Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

August 2018: DevSecOps - London Gathering


Published on

Rolling slides to kick of the event.

*** Description of the main talk ***
Threat Modelling can be a laborious and time-consuming exercise, which is not a happy marriage with CI and DevOps methodologies. In this talk, I shall outline my Rapid Threat Model Prototyping paradigm, which I have successfully been using both at Visa and Photobox. My method enables automation and inclusion into fast-moving development cycles and is well-suited for today's IT environments.

Published in: Technology
  • Be the first to comment

August 2018: DevSecOps - London Gathering

  1. 1. DevSecOps – London Gathering 4th July 2018
  2. 2. TONIGHT’S PRESENTATION “Bringing Rapid Prototyping To The Threat Model Process” Geoffrey Hill @Tutamantic_Sec
  4. 4. THE JOURNEY SO FAR … 1 • September 2017 • DevSecOps Engineer • Project Management Experience: Security in Agile • October 2017 • Practical Threat Modelling • Threat Modelling Automation • December 2017 • Security Automation in DevOps
  5. 5. THE JOURNEY SO FAR … 2 • February 2018 • DevSecOps: The Evolution of DevOps • March 2018 • The mechanics behind how attackers exploit simple programming mistakes programming-mistakes • April 2018 Secret Dragons – Harder To Execute • concept-but-harder-to-execute • secret-dragons
  6. 6. THE JOURNEY SO FAR … 3 • May 2018 • Continuous Security: From tins to containers - now what! • June 2018 • The Bastion Server That Isn't There ... • July 2018 • Scale Security For A Dollar Or Less • Threat Modelling: The Ultimate DevSecOps • Practical Steps For Securing Containers
  7. 7. WHAT’S HAPPENING IN SEPTEMBER 1200 – Doors Open: Location CONFIRMED Session 1 1230 - Culture, People and Workflow CONFIRMED 1330 - Real life experience implementing SAST – MM J CONFIRMED 1430 - Refreshments & Network Session 2 1500 - Repeat A Past Presentation CONFIRMED 1600 – Supporters of this community (30min each) CONFIRMED Session 3 1730 - Food & Network 1800 - DevSecOps Maturity 1 CONFIRMED 1845 - DevSecOps Maturity 2 1930 - DevSecOps Maturity 3 CLOSING 2015 - Network 2100 - Crash the other conference J
  8. 8. DISCOUNTS: CONFERENCES 20% Off Discount Code: PCDSOL20
  9. 9. DevSecOps – People & Culture • Break down the silo; no change here, just like the original DevOps movement • Not aware of what is going on – likely you are not part of the “DevSecOps” team; leave your ivory tower and build relationships • Conduct a Value Stream Mapping exercise to optimize your delivery (rinse and repeat) • Drill down and sketch out the details of each workflow before solutionising • Try new checks/controls as part of the pipeline
  10. 10. IDE Static Code Analysis SCM Dynamic Analysis Open Source Software Security Security Testing Framework Binary Repository Define Security Test Cases Threat Modeling Security Standards Automation Tools: Passing Criteria Risk Management Out of Band Security Testing Security Champions DevSecOps Engineer Security Audit Artifacts CI Build Server DevSecOps – Tooling & Assurance Examples (Shift Left) curl nmap sslyze sqlmap Interactive Testing Reporting Dashboard Infrastructure Assurance Threat Modeling
  11. 11. Dev Workstation Build Server Centralize Report (Vulnerability Management) Server SCM Static Code Analysis (SAST) Dynamic Testing (DAST) Interactive Testing (IAST) Open Source Component Security Manual Penetration Testing – Out of Band Scope: Application and Network layer – White/Black box Defect Management AUTOMATION INTEGRATION POINTS SECURITYASSURANCEMODEL Legend Black Box: Development Stack Blue Box: Automation - Integration Red Box: Security Tools and Controls Infrastructure Scanning
  12. 12. REMINDER – I KEEP FORGETTING • Are you a Developer • Are you from Security • Are you from Operations • Other roles • First time here at The Gathering • Take a group picture • What other prizes or stuff would you like