SlideShare a Scribd company logo

August 2018: DevSecOps - London Gathering

M
Michael Man

Rolling slides to kick of the event. *** Description of the main talk *** Threat Modelling can be a laborious and time-consuming exercise, which is not a happy marriage with CI and DevOps methodologies. In this talk, I shall outline my Rapid Threat Model Prototyping paradigm, which I have successfully been using both at Visa and Photobox. My method enables automation and inclusion into fast-moving development cycles and is well-suited for today's IT environments.

Technology
1 of 12
Download to read offline
DevSecOps – London Gathering 4th July 2018
TONIGHT’S PRESENTATION “Bringing Rapid Prototyping To The Threat Model Process” Geoffrey Hill @Tutamantic_Sec geoff@tutamantic.com
WAYS TO STAY IN TOUCH https://www.meetup.com/DevSecOps-London-Gathering https://twitter.com/DevSecOps_LG https://www.linkedin.com/groups/8630205
THE JOURNEY SO FAR … 1 • September 2017 • DevSecOps Engineer http://slides.com/chossrutter/securing#/17 • Project Management Experience: Security in Agile https://www.slideshare.net/MichaelMan11/project-management-experience-security-in-agile-1309 • October 2017 • Practical Threat Modelling http://slides.com/chossrutter/securing-6 • Threat Modelling Automation http://slides.com/mattjoyce/automatetm#/ • December 2017 • Security Automation in DevOps https://www.slideshare.net/MichaelMan11/dev-secops-testautomation https://www.slideshare.net/MichaelMan11/dynaminet-devsecops
THE JOURNEY SO FAR … 2 • February 2018 • DevSecOps: The Evolution of DevOps https://www.slideshare.net/MichaelMan11/devsecops-the-evolution-of-devops • March 2018 • The mechanics behind how attackers exploit simple programming mistakes https://www.slideshare.net/MichaelMan11/the-mechanics-behind-how-attackers-exploit-simple- programming-mistakes • April 2018 Secret Dragons – Harder To Execute • https://www.slideshare.net/MichaelMan11/vulnerability-management-in-devsecops-easy- concept-but-harder-to-execute • https://www.slideshare.net/MichaelMan11/secret-management-journey-here-be-dragons-aka- secret-dragons
THE JOURNEY SO FAR … 3 • May 2018 • Continuous Security: From tins to containers - now what! https://www.slideshare.net/MichaelMan11/continuous-security-from-tins-to-containers-now-what • June 2018 • The Bastion Server That Isn't There ... https://www.slideshare.net/MichaelMan11/the-bastion-server-that-isnt-there-joshua-kite • July 2018 • Scale Security For A Dollar Or Less https://www.slideshare.net/secfigo/scale-security-for-a-dollar-or-less/ • Threat Modelling: The Ultimate DevSecOps https://speakerdeck.com/zeroxten/threat-modeling-the-ultimate-devsecops • Practical Steps For Securing Containers https://www.slideshare.net/MichaelMan11/practical-steps-for-securing-containers-liz-rice
WHAT’S HAPPENING IN SEPTEMBER 1200 – Doors Open: Location CONFIRMED Session 1 1230 - Culture, People and Workflow CONFIRMED 1330 - Real life experience implementing SAST – MM J CONFIRMED 1430 - Refreshments & Network Session 2 1500 - Repeat A Past Presentation CONFIRMED 1600 – Supporters of this community (30min each) CONFIRMED Session 3 1730 - Food & Network 1800 - DevSecOps Maturity 1 CONFIRMED 1845 - DevSecOps Maturity 2 1930 - DevSecOps Maturity 3 CLOSING 2015 - Network 2100 - Crash the other conference J
DISCOUNTS: CONFERENCES 20% Off Discount Code: PCDSOL20
DevSecOps – People & Culture • Break down the silo; no change here, just like the original DevOps movement • Not aware of what is going on – likely you are not part of the “DevSecOps” team; leave your ivory tower and build relationships • Conduct a Value Stream Mapping exercise to optimize your delivery (rinse and repeat) • Drill down and sketch out the details of each workflow before solutionising • Try new checks/controls as part of the pipeline
IDE Static Code Analysis SCM Dynamic Analysis Open Source Software Security Security Testing Framework Binary Repository Define Security Test Cases Threat Modeling Security Standards Automation Tools: Passing Criteria Risk Management Out of Band Security Testing Security Champions DevSecOps Engineer Security Audit Artifacts CI Build Server DevSecOps – Tooling & Assurance Examples (Shift Left) curl nmap sslyze sqlmap Interactive Testing Reporting Dashboard Infrastructure Assurance Threat Modeling
Dev Workstation Build Server Centralize Report (Vulnerability Management) Server SCM Static Code Analysis (SAST) Dynamic Testing (DAST) Interactive Testing (IAST) Open Source Component Security Manual Penetration Testing – Out of Band Scope: Application and Network layer – White/Black box Defect Management AUTOMATION INTEGRATION POINTS SECURITYASSURANCEMODEL Legend Black Box: Development Stack Blue Box: Automation - Integration Red Box: Security Tools and Controls Infrastructure Scanning
REMINDER – I KEEP FORGETTING • Are you a Developer • Are you from Security • Are you from Operations • Other roles • First time here at The Gathering • Take a group picture • What other prizes or stuff would you like

