QUALYS SECURITY CONFERENCE 2020
The Need to Shift Left and What It Means to Security
Alex Mandernack, Security Solution Architect, Product Management, Qualys, Inc.
Traditional World
Each app team builds their own image (CentOS v1, v2, v3)
PenTest report to Dev (t0+1Mo)
• Dev team dealing with out-of-date findings
• Not machine readable
• Repeated work across apps 1, 2, 3 (OS-level vulns)
• Not done often enough, for cost and efficiency reasons
Deploy application (1, 2, 3)
Scan in production (VM, WAS, PC, etc.)
• Findings for app 1, 2, 3
• Separate patching workflows for running production workloads (v1, v2, v3)
Inefficiencies, slows things down, no standardization across teams, repetition in security workflows
The Driver: Scale, Elasticity & DevOps Pipeline
Can Security Teams do Better?
Shifting Security to the Left
• Developers and security teams must think about security, sooner
• Get security tools into the process earlier
• Automate
• Leverage APIs, CI plugins
• Golden images
• Scan in the CI pipeline
• Vulnerability gates in the pipeline
• Vulnerability information at the fingertips of Dev
The New Role of the Security Team
• Must not be a roadblock
• Provide security tooling that is self-service for DevOps, Dev
• CI Plugins, APIs, Scripting
• Verify and audit the process
• Dashboards/live data
• Trending
Shift Left with Qualys!
Golden Image
• Build base hardened OS Golden Image (to be used by multiple teams)
• CI/CD Scan: Jenkins VM, Jenkins PC
• Rebuild with fixes from issues identified from staging
• CI/CD Scan & Gate: Jenkins VM, Jenkins PC
Build/Load Application
• Dev teams use Golden Image and build app on top
• CI/CD Scan: Jenkins VM, Jenkins WAS, Jenkins PC
• Rebuild with fixes from issues identified from staging
• CI/CD Scan & Gate: Jenkins VM, Jenkins WAS, Jenkins PC
Runtime
• Deploy: Qualys VM, WAS, PC active scans
• Find less stuff due to standardization, shift left
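The "Scan & Gate" steps in the flow above, and the "vulnerability gates in the pipeline" called for under Shifting Security to the Left, come down to one piece of logic: read machine-readable findings, decide what blocks, and fail the stage with a non-zero exit. The Python below is an added example written for this page; it is not code from the talk, from the Qualys Jenkins plugins or from the Qualys GitHub. The JSON report shape, the finding ids (EX-…), the package names and the accepted-risk list are all constructed for illustration, and the split between findings inherited from the golden image and findings the app team introduced is this example's own design, motivated by the slide's point that OS-level findings should be fixed once in the image rather than repeatedly per app.

```python
"""CI vulnerability gate with golden-image attribution.

Added example, not code from the talk or from Qualys. The JSON report shape,
the finding ids, the package names and the exception list are constructed
for illustration; a real pipeline would map its scanner's export (for
instance a CI plugin's JSON output) onto the Finding records below.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    fid: str       # scanner finding id; placeholders below, not real QIDs or CVEs
    severity: str  # a key of SEVERITY_RANK
    package: str   # affected package; with fid it identifies a finding across scans


def parse_findings(report_json: str) -> list[Finding]:
    """Parse the assumed {"findings": [{"id", "severity", "package"}, ...]} shape.
    A severity the gate does not know is an error, never a silent pass."""
    findings = []
    for row in json.loads(report_json)["findings"]:
        sev = row["severity"].lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {row['severity']!r} on {row['id']}")
        findings.append(Finding(row["id"], sev, row["package"]))
    return findings


def split_by_origin(app: list[Finding], base: list[Finding]):
    """A finding already present in the golden-image scan is inherited: it gets
    fixed once in the image, not separately by every team building on it."""
    base_keys = {(f.fid, f.package) for f in base}
    inherited = [f for f in app if (f.fid, f.package) in base_keys]
    introduced = [f for f in app if (f.fid, f.package) not in base_keys]
    return inherited, introduced


def blocking(findings: list[Finding], threshold: str, exceptions: dict, today: date):
    """Findings at or above the threshold with no unexpired accepted-risk entry."""
    floor = SEVERITY_RANK[threshold]
    out = []
    for f in findings:
        if SEVERITY_RANK[f.severity] < floor:
            continue
        expiry = exceptions.get(f.fid)
        if expiry is not None and date.fromisoformat(expiry) >= today:
            continue  # accepted risk, still inside its review window
        out.append(f)
    return out


def gate(app_report: str, base_report: str, threshold: str = "high",
         exceptions: dict | None = None, today: str | None = None,
         fail_on_inherited: bool = False) -> dict:
    """Decide whether an application build may proceed.

    block_app lists ids the app team must fix; block_base lists ids routed to
    the golden-image owners. By default inherited findings do not fail the app
    build, because the image pipeline has its own Scan & Gate step; set
    fail_on_inherited=True for a stricter policy. today is an ISO date string.
    """
    exceptions = exceptions or {}
    when = date.fromisoformat(today) if today else date.today()
    inherited, introduced = split_by_origin(parse_findings(app_report),
                                            parse_findings(base_report))
    block_app = sorted(f.fid for f in blocking(introduced, threshold, exceptions, when))
    block_base = sorted(f.fid for f in blocking(inherited, threshold, exceptions, when))
    passed = not block_app and (not fail_on_inherited or not block_base)
    return {"passed": passed, "block_app": block_app, "block_base": block_base}


# Constructed sample reports; ids and packages are placeholders.
GOLDEN_IMAGE_REPORT = json.dumps({"findings": [
    {"id": "EX-1001", "severity": "high", "package": "openssl"},
    {"id": "EX-1002", "severity": "medium", "package": "curl"},
]})
APP_REPORT = json.dumps({"findings": [
    {"id": "EX-1001", "severity": "high", "package": "openssl"},          # inherited
    {"id": "EX-1002", "severity": "medium", "package": "curl"},           # inherited, under threshold
    {"id": "EX-2001", "severity": "critical", "package": "yaml-parser"},  # introduced by the app
    {"id": "EX-2002", "severity": "high", "package": "http-client"},      # introduced, accepted risk
]})
# Accepted-risk entries carry an expiry so they cannot quietly become permanent.
EXCEPTIONS = {"EX-2002": "2020-03-31"}

if __name__ == "__main__":
    import sys
    verdict = gate(APP_REPORT, GOLDEN_IMAGE_REPORT, exceptions=EXCEPTIONS, today="2020-03-01")
    print(json.dumps(verdict, indent=2))
    sys.exit(0 if verdict["passed"] else 1)  # a non-zero exit fails the CI stage
```

Run as a step after the scan at either gate; the CI stage keys on the exit status, and the returned lists are what the dashboards and trending on the next slide would be fed from. Two details matter in practice: an accepted-risk entry expires, so the same finding starts blocking again once its review date passes, and an unrecognised severity string raises rather than being treated as "low", since a silent pass is the failure mode a gate exists to prevent.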
Qualys Jenkins Plugin
Available on the Jenkins Marketplace
• Vulnerability Management
• Container Security
• Web Application Scanning
• API Security
Secure the CI Pipeline
Jenkins Vulnerability Management Plugin
Jenkins WAS Plugin
Jenkins Container Security Plugin
February 25, 2020
Qualys GitHub
Automation scripts
Reporting scripts
Open Source community
https://github.com/Qualys