DevOps and Security (OWASP)


  1. DevOps and Security: It’s Happening. Right Now. Helen Bravo, Director of Product Management at Checkmarx, Helen.bravo@checkmarx.com
  2. Agenda
     • Intro to DevOps
     • Integrating security within DevOps
       – Problems with traditional controls
       – Steps to DevOps security
  3. What is DevOps About? An unstoppable deployment process… in small chunks of time
  4. DevOps is Happening: companies that have adopted DevOps
  5. Can TRADITIONAL web application security controls fit in… a DevOps environment?!
  6. Traditional Web Application Security Controls
     • Penetration Testing
     • WAF (Web Application Firewall)
     • Code Analysis
  7. Penetration Testing: Takes Time!
  8. Penetration Testing
     – 300-page report
     – 3 weeks assessment time
     – 2 weeks to get it into development
  9. Web Application Firewall (WAF): Thinking Continuous Deployment? Think Continuous Configuration!
  10. Code Analysis
     • Setup time
     • Running time
     • Analysis time
     … just too slow!
  11. … Do Nothing?
  12. Required: A New Secure SDLC Approach
  13. Step by Step
  14. Step 1: Plan for Security
  15. Step 1: Plan for Security
     • Identify unsecured APIs and frameworks
     • Map security-sensitive code portions, e.g. the password change mechanism and the user authentication mechanism.
     • Anticipate regulatory problems and plan for them.
  16. Step 2: Engage the Developers. And Be Engaged
  17. Step 2: Engage the Developers. And Be Engaged
     • Connect developers to security
       – Going to OWASP? Bring a developer with you!
     • Is your house on fire? Share the details with your developers.
     • Have an open-door approach
     • Set up an online collaboration platform, e.g. Jive, Confluence etc.
  18. Step 3: Arm the Developers
  19. Step 3: Arm the Developer
     • Secure frameworks:
       – Use a secure framework such as Spring Security, JAAS, Apache Shiro, Symfony2
       – ESAPI is a very useful OWASP security framework
     • SCA tools that can provide security feedback at the pre-commit stage.
       – Rapid response
       – Small chunks
  20. Step 3: Automate the Process
  21. Step 3: Automate the Process
     • Integrate within your build (Jenkins, Bamboo, TeamCity, etc.)
       – SAST
       – DAST
     • Fail the build if security does not pass the bar.
  22. Continuous Deployment (pipeline diagram; stages shown: Develop Code, Commit, Source Control, Build Trigger, Unit Tests, Deploy to Test Env, Report & Notify, Publish to release repository, Deploy to Production)
  23. Security within Continuous Deployment (pipeline diagram; the same stages as slide 22 with two additions: an SCA Test at commit time and an Automatic security test after the build)
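Slides 19, 21 and 23 describe a security gate that runs at the pre-commit stage and again inside the build, and fails the build when findings do not pass the bar. The script below is an added example, not code from the deck or from Checkmarx: it reads a SAST findings report in a generic JSON shape (an assumption; real tools emit their own formats), applies a threshold policy, and exits non-zero when the gate fails, so a Jenkins, Bamboo or TeamCity step, or a git pre-commit hook, can use its exit status directly. The sample report embedded in it is constructed.

```python
"""Security gate for a CI build or a pre-commit hook (added example).

Assumed report shape: {"findings": [{"rule", "severity", "file", "line", "new"}]}
where "new" marks findings introduced by the change under test, as opposed
to findings already present in the baseline.
"""
import json
import sys
from collections import Counter

# Constructed sample report; the field names are an assumption, not a vendor format.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"rule": "sql-injection", "severity": "high", "file": "src/db/users.py", "line": 42, "new": True},
        {"rule": "xss-reflected", "severity": "medium", "file": "src/web/search.py", "line": 17, "new": True},
        {"rule": "weak-hash-md5", "severity": "medium", "file": "src/auth/legacy.py", "line": 9, "new": False},
        {"rule": "debug-enabled", "severity": "low", "file": "src/settings.py", "line": 3, "new": True},
    ]
})

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# The "bar" from the slides, expressed as thresholds (values are illustrative).
DEFAULT_POLICY = {
    "fail_at": "high",      # any finding at or above this severity fails the gate
    "max_medium_new": 1,    # allow at most this many *new* medium findings
    "baseline_ok": True,    # pre-existing findings (new=False) do not fail the gate
}


def parse_report(text):
    """Return the finding dicts from a JSON report; an empty report yields no findings."""
    if not text.strip():
        return []
    findings = json.loads(text).get("findings", [])
    for f in findings:
        f.setdefault("new", True)               # unknown provenance counts as new
        f["severity"] = f.get("severity", "low").lower()
        if f["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {f['severity']!r} in {f.get('rule')}")
    return findings


def evaluate(findings, policy=DEFAULT_POLICY):
    """Apply the policy; return (passed, reasons, counts by (severity, new/baseline))."""
    fail_rank = SEVERITY_RANK[policy["fail_at"]]
    counts = Counter((f["severity"], "new" if f["new"] else "baseline") for f in findings)
    reasons = []
    for f in findings:
        if not f["new"] and policy["baseline_ok"]:
            continue                            # tolerated: not introduced by this change
        if SEVERITY_RANK[f["severity"]] >= fail_rank:
            reasons.append(f"{f['severity']} {f['rule']} at {f['file']}:{f['line']}")
    new_medium = counts[("medium", "new")]
    if new_medium > policy["max_medium_new"]:
        reasons.append(f"{new_medium} new medium findings exceed limit of {policy['max_medium_new']}")
    return (not reasons, reasons, counts)


def gate(report_text, policy=DEFAULT_POLICY):
    """Convenience wrapper: parse then evaluate; returns (passed, reasons)."""
    passed, reasons, _ = evaluate(parse_report(report_text), policy)
    return passed, reasons


def main(argv):
    # With a path argument the report is read from disk; otherwise the sample is used.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    passed, reasons, counts = evaluate(parse_report(text))
    for (sev, state), n in sorted(counts.items()):
        print(f"{sev:8} {state:8} {n}")
    for r in reasons:
        print("FAIL:", r)
    print("security gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python security_gate.py report.json` from the build step; a non-zero exit fails the build, which is the behaviour slide 21 asks for. The same script behind a git pre-commit hook, fed a scan of only the changed files, gives the rapid, small-chunk feedback of slide 19; the `baseline_ok` setting is what keeps an existing backlog from blocking every commit while still stopping new high-severity findings.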
  24. Step 5: Use Old Tools Wisely
  25. Step 5: Use Old Tools Wisely
     • Periodic pen testing
     • WAF on main functions
     • Code review for security-sensitive code portions.
  26. Summary
  27. Summary
     • DevOps is happening. Right Now.
       – During the time of this talk, Amazon has released 75 features and bug fixes.
     • Security should not be compromised
     • Don’t be overwhelmed. Start small
  28. The 3 Takeaways
     1. Plan from the ground up
     2. Engage with your developers
     3. Integrate security into the automatic build process.
  29. Questions?
  30. Thank you. Helen.bravo@checkmarx.com