Recommended

A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps JourneySonatype
 
Painless DevSecOps: Building Security Into Your DevOps Pipeline
Painless DevSecOps: Building Security Into Your DevOps PipelinePainless DevSecOps: Building Security Into Your DevOps Pipeline
Painless DevSecOps: Building Security Into Your DevOps PipelineTasktop
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big pictureDevSecOpsSg
 
Be a User first; then a Tester
Be a User first; then a TesterBe a User first; then a Tester
Be a User first; then a TesterYOGESH KHAIRNAR, CTFL, CSM, SFC, CP-MAT, TKP
 
ATAGTR2017 Security Test Driven Development (STDD)
ATAGTR2017 Security Test Driven Development (STDD)ATAGTR2017 Security Test Driven Development (STDD)
ATAGTR2017 Security Test Driven Development (STDD)Agile Testing Alliance
 
Ast in CI/CD by Ofer Maor
Ast in CI/CD by Ofer MaorAst in CI/CD by Ofer Maor
Ast in CI/CD by Ofer MaorDevSecCon
 
Dev secops. Real experience.
Dev secops. Real experience.Dev secops. Real experience.
Dev secops. Real experience.Vitaly Balashov
 
NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0Dinis Cruz
 

Recommended

A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps JourneySonatype
 
Painless DevSecOps: Building Security Into Your DevOps Pipeline
Painless DevSecOps: Building Security Into Your DevOps PipelinePainless DevSecOps: Building Security Into Your DevOps Pipeline
Painless DevSecOps: Building Security Into Your DevOps PipelineTasktop
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big pictureDevSecOpsSg
 
Be a User first; then a Tester
Be a User first; then a TesterBe a User first; then a Tester
Be a User first; then a TesterYOGESH KHAIRNAR, CTFL, CSM, SFC, CP-MAT, TKP
 
ATAGTR2017 Security Test Driven Development (STDD)
ATAGTR2017 Security Test Driven Development (STDD)ATAGTR2017 Security Test Driven Development (STDD)
ATAGTR2017 Security Test Driven Development (STDD)Agile Testing Alliance
 
Ast in CI/CD by Ofer Maor
Ast in CI/CD by Ofer MaorAst in CI/CD by Ofer Maor
Ast in CI/CD by Ofer MaorDevSecCon
 
Dev secops. Real experience.
Dev secops. Real experience.Dev secops. Real experience.
Dev secops. Real experience.Vitaly Balashov
 
NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0Dinis Cruz
 
ATAGTR2017 Test the REST
ATAGTR2017 Test the REST ATAGTR2017 Test the REST
ATAGTR2017 Test the REST Agile Testing Alliance
 
Dev secops security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owaspDev secops security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owaspDag Rowe
 
Design Microservice Architectures the Right Way
Design Microservice Architectures the Right WayDesign Microservice Architectures the Right Way
Design Microservice Architectures the Right WayMichael Bryzek
 
