1. Security in a Continuous Delivery World
Sherif Mansour
2. “Give me six hours to chop down a tree and I will spend
the first four sharpening the axe.”
-Abraham Lincoln
3. Two things about Automation
1. Automation applied to an efficient operation will
magnify its efficiency
2. Automation applied to an inefficient operation will
magnify its inefficiency
-Bill Gates
7. Overview
• Timeline - 1986
• Agile Security
• Bug Tracker
• Definition of Done
• App Sec Radar
• Continuous Delivery
• Security Testing
• How OWASP can help
8. Timeline - 1986
• HBR publishes an article: “The New New
Product Development Game”
• Computer Fraud and Abuse Act
9. The New New Product Development Game
Leading companies show six characteristics in managing their new product
development processes:
1. Built-in instability
2. Self-organizing project teams
3. Overlapping development phases
4. “Multilearning”
5. Subtle control
6. Organizational transfer of learning
11. Computer Fraud and Abuse Act
• Enacted in 1986
• First Felony in 1988 - Morris Worm
• Mr. Robert Morris Sr. (his father) was the Chief Scientist at NSA
• Comm-Sec & Compu-Sec merged into Info-Sec
• CERT was created at CMU
13. Stop me if you have seen this before
Applying controls without understanding their limitations.
14. Fast Forward to 2001
1. OWASP was formed :-)
2. Agile Manifesto was published :-) :-)
15. OWASP
• OWASP Top Ten
• OWASP Software Assurance Maturity Model
• OWASP Development Guide
• OWASP ZAP Project: The Zed Attack Proxy (ZAP)
16. Agile Manifesto
• Individuals and Interactions over
processes and tools
• Working software over comprehensive
documentation
• Customer collaboration over contract
negotiation
• Responding to change over following a
plan
19. Security in an Agile Framework
• Communicate security recommendations simply and clearly
• Identify the biggest risks and which ones your teams are exposed to
• When you raise a security issue, make it:
  • Unique - No duplicates
  • Useful - Improves the security and quality of the software
  • Actionable - All necessary information is in the ticket
20. App Sec Issues Tracking and Metrics
For every security issue detected, raise a Jira bug ticket and include the following attributes on the bug type:
1. Business risk
2. Attack vector
3. Priority
4. Components
5. Testing Method
6. Dev Team
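As an added example (not from the deck), here is how the rules from slides 19 and 20 could be enforced as a pipeline step: scanner findings are fingerprinted so each issue is raised once (Unique), and a ticket is built only when all six attributes above can be filled (Actionable). The finding and ticket field names, the scanner output shape and the component-to-team lookup are assumptions.

```python
import hashlib

# The six attributes every security bug ticket must carry (from the slide).
REQUIRED = ("business_risk", "attack_vector", "priority",
            "components", "testing_method", "dev_team")

def fingerprint(finding):
    """Identity of a finding: same rule at the same place is one issue,
    however many times a scanner reports it."""
    key = "|".join(str(finding[k]) for k in ("rule", "component", "location"))
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def dedupe(findings):
    """Unique: drop repeated reports of the same issue, keeping the first."""
    seen, unique = set(), []
    for f in findings:
        fp = fingerprint(f)
        if fp not in seen:
            seen.add(fp)
            unique.append(dict(f, fingerprint=fp))
    return unique

def to_ticket(finding, owners):
    """Actionable: build a ticket only if every required attribute is filled.
    owners maps component -> dev team (assumed lookup table)."""
    ticket = {
        "summary": f"[{finding['rule']}] in {finding['component']}",
        "business_risk": finding.get("business_risk"),
        "attack_vector": finding.get("attack_vector"),
        "priority": finding.get("priority"),
        "components": [finding["component"]],
        "testing_method": finding.get("testing_method"),
        "dev_team": owners.get(finding["component"]),
        "fingerprint": finding["fingerprint"],
    }
    missing = [a for a in REQUIRED if not ticket[a]]
    if missing:
        raise ValueError(f"not actionable, missing: {missing}")
    return ticket

def raise_tickets(findings, owners):
    """Pipeline step: dedupe, then one ticket per unique finding."""
    return [to_ticket(f, owners) for f in dedupe(findings)]

# Constructed sample: a DAST scan reported the same issue twice.
FINDING = {"rule": "missing-csp-header", "component": "web-frontend",
           "location": "/login", "business_risk": "Medium",
           "attack_vector": "Network", "priority": "P2", "testing_method": "DAST"}
SAMPLE_FINDINGS = [FINDING, dict(FINDING)]
SAMPLE_OWNERS = {"web-frontend": "Team Blue"}
```

Running `raise_tickets(SAMPLE_FINDINGS, SAMPLE_OWNERS)` yields a single ticket; a finding whose component has no owner, or whose priority is unset, is rejected rather than raised as a half-filled ticket.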
22. App-Sec Radar
The Application Security Radar is a site that informs the technology teams which security technologies they should embrace or move away from.
This steers developers toward more secure technologies. There are 6 recommendation categories for the app sec radar:
• Plan for Removal
• No New Use
• Evaluate
• Trial
• Adopt
• Hold
23. DoD - Definition of Done
• Security should include a reference quick
check list for developers on what to
avoid, and what to look out for during
code review.
24. Continuous Delivery
You’re doing continuous delivery when:
• Your software is deployable throughout its lifecycle
• Your team prioritises keeping the software deployable
over working on new features
• Anybody can get fast, automated feedback on the
production readiness of their systems any time
somebody makes a change to them
• You can perform push-button deployments of any
version of the software to any environment on demand
27. How OWASP Can Help
• If you solve a problem and I solve a problem, each of us has two solutions.
• Guidance
• Security Libraries
• Developer tools
• Training
• etc.