Achieving Secure Continuous Delivery (cont..) - Apr 26, 2016
Page 1
Achieving Secure Continuous Delivery (cont..)
-- lightning talk --
Nikos / Jesus / Lucian
April 2018
Page 2
Typical discussions…
Page 3
Pain points
Same problem in 2018!
Difficult access to (uncorrelated) vulnerability data
No clear view on the security risk of a specific build or release
No real agreed security gate (no trigger threshold)
Short memory! Tools get easily forgotten or abandoned…
Product has a Roadmap and Security is (always) not (always) part of it
Security requirements appear (dark magic!) when project is almost finished
Security sign-off is a bottleneck [choke]
Security testing tools! Lots of tools!! And reports!!!
When am I finally secure enough? Never! says Mordac.
Page 4
Tools!!
Link HERE
SAST list HERE
DAST list HERE
Dependency Checking Tools list HERE
Container Security tools HERE
Google list HERE
Others HERE
Page 5
The Want
Automation & centralisation of application security testing
Risk based approach to application delivery & deployment
Security Champions process and responsibilities
Page 6
Existing initiatives
Lots!!! OWASP AppSec Pipeline, OWASP OWTF, OWASP DefectDojo
Others talking about this HERE HERE HERE HERE HERE HERE HERE HERE HERE HERE HERE HERE HERE HERE
OWASP Israel
OWASP AppSec Pipeline
Christian Schneider
STDD
SAMPLE
Page 7
Where we are now
Zed Attack Proxy
Security
Page 8
Developer Jenkins
Page 9
Security Jenkins
1. How does Jenkins run tools
2. How does Threadfix receive results
3. Check my policy
4. How we inform
Page 10
Threadfix policies
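The gate step sketched on the previous slides (tool results collected centrally, correlated, then checked against a policy before the team is told whether the build passes), as an added example that is not code from the talk, from Jenkins or from ThreadFix: the finding format, the policy shape and the sample findings are assumptions constructed here for illustration, not ThreadFix's policy schema or API.

```python
"""Added example: a build-level security gate over centralised findings.

The finding format and the policy structure are assumptions made for this
illustration; they are not ThreadFix's schema or API. Input is constructed.
"""
from collections import Counter

# Constructed sample: findings from three tools for one build, already
# normalised to a common shape (tool, severity, cwe, location, title).
FINDINGS = [
    {"tool": "zap", "severity": "high", "cwe": 79, "location": "/search?q", "title": "Reflected XSS"},
    {"tool": "sast", "severity": "high", "cwe": 79, "location": "/search?q", "title": "XSS in template"},
    {"tool": "zap", "severity": "medium", "cwe": 693, "location": "/", "title": "Missing CSP header"},
    {"tool": "depcheck", "severity": "medium", "cwe": 1104, "location": "pom.xml", "title": "Vulnerable dependency"},
    {"tool": "zap", "severity": "low", "cwe": 200, "location": "/", "title": "Server header leaks version"},
]

# Assumed policy shape: per-severity caps; a cap of 0 means "must be absent".
# This is the "trigger threshold" the pain-points slide says is usually missing.
POLICY = {"high": 0, "medium": 3, "low": 10}

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def correlate(findings):
    """Collapse findings reported by several tools for the same weakness.

    Key on (CWE, location) so the gate counts one risk, not one per tool;
    the highest severity and the set of reporting tools are kept.
    """
    merged = {}
    for f in findings:
        key = (f["cwe"], f["location"])
        cur = merged.setdefault(key, {**f, "tools": set()})
        cur["tools"].add(f["tool"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[cur["severity"]]:
            cur["severity"] = f["severity"]
    return list(merged.values())


def evaluate_gate(findings, policy):
    """Return (passed, counts, reasons) for a build against the policy."""
    counts = Counter(f["severity"] for f in correlate(findings))
    reasons = [f"{sev}: {counts[sev]} > allowed {cap}"
               for sev, cap in policy.items() if counts[sev] > cap]
    return (not reasons, dict(counts), reasons)


if __name__ == "__main__":
    ok, counts, why = evaluate_gate(FINDINGS, POLICY)
    print("GATE", "PASS" if ok else "FAIL", counts, why)
```

The returned reasons are what the "how we inform" step would post back to the developer job; with the sample above the build fails on the single correlated high finding rather than on two.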
Page 11
Fixing the stuff
Page 12
Next? What is best for you and your businesses' appetite?
Get a DevSecOps team to build and maintain toolz & stuff for you £££
OWASP project (Pipelines?) to support all free tool inputs into one central repo
(Somehow) work with commercial tool providers to support that
Inspire and empower your Security Champions
Page 13
Q/A