Integrating DevOps and Security
Integrating DevOps and SecurityIntegrating DevOps and Security
Integrating DevOps and SecurityStijn Muylle
 
ATAGTR2017 Performance Automation in Dev-Ops
ATAGTR2017 Performance Automation in Dev-OpsATAGTR2017 Performance Automation in Dev-Ops
ATAGTR2017 Performance Automation in Dev-OpsAgile Testing Alliance
 
NYC Continuous Delivery Meetup - Introducing delta
NYC Continuous Delivery Meetup - Introducing deltaNYC Continuous Delivery Meetup - Introducing delta
NYC Continuous Delivery Meetup - Introducing deltaMichael Bryzek
 
Production - Designing for Testability
Production - Designing for TestabilityProduction - Designing for Testability
Production - Designing for TestabilityMichael Bryzek
 
Security in a Continuous Delivery World
Security in a Continuous Delivery WorldSecurity in a Continuous Delivery World
Security in a Continuous Delivery WorldDinis Cruz
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of ITCloudPassage
 
Sri monthly presentation 2015
Sri monthly presentation 2015Sri monthly presentation 2015
Sri monthly presentation 2015Akash Rajguru
 
Sri monthly presentation 2016
Sri monthly presentation 2016Sri monthly presentation 2016
Sri monthly presentation 2016Akash Rajguru
 
DevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CD
DevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CDDevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CD
DevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CDDevOps_Fest
 
DevSecOps
DevSecOpsDevSecOps
DevSecOpsCheah Eng Soon
 
You build it - Cyber Chicago Keynote
You build it - Cyber Chicago KeynoteYou build it - Cyber Chicago Keynote
You build it - Cyber Chicago KeynoteJohn Willis
 
ATAGTR2017 Machine Learning telepathy for Shift Right approach of testing
ATAGTR2017 Machine Learning telepathy for Shift Right approach of testingATAGTR2017 Machine Learning telepathy for Shift Right approach of testing
ATAGTR2017 Machine Learning telepathy for Shift Right approach of testingAgile Testing Alliance
 
Automated Testing in Continuous Change Management
Automated Testing in Continuous Change ManagementAutomated Testing in Continuous Change Management
Automated Testing in Continuous Change ManagementPerforce
 
DevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesDevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesSonatype
 
Embracing the Rise of SecDevOps
Embracing the Rise of SecDevOpsEmbracing the Rise of SecDevOps
Embracing the Rise of SecDevOpsTom Cappetta
 
Git in the Enterprise: How to succeed at DevOps using Git and a monorepo
Git in the Enterprise: How to succeed at DevOps using Git and a monorepoGit in the Enterprise: How to succeed at DevOps using Git and a monorepo
Git in the Enterprise: How to succeed at DevOps using Git and a monorepoGina Bustos
 
DevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealDevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealSonatype
 
Extract Oct 2019: DSO-LG Rolling Slides
Extract Oct 2019: DSO-LG Rolling SlidesExtract Oct 2019: DSO-LG Rolling Slides
Extract Oct 2019: DSO-LG Rolling SlidesMichael Man
 
SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6Dinis Cruz
 

More Related Content

What's hot

Dev secops security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owaspDev secops security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owaspDag Rowe
 
Design Microservice Architectures the Right Way
Design Microservice Architectures the Right WayDesign Microservice Architectures the Right Way
Design Microservice Architectures the Right WayMichael Bryzek
 
Integrating DevOps and Security
Integrating DevOps and SecurityIntegrating DevOps and Security
Integrating DevOps and SecurityStijn Muylle
 
ATAGTR2017 Performance Automation in Dev-Ops
ATAGTR2017 Performance Automation in Dev-OpsATAGTR2017 Performance Automation in Dev-Ops
ATAGTR2017 Performance Automation in Dev-OpsAgile Testing Alliance
 
NYC Continuous Delivery Meetup - Introducing delta
NYC Continuous Delivery Meetup - Introducing deltaNYC Continuous Delivery Meetup - Introducing delta
NYC Continuous Delivery Meetup - Introducing deltaMichael Bryzek
 
