @WeldPond.
Best Practices of Secure Agile Teams
According to the 2014 Verizon Data Breach Investigation Report (DBIR), web applications are the #1 attack vector leading to data breaches.
Deploying insecure web applications into production can be risky, resulting in potential loss of customer data, corporate intellectual property and/or brand value!
Many organizations still deploy public-facing
applications without assessing them for
common and easily-exploitable
vulnerabilities such as SQL Injection and
Cross-Site Scripting (XSS).
WHY?
Traditional approaches to application security are
complex, manual and time-consuming,
deterring agile teams from incorporating code
analysis into sprints.
IT DOESN’T HAVE TO BE THAT WAY…
Just follow these eight patterns.
Incorporating SecDevOps concepts into the Software
Development Lifecycle (SDLC), we can embed continuous
code-level security and assessment into our agile
development processes.
1. Think Like A Developer
How to do this in agile environments:
• Upload code to a cloud-based application security service, such as Veracode, directly from the IDE
• Analyze code automatically
• Results downloaded to the development environment — addressing vulnerabilities before check-in
This finds vulnerabilities DURING coding instead of during a SEPARATE security hardening sprint.
2. Find It Early. Fix It Early.
• This makes vulnerabilities easier and less expensive to fix
• It reduces the overall risk to successfully delivering the team’s payload
• This allows continuous security assessments to fit into a one- to two-week sprint
Frequent assessments allow teams to identify and remediate blockers early in the cycle.
3. Use Multiple Analysis Techniques For Optimum Coverage And Accuracy
Achieving the broadest view of application security takes 3 components:
Binary static analysis
Also known as “white box testing” or “inside out testing”, this analyzes data and control paths without actually executing the application, looking for vulnerabilities such as SQLi and XSS.
Dynamic analysis (DAST)
Also known as “black box” or “outside in” testing, this identifies exploitable vulnerabilities at runtime, during pre-production QA/staging.
Manual penetration testing
This looks for vulnerabilities that can only be found by humans, such as Cross-Site Request Forgery (CSRF) or business logic issues.
4. Automate To Blend In
• Automation inside the IDE (Eclipse): Used to build, upload, scan
and download results, which are shown against the code inside the
editor for easy remediation.
• Automation at team or release candidate stage: Allows the build
server (Jenkins) to automatically upload build artifacts for assessment,
using Veracode APIs.
• API-driven automation in bug tracking system (JIRA): Downloads
results and manages vulnerability lifecycle.
• Tickets for vulnerabilities are triaged: This uses the same process
as all other bugs.
Blending in with developers’ automated toolchains means leveraging tools they already use.
When security assessments are blended in, developers don’t need to switch context — and can work more efficiently!
5. Play In The Sandbox
• Consider an assessment sandbox a branch
inside the application
• Developers scan the branch and understand if it
will pass the current policy
• Each team can have a sandbox for merging
multiple branches to assess the integration
Assess new code against the organization’s security
policy without affecting policy compliance.
6. Avoid Replicating Vulnerabilities
The “copy and paste” effect: developers work in copy and paste patterns. But when vulnerabilities get replicated across the code base, the risk is magnified across the project. This creates a “security debt”: the work later needed to clean up every copy of those vulnerabilities.
7. Learn From Constant Feedback
Direct interaction between developers
+
detailed vulnerability feedback
=
self-reflection
The “aha” moment: self-reflection allows developers to see their own coding habits and gain insights into how to develop more secure ones.
“Oh, I shouldn’t have coded it this way, because as soon as I upload it, I’m going to see the same results.”
Reuse secure patterns and avoid insecure ones!
8. Be Transparent About Security Risk Via Policies
This raises visibility into vulnerabilities and allows for triaging of every application-layer threat before release.
Triage involves answering:
• “Do we need to remediate this vulnerability?”
• “Can we mitigate instead, and if so, how?”
• “Is this a risk we’re willing to accept?”
Labels identify the vulnerabilities that violate corporate security policies.
Visibility enables pragmatic discussions about risk within the normal agile sprint management process.
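As an added illustration of patterns 5 and 8 (this is not code from the deck, Veracode or Threat Stack), the following Python models a corporate policy that labels findings as violations, the three triage answers above, and a sandbox scan that tells a developer whether a branch would pass policy without touching the application's compliance status. The finding schema, severity scale, CWE-based rules, sample findings and triage entries are all constructed for the example.

```python
# Added example (not code from the deck, Veracode or Threat Stack): a minimal
# policy engine for patterns 5 and 8. The finding schema, severity scale,
# sample findings and triage entries are constructed for the illustration.
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    """The three triage answers from pattern 8."""
    REMEDIATE = "remediate"  # fix the code; blocks until a rescan drops the finding
    MITIGATE = "mitigate"    # compensating control; needs a written "how"
    ACCEPT = "accept"        # accepted risk; needs a written justification


@dataclass(frozen=True)
class Finding:
    cwe: int        # CWE id reported by the scanner (89 = SQLi, 79 = XSS, ...)
    severity: int   # constructed scale: 5 = very high ... 1 = informational
    location: str   # "file:line", used here as the finding's id


@dataclass(frozen=True)
class Policy:
    """Corporate security policy: what counts as a violation."""
    max_severity_allowed: int             # anything above this violates policy
    banned_cwes: frozenset = frozenset()  # these violate policy at any severity

    def violates(self, f):
        return f.cwe in self.banned_cwes or f.severity > self.max_severity_allowed


def label_findings(policy, findings):
    """Pattern 8: label every finding so policy violations are visible to all."""
    return {f.location: ("policy-violation" if policy.violates(f) else "within-policy")
            for f in findings}


def blocking_findings(policy, findings, triage):
    """Violations that still block release after triage (location -> (Decision, why)).
    A violation stops blocking only when mitigated or accepted with a non-empty
    justification; REMEDIATE keeps blocking until a rescan no longer reports it."""
    blocking = []
    for f in findings:
        if not policy.violates(f):
            continue
        entry = triage.get(f.location)
        if entry is None:                    # never triaged
            blocking.append(f)
            continue
        decision, justification = entry
        if decision is Decision.REMEDIATE or not justification.strip():
            blocking.append(f)
    return blocking


def evaluate_scan(policy, findings, triage, sandbox):
    """Pattern 5: a sandbox scan tells the developer whether the branch would
    pass policy, but only a policy scan may change the compliance status."""
    blocking = blocking_findings(policy, findings, triage)
    return {
        "labels": label_findings(policy, findings),
        "blocking": [f.location for f in blocking],
        "passes_policy": not blocking,
        "updates_compliance": not sandbox,
    }


class ComplianceRecord:
    """The application's policy-compliance status as reported to management."""

    def __init__(self):
        self.status = "unknown"

    def apply(self, report):
        if report["updates_compliance"]:
            self.status = "compliant" if report["passes_policy"] else "non-compliant"
        return self.status


# Constructed sample data: a policy, one scan's findings and the team's triage.
POLICY = Policy(max_severity_allowed=3, banned_cwes=frozenset({89, 79}))

FINDINGS = [
    Finding(89, 5, "app/orders.py:42"),   # SQL injection: banned CWE
    Finding(79, 4, "app/views.py:17"),    # XSS: banned CWE
    Finding(352, 3, "app/forms.py:88"),   # CSRF at severity 3: within policy
    Finding(327, 4, "app/crypto.py:9"),   # weak crypto: severity above threshold
]

TRIAGE = {
    "app/orders.py:42": (Decision.REMEDIATE, "parameterize the query"),
    "app/views.py:17": (Decision.MITIGATE, "template auto-escapes; CSP enforced"),
    "app/crypto.py:9": (Decision.ACCEPT, ""),   # accepted with no justification
}


def demo():
    """Sandbox scan first (compliance untouched), then the real policy scan."""
    record = ComplianceRecord()
    sandbox_report = evaluate_scan(POLICY, FINDINGS, TRIAGE, sandbox=True)
    record.apply(sandbox_report)                                # still "unknown"
    policy_report = evaluate_scan(POLICY, FINDINGS, TRIAGE, sandbox=False)
    return sandbox_report, policy_report, record.apply(policy_report)
```

In the sample, the SQLi finding (marked for remediation) and the weak-crypto finding (accepted without a justification) keep blocking; once the SQLi fix lands and the acceptance is justified, the same policy scan passes.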
Adopting these 8 patterns has helped Veracode and Threat Stack become more efficient, more secure and more successful in delivering code with short delivery cycles — without sacrificing security.
Start Implementing Continuous Code Security Today
threatstack.com (@threatstack)
veracode.com (@veracode)
