Make Security Sprint Along | WTM Meetup 12/06/18 | @droptableuser | https://droptableuser.me
Make Security Sprint Along
DevSecOps Is a Thing
~# whoami
↳ Current
  ↳ Penetration Tester
  ↳ Team Leader
↳ Experience
  ↳ 2 years Software Developer
  ↳ >8 years Linux System Engineer
  ↳ 1½ years Information Security Management
~# more goals.txt
Integrate security into the DevOps workflow
Bring the security team up to speed with DevOps
Security + DevOps = <3
goals.txt {END}
~# more agenda.txt
⟹ State of the Teams
⟹ AppSec
⟹ DevOps
⟹ Integrating Security
⟹ Wrap Up
agenda.txt {END}
How Security sees DevOps [1]
[1] https://twitter.com/petecheslock/status/595617204273618944
How Security sees DevOps [2]
[2] Also some twitter.
How DevOps sees Security [3]
[3] https://www.flickr.com/photos/philwolff/3788258352
Enterprise DevOps [4]
[4] https://twitter.com/pczarkowski/status/1006208448101535745?s=19
This is how it should be! [5]
[5] me
AppSec
“Application Security is the art (or is that battle?) of making an application secure”
- Tanya Janca, Senior Cloud Developer Advocate
~# cat AppSec.txt | column
↳ Web applications account for ~18% (n=2,216) of breaches in 2018 [6]
↳ 23,244 web applications compromised as a means to attack something else [6]
[6] https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf
~# display education.png
Few to no AppSec courses in higher education.
Biggest technical university in Austria:
↳ 2 courses
  ↳ ~25% AppSec each
  ↳ 1.5/180 ECTS
  ↳ only if elected
DevOps
~# cat speed.txt | column
Decrease time from implementation to deployment.
Security bugs can be fixed. NOW.
~# cat reliability.txt | column
Low failure rates
Security win: Availability
~# display cia.png
~# cat market.txt | column
Nobody wins, if we don’t ship.
Security can’t win, if we do not ship.
Integrating Security
How to integrate security into your development life cycle
0
I assume this is the number of dedicated FTE security people in your company.
~# display code.png
Static and Dynamic Analyzers for Security Testing
~# more sast.txt
Static Analyzers for Security Testing (SAST)
↳ Scale well
↳ Often integrate into the IDE
↳ high
sast.txt {END}
~# more sast_tools.txt
↳ Highly platform dependent!
↳ Cross platform
  ↳ SonarQube
↳ Java
  ↳ FindSecBugs
  ↳ FindBugs
↳ Ruby
  ↳ Brakeman
↳ Python
  ↳ Bandit
sast_tools.txt {END}
~# more sast_selection.txt
↳ Must support your programming language
↳ Types of vulnerabilities detected? (OWASP Top 10; more?)
↳ Does it understand the libraries you use?
↳ Does it require a fully buildable set of sources?
↳ Does it run against binaries or source?
↳ Can it be run continuously?
↳ License costs…
sast_selection.txt {END}
~# more dast.txt
Dynamic Analyzers for Security Testing (DAST)
↳ Scan for vulnerabilities like
  ↳ Cross-Site Scripting
  ↳ SQL Injection
  ↳ Command Injection
  ↳ ....
↳ Mostly web applications
dast.txt {END}
~# more dast_tools.txt
↳ Nikto
↳ OWASP ZAP
↳ Burp Suite
↳ …
dast_tools.txt {END}
~# display approved.png
Use only up-to-date and approved images
~# display unit_tests.png
Write negative unit tests
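Added example, not code from the talk: what a negative unit test looks like for the injection the deck's title alludes to. A deliberately vulnerable user lookup sits next to its parameterised replacement, and the tests assert that the payloads return nothing from the hardened version. The `user` table, seed rows, payload list and function names are this example's own assumptions; sqlite3 is used only so it runs offline.

```python
import sqlite3
import unittest

# Constructed sample data for the example (not from the talk).
SEED_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Injection payloads the negative tests feed to both lookups.
PAYLOADS = [
    "' OR '1'='1",                                # tautology: matches every row
    "x' UNION SELECT name, email FROM user --",   # second SELECT, rest commented out
]


def make_db():
    """Fresh in-memory database with a `user` table and the seed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SEED_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Deliberately vulnerable: the caller's input is pasted into the SQL text."""
    query = "SELECT name, email FROM user WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def find_user(conn, name):
    """Hardened: a bound parameter, so the driver treats `name` as data, never as SQL."""
    return conn.execute(
        "SELECT name, email FROM user WHERE name = ?", (name,)
    ).fetchall()


def run_negative_tests():
    """Map each payload to (rows from vulnerable lookup, rows from hardened lookup).

    -1 for the vulnerable lookup means the injected SQL did not even parse;
    that is still a failure to treat input as data, just a noisier one.
    """
    results = {}
    for payload in PAYLOADS:
        try:
            vulnerable_rows = len(find_user_vulnerable(make_db(), payload))
        except Exception:
            vulnerable_rows = -1
        hardened_rows = len(find_user(make_db(), payload))
        results[payload] = (vulnerable_rows, hardened_rows)
    return results


def hardened_is_safe():
    """True when no payload makes the hardened lookup return any row."""
    return all(hardened == 0 for _, hardened in run_negative_tests().values())


class NegativeLookupTests(unittest.TestCase):
    """The unit tests a sprint would add: every payload must come back empty."""

    def test_payloads_return_no_rows(self):
        for payload, (_, hardened) in run_negative_tests().items():
            self.assertEqual(hardened, 0, payload)

    def test_legitimate_lookup_still_works(self):
        self.assertEqual(len(find_user(make_db(), "alice")), 1)


if __name__ == "__main__":
    for payload, (vulnerable, hardened) in run_negative_tests().items():
        print("%-45r vulnerable=%d hardened=%d" % (payload, vulnerable, hardened))
    unittest.main()
```

The point of keeping the vulnerable function around in the example is only to show that the payloads really do dump both rows against it; in a real code base the negative tests stay and the vulnerable function goes, so that a later "quick fix" that reintroduces string formatting fails the test suite instead of shipping.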
~# display ci.png
Severe security bugs break the build
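Added example, not code from the talk: a small CI gate that reads a SAST report and fails the build only for findings that are both severe and confidently reported, so a noisy analyzer does not block every merge while a genuine high-severity hit does. It reads the keys Bandit writes with `bandit -f json` (`issue_severity`, `issue_confidence`, `test_id`, ...); the sample report, thresholds, file names and the script name are constructed for the example.

```python
import json
import sys

# Ordering used for both the severity and the confidence threshold.
RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed stand-in for `bandit -r src -f json` output; not real scanner results.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"filename": "app/db.py", "line_number": 12, "test_id": "B608",
         "issue_severity": "MEDIUM", "issue_confidence": "LOW",
         "issue_text": "Possible SQL injection vector through string-based query construction."},
        {"filename": "app/shell.py", "line_number": 40, "test_id": "B602",
         "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "issue_text": "subprocess call with shell=True identified, security issue."},
        {"filename": "tests/conftest.py", "line_number": 3, "test_id": "B101",
         "issue_severity": "LOW", "issue_confidence": "HIGH",
         "issue_text": "Use of assert detected."},
    ]
})


def load_findings(report_text):
    """Parse the scanner JSON; an empty or missing results list means a clean run."""
    return json.loads(report_text).get("results", [])


def blocking_findings(findings, min_severity="HIGH", min_confidence="MEDIUM"):
    """Findings that break the build: severity AND confidence at or above the floors.

    The confidence floor is what keeps a noisy SAST tool from blocking every merge;
    lower-severity findings are still worth reporting, they just do not block.
    """
    sev_floor, conf_floor = RANK[min_severity], RANK[min_confidence]
    return [
        f for f in findings
        if RANK.get(f.get("issue_severity", "LOW"), 0) >= sev_floor
        and RANK.get(f.get("issue_confidence", "LOW"), 0) >= conf_floor
    ]


def format_finding(f):
    """One line per finding, file:line first so editors and CI logs can link it."""
    return "%s:%s %s [%s/%s] %s" % (
        f.get("filename", "?"), f.get("line_number", "?"), f.get("test_id", "?"),
        f.get("issue_severity", "?"), f.get("issue_confidence", "?"), f.get("issue_text", ""),
    )


def gate(report_text, min_severity="HIGH", min_confidence="MEDIUM"):
    """Return (exit_code, lines): exit code 1 breaks the build, 0 lets it pass."""
    findings = load_findings(report_text)
    blocking = blocking_findings(findings, min_severity, min_confidence)
    return (1 if blocking else 0), [format_finding(f) for f in blocking]


if __name__ == "__main__":
    # Usage: python sast_gate.py bandit-report.json   (falls back to the sample report)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = fh.read()
    else:
        report = SAMPLE_REPORT
    code, lines = gate(report)
    print("\n".join(lines) if lines else "no blocking findings")
    sys.exit(code)
```

Bandit's own `-l`/`-i` flags can raise its reporting floor, but a separate gate like this lets one policy (and one exit code) sit in front of several scanners, and the thresholds can be tightened sprint by sprint once the existing backlog is under control.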
~# display sprint.png
Fit activities into a sprint
~# display dependency_mgmt.png
↳ Retire.js
↳ Snyk.io
↳ OWASP Dependency-Check
↳ ...
~# more vuln_mgmt.txt
↳ Start managing early
↳ Easier to convince management
For example: OWASP DefectDojo
vuln_mgmt.txt {END}
~# more security_builtin.txt
↳ Logging of security events
↳ Monitoring of said events
↳ Make APIs for security mechanisms
↳ Collect metrics
security_builtin.txt {END}
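Added example, not code from the talk, covering the four bullets above in one piece: a single `log_event` API that application code calls, structured JSON security events, a monitor that detects a brute-force burst over those events, and event counts as metrics. The event names, field names, thresholds and the constructed traffic in `simulate()` are this example's own choices; the in-memory handler stands in for whatever ships logs to the SIEM.

```python
import json
import logging
from collections import Counter, defaultdict, deque


class JsonFormatter(logging.Formatter):
    """One JSON object per line: easy to ship, parse and alert on."""

    def format(self, record):
        event = {"ts": record.created, "level": record.levelname, "event": record.getMessage()}
        event.update(getattr(record, "fields", {}))   # app-supplied fields win (incl. ts)
        return json.dumps(event, sort_keys=True)


class ListHandler(logging.Handler):
    """Keeps formatted lines in memory so the example runs offline;
    production would use a handler that ships to the log pipeline / SIEM."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def make_security_logger():
    logger = logging.getLogger("security")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = ListHandler()
    handler.setFormatter(JsonFormatter())
    logger.handlers = [handler]
    return logger, handler


def log_event(logger, event, **fields):
    """The one API application code calls for security events.

    Fixed event names (auth.success, auth.failure, authz.denied, ...) and fixed
    field names are what make the events monitorable; free-text messages are not.
    """
    logger.info(event, extra={"fields": fields})


def parse_events(lines):
    return [json.loads(line) for line in lines]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Monitoring: sources with >= threshold auth.failure events in a sliding window.

    Returns {src_ip: peak failure count seen inside the window}.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ev in parse_events(lines):
        if ev["event"] != "auth.failure":
            continue
        q = recent[ev["src_ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["src_ip"]] = max(alerts.get(ev["src_ip"], 0), len(q))
    return alerts


def event_metrics(lines):
    """Metrics: event counts by name, the numbers a dashboard would plot."""
    return dict(Counter(ev["event"] for ev in parse_events(lines)))


def simulate():
    """Constructed traffic: one good login, a brute-force burst, one denied access."""
    logger, handler = make_security_logger()
    t0 = 1_700_000_000.0   # fixed timestamps so the window logic is deterministic
    log_event(logger, "auth.success", ts=t0, user="alice", src_ip="10.0.0.5")
    for i in range(6):
        log_event(logger, "auth.failure", ts=t0 + 5 * i, user="admin", src_ip="203.0.113.7")
    log_event(logger, "auth.failure", ts=t0 + 30, user="bob", src_ip="10.0.0.9")
    log_event(logger, "authz.denied", ts=t0 + 31, user="bob", src_ip="10.0.0.9", resource="/admin")
    return handler.lines


if __name__ == "__main__":
    lines = simulate()
    print("\n".join(lines))
    print("alerts:", detect_bruteforce(lines))
    print("metrics:", event_metrics(lines))
```

Bob's single failure followed by a denied access shows why the detection keys on counts per source rather than on any failure at all; the threshold and window are the knobs a team tunes once it has a baseline from the metrics.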
Wrap up
Last key messages.
Me, Ex-Ops Guy
~# more wrap_up.txt
↳ No “throwing over the wall”
  ↳ Neither to security
  ↳ nor from security
↳ There is no perfect time
  ↳ Start now
  ↳ Demand training
↳ You got reports, right?
wrap_up.txt {END}
~# sleep 2; clear; display last_pic.png
~# more last_slide.txt
Thank you for your attention!
Questions?
last_slide.txt {END}