Production - Designing for Testability
Production - Designing for TestabilityProduction - Designing for Testability
Production - Designing for TestabilityMichael Bryzek
 
Security in a Continuous Delivery World
Security in a Continuous Delivery WorldSecurity in a Continuous Delivery World
Security in a Continuous Delivery WorldDinis Cruz
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of ITCloudPassage
 
Sri monthly presentation 2015
Sri monthly presentation 2015Sri monthly presentation 2015
Sri monthly presentation 2015Akash Rajguru
 
Sri monthly presentation 2016
Sri monthly presentation 2016Sri monthly presentation 2016
Sri monthly presentation 2016Akash Rajguru
 
DevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CD
DevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CDDevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CD
DevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CDDevOps_Fest
 
You build it - Cyber Chicago Keynote
You build it - Cyber Chicago KeynoteYou build it - Cyber Chicago Keynote
You build it - Cyber Chicago KeynoteJohn Willis
 
ATAGTR2017 Machine Learning telepathy for Shift Right approach of testing
ATAGTR2017 Machine Learning telepathy for Shift Right approach of testingATAGTR2017 Machine Learning telepathy for Shift Right approach of testing
ATAGTR2017 Machine Learning telepathy for Shift Right approach of testingAgile Testing Alliance
 
Automated Testing in Continuous Change Management
Automated Testing in Continuous Change ManagementAutomated Testing in Continuous Change Management
Automated Testing in Continuous Change ManagementPerforce
 
DevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesDevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesSonatype
 
Embracing the Rise of SecDevOps
Embracing the Rise of SecDevOpsEmbracing the Rise of SecDevOps
Embracing the Rise of SecDevOpsTom Cappetta
 
Git in the Enterprise: How to succeed at DevOps using Git and a monorepo
Git in the Enterprise: How to succeed at DevOps using Git and a monorepoGit in the Enterprise: How to succeed at DevOps using Git and a monorepo
Git in the Enterprise: How to succeed at DevOps using Git and a monorepoGina Bustos
 
DevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealDevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealSonatype
 

What's hot (20)

ATAGTR2017 Test the REST
ATAGTR2017 Test the REST ATAGTR2017 Test the REST
ATAGTR2017 Test the REST
 
Dev secops security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owaspDev secops security and compliance at the speed of continuous delivery - owasp
Dev secops security and compliance at the speed of continuous delivery - owasp
 
Design Microservice Architectures the Right Way
Design Microservice Architectures the Right WayDesign Microservice Architectures the Right Way
Design Microservice Architectures the Right Way
 
Integrating DevOps and Security
Integrating DevOps and SecurityIntegrating DevOps and Security
Integrating DevOps and Security
 
ATAGTR2017 Performance Automation in Dev-Ops
ATAGTR2017 Performance Automation in Dev-OpsATAGTR2017 Performance Automation in Dev-Ops
ATAGTR2017 Performance Automation in Dev-Ops
 
NYC Continuous Delivery Meetup - Introducing delta
NYC Continuous Delivery Meetup - Introducing deltaNYC Continuous Delivery Meetup - Introducing delta
NYC Continuous Delivery Meetup - Introducing delta
 
Production - Designing for Testability
Production - Designing for TestabilityProduction - Designing for Testability
Production - Designing for Testability
 
Security in a Continuous Delivery World
Security in a Continuous Delivery WorldSecurity in a Continuous Delivery World
Security in a Continuous Delivery World
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of IT
 
Sri monthly presentation 2015
Sri monthly presentation 2015Sri monthly presentation 2015
Sri monthly presentation 2015
 
Sri monthly presentation 2016
Sri monthly presentation 2016Sri monthly presentation 2016
Sri monthly presentation 2016
 
DevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CD
DevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CDDevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CD
DevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CD
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
You build it - Cyber Chicago Keynote
You build it - Cyber Chicago KeynoteYou build it - Cyber Chicago Keynote
You build it - Cyber Chicago Keynote
 
ATAGTR2017 Machine Learning telepathy for Shift Right approach of testing
ATAGTR2017 Machine Learning telepathy for Shift Right approach of testingATAGTR2017 Machine Learning telepathy for Shift Right approach of testing
ATAGTR2017 Machine Learning telepathy for Shift Right approach of testing
 
