continuous security
TRANSCRIPT
CONTINUOUSSECURITY
#DevSecOpsDevSecOps#DevSecOps
@parker0phil
Thinkingabout Security
@parker0phil
OWASP Top 10
@parker0phil
CVSS
Exploitability Impact
@parker0phil
Security Agile Manifesto
1. Rely on developers and testers more than security specialists.
2. Secure while we work more than after we’re done.3. Implement features securely more than adding on
security features.4. Mitigate risks more than fix bugs.
@parker0phil
Pet Hates!
@parker0phil
Pet Hate #3
@parker0phil
Encoding Hashing
Encryption Signing
Pet Hate #2
b2JmdXNjYXRpb24=
https%3A%2F%2Fowasp.org%2F
Integrity +Non-repudiation
Confidentiality
@parker0phil
Pet Hate #1
@parker0phil
My Favouriteattacks!
@parker0phil
My Favouriteattacks!
@parker0phil
Enumeration of Usernames
@parker0phil
Enumeration of Usernames
@parker0phil
Unvalidated Redirects
?queryString=param
Cookie:value
Persisted
@parker0phil
Cross-Site Request Forgery (CSRF)
@parker0phil
SelfXSS
@parker0phil
SelfXSS
@parker0phil
How we achieve Security in a Traditional Delivery environment.
How we achieve Security in a Continuous Delivery environment.
How we achieve security.
LOSE IT!
BETTER!
@parker0phil
Continuous Delivery IS MORE secure!
@parker0phil
Batch Size
@parker0phil
Isolation of Cause and Effect
@parker0phil
Isolation of Cause and Effect
@parker0phil
Continuous Delivery IS MORE secure!
Mean Time toDetect(MTTD)
Mean Time toResolve(MTTR)
RELEASE
FINDVULN
FIXVULN
Attack Window
MTTD MTTE
@parker0phil
How do we achieve Security in aContinuous Delivery environment?
@parker0phil
CONTINUOUS SECURITY
THANK YOU!