DevOps - Fast, Furious, Secure
We don't make the money, we save the money for the company.
Traditional approach to security is like the TSA: gate-based, tied to a waterfall methodology
Embedding security earlier ("move it to the left") as a single upfront gate doesn't work with an iterative process,
so it has to be embedded across each step of the pipeline
-
Plan
- Agile stories
- Secure Coding Guidelines
- Security Engineers - embed security engineers in the dev team rather than in a separate gatekeeping group
- Technical Training
- AppSecTutorialSeries (YouTube)
- www.safecode.org
- Labs
- WebGoat
- Hacme Bank
- DVWA (Damn Vulnerable Web App)
- Facebook Capture the Flag
- Threat Modeling - difficult to scale
-
Code
- IDE Plugins, self-service
- Open source is the submerged part of the iceberg (most of the code you ship isn't yours); OSS community health is key
- Components and Frameworks
- OWASP Dependency-Check
- Google Search Diggity
- ESAPI
- .Net AntiXSS
- Conceal (Facebook's Android crypto library)
- Nexus?
-
Build
- Smart Automation
- Hudson/Jenkins
- Controlled Scanning
- On-demand
- Time-based
- Change-based
- Static
- FindBugs with the find-sec-bugs plugin
- FxCop
- Brakeman - Ruby
- SonarQube
- Dynamic
- nogotofail - Google's network tool for finding SSL/TLS misconfigurations and weak clients
- OWASP ZAP
- w3af/Nikto - web app scanners
- OpenVAS
- Chaos Monkey (Netflix resilience testing; exercises failure handling rather than scanning for vulnerabilities)
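The "controlled scanning" idea above (on-demand, time-based, change-based) boils down to a small decision step in the CI job. The following is an added example, not code from the talk or from any of the tools it lists: a POSIX sh helper that maps the pipeline trigger plus the list of changed files onto the scans worth running. The scan names, file patterns and the `scan_plan`/`select_scans` function names are assumptions chosen for illustration; wire each name to the real tool (Dependency-Check, find-sec-bugs, Brakeman, ZAP, image scanning) in your own job.

```shell
#!/bin/sh
# Added example (not from the talk): choose which security scans a CI job
# runs. Tool names below are placeholders for the real invocations.
#
# Pipeline usage (assumed CI variables BASE/HEAD):
#   git diff --name-only "$BASE" "$HEAD" | scan_plan commit
#   scan_plan nightly

# select_scans: read changed paths on stdin, print one scan name per line.
# A commit only pays for the scans its diff can affect (change-based).
select_scans() {
    deps=0 sast=0 infra=0
    while IFS= read -r path; do
        case "$path" in
            # dependency manifests -> third-party component check
            pom.xml|*/pom.xml|build.gradle|*/build.gradle|package.json|package-lock.json|Gemfile|Gemfile.lock|requirements.txt)
                deps=1 ;;
            # image/infra definitions -> rebuild and scan the hardened image
            Dockerfile|*/Dockerfile|*.tf|ansible/*)
                infra=1 ;;
            # application source -> static analysis
            *.java|*.rb|*.py|*.js|*.cs|*.go)
                sast=1 ;;
        esac
    done
    [ "$deps" -eq 1 ] && echo dependency-check
    [ "$sast" -eq 1 ] && echo sast
    [ "$infra" -eq 1 ] && echo image-scan
    return 0
}

# scan_plan MODE: combine the trigger with the changed files.
#   nightly -> everything, including the slow dynamic scan (time-based)
#   manual  -> everything, at a human's request (on-demand)
#   commit  -> only what the diff touches (change-based)
scan_plan() {
    case "$1" in
        nightly|manual) printf '%s\n' dependency-check sast image-scan dast ;;
        commit)         select_scans ;;
        *) echo "unknown trigger: $1" >&2; return 2 ;;
    esac
}
```

Docs-only commits produce an empty plan and the job skips straight to build, which is what keeps developers from routing around the scanners; the full DAST run stays on the nightly and on-demand paths where its runtime does not block anyone.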
-
Test
- Penetration Testing
- Target Abuse Cases
- Risk Based Testing
- Feature Based Assessment
-
Deploy
- Hardened Images Enable Faster Deployment
- Build automation
- CIS Benchmarks, etc.
- Docker security scanning (vendor with the duck logo; offers it for free)
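Hardened images only speed up deployment if the hardening is verified by the same automation that builds them. The following is an added example, not code from the talk or from CIS: a POSIX sh check in the style of a few CIS Benchmark sshd items, of the kind a build job could run against an image's filesystem before promoting it. The checked settings, the function names and both sample config files are constructed for illustration; a real gate would run the full benchmark (for example through OpenSCAP or CIS-CAT).

```shell
#!/bin/sh
# Added example (not from the talk): CIS-Benchmark-style sshd_config check
# for a build gate. Settings, function names and sample files are constructed.

# sshd_value FILE KEY: effective value of KEY in an sshd_config, ignoring
# commented-out defaults; first match wins, as in sshd itself.
sshd_value() {
    awk -v k="$2" 'tolower($1)==tolower(k) { print $2; exit }' "$1"
}

# audit_sshd_config FILE: print one FAIL line per violated setting and
# return the number of failures (0 = the image passes this gate).
audit_sshd_config() {
    f=$1; fails=0
    for pair in "PermitRootLogin no" "PasswordAuthentication no" "X11Forwarding no"; do
        key=${pair%% *}; want=${pair#* }
        got=$(sshd_value "$f" "$key")
        # an unset value is a failure too: the compiled-in default may be weak
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: got '${got:-<unset>}', want '$want'"
            fails=$((fails + 1))
        fi
    done
    # MaxAuthTries is a threshold (4 or less), not an exact value
    tries=$(sshd_value "$f" MaxAuthTries)
    case "$tries" in
        [0-9]|[0-9][0-9])
            [ "$tries" -le 4 ] || { echo "FAIL MaxAuthTries: $tries > 4"; fails=$((fails + 1)); } ;;
        *)
            echo "FAIL MaxAuthTries: '${tries:-<unset>}' is not a small integer"; fails=$((fails + 1)) ;;
    esac
    return $fails
}

# make_sample_configs DIR: write two constructed sshd_config files into DIR
# so the check can be exercised offline.
make_sample_configs() {
    cat > "$1/default.conf" <<'EOF'
# constructed sample: stock-looking config with defaults left commented out
Port 22
#PermitRootLogin prohibit-password
X11Forwarding yes
MaxAuthTries 6
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed sample: settings a hardened base image would ship with
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
EOF
}
```

Returning the failure count makes the function usable directly as a job step (`audit_sshd_config /mnt/image/etc/ssh/sshd_config || exit 1`), so a drifted base image fails the build instead of being discovered by a pentester months later.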
-
Monitor
- Sonar
- Hygieia
- API Everything!
-
Takeaways
- Development Operations + Security = DevOps
- Key security practices need SMEs, but many can be automated
- Security doesn't have to be expensive
- Full Stack Ownership includes Security