Automated Testing in Continuous Change Management
Automated Testing in Continuous Change ManagementAutomated Testing in Continuous Change Management
Automated Testing in Continuous Change Management
 
DevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & MicroservicesDevOps Friendly Doc Publishing for APIs & Microservices
DevOps Friendly Doc Publishing for APIs & Microservices
 
Embracing the Rise of SecDevOps
Embracing the Rise of SecDevOpsEmbracing the Rise of SecDevOps
Embracing the Rise of SecDevOps
 
Git in the Enterprise: How to succeed at DevOps using Git and a monorepo
Git in the Enterprise: How to succeed at DevOps using Git and a monorepoGit in the Enterprise: How to succeed at DevOps using Git and a monorepo
Git in the Enterprise: How to succeed at DevOps using Git and a monorepo
 
DevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen BealDevOps and All the Continuouses w/ Helen Beal
DevOps and All the Continuouses w/ Helen Beal
 

Similar to August 2018: DevSecOps - London Gathering

Extract Oct 2019: DSO-LG Rolling Slides
Extract Oct 2019: DSO-LG Rolling SlidesExtract Oct 2019: DSO-LG Rolling Slides
Extract Oct 2019: DSO-LG Rolling SlidesMichael Man
 
SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6Dinis Cruz
 
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...Amazon Web Services
 
Cross Platform Angular 2 and TypeScript Development
Cross Platform Angular 2 and TypeScript DevelopmentCross Platform Angular 2 and TypeScript Development
Cross Platform Angular 2 and TypeScript DevelopmentJeremy Likness
 
Threat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesThreat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesDevOps Indonesia
 
Threat Modeling All Day!
Threat Modeling All Day!Threat Modeling All Day!
Threat Modeling All Day!Steven Carlson
 
Weaponizing Your DevOps Pipeline
Weaponizing Your DevOps PipelineWeaponizing Your DevOps Pipeline
Weaponizing Your DevOps PipelinePuma Security, LLC
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCSuman Sourav
 
Alexey Sintsov- SDLC - try me to implement
Alexey Sintsov- SDLC - try me to implementAlexey Sintsov- SDLC - try me to implement
Alexey Sintsov- SDLC - try me to implementDefconRussia
 
Scale security for a dollar or less
Scale security for a dollar or lessScale security for a dollar or less
Scale security for a dollar or lessMohammed A. Imran
 
Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessMohammed A. Imran
 
Modern Web 2019 從零開始加入自動化資安測試
Modern Web 2019 從零開始加入自動化資安測試Modern Web 2019 從零開始加入自動化資安測試
Modern Web 2019 從零開始加入自動化資安測試Secview
 
DevSecOps - London Gathering : June 2018
DevSecOps - London Gathering : June 2018DevSecOps - London Gathering : June 2018
DevSecOps - London Gathering : June 2018Michael Man
 
Scaling security in a cloud environment v0.5 (Sep 2017)
Scaling security in a cloud environment v0.5 (Sep 2017)Scaling security in a cloud environment v0.5 (Sep 2017)
Scaling security in a cloud environment v0.5 (Sep 2017)Dinis Cruz
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaMohammed A. Imran
 
Owasp summit slides day 2
Owasp summit slides day 2Owasp summit slides day 2
Owasp summit slides day 2Dinis Cruz
 
Cncf checkov and bridgecrew
Cncf checkov and bridgecrewCncf checkov and bridgecrew
Cncf checkov and bridgecrewLibbySchulze
 

Similar to August 2018: DevSecOps - London Gathering (20)

Extract Oct 2019: DSO-LG Rolling Slides
Extract Oct 2019: DSO-LG Rolling SlidesExtract Oct 2019: DSO-LG Rolling Slides
Extract Oct 2019: DSO-LG Rolling Slides
 
SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6
 
Dev{sec}ops
Dev{sec}opsDev{sec}ops
Dev{sec}ops
 
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
 
Cross Platform Angular 2 and TypeScript Development
Cross Platform Angular 2 and TypeScript DevelopmentCross Platform Angular 2 and TypeScript Development
Cross Platform Angular 2 and TypeScript Development
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
 
Security for developers
Security for developersSecurity for developers
Security for developers
 
Threat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps CulturesThreat Modelling in DevSecOps Cultures
Threat Modelling in DevSecOps Cultures
 
Threat Modeling All Day!
Threat Modeling All Day!Threat Modeling All Day!
Threat Modeling All Day!
 
