Rolling slides to kick off the event.
*** Description of the main talk ***
Threat Modelling can be a laborious and time-consuming exercise, which is not a happy marriage with CI and DevOps methodologies. In this talk, I shall outline my Rapid Threat Model Prototyping paradigm, which I have successfully been using both at Visa and Photobox. My method enables automation and inclusion into fast-moving development cycles and is well-suited for today's IT environments.
3. WAYS TO STAY IN TOUCH
https://www.meetup.com/DevSecOps-London-Gathering
https://twitter.com/DevSecOps_LG
https://www.linkedin.com/groups/8630205
4. THE JOURNEY SO FAR … 1
• September 2017
• DevSecOps Engineer
http://slides.com/chossrutter/securing#/17
• Project Management Experience: Security in Agile
https://www.slideshare.net/MichaelMan11/project-management-experience-security-in-agile-1309
• October 2017
• Practical Threat Modelling
http://slides.com/chossrutter/securing-6
• Threat Modelling Automation
http://slides.com/mattjoyce/automatetm#/
• December 2017
• Security Automation in DevOps
https://www.slideshare.net/MichaelMan11/dev-secops-testautomation
https://www.slideshare.net/MichaelMan11/dynaminet-devsecops
5. THE JOURNEY SO FAR … 2
• February 2018
• DevSecOps: The Evolution of DevOps
https://www.slideshare.net/MichaelMan11/devsecops-the-evolution-of-devops
• March 2018
• The mechanics behind how attackers exploit simple programming mistakes
https://www.slideshare.net/MichaelMan11/the-mechanics-behind-how-attackers-exploit-simple-programming-mistakes
• April 2018
• Secret Dragons – Harder To Execute
https://www.slideshare.net/MichaelMan11/vulnerability-management-in-devsecops-easy-concept-but-harder-to-execute
https://www.slideshare.net/MichaelMan11/secret-management-journey-here-be-dragons-aka-secret-dragons
6. THE JOURNEY SO FAR … 3
• May 2018
• Continuous Security: From tins to containers - now what!
https://www.slideshare.net/MichaelMan11/continuous-security-from-tins-to-containers-now-what
• June 2018
• The Bastion Server That Isn't There ...
https://www.slideshare.net/MichaelMan11/the-bastion-server-that-isnt-there-joshua-kite
• July 2018
• Scale Security For A Dollar Or Less
https://www.slideshare.net/secfigo/scale-security-for-a-dollar-or-less/
• Threat Modelling: The Ultimate DevSecOps
https://speakerdeck.com/zeroxten/threat-modeling-the-ultimate-devsecops
• Practical Steps For Securing Containers
https://www.slideshare.net/MichaelMan11/practical-steps-for-securing-containers-liz-rice
7. WHAT’S HAPPENING IN SEPTEMBER
1200 – Doors Open: Location CONFIRMED
Session 1
1230 - Culture, People and Workflow CONFIRMED
1330 - Real life experience implementing SAST – MM :) CONFIRMED
1430 - Refreshments & Network
Session 2
1500 - Repeat A Past Presentation CONFIRMED
1600 – Supporters of this community (30min each) CONFIRMED
Session 3
1730 - Food & Network
1800 - DevSecOps Maturity 1 CONFIRMED
1845 - DevSecOps Maturity 2
1930 - DevSecOps Maturity 3
CLOSING
2015 - Network
2100 – Crash the other conference :)
9. DevSecOps – People & Culture
• Break down the silo; no change here, just like the original DevOps movement
• Not aware of what is going on – likely you are not part of the “DevSecOps” team; leave your ivory tower and build relationships
• Conduct a Value Stream Mapping exercise to optimize your delivery (rinse and repeat)
• Drill down and sketch out the details of each workflow before solutionising
• Try new checks/controls as part of the pipeline
10. DevSecOps – Tooling & Assurance Examples (Shift Left)
[Pipeline diagram; only the box labels survive extraction. Recovered labels, grouped by where they sit in the flow:]
• Pipeline stages: IDE, SCM, CI Build Server, Binary Repository
• Security checks wired into the pipeline: Static Code Analysis, Dynamic Analysis, Interactive Testing, Open Source Software Security, Security Testing Framework, Infrastructure Assurance
• Inputs that drive the checks: Threat Modeling, Security Standards, Define Security Test Cases, Risk Management, Automation Tools: Passing Criteria
• Example tools: curl, nmap, sslyze, sqlmap
• People: Security Champions, DevSecOps Engineer
• Outputs: Security Audit Artifacts, Reporting Dashboard, Out of Band Security Testing
11. SECURITY ASSURANCE MODEL
[Diagram; only the box labels and legend survive extraction.]
Legend – Black Box: Development Stack; Blue Box: Automation - Integration; Red Box: Security Tools and Controls
• Development Stack: Dev Workstation, SCM, Build Server, Centralize Report (Vulnerability Management) Server, Defect Management
• Automation – Integration Points (between the development stack and the security controls)
• Security Tools and Controls: Static Code Analysis (SAST), Dynamic Testing (DAST), Interactive Testing (IAST), Open Source Component Security, Infrastructure Scanning, Manual Penetration Testing – Out of Band (Scope: Application and Network layer – White/Black box)
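The two slides above show scanner output flowing from the build server into a central vulnerability-management/defect-management system, gated by "Automation Tools: Passing Criteria". As an added example (not code from the slides or from the speaker), here is the shape of such a gate: it takes normalised findings from SAST/SCA/DAST, honours a time-boxed risk-acceptance register, fails closed on unrecognised severities, and returns a non-zero exit status so the CI job stops. The finding format, the rule names, the policy thresholds and the dates are all assumptions constructed for the example.

```python
"""CI 'passing criteria' gate for security scanner findings (illustrative, not the slides' own tooling)."""
import sys
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")


@dataclass(frozen=True)
class Finding:
    tool: str       # e.g. "sast", "sca", "dast" (assumed upstream normalisation)
    rule: str       # tool-specific rule or component identifier
    severity: str   # scanner rating; normalised by normalise() below
    location: str   # file:line or URL, for the report only


@dataclass
class GateResult:
    passed: bool
    counted: Dict[str, int]                 # findings per severity that count against the criteria
    blocking: List[str] = field(default_factory=list)    # human-readable reasons the gate failed
    suppressed: List[str] = field(default_factory=list)  # rules hidden by a still-valid acceptance
    expired: List[str] = field(default_factory=list)     # rules whose acceptance has lapsed (counted again)


def normalise(severity: str) -> str:
    """Map a scanner rating onto the four buckets; anything unknown is treated as HIGH (fail closed)."""
    s = severity.strip().upper()
    return s if s in SEVERITIES else "HIGH"


def gate(findings: List[Finding], criteria: Dict[str, Optional[int]],
         accepted: Dict[str, date], today: date) -> GateResult:
    """Apply passing criteria: a limit of None means 'unlimited', any other value is a hard ceiling."""
    counted = {s: 0 for s in SEVERITIES}
    result = GateResult(passed=True, counted=counted)
    for f in findings:
        expiry = accepted.get(f.rule)
        if expiry is not None and expiry >= today:
            result.suppressed.append(f.rule)   # accepted risk, still within its review window
            continue
        if expiry is not None:
            result.expired.append(f.rule)      # acceptance lapsed: counts like any other finding
        counted[normalise(f.severity)] += 1
    for sev, limit in criteria.items():
        if limit is not None and counted[sev] > limit:
            result.blocking.append(f"{sev}: {counted[sev]} found, max {limit}")
    result.passed = not result.blocking
    return result


# Constructed sample input, standing in for merged scanner output on the build server.
SAMPLE_FINDINGS = [
    Finding("sast", "sql-injection", "critical", "app/orders.py:42"),
    Finding("sast", "hardcoded-secret", "High", "app/settings.py:7"),
    Finding("sca", "dep:example-lib@1.2.3", "HIGH", "requirements.txt"),
    Finding("dast", "missing-hsts-header", "medium", "https://staging.example/"),
    Finding("dast", "verbose-server-banner", "low", "https://staging.example/"),
    Finding("sca", "dep:old-parser@0.9", "???", "requirements.txt"),   # unrated: treated as HIGH
]

# Assumed risk-acceptance register (rule -> expiry), kept under version control beside the pipeline.
ACCEPTED_RISKS = {
    "dep:example-lib@1.2.3": date(2018, 10, 31),   # upgrade scheduled; accepted until then
    "verbose-server-banner": date(2018, 6, 30),    # acceptance has lapsed and must be renewed
}

# Assumed passing criteria: no CRITICAL/HIGH, at most five MEDIUM, LOW unlimited.
PASSING_CRITERIA = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 5, "LOW": None}


def run_sample(today: date = date(2018, 9, 1)) -> GateResult:
    return gate(SAMPLE_FINDINGS, PASSING_CRITERIA, ACCEPTED_RISKS, today)


if __name__ == "__main__":
    r = run_sample()
    print("counted:", r.counted)
    print("suppressed:", r.suppressed, "expired:", r.expired)
    for reason in r.blocking:
        print("BLOCKING", reason)
    sys.exit(0 if r.passed else 1)
```

The non-zero exit is what turns the "Centralize Report" server from a dashboard into a control: the build server treats the gate like any other failing test. Unknown ratings counting as HIGH, and expired acceptances counting again, are the two fail-closed choices a practitioner would want from this box.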
12. REMINDER – I KEEP FORGETTING
• Are you a Developer?
• Are you from Security?
• Are you from Operations?
• Other roles?
• First time here at The Gathering?
• Take a group picture
• What other prizes or stuff would you like?