DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes to secure your DevOps tool chain by Abdessamad Temmar


  1. BOSTON 10-11 SEPT 2018. Automated DevSecOps infrastructure deployment: recipes to secure your DevOps tool chain. Abdessamad Temmar
  2. About me • Abdessamad Temmar • Head of Offensive and R&D Activities • OWASP Contributor • CEH, CEI & OSCP • Marrakech, Morocco
  3. About me (photo): Marrakech, Morocco
  4. About me (photo): Atlas Mountains and Three Valleys, Morocco
  5. About me. “I AM A NICE SECURITY PROFESSIONAL, NOT A MINDLESS VULNERABILITY SPEWING MACHINE. IF I AM TO CHANGE THIS IMAGE, I MUST FIRST CHANGE MYSELF. DEVELOPERS ARE FRIENDS, NOT FOOLS.” - Bruce, Aaron and Matt
  6. AST challenges
     • Communication: provide metrics (and evidence) about the security level of each stage and sprint of the application's life cycle.
     • Integration: an appropriate (and efficient) investment in application security (improvise, adapt, overcome!).
     • Ease of use: the ability to transform the current pipeline without forcing developers to change the way they work (or the tools they use).
     • Accuracy: continuously filter false positives and write custom scanning rules.
     • Speed: automate everything! Be fast (and furious)!
  7. Securing your pipeline: agile approach. Each sprint delivers a working increment of the security pipeline, cycling through six steps: identifying the app sec requirements and environment; assessing application security risks; defining your app sec controls and the associated security gates; running the sprint; converting scanning output into training topics; filtering false positives and reconfiguring the scanning tool.
  8. Our initial pipeline (1/2): Checkout → Build → Test → Deploy
  9. Our initial pipeline (2/2): branch diagram with Development, Master and Production branches; work is committed on Development and promoted by merges into Master and then Production.
  10. Our recipe to build a secure pipeline :p
     INGREDIENTS
     • Static code analysis tool (SAST)
     • Web application scanner tool (DAST)
     • Environment compliance check
     • Vulnerability management system
     OPTIONAL:
     • Continuous security monitoring
     • Red teaming exercises
     • Secret management
     TOOLS NEEDED: existing DevOps tools; SAST, DAST, MAST, IAST
     DIRECTIONS: see the following slides
     TIME TO PREPARE: it depends!
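The slides name the pieces of such a pipeline (SAST/DAST scanners, security gates, false-positive filtering, metrics for communication) but do not show what a gate looks like in code. The following is an added example, not code from the talk or from any of the tools it mentions: a tool-neutral security gate for a CI stage. The JSON report shape, the rule identifiers, the suppression-list format and the sample findings are all constructed for illustration; a real scanner needs a small adapter that maps its own output into the `Finding` records used here.

```python
"""Security gate for a CI stage: consume a scanner report, drop known false
positives, and fail the build when findings exceed the agreed threshold.

Constructed example. The report format below is a hypothetical, tool-neutral
JSON shape, not the output of any particular SAST/DAST product; each real
scanner needs an adapter that maps its output into Finding objects.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ordering used both for the gate threshold and for the metrics summary.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    location: str  # file:line for SAST, URL for DAST
    message: str


# Constructed sample scanner output (hypothetical format and rule names).
SAMPLE_REPORT = json.dumps({
    "results": [
        {"rule": "SQLI-001", "severity": "high", "location": "app/db.py:42",
         "message": "query built by string concatenation"},
        {"rule": "XSS-004", "severity": "medium", "location": "app/views.py:17",
         "message": "unescaped output in template"},
        {"rule": "HARDCODED-SECRET", "severity": "critical", "location": "tests/fixtures.py:3",
         "message": "access-key pattern in source"},
        {"rule": "WEAK-RANDOM", "severity": "low", "location": "app/util.py:9",
         "message": "random.random() used for a token"},
    ]
})

# Constructed suppression list: the false-positive filter the slides describe.
# Each entry is scoped to a rule AND a location prefix and records a reason and
# an owner, so the suppression is reviewable evidence rather than a silent mute.
SAMPLE_SUPPRESSIONS = [
    {"rule": "HARDCODED-SECRET", "location_prefix": "tests/fixtures.py",
     "reason": "dummy credential used only by unit tests", "owner": "team-api"},
]


def parse_report(raw: str) -> List[Finding]:
    """Adapter for the hypothetical report format; rejects unknown severities
    instead of silently treating them as harmless."""
    doc = json.loads(raw)
    findings: List[Finding] = []
    for r in doc.get("results", []):
        sev = r["severity"].lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} for rule {r['rule']}")
        findings.append(Finding(r["rule"], sev, r["location"], r.get("message", "")))
    return findings


def filter_false_positives(findings: List[Finding], suppressions) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into (kept, suppressed). A suppression matches only when
    both the rule and the location prefix agree, so the same rule firing in
    production code is still reported."""
    kept, suppressed = [], []
    for f in findings:
        if any(s["rule"] == f.rule_id and f.location.startswith(s["location_prefix"])
               for s in suppressions):
            suppressed.append(f)
        else:
            kept.append(f)
    return kept, suppressed


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Per-severity counts: the metric the 'Communication' challenge asks for."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        counts[f.severity] += 1
    return counts


def gate(findings: List[Finding], fail_at: str = "high") -> bool:
    """True means the gate passes; any finding at or above fail_at blocks."""
    threshold = SEVERITY_RANK[fail_at]
    return all(SEVERITY_RANK[f.severity] < threshold for f in findings)


def run_gate(raw_report: str, suppressions, fail_at: str = "high") -> dict:
    """Full stage: parse, filter FPs, compute metrics, decide pass/fail."""
    findings = parse_report(raw_report)
    kept, suppressed = filter_false_positives(findings, suppressions)
    return {
        "passed": gate(kept, fail_at),
        "counts": severity_counts(kept),
        "suppressed": len(suppressed),
        "blocking": sorted(f.rule_id for f in kept
                           if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_at]),
    }


if __name__ == "__main__":
    result = run_gate(SAMPLE_REPORT, SAMPLE_SUPPRESSIONS)
    print(json.dumps(result, indent=2))  # evidence to attach to the build
    raise SystemExit(0 if result["passed"] else 1)  # non-zero exit fails the CI stage
```

Run as a pipeline step, the script's exit code is the gate and the printed JSON is the evidence to keep per build. Raising `fail_at` during early sprints and lowering it as the false-positive list matures is one way to phase the gate in without blocking developers on day one.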
  11. Task 1: Static code analysis tool
  12. Task 2: Web application scanner tool
  13. Task 3: Inspect your infrastructure
  14. Task 4: Vulnerability management system
  15. Task 4: Vulnerability management system (continued)
  16. THANKS! Any questions? You can find me at: MAIL: ATEMMAR@ABCIT.FR, TWITTER: @T333333R