Weaponizing Your DevOps Pipeline
Weaponizing Your DevOps PipelineWeaponizing Your DevOps Pipeline
Weaponizing Your DevOps Pipeline
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
 
Alexey Sintsov- SDLC - try me to implement
Alexey Sintsov- SDLC - try me to implementAlexey Sintsov- SDLC - try me to implement
Alexey Sintsov- SDLC - try me to implement
 
Scale security for a dollar or less
Scale security for a dollar or lessScale security for a dollar or less
Scale security for a dollar or less
 
Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or less
 
Modern Web 2019 從零開始加入自動化資安測試
Modern Web 2019 從零開始加入自動化資安測試Modern Web 2019 從零開始加入自動化資安測試
Modern Web 2019 從零開始加入自動化資安測試
 
DevSecOps - London Gathering : June 2018
DevSecOps - London Gathering : June 2018DevSecOps - London Gathering : June 2018
DevSecOps - London Gathering : June 2018
 
Scaling security in a cloud environment v0.5 (Sep 2017)
Scaling security in a cloud environment v0.5 (Sep 2017)Scaling security in a cloud environment v0.5 (Sep 2017)
Scaling security in a cloud environment v0.5 (Sep 2017)
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
 
Owasp summit slides day 2
Owasp summit slides day 2Owasp summit slides day 2
Owasp summit slides day 2
 
Cncf checkov and bridgecrew
Cncf checkov and bridgecrewCncf checkov and bridgecrew
Cncf checkov and bridgecrew
 

More from Michael Man

5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)Michael Man
 
K8S Certifications - Exam Cram
K8S Certifications - Exam CramK8S Certifications - Exam Cram
K8S Certifications - Exam CramMichael Man
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)Michael Man
 
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...Michael Man
 
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...Michael Man
 
Sept 2019 - DSO-LG Tooling Examples
Sept 2019 - DSO-LG Tooling ExamplesSept 2019 - DSO-LG Tooling Examples
Sept 2019 - DSO-LG Tooling ExamplesMichael Man
 
DevSecOps Manchester - May 2019
DevSecOps Manchester - May 2019DevSecOps Manchester - May 2019
DevSecOps Manchester - May 2019Michael Man
 
Chris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickChris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickMichael Man
 
Extract: DevSecOps - London Gathering (March 2019)
Extract: DevSecOps - London Gathering (March 2019)Extract: DevSecOps - London Gathering (March 2019)
Extract: DevSecOps - London Gathering (March 2019)Michael Man
 
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Michael Man
 
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...Michael Man
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Michael Man
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Michael Man
 
The mechanics behind how attackers exploit simple programming mistakes ...
The mechanics behind how attackers exploit simple programming mistakes ...The mechanics behind how attackers exploit simple programming mistakes ...
The mechanics behind how attackers exploit simple programming mistakes ...Michael Man
 
Secret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret DragonsSecret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret DragonsMichael Man
 
DevSecOps March 2018 - Extract
DevSecOps March 2018 - ExtractDevSecOps March 2018 - Extract
DevSecOps March 2018 - ExtractMichael Man
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsMichael Man
 
Dynaminet -DevSecOps
Dynaminet -DevSecOpsDynaminet -DevSecOps
Dynaminet -DevSecOpsMichael Man
 
DevSecOps: Test Automation
DevSecOps: Test AutomationDevSecOps: Test Automation
DevSecOps: Test AutomationMichael Man
 
Project management experience security in agile 1309
Project management experience security in agile 1309Project management experience security in agile 1309
Project management experience security in agile 1309Michael Man
 

More from Michael Man (20)

5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)
 
K8S Certifications - Exam Cram
K8S Certifications - Exam CramK8S Certifications - Exam Cