
How To Move Mountains - ToorCon 2017


Presenting a framework for building an AppSec program in a DevOps environment; specifically one that is moving towards CI/CD.

Abstract:
Pentesters are tired of breaking things, writing a report, and walking away. Security teams are caught in a backlog that prevents them from ever staying ahead. Developers curse security for slowing them down. How can we address these seemingly incompatible and insurmountable issues in an organization, especially at scale? The answer may be found in a practice called "DevSecOps" that has been gaining momentum in large organizations that need to move fast and ensure a high level of security across their applications and operations. It is a practice that attempts to address all of these issues through two core principles: automation and education. Using experience gained from working with several large Fortune 500 companies, this talk will cover the basics of DevSecOps and dive into specific tools and processes that organizations of any size can implement to immediately improve their speed of delivery while maintaining a strong and measurable security baseline.

Published in: Software

  1. How To Move Mountains. Aaron Hnatiw, aaron@securitycompass.com, Twitter: @insp3ctre, www.securitycompass.com
  2. Aaron Hnatiw, Senior Security Researcher, Security Compass • College professor of application security • Developer • System administrator • Security consultant • Network security engineer. Twitter: @insp3ctre
  3. What is this talk about?
  4. DevOps: the solution is the problem (for security)
  5. DevOps: The solution
  6. Speed of business
  7. Developers == QA, operations, security
  8. Waterfall SDLC > agile > CI/CD
  9. DevOps: The problem
  10. Security as gatekeepers
  11. 100:10:1
  12. DevOps && Security
  13. Gatekeepers
  14. Implementation
  15. Education
  16. Belt Program
  17. Security Champions
  18. Centre of Excellence
  19. Continuous Learning
  20. 1. Threat modelling
  21. 2. Regular check-ins
  22. 3. Open office
  23. 4. Maintain interest
  24. Continuous Learning: 1. Threat modelling 2. Regular check-ins 3. Open office 4. Maintain interest
  25. Automation
  26. Build custom tooling
  27. + Application Security Engineer
  28. Start small
  29. Modular tools
  30. Fool me twice...
  31. Unit tests
  32. Infrastructure as code
  33. Pentests++
  34. Tuning
  35. API
  36. WHERE DO I START?
  37. WHERE TO START ▸ SD Elements ▸ OWASP Top 10 Cheat Sheet ▸ CWE/SANS Top 25 Most Dangerous Software Errors ▸ Again: old findings and mistakes
  38. WHERE TO START (OTHER TOOLS) ▸ Lemur (Netflix): https://github.com/Netflix/lemur ▸ Repokid (Netflix): https://github.com/Netflix/repokid ▸ Simian Army (Netflix): https://github.com/Netflix/SimianArmy ▸ Phan (Etsy): https://github.com/etsy/phan ▸ Elastalert (Yelp): https://github.com/Yelp/elastalert ▸ Brakeman: http://brakemanscanner.org/ (Twitter uses this and hired the developer)
  39. WHERE TO START (AWS) ▸ AWS CodePipeline ▸ AWS Inspector ▸ CloudFormation ▸ AWS Config ▸ AWS CloudWatch Events ▸ Action with Lambda
  40. ▸ Education: developers are being asked to write code securely. Enable this through Continuous Learning (CI/CD... CL!) ▸ Automation: build an integrated system that finds security issues easily and automatically, with actionable results ▸ Remediation: CI/CD allows us to push out security fixes faster than ever before. Education + Automation = Remediation. Aaron Hnatiw, aaron@securitycompass.com, Twitter: @insp3ctre, www.securitycompass.com
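Slide 39 chains AWS Config, CloudWatch Events and Lambda into an "action" step, and slide 40 asks that automation produce actionable results. The following is an added example, not code from the talk or from Security Compass, of what that Lambda side can look like: a CloudWatch Events rule pattern that selects only NON_COMPLIANT compliance changes from AWS Config, a small matcher implementing the pattern's subset semantics so the filter can be unit-tested offline, and a handler that turns the event into a finding a team can act on. The event field names follow AWS's documented "Config Rules Compliance Change" event; the rule name, account, region and bucket in the sample event are constructed placeholders, and the `handler`, `matches_pattern` and `finding_from_event` names are this example's own.

```python
"""Added example: AWS Config -> CloudWatch Events -> Lambda 'action' step.
Not code from the talk; event field names follow the documented
'Config Rules Compliance Change' event, everything else is constructed."""
import json

# Event pattern that would be attached to the CloudWatch Events rule.
# Assumption for this example: we only want to act on NON_COMPLIANT results.
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def matches_pattern(event, pattern=EVENT_PATTERN):
    """Subset matching as CloudWatch Events does it: every key in the pattern
    must exist in the event, lists mean 'any of these values', nested dicts
    recurse. Lets the rule be unit-tested without deploying it."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, expected):
                return False
        elif actual not in expected:
            return False
    return True


def finding_from_event(event):
    """Reduce the raw event to the fields a remediation ticket needs."""
    d = event["detail"]
    return {
        "account": d["awsAccountId"],
        "region": d["awsRegion"],
        "rule": d["configRuleName"],
        "resource": f"{d['resourceType']}/{d['resourceId']}",
        "status": d["newEvaluationResult"]["complianceType"],
        # Placeholder action text; a real deployment would open a ticket or
        # notify the owning team here.
        "action": "open ticket and notify owning team",
    }


def handler(event, context=None):
    """Lambda entry point. Re-checks the rule pattern defensively (a rule
    edited by hand may drift), then emits one actionable finding."""
    if not matches_pattern(event):
        return {"handled": False}
    finding = finding_from_event(event)
    print(json.dumps(finding))  # stands in for the ticketing/chat call
    return {"handled": True, "finding": finding}


# Constructed sample event; all identifiers are placeholders.
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "messageType": "ComplianceChangeNotification",
        "awsAccountId": "123456789012",
        "awsRegion": "us-east-1",
        "configRuleName": "s3-bucket-public-read-prohibited",
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "example-bucket",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    },
}

if __name__ == "__main__":
    handler(SAMPLE_EVENT)
```

Keeping the filter as data (`EVENT_PATTERN`) rather than as if/else branches in the handler is what makes the "tuning" step from slide 34 cheap: widening or narrowing which rules trigger action is a one-line change that the same unit tests cover.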
