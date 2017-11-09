DevSecOps for APIs Isabelle Mauny, 42Crunch
LF_APIStrat17_Practical DevSecOps for APIs
In DevSecOps “shift left” applies to application security too: developers should commit to provide API security at the earliest stages of development.

In this session, Isabelle will propose an innovative strategy to address API security, in which developers collaborate with security teams and bring their business knowledge of the APIs to:

1/ Assess the API risk in terms of data and operation sensitivity
2/ Specify the input/output data formats
3/ Describe the application flow logic

From the data gathered in these three steps, tools can then automatically generate the appropriate security policies, respecting the rules set by the security teams.

Isabelle will also explain how the CI/CD pipeline can leverage a containerized PEP (Policy Enforcement Point) in the different testing / QA / Pre-Production / Production environments.

  1. DevSecOps for APIs. Isabelle Mauny, 42Crunch
  2. FAST APP DELIVERY: APPLICATION DEVELOPMENT, APPLICATION SECURITY
  3. “Security experts are going to have to figure out how to deliver ‘security as code’. Essentially, they have to translate every security requirement, every coding guideline, every ‘best practice,’ every threat model, and every security architecture into code that can run during the development, build, test, and deployment process. Even in operations, it’s critical that attack detection and response is fully automated.” Jeff Williams, OWASP Top 10 project creator, about the (ex) A10 entry in the OWASP Top 10. https://sdtimes.com/owasp-adds-unprotected-apis-insufficient-attack-protection-top-ten-2017-release/
  4. PROPER SECURITY RELIES ON STRONG COLLABORATION ACROSS OPERATIONS, DEVELOPMENT, SECURITY AND BUSINESS TEAMS
  5. THE SOLUTION? DEVOPS, BUT WITH SECURITY ON!
  6. LET’S SHIFT SECURITY LEFT! (Design, Development, Testing, Deployment)
  7. Practice 1: THREAT MODELLING. See: https://www.owasp.org/index.php/Application_Threat_Modeling
  8. Practice 2: VULNERABILITY SCANS. Infrastructure: TLS + security setup; server, CDN, HTTP server; security headers. APIs: code analysis (static, dynamic, interactive); third-party libs / frameworks; apps / APIs (e.g. OWASP ZAP); authentication; authorization. DevOps scripts! Choose platforms/tools where functionality is exposed as APIs/CLI.
  9. IT’S ILLEGAL TO ATTACK SYSTEMS! UNLESS ALLOWED TO…
  10. Practice 3: IMPLEMENT ‘POLICY AS CODE’. 1. Use threat modelling to evaluate the API’s risk. 2. Define security profiles by risk level. 3. Apply security profiles automatically based on risk.
  11. Practice 4: USE A CONTAINERIZED PEP. 1. Easy to deploy, even on developers’ laptops. 2. Can be deployed hundreds of times. 3. Immutable. Verify image integrity!
  12. Practice 5: MONITOR AND ANALYZE. 1. Constant monitoring at all stages. 2. Automated response when possible. 3. Apply security profiles automatically based on risk.
  13. Practice 6: BONUS POINTS. 1. Secure code reviews. 2. Pen testing. 3. Bug bounty.
  14. FULL DEV-SEC-OPS CYCLE FOR APIS: Develop (API is developed on platform of choice); Document (document and annotate API with OpenAPI/Swagger); Assess (assess API description and evaluate risk level); Secure (configure and apply security policy from assessed risk); Deploy (deploy to containerized PEP); Test (continuous API testing including security testing).
  15. EDUCATE YOURSELF AND OTHERS
  16. IT’S NOT ABOUT IF, IT’S ABOUT WHEN. BE PREPARED.
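One way to implement the ‘policy as code’ practice and the Assess/Secure stages of the cycle above, as an added example that is not from the talk or from 42Crunch: operations in a constructed OpenAPI fragment carry a hypothetical `x-sensitivity` annotation, a risk level is derived from it and from whether the operation mutates data, a security profile is selected per level, and a small PEP-style check applies the resulting policy to incoming requests. All names, thresholds and profile values are assumptions.

```python
# Constructed OpenAPI fragment; "x-sensitivity" is a hypothetical vendor
# extension carrying the data-sensitivity assessment the talk asks for.
API_SPEC = {
    "paths": {
        "/products": {"get": {"x-sensitivity": "public"}},
        "/orders/{id}": {"get": {"x-sensitivity": "personal"}},
        "/orders": {"post": {"x-sensitivity": "personal"}},
        "/admin/users/{id}": {"delete": {"x-sensitivity": "restricted"}},
    }
}
SENSITIVITY_SCORE = {"public": 0, "internal": 1, "personal": 2, "restricted": 3}
MUTATING = {"post", "put", "patch", "delete"}
# Security profiles defined once by the security team, keyed by risk level
# (the values and thresholds below are assumptions, not from the talk).
PROFILES = {
    "low": {"auth": False, "rate_limit": 1000, "audit_log": False},
    "medium": {"auth": True, "rate_limit": 100, "audit_log": False},
    "high": {"auth": True, "rate_limit": 10, "audit_log": True},
}

def assess_risk(method, operation):
    """Risk level from data sensitivity, plus a penalty for mutating operations."""
    score = SENSITIVITY_SCORE.get(operation.get("x-sensitivity", "internal"), 1)
    if method.lower() in MUTATING:
        score += 1
    return "low" if score <= 1 else "medium" if score == 2 else "high"

def generate_policy(spec):
    """Map every (METHOD, path template) in the description to its profile."""
    policy = {}
    for path, operations in spec["paths"].items():
        for method, operation in operations.items():
            level = assess_risk(method, operation)
            policy[(method.upper(), path)] = {"risk": level, **PROFILES[level]}
    return policy

def _path_matches(template, path):
    """Match a concrete path against an OpenAPI template such as /orders/{id}."""
    t_parts, p_parts = template.split("/"), path.split("/")
    return len(t_parts) == len(p_parts) and all(
        (t.startswith("{") and p != "") or t == p for t, p in zip(t_parts, p_parts))

def enforce(policy, method, path, headers):
    """PEP-style check: unknown operations are denied, auth is required per profile."""
    for (m, template), rule in policy.items():
        if m == method.upper() and _path_matches(template, path):
            if rule["auth"] and "Authorization" not in headers:
                return "deny: authentication required"
            return "allow"
    return "deny: operation not in API description"
```

Because the policy is derived only from the API description, anything not documented there is denied, which is what makes the "Document" stage a prerequisite for "Secure".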
