Continuous Security - ThunderPlains 2016

Post on 21-Jan-2018


Continuous Security

Adam Baldwin (@adam_baldwin / evilpacket)

Node Security Project

What is Continuous Security?

- Keep vulnerabilities out of production

- Don't ignore production code

- Shift security culture

Keep Vulnerabilities out of Production

[Diagram: development → production, plotted against risk]

Design / Threat Modeling

THREAT                  PROPERTY VIOLATED
Spoofing                Authentication
Tampering               Integrity
Repudiation             Non-repudiation
Information disclosure  Confidentiality
Denial of service       Availability
Elevation of privilege  Authorization

(STRIDE, from Adam Shostack, Threat Modeling: Designing for Security, 2014)

The 100% Test Coverage Myth

Thinking Beyond Tests

Challenge assumptions

Demo?

Pull Request Reviews

- What sources & sinks were added

- What new dependencies were added

- What new technologies were added

- What new behaviors are introduced or changed
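The "new dependencies" and "new behaviors" items of that checklist can be given a mechanical first pass before a human reads the diff. The following is an added example, not code from the talk or from the Node Security Project: it compares the parsed package.json of the base branch with that of the PR head, reports added, removed and re-pinned dependencies, flags specifiers that bypass the registry (git and tarball URLs, local paths, `user/repo` shorthand), and flags lifecycle scripts that npm will run automatically on install. The two package.json objects and the `someuser/tiny-csv` dependency are constructed for the example.

```javascript
// Added example (not part of the talk): a mechanical first pass over the
// package.json changes in a pull request, covering the "new dependencies"
// and "new behaviours" items of the review checklist.

// Specifiers that do not resolve through the registry deserve a closer look:
// git URLs, tarball URLs, local paths and "user/repo" GitHub shorthand bypass
// the registry's versioning and publishing controls.
const NON_REGISTRY =
  /^(git(\+[a-z]+)?:|https?:|file:|github:|gitlab:|bitbucket:|[^/@\s]+\/[^/@\s]+$)/i;

// Lifecycle scripts npm runs on its own during install; a PR that adds or
// changes one introduces new behaviour for everyone who installs the package.
const INSTALL_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

// Flatten the three dependency fields into { name: { spec, field } }.
function collectDeps(pkg) {
  const out = {};
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) out[name] = { spec, field };
  }
  return out;
}

// Compare base-branch and PR-head package.json objects and return the items a
// reviewer should look at.
function reviewPackageChange(basePkg, headPkg) {
  const before = collectDeps(basePkg);
  const after = collectDeps(headPkg);
  const findings = { added: [], removed: [], changed: [], nonRegistry: [], newInstallScripts: [] };

  for (const [name, { spec, field }] of Object.entries(after)) {
    const isNew = !(name in before);
    const isChanged = !isNew && before[name].spec !== spec;
    if (isNew) findings.added.push(`${name}@${spec} (${field})`);
    else if (isChanged) findings.changed.push(`${name}: ${before[name].spec} -> ${spec}`);
    // Only flag non-registry specifiers the PR introduced or altered.
    if ((isNew || isChanged) && NON_REGISTRY.test(spec)) findings.nonRegistry.push(`${name}@${spec}`);
  }
  for (const name of Object.keys(before)) {
    if (!(name in after)) findings.removed.push(name);
  }

  const baseScripts = basePkg.scripts || {};
  const headScripts = headPkg.scripts || {};
  for (const s of INSTALL_SCRIPTS) {
    if (headScripts[s] && headScripts[s] !== baseScripts[s]) {
      findings.newInstallScripts.push(`${s}: ${headScripts[s]}`);
    }
  }
  return findings;
}

// Constructed sample: base-branch and PR-head package.json (not real data;
// "someuser/tiny-csv" is a hypothetical GitHub-shorthand dependency).
const BASE_PKG = {
  name: 'demo', version: '1.0.0',
  dependencies: { express: '^4.14.0', mysql: '^2.11.1' },
  devDependencies: { tape: '^4.6.0' },
  scripts: { test: 'tape test/*.js' },
};
const HEAD_PKG = {
  name: 'demo', version: '1.0.0',
  dependencies: { express: '^4.14.0', mysql: '^2.12.0', 'tiny-csv': 'someuser/tiny-csv', helmet: '^3.1.0' },
  devDependencies: { tape: '^4.6.0' },
  scripts: { test: 'tape test/*.js', postinstall: 'node scripts/setup.js' },
};

for (const [kind, items] of Object.entries(reviewPackageChange(BASE_PKG, HEAD_PKG))) {
  if (items.length) console.log(`${kind}:\n  ${items.join('\n  ')}`);
}
```

Everything this reports is a prompt for the reviewer, not a verdict: an added dependency still needs the "what does it pull in, who maintains it" conversation, and a new postinstall script needs to be read.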

Automation

    npm i nsp -g
    cd your-fantastic-project
    nsp check

(+) 1 vulnerability found
┌───────────────┬─────────────────────────────────────────────────┐
│               │ SQL Injection due to unescaped object keys      │
├───────────────┼─────────────────────────────────────────────────┤
│ Name          │ mysql                                           │
├───────────────┼─────────────────────────────────────────────────┤
│ Installed     │ 2.0.0-alpha3                                    │
├───────────────┼─────────────────────────────────────────────────┤
│ Vulnerable    │ <=v2.0.0-alpha7                                 │
├───────────────┼─────────────────────────────────────────────────┤
│ Patched       │ >=v2.0.0-alpha8                                 │
├───────────────┼─────────────────────────────────────────────────┤
│ Path          │ demo@1.0.0 > core@1.0.11 > mysql@2.0.0-alpha3   │
├───────────────┼─────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/66           │
└───────────────┴─────────────────────────────────────────────────┘
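What a check like the one above does is walk the installed dependency tree and compare each module's version against advisory ranges, reporting the full path so the reviewer can see which direct dependency pulled the vulnerable copy in. The following is an added example, not nsp's code and not the Node Security Project's advisory format: the tree has the shape of `npm ls --json` output, the advisory object fields and the comparator-only range syntax (`<=2.0.0-alpha7`, `>=1.0.0 <2.0.0`) are assumptions made for this example, and the version comparison is a minimal implementation of semver ordering, including pre-release tags, rather than the `semver` package. The sample tree and its second, patched copy of mysql are constructed. nsp itself was retired in 2018 when its advisory data moved into `npm audit`, but the matching step is the same.

```javascript
// Added example (not nsp's code): match an installed dependency tree against
// an advisory list and report every vulnerable path, as `nsp check` did.

// Parse "v2.0.0-alpha3" into { main: [2, 0, 0], pre: ["alpha3"] }.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { main: [m[1], m[2], m[3]].map(Number), pre: m[4] ? m[4].split('.') : [] };
}

// Pre-release identifiers: numeric ones compare numerically and sort below
// alphanumeric ones; alphanumeric ones compare in ASCII order.
function cmpIdent(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Return -1, 0 or 1 for a <=> b. A version with a pre-release tag sorts below
// the same version without one (2.0.0-alpha8 < 2.0.0).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.main[i] !== pb.main[i]) return pa.main[i] < pb.main[i] ? -1 : 1;
  }
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1;
  if (pb.pre.length === 0) return -1;
  const n = Math.min(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const c = cmpIdent(pa.pre[i], pb.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(pa.pre.length - pb.pre.length);
}

// A range is a space-separated list of comparators that must all hold,
// e.g. "<=2.0.0-alpha7" or ">=1.0.0 <2.0.0" (an assumed syntax).
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((comp) => {
    const m = /^(<=|>=|<|>|=)?(.+)$/.exec(comp);
    const c = compareVersions(version, m[2]);
    switch (m[1] || '=') {
      case '<': return c < 0;
      case '<=': return c <= 0;
      case '>': return c > 0;
      case '>=': return c >= 0;
      default: return c === 0;
    }
  });
}

// Walk the tree depth-first and record a "root > dep > subdep" path for every
// installed copy of a module whose version falls inside an advisory range.
function findVulnerablePaths(tree, advisories) {
  const findings = [];
  const walk = (name, node, trail) => {
    const here = trail.concat(`${name}@${node.version}`);
    for (const adv of advisories) {
      if (adv.module === name && satisfies(node.version, adv.vulnerable)) {
        findings.push({ title: adv.title, module: name, installed: node.version,
          vulnerable: adv.vulnerable, patched: adv.patched, url: adv.url, path: here.join(' > ') });
      }
    }
    for (const [dep, child] of Object.entries(node.dependencies || {})) walk(dep, child, here);
  };
  walk(tree.name, tree, []);
  return findings;
}

// Constructed sample tree in `npm ls --json` shape (not real project data):
// one vulnerable copy of mysql via core, one patched copy via reporting.
const SAMPLE_TREE = {
  name: 'demo', version: '1.0.0',
  dependencies: {
    core: { version: '1.0.11', dependencies: { mysql: { version: '2.0.0-alpha3' } } },
    reporting: { version: '3.2.0', dependencies: { mysql: { version: '2.0.0-alpha8' } } },
  },
};

// Constructed advisory object carrying the fields shown in the nsp output.
const SAMPLE_ADVISORIES = [{
  module: 'mysql', title: 'SQL Injection due to unescaped object keys',
  vulnerable: '<=2.0.0-alpha7', patched: '>=2.0.0-alpha8',
  url: 'https://nodesecurity.io/advisories/66',
}];

for (const f of findVulnerablePaths(SAMPLE_TREE, SAMPLE_ADVISORIES)) {
  console.log(`${f.title}\n  ${f.module}@${f.installed} (vulnerable ${f.vulnerable}, patched ${f.patched})\n  ${f.path}\n  ${f.url}`);
}
```

The reason the path matters in CI is that the fix is rarely "upgrade mysql": here `demo` does not depend on mysql directly, so the remediation is to bump `core` to a release that pulls a patched version, or to pin one via the package manager's resolution override.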

Stay in your workflow

Production Code

DevSecOps

Actively engage production code

Monitoring


Tools.


SSL Labs

securityheaders.io

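Both tools above look at the production deployment from the outside. The headers part of that review can also run locally against a captured response, so it becomes a monitoring check rather than a one-off visit to a website. The following is an added example, not code from the talk, from securityheaders.io or from SSL Labs: it audits a response's headers for HSTS, Content-Security-Policy, X-Content-Type-Options, clickjacking protection and Referrer-Policy, and flags the `X-Powered-By` header that Express sends by default. Which headers to require and the 180-day HSTS minimum are this example's own choices; the two header sets are constructed.

```javascript
// Added example (not part of the talk): audit a set of response headers the
// way an external header scanner does, so the check can run in CI or a
// monitoring job against a captured response.

const MIN_HSTS_MAX_AGE = 15552000; // 180 days; an assumed threshold for this example

// Split "default-src 'self'; script-src 'self' cdn.example" into
// { 'default-src': ["'self'"], 'script-src': ["'self'", 'cdn.example'] }.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// `headers` is a plain object of header name -> value; names are matched
// case-insensitively, as Node's http module lower-cases them in response.headers.
// Returns a list of findings; an empty list means every check passed.
function auditSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < MIN_HSTS_MAX_AGE) findings.push(`Strict-Transport-Security max-age below ${MIN_HSTS_MAX_AGE}`);
    if (!/includeSubDomains/i.test(hsts)) findings.push('Strict-Transport-Security lacks includeSubDomains');
  }

  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : null;
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    // script-src falls back to default-src; 'unsafe-inline' or a bare wildcard
    // there gives little protection against injected scripts.
    const scriptSrc = csp['script-src'] || csp['default-src'] || [];
    if (scriptSrc.includes("'unsafe-inline'") || scriptSrc.includes('*')) {
      findings.push('Content-Security-Policy allows inline or wildcard scripts');
    }
  }

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('missing X-Content-Type-Options: nosniff');
  }

  // Either X-Frame-Options or a CSP frame-ancestors directive is acceptable.
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  const hasFrameAncestors = Boolean(csp && csp['frame-ancestors']);
  if (!hasFrameAncestors && !['DENY', 'SAMEORIGIN'].includes(xfo)) {
    findings.push('no clickjacking protection (X-Frame-Options or CSP frame-ancestors)');
  }

  if (!h['referrer-policy']) findings.push('missing Referrer-Policy');

  // Express sets this by default; it only tells an attacker what to target.
  if (h['x-powered-by']) findings.push(`X-Powered-By discloses the framework (${h['x-powered-by']})`);

  return findings;
}

// Constructed samples: a default Express-style response and a hardened one.
const WEAK_HEADERS = { 'X-Powered-By': 'Express', 'Content-Type': 'text/html; charset=utf-8' };
const HARDENED_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'no-referrer',
  'Content-Type': 'text/html; charset=utf-8',
};

for (const [label, hdrs] of [['weak', WEAK_HEADERS], ['hardened', HARDENED_HEADERS]]) {
  const findings = auditSecurityHeaders(hdrs);
  console.log(`${label}: ${findings.length ? findings.join('; ') : 'no findings'}`);
}
```

To run this against a live site, capture `response.headers` from an `https.get` to the production host and pass it in; the point of wiring it into monitoring is that a later deploy which drops a header (a new reverse proxy, a CDN config change) fails a check instead of going unnoticed until someone revisits the scanner.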

Internal Bug Hunts

Penetration Testing


Shifting Security Culture

Pain & persistence

It usually happens when pain is felt

IMPROVEMENT                  RESISTANCE
Threat Modeling              Complicated, time consuming
Deeper Pull Request Reviews  Complacency
Automation                   Cost, time
Penetration Testing          Cost, "what ifs"

???

It has to happen from within *

It has to have support from the right people

Top down security

Be patient

It does not happen overnight.

Adam Baldwin (@adam_baldwin / evilpacket)
