Continuous Security - Thunderplains 2016
Continuous Security
adam_baldwin / evilpacket
Node Security Project
What is Continuous Security?
- Keep vulnerabilities out of production
- Don't ignore production code
- Shift security culture
Keep Vulnerabilities out of Production
development / production risk
Design / Threat Modeling

| Threat | Property violated |
|---|---|
| Spoofing | Authentication |
| Tampering | Integrity |
| Repudiation | Non-Repudiation |
| Info Disclosure | Confidentiality |
| Denial of Service | Availability |
| Elevation of Privilege | Authorization |

Threat Modeling: Designing for Security, 2014
The 100% Test Coverage Myth: Thinking Beyond Tests
Challenge assumptions
Demo?
Pull Request Reviews
- What sources & sinks were added
- What new dependencies were added
- What new technologies were added
- What new behaviors are introduced or changed
Automation
```
npm i nsp -g
cd your-fantastic-project
nsp check
(+) 1 vulnerability found
┌────────────┬──────────────────────────────────────────────────────┐
│            │ SQL Injection due to unescaped object keys            │
├────────────┼──────────────────────────────────────────────────────┤
│ Name       │ mysql                                                 │
├────────────┼──────────────────────────────────────────────────────┤
│ Installed  │ 2.0.0-alpha3                                          │
├────────────┼──────────────────────────────────────────────────────┤
│ Vulnerable │ <=v2.0.0-alpha7                                       │
├────────────┼──────────────────────────────────────────────────────┤
│ Patched    │ >=v2.0.0-alpha8                                       │
├────────────┼──────────────────────────────────────────────────────┤
│ Path       │ [email protected] > [email protected] > [email protected] │
├────────────┼──────────────────────────────────────────────────────┤
│ More Info  │ https://nodesecurity.io/advisories/66                 │
└────────────┴──────────────────────────────────────────────────────┘
```
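The core decision behind that report is "is the installed version inside the advisory's vulnerable range?" The block below is an added example, not code from the talk or from nsp: a dependency-free semver comparison in plain Node that handles the prerelease tags seen in the mysql advisory (2.0.0-alpha3 against <=v2.0.0-alpha7). The range syntax it accepts (space-separated comparators) and the function names are my own.

```javascript
// Added example (not from the talk or nsp): check an installed version against
// an advisory's vulnerable range without the semver package. Prerelease
// identifiers (alpha3, alpha7, rc.1) follow semver precedence rules.

function parseVersion(v) {
  // Accept an optional leading "v" and split MAJOR.MINOR.PATCH[-PRERELEASE].
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { main: [Number(m[1]), Number(m[2]), Number(m[3])],
           pre: m[4] ? m[4].split('.') : [] };
}

// Prerelease identifier order: numeric ones compare as numbers and rank below
// alphanumeric ones; alphanumeric ones compare as ASCII strings (so "alpha10"
// sorts before "alpha7", which is standard semver behaviour, not a bug here).
function cmpIdent(a, b) {
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return Math.sign(Number(a) - Number(b));
  if (na) return -1;
  if (nb) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 like a comparator function.
function compareVersions(x, y) {
  const a = parseVersion(x), b = parseVersion(y);
  for (let i = 0; i < 3; i++) {
    if (a.main[i] !== b.main[i]) return Math.sign(a.main[i] - b.main[i]);
  }
  // Same core version: a final release outranks any prerelease of it.
  if (a.pre.length === 0 || b.pre.length === 0) return Math.sign(b.pre.length - a.pre.length);
  for (let i = 0; i < Math.min(a.pre.length, b.pre.length); i++) {
    const c = cmpIdent(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(a.pre.length - b.pre.length);  // longer prerelease wins
}

// Range = space-separated comparators, e.g. "<=v2.0.0-alpha7" or ">=1.2.0 <2.0.0";
// every comparator must hold.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(<=|>=|<|>|=)?(.+)$/.exec(clause);
    const c = compareVersions(version, m[2]);
    return { '<': c < 0, '<=': c <= 0, '>': c > 0, '>=': c >= 0, '=': c === 0 }[m[1] || '='];
  });
}

function isVulnerable(installed, vulnerableRange) {
  return satisfies(installed, vulnerableRange);
}
```

A CI step that calls `isVulnerable('2.0.0-alpha3', '<=v2.0.0-alpha7')` and fails the build on `true` reproduces the gate nsp applies above.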
Stay in your workflow
Production Code / DevSecOps
Actively engage production code
Monitoring
Tools.
SSL Labs
securityheaders.io
Internal Bug Hunts
Penetration Testing
Shifting Security Culture: pain & persistence
It usually happens when pain is felt
| Improvement | Resistance |
|---|---|
| Threat Modeling | Complicated, time consuming |
| Deeper Pull Request Reviews | Complacency |
| Automation | Cost, time |
| Penetration Testing | Cost, "what ifs" |
| ??? | |
It has to happen from within *
It has to have support from the right people
Top down security
Be patient. It does not happen overnight.

adam_baldwin / evilpacket