CONTINUOUS SECURITY
THANK YOU!
@parker0phil
@parker0phil
How do we achieve Security in a
Continuous Delivery environment?
@parker0phil
3. Continuous Delivery IS MORE secure!
@parker0phil
2. Continuous Delivery IS MORE secure!
@parker0phil
2. Continuous Delivery IS MORE secure!
@parker0phil
2. Continuous Delivery IS MORE secure!
@parker0phil
1. Continuous Delivery IS MORE secure!
Mean
Time to
Detect
(MTTD)
Mean
Time to
Resolve
(MTTR)
RELEASE
FIND
VU...
@parker0phil
Continuous Delivery
IS MORE secure!
@parker0phil
3. Thinking about Security
@parker0phil
3. Thinking about Security
@parker0phil
2. Thinking about Security
Exploitability Impact
@parker0phil
1. Thinking about Security
1. Rely on developers and testers more than security
specialists.
2. Secure while ...
@parker0phil
Thinking
about Security
@parker0phil
Pet Hate #3
@parker0phil
Encoding Hashing
Encryption Signing
Pet Hate #2
b2JmdXNjYXRpb24=
%3Cscript%3Ealert(0)
%3C%2Fscript%3E
Integri...
@parker0phil
Pet Hate #1
@parker0phil
Pet Hates!
@parker0phil
3. Enumeration of Usernames
@parker0phil
3. Enumeration of Usernames
@parker0phil
2. Unvalidated Redirects
?queryString=param
Cookie:value
Persisted
@parker0phil
2. Unvalidated Redirects
?queryString=param
Cookie:value
Persisted
@parker0phil
1. Cross-Site Request Forgery (CSRF)
@parker0phil
BONUS. SelfXSS
@parker0phil
BONUS. SelfXSS
@parker0phil
My Favourite
attacks!
@parker0phil
Continuous Delivery IS MORE secure
How we achieve Security in a CD environment
Mental Models for Security
Pet...
@parker0phil
Security is HARD
#DevSecOpsDevSecOps#DevSecOps
CONTINUOUS
SECURITY
Upcoming SlideShare
Loading in …5
×

Continuous Security

394 views

Published on

Talk given by Phil Parker (Partner at Equal Experts) at London Continuous Delivery Meetup hosted at Financial Times, Monday 23rd May, 2016.

Published in: Software

Continuous Security

  1. 1. CONTINUOUS SECURITY THANK YOU!
  2. 2. @parker0phil
  3. 3. @parker0phil How do we achieve Security in a Continuous Delivery environment?
  4. 4. @parker0phil 3. Continuous Delivery IS MORE secure!
  5. 5. @parker0phil 2. Continuous Delivery IS MORE secure!
  6. 6. @parker0phil 2. Continuous Delivery IS MORE secure!
  7. 7. @parker0phil 2. Continuous Delivery IS MORE secure!
  8. 8. @parker0phil 1. Continuous Delivery IS MORE secure! Mean Time to Detect (MTTD) Mean Time to Resolve (MTTR) RELEASE FIND VULN FIX VULN Attack Window MTTD MTTE
  9. 9. @parker0phil Continuous Delivery IS MORE secure!
  10. 10. @parker0phil 3. Thinking about Security
  11. 11. @parker0phil 3. Thinking about Security
  12. 12. @parker0phil 2. Thinking about Security Exploitability Impact
  13. 13. @parker0phil 1. Thinking about Security 1. Rely on developers and testers more than security specialists. 2. Secure while we work more than after we’re done. 3. Implement features securely more than adding on security features. 4. Mitigate risks more than fix bugs.
  14. 14. @parker0phil Thinking about Security
  15. 15. @parker0phil Pet Hate #3
  16. 16. @parker0phil Encoding Hashing Encryption Signing Pet Hate #2 b2JmdXNjYXRpb24= %3Cscript%3Ealert(0) %3C%2Fscript%3E Integrity + Non-repudiation Confidentiality
  17. 17. @parker0phil Pet Hate #1
  18. 18. @parker0phil Pet Hates!
  19. 19. @parker0phil 3. Enumeration of Usernames
  20. 20. @parker0phil 3. Enumeration of Usernames
  21. 21. @parker0phil 2. Unvalidated Redirects ?queryString=param Cookie:value Persisted
  22. 22. @parker0phil 2. Unvalidated Redirects ?queryString=param Cookie:value Persisted
  23. 23. @parker0phil 1. Cross-Site Request Forgery (CSRF)
  24. 24. @parker0phil BONUS. SelfXSS
  25. 25. @parker0phil BONUS. SelfXSS
  26. 26. @parker0phil My Favourite attacks!
  27. 27. @parker0phil Continuous Delivery IS MORE secure How we achieve Security in a CD environment Mental Models for Security Pet Hates My Favourite attacks
  28. 28. @parker0phil Security is HARD
  29. 29. #DevSecOpsDevSecOps#DevSecOps
  30. 30. CONTINUOUS SECURITY

×