Parasoft Copyright © 2014

Slide 1: Cloud Shifts the Burden of Security to Development
Parasoft - Arthur Hicken, Evangelist / Security Specialist
11/4/14
Slide 2: Agenda
The problem: the porous nature of clouds
Types of security testing
Divide and conquer with service virtualization
Proactive prevention
Slide 3: Security Problems are Growing
§ Attacks are on the rise
§ It’s better to fix it BEFORE than after
Slide 4: The castle has been breached
§ Enterprise network protected by firewall
§ Application is the only way in
§ Must keep application open for business
§ Users (potential hackers) must have access to the application
Slide 6: General IT System Security
§ Network firewall
§ Authentication and access control systems
§ Network Intrusion Detection System (NIDS)
§ Network Intrusion Prevention System (NIPS)
§ Anti-virus
§ Anti-spyware
§ Secure Sockets Layer (SSL)
§ “Defense in depth”
Slide 7: Security is vital
§ Suddenly there are openings everywhere
§ Can’t rely on “it was checked elsewhere in the application”
§ Input validation covers a wide swath of potential problems
§ OWASP Top 10
§ CWE Top 25
Slide 8: One weak spot is all it takes
Slide 9: Penetration Testing for Security
Capabilities:
• Verify that security policy is being met
• Outside-in testing
Benefits:
• Validates against known attack scenarios
Drawbacks:
• Not a complete system
• Late stage technology
• Reactive
Slide 10: Continuous Regression Testing
Capabilities:
• Runs all existing tests on a continuous basis
• Alerts team of failures
Benefits:
• Ensures that the application remains secure
• Ensures stability during change
Drawbacks:
• Must keep test cases in sync
Slide 11: Static Analysis for Security
Capabilities:
• Find real security bugs
Benefits:
• Low cost method
• Detects problems early
• Trains developers by identifying problematic code
Drawbacks:
• Requires proper configuration
• Flow-analysis alone cannot prevent
Slide 12: Peer Code Review
Capabilities:
• Facilitates high-level analysis of security and design
Benefits:
• Identifies complex vulnerabilities
• Keeps team in sync
Drawbacks:
• Peer code review is mostly talked about and easily delayed
Slide 13: Unit Testing
Capabilities:
• Starts testing validation methods and verifying security functionality before the system is complete
Benefits:
• Reduces the time required for validation
• Can expose potential vulnerabilities earlier than pre-production
Drawbacks:
• Test cases must be kept in sync with evolving application
Slide 14: Application Tracing for Unit Tests
Record internal method calls inside the running application as the problem occurs
Replicate the problem in a JUnit test
Alter the JUnit test to assert the correct behavior
Possible solutions can be tested quickly without redeploying the web application
Slide 15: Runtime Error Detection
Check anti-patterns at runtime
Violations in context of real-world data values
Runtime error categories include:
• Threads and Synchronization
• Performance and Optimization
• Application Crashes
• Functional Errors
• Security
Slide 16: Divide & Conquer
Separate critical components
Move testing earlier
Isolate attack surfaces
Run functional tests vs. security scenarios
Slide 17: Virtualize to Divide and Conquer
Leveraging application behavior virtualization the team can reduce the complexity and the costs of managing multiple environments while providing ubiquitous access for development, test and training.

Capture
Initiated from the system under test, the user has the ability to capture detail from a live monitor that analyzes system traffic, from analyzing transaction logs or by modeling virtual behavior within the Parasoft Virtualize interface.

Provision
After the virtualized artifact has been captured, users can now instruct the details of the virtualized asset behavior. This includes: performance, data sources and conditional response criteria. The virtualized asset is then provisioned for simplified uniform access across teams and business partners.

Test
The virtualized asset can now be called for unit, functional and performance tests. The virtualized asset can be leveraged by any test suite – including Parasoft Test.
Slide 18: Service Virtualization Example
(Diagram) Application Under Test connected over a bus to its dependent architecture (Database, Mainframe, Application Service, Web, ERP), alongside a partner testing application and an application cloud resource; steps: 1 Define, 2 Capture, 3 Instruct, 4 Provision, 5 Consume.
Service Virtualization delivers a simulated dev / test environment allowing an organization to test anytime or anywhere.
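The capture / instruct / provision / consume flow of the two slides above, as an added example that is not Parasoft's code or a use of its product: a hypothetical payment-authorization dependency is captured from a constructed live stand-in, exported so other teams can load the same asset, instructed with conditional responses (a decline rule and an upstream-error rule that the real sandbox rarely produces), and then consumed by checkout logic under test. Python is used for brevity; the asset, service and checkout names and the JSON layout are assumptions.

```python
"""Minimal service-virtualization flow: capture, instruct, provision, consume.

Constructed example; the 'live' service below is a stand-in, not a real API.
"""
import json
import time
from dataclasses import dataclass, field


@dataclass
class VirtualAsset:
    """Recorded behaviour plus the instructions layered on top of it."""
    recordings: list = field(default_factory=list)  # (request, response) pairs
    rules: list = field(default_factory=list)       # (predicate, response) pairs
    latency_s: float = 0.0                          # performance setting

    # Capture: call the real dependency once and keep the exchange.
    def capture(self, live_call, request):
        response = live_call(request)
        self.recordings.append((dict(request), dict(response)))
        return response

    # Instruct: add conditional response criteria on top of the recordings.
    def instruct(self, predicate, response):
        self.rules.append((predicate, response))

    # Provision: serialize the recorded part for uniform access across teams.
    def export(self):
        return json.dumps({"latency_s": self.latency_s,
                           "recordings": self.recordings}, sort_keys=True)

    @classmethod
    def load(cls, blob):
        data = json.loads(blob)
        return cls(recordings=[tuple(r) for r in data["recordings"]],
                   latency_s=data["latency_s"])

    # Consume: answer requests the way the real service would.
    def respond(self, request):
        time.sleep(self.latency_s)
        for predicate, response in self.rules:
            if predicate(request):
                return dict(response)
        for recorded_request, recorded_response in self.recordings:
            if recorded_request == request:
                return dict(recorded_response)
        return {"status": "error", "reason": "no recorded behaviour"}


def live_payment_service(request):
    """Constructed stand-in for the real, capacity-limited partner system."""
    return {"status": "approved", "auth_code": f"AUTH-{request['amount']}"}


def checkout(charge, amount):
    """Application-under-test logic that depends on the payment service."""
    response = charge({"card": "tok_4111", "amount": amount})
    if response["status"] == "approved":
        return "paid"
    if response["status"] == "declined":
        return "declined"
    # Error-handling branch: the kind of hard-to-reach path that end-of-cycle
    # testing tends to miss; the virtual asset lets a test drive it on demand.
    return "retry-later"


def build_asset():
    """Capture one real exchange, provision it, then instruct extra behaviour."""
    asset = VirtualAsset()
    asset.capture(live_payment_service, {"card": "tok_4111", "amount": 10})
    asset = VirtualAsset.load(asset.export())  # provision via export/load
    asset.instruct(lambda r: r["amount"] > 1000, {"status": "declined"})
    asset.instruct(lambda r: r["amount"] == 0,
                   {"status": "error", "reason": "upstream timeout"})
    return asset
```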
Slide 19: Service Virtualization Examples
Mobile application development and extension
Agile/Parallel development limited by system dependencies
Capacity constrained staged environments
Limited access to mainframes, ERPs, or 3rd party systems
Test data management for complex transactions
Slide 20: Security prevention criteria
Coding Standards
• Naming/Formatting
• Quality Implementation Best-Practices (Java, C++, HTML, XML, WSI, etc.)
• Documentation
• Language Security (“cloning”, private member classes, etc.)
• Penetration Vulnerabilities (SQL injections, cross-site scripting, XML bombs, etc.)
• Section 508 Policies
Runtime Analysis
• Code Coverage (>80%)
• Performance (<100ms)
• Memory Issues (leaks, overwrites, etc.)
System Runtime
• Load Capabilities (how many users?)
• Connection Capabilities (how many db connections?)
Others ..
Slide 21: Web application prevention example
Detect the error
• Load testing shows leaking connections to the database
Find the cause
• Open connections aren’t being closed, causing resource leaks
Locate the point in production that caused the error
• Developer has forgotten to close db connections upon client termination
Implement preventative process
• Use a coding standard to ensure each open connection is closed before exit
Monitor the process
• Use static analysis to enforce the standard
Add regression test
• Add a test to see the problem was fixed and doesn’t return
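The six-step workflow above worked through as an added example, not Parasoft's code or tooling: a tracked connection pool exposes the leak under a simulated load run, the leaky handler sits beside the fixed one, a toy static-analysis rule enforces the standard "every pool.connect() is the context expression of a with statement", and a regression check confirms the fix holds. Pool, handler and rule names are assumptions, and sqlite3 in-memory databases stand in for the real database.

```python
"""Connection-leak detection, prevention and regression check (constructed)."""
import ast
import inspect
import sqlite3
import textwrap


class Handle:
    """A pooled connection that reports back to the pool when closed."""

    def __init__(self, pool, conn):
        self.pool, self.conn, self.closed = pool, conn, False

    def execute(self, sql, params=()):
        return self.conn.execute(sql, params)

    def close(self):
        if not self.closed:
            self.closed = True
            self.conn.close()
            self.pool.open -= 1

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.close()
        return False


class TrackedPool:
    """Pool with a hard limit; `open` counts checked-out connections."""

    def __init__(self, max_open=5):
        self.max_open, self.open = max_open, 0

    def connect(self):
        if self.open >= self.max_open:
            raise RuntimeError("pool exhausted: connections are leaking")
        self.open += 1
        return Handle(self, sqlite3.connect(":memory:"))


def handler_leaky(pool, user_id):
    conn = pool.connect()
    row = conn.execute("SELECT ?", (user_id,)).fetchone()
    if row[0] < 0:
        raise ValueError("bad id")  # early exit: the connection is never closed
    conn.close()
    return row[0]


def handler_fixed(pool, user_id):
    with pool.connect() as conn:  # coding standard: closed on every exit path
        row = conn.execute("SELECT ?", (user_id,)).fetchone()
        if row[0] < 0:
            raise ValueError("bad id")
        return row[0]


def load_test(handler, pool, user_ids):
    """Simulated load run mixing good and bad requests; returns how many
    connections are still checked out afterwards (0 means no leak)."""
    for uid in user_ids:
        try:
            handler(pool, uid)
        except (ValueError, RuntimeError):
            pass  # the load tool records the failure and keeps going
    return pool.open


def connect_violations(func):
    """Toy static-analysis rule: every `.connect()` call must be the context
    expression of a `with` statement. Returns offending line numbers relative
    to the function's own source."""
    tree = ast.parse(textwrap.dedent(inspect.getsource(func)))
    allowed = {id(item.context_expr) for node in ast.walk(tree)
               if isinstance(node, ast.With) for item in node.items}
    return [node.lineno for node in ast.walk(tree)
            if isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "connect"
            and id(node) not in allowed]


def regression_check(handler):
    """Regression test body: nothing may stay checked out even when most
    requests hit the error path."""
    pool = TrackedPool(max_open=5)
    return load_test(handler, pool, [1, -1, 2, -1, -1, -1, -1, -1]) == 0
```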
Slide 22: Misconceptions…
§ Security can be tested into the application at the end of the cycle
  § Checks only common known exploits
  § Requires coverage of all paths and possible inputs
§ End of cycle penetration testing may overlook:
  § Backdoor access
  § A difficult to reach section of code in the error handling routine that performs an unsafe database query
  § The lack of an effective audit trail for monitoring security functions
§ End of cycle static analysis does not consider nuances of actual operation, reports false positives
Slide 23: Security Policy Development
Make security-relevant decisions so individuals don’t have to
Centralize and reuse security mechanisms
Coordinate security efforts
Slide 24: Securing An Application
§ Determine risks/threats
§ Develop countermeasures
  § Security policy development
§ Implement security policy process at code level
  § Eliminate security vulnerabilities in code
  § Static analysis
§ Test application from outside
  § Penetration testing
§ Fix code to address problems found
§ Prevent recurring problems
  § Regression testing
Slide 25: Current Standards
OWASP
CWE/SANS
Cigital
HIPAA
SAMATE
Oracle
CERT
Microsoft Secure Coding
Slide 26: Security Resources
CWE – Common Weakness Enumeration
• http://cwe.mitre.org
OWASP - Open Web Application Security Project
• http://www.owasp.org
PCI – Payment Card Industry Security Standards
• https://www.pcisecuritystandards.org
Hack.me – Community based security learning project
• https://hack.me
SAMATE - Software Assurance Metrics And Tool Evaluation
• http://samate.nist.gov
Build Security In – Collaborative security effort
• https://buildsecurityin.us-cert.gov
Slide 27
§ Web
  § http://www.parasoft.com/jsp/resources
§ Blog
  § http://alm.parasoft.com
§ Social
  § Facebook: https://www.facebook.com/parasoftcorporation
  § Twitter: @Parasoft @MustRead4Dev @CodeCurmudgeon
  § LinkedIn: http://www.linkedin.com/company/parasoft
  § Google+ Community: Static Analysis for Fun and Profit

 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is insideshinachiaurasa2
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech studentsHimanshiGarg82
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park masabamasaba
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisamasabamasaba
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastPapp Krisztián
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesVictorSzoltysek
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...masabamasaba
 

Recently uploaded (20)

Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 

How the Cloud Shifts the Burden of Security to Development

  • 1. Parasoft Copyright © 2014. Cloud Shifts the Burden of Security to Development. Parasoft - Arthur Hicken, Evangelist / Security Specialist, 11/4/14
  • 2. Agenda
    § The problem: the porous nature of clouds
    § Types of security testing
    § Divide and conquer with service virtualization
    § Proactive prevention
  • 3. Security Problems are Growing
    § Attacks are on the rise
    § It's better to fix it BEFORE than after
  • 4. The castle has been breached
    § Enterprise network protected by firewall
    § Application is the only way in
    § Must keep application open for business
    § Users (potential hackers) must have access to the application
  • 6. General IT System Security
    § Network firewall
    § Authentication and access control systems
    § Network Intrusion Detection System (NIDS)
    § Network Intrusion Prevention System (NIPS)
    § Anti-virus
    § Anti-spyware
    § Secure Sockets Layer (SSL)
    § "Defense in depth"
  • 7. Security is vital
    § Suddenly there are openings everywhere
    § Can't rely on "it was checked elsewhere in the application"
    § Input validation covers a wide swath of potential problems
    § OWASP Top 10
    § CWE Top 25
  • 8. One weak spot is all it takes
  • 9. Penetration Testing for Security
    Capabilities: § Verify that security policy is being met § Outside-in testing
    Benefits: § Validates against known attack scenarios
    Drawbacks: § Not a complete system § Late-stage technology § Reactive
  • 10. Continuous Regression Testing
    Capabilities: § Runs all existing tests on a continuous basis § Alerts team of failures
    Benefits: § Ensures that the application remains secure § Ensures stability during change
    Drawbacks: § Must keep test cases in sync
  • 11. Static Analysis for Security
    Capabilities: § Find real security bugs
    Benefits: § Low-cost method § Detects problems early § Trains developers by identifying problematic code
    Drawbacks: § Requires proper configuration § Flow analysis alone cannot prevent
  • 12. Peer Code Review
    Capabilities: § Facilitates high-level analysis of security and design § Identifies complex vulnerabilities
    Benefits: § Keeps team in sync
    Drawbacks: § Peer code review is mostly talked about and easily delayed
  • 13. Unit Testing
    Capabilities: § Starts testing validation methods and verifying security functionality before the system is complete
    Benefits: § Reduces the time required for validation § Can expose potential vulnerabilities earlier than pre-production
    Drawbacks: § Test cases must be kept in sync with the evolving application
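  The two points above that slide 7 (input validation) and slide 13 (unit-test the validation methods before the system is complete) make, as an added example that is not code from the deck or from Parasoft: an allowlist validator and a parameterized lookup sit next to the string-built query they replace, and a check routine throws injection payloads at both. The user table, names and payloads are constructed for the demonstration and SQLite stands in for the production database.

```python
"""Unit-testing a validation method and a query before the application exists.

Added example (not from the Parasoft deck): an in-memory SQLite table stands
in for the production user store; the rows and injection payloads below are
constructed for the demonstration.
"""
import re
import sqlite3

# Allowlist: what a user name is permitted to look like. Rejecting everything
# else closes off a wide swath of input-handling problems in one place.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def validate_username(value):
    """Return True only for names that match the allowlist pattern."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def make_db():
    """Constructed sample data standing in for the real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"),
                      ("bob", "bob@example.test")])
    return conn


def find_email_unsafe(conn, name):
    """The 'before' version: query text built from user input (SQL injection)."""
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_email_safe(conn, name):
    """The fixed version: validate first, then bind the value as a parameter."""
    if not validate_username(name):
        raise ValueError("invalid user name")
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,))]


# Constructed payloads a security-focused unit test should throw at the method.
INJECTION_PAYLOADS = [
    "bob' OR '1'='1",
    "x' UNION SELECT email FROM users --",
]


def _raises_value_error(fn, *args):
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def run_security_checks():
    """Exercise both implementations; returns a dict a unit test can assert on."""
    conn = make_db()
    results = {
        # a lookup for one name must never hand back more than that name's rows
        "unsafe_leaks_rows": any(len(find_email_unsafe(conn, p)) > 1
                                 for p in INJECTION_PAYLOADS),
        "safe_rejects_payloads": all(_raises_value_error(find_email_safe, conn, p)
                                     for p in INJECTION_PAYLOADS),
        "safe_lookup": find_email_safe(conn, "alice"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    print(run_security_checks())
```

The check runs without a deployed application or a real database, which is the slide's point: the injection payloads are regression tests that stay with the validation method as it evolves.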
  • 14. Application Tracing for Unit Tests
    § Record internal method calls inside the running application as the problem occurs
    § Replicate the problem in a JUnit test
    § Alter the JUnit test to assert the correct behavior
    § Possible solutions can be tested quickly without redeploying the web application
  • 15. Runtime Error Detection
    § Check anti-patterns at runtime
    § Violations in context of real-world data values
    § Runtime error categories include: Threads and Synchronization; Performance and Optimization; Application Crashes; Functional Errors; Security
  • 16. Divide & Conquer
    § Separate critical components
    § Move testing earlier
    § Isolate attack surfaces
    § Run functional tests vs. security scenarios
  • 17. Virtualize to Divide and Conquer
    Leveraging application behavior virtualization, the team can reduce the complexity and the costs of managing multiple environments while providing ubiquitous access for development, test and training.
    Capture: Initiated from the system under test, the user can capture detail from a live monitor that analyzes system traffic, from analyzing transaction logs, or by modeling virtual behavior within the Parasoft Virtualized interface.
    Provision: After the virtualized artifact has been captured, users can instruct the details of the virtualized asset's behavior: performance, data sources and conditional response criteria. The virtualized asset is then provisioned for simplified uniform access across teams and business partners.
    Test: The virtualized asset can now be called for unit, functional and performance tests. The virtualized asset can be leveraged by any test suite, including Parasoft Test.
  • 18. Service Virtualization Example (diagram; text recovered from the figure): the Application Under Test sits in front of a dependent architecture of Database, Mainframe, Application Service, Web, ERP, Partner and Cloud Resource systems connected by buses, with the Testing Application alongside. Numbered steps: 1 Define, 2 Capture, 3 Instruct, 4 Provision, 5 Consume.
  • 19. Service Virtualization Examples
    Service Virtualization delivers a simulated dev/test environment, allowing an organization to test anytime or anywhere.
    § Mobile application development and extension
    § Agile/parallel development limited by system dependencies
    § Capacity-constrained staged environments
    § Limited access to mainframes, ERPs, or 3rd-party systems
    § Test data management for complex transactions
  • 20. Security prevention criteria
    Coding Standards: § Naming/Formatting § Quality Implementation Best Practices (Java, C++, HTML, XML, WSI, etc.) § Documentation § Language Security ("cloning", private member classes, etc.) § Penetration Vulnerabilities (SQL injections, cross-site scripting, XML bombs, etc.)
    Policies: § Section 508 § Code Coverage (>80%) § Performance (<100ms)
    Runtime Analysis: § Memory Issues (leaks, overwrites, etc.)
    System Runtime: § Load Capabilities (how many users?) § Connection Capabilities (how many db connections?)
    Others ...
  • 21. Web application prevention example
    Detect the error: Load testing shows leaking connections to the database
    Find the cause: Open connections aren't being closed, causing resource leaks
    Locate the point in production that caused the error: Developer has forgotten to close db connections upon client termination
    Implement preventative process: Use a coding standard to ensure each open connection is closed before exit
    Monitor the process: Use static analysis to enforce the standard
    Add regression test: Add a test to verify the problem was fixed and doesn't return
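  The slide 21 procedure carried through end to end, as an added example that is not code from the deck: a counting connection wrapper plays the load tester's connection monitor, the leaky handler that stops closing its connection when the client terminates early sits next to the fixed one, and a load simulation doubles as the regression test. SQLite in-memory databases stand in for the production database; the handler names, the orders table and the request list are constructed.

```python
"""Detect a database connection leak under load, fix it, and pin it with a test.

Added example, not code from the deck: each request opens an in-memory SQLite
database through a counting wrapper that plays the load tester's connection
monitor. The handlers, the orders table and the request list are constructed.
"""
import sqlite3


class TrackedPool:
    """Hands out connections and keeps a running count of the unclosed ones."""

    def __init__(self):
        self.open_connections = 0

    def connect(self):
        self.open_connections += 1
        return TrackedConnection(self)


class TrackedConnection:
    """Thin wrapper so close() (explicit or via 'with') is observable."""

    def __init__(self, pool):
        self._pool = pool
        self._closed = False
        self._conn = sqlite3.connect(":memory:")
        # Constructed sample table: only order 1 exists.
        self._conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, total REAL)")
        self._conn.execute("INSERT INTO orders VALUES (1, 42.0)")

    def execute(self, sql, params=()):
        return self._conn.execute(sql, params)

    def close(self):
        if not self._closed:
            self._closed = True
            self._conn.close()
            self._pool.open_connections -= 1

    def __enter__(self):
        return self

    def __exit__(self, exc_type, exc, tb):
        self.close()
        return False  # never swallow the caller's exception


def order_total_leaky(pool, order_id):
    """The 'before' version: close() is reached only on the happy path, so every
    request that terminates early (unknown order) leaks its connection."""
    conn = pool.connect()
    row = conn.execute("SELECT total FROM orders WHERE id = ?", (order_id,)).fetchone()
    if row is None:
        raise LookupError("no such order: %r" % order_id)
    total = row[0]
    conn.close()
    return total


def order_total_fixed(pool, order_id):
    """What the coding standard demands: the connection is closed on exit no
    matter how the block is left."""
    with pool.connect() as conn:
        row = conn.execute("SELECT total FROM orders WHERE id = ?", (order_id,)).fetchone()
        if row is None:
            raise LookupError("no such order: %r" % order_id)
        return row[0]


def simulate_load(handler, pool, order_ids):
    """Load-test stand-in: fire requests, tolerate client-side errors, and
    report how many connections are still open afterwards (should be 0)."""
    for order_id in order_ids:
        try:
            handler(pool, order_id)
        except LookupError:
            pass  # the client saw an error; the server must still clean up
    return pool.open_connections


if __name__ == "__main__":
    requests = [1, 2, 1, 99]  # constructed: two valid orders, two unknown
    print("leaky handler left open:", simulate_load(order_total_leaky, TrackedPool(), requests))
    print("fixed handler left open:", simulate_load(order_total_fixed, TrackedPool(), requests))
```

The "monitor the process" step from the slide is the static-analysis rule that flags a connect() whose close() is not in a with-block or finally clause; the simulate_load assertion is the regression test that keeps the fix from quietly regressing.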
  • 22. Misconceptions...
    § Security can be tested into the application at the end of the cycle
      § Checks only common known exploits
      § Requires coverage of all paths and possible inputs
    § End-of-cycle penetration testing may overlook:
      § Backdoor access
      § A difficult-to-reach section of code in the error-handling routine that performs an unsafe database query
      § The lack of an effective audit trail for monitoring security functions
    § End-of-cycle static analysis does not consider nuances of actual operation, reports false positives
  • 23. Security Policy Development
    § Make security-relevant decisions so individuals don't have to
    § Centralize and reuse security mechanisms
    § Coordinate security efforts
  • 24. Securing An Application
    § Determine risks/threats
    § Develop countermeasures
      § Security policy development
    § Implement security policy process at code level
    § Eliminate security vulnerabilities in code
      § Static analysis
    § Test application from outside
      § Penetration testing
    § Fix code to address problems found
    § Prevent recurring problems
      § Regression testing
  • 25. Current Standards: OWASP, CWE/SANS, Cigital, HIPAA, SAMATE, Oracle, CERT, Microsoft Secure Coding
  • 26. Security Resources
    § CWE - Common Weakness Enumeration: http://cwe.mitre.org
    § OWASP - Open Web Application Security Project: http://www.owasp.org
    § PCI - Payment Card Industry Security Standards: https://www.pcisecuritystandards.org
    § Hack.me - Community-based security learning project: https://hack.me
    § SAMATE - Software Assurance Metrics And Tool Evaluation: http://samate.nist.gov
    § Build Security In - Collaborative security effort: https://buildsecurityin.us-cert.gov
  • 27. § Web: http://www.parasoft.com/jsp/resources § Blog: http://alm.parasoft.com § Social: Facebook: https://www.facebook.com/parasoftcorporation; Twitter: @Parasoft @MustRead4Dev @CodeCurmudgeon; LinkedIn: http://www.linkedin.com/company/parasoft; Google+ Community: Static Analysis for Fun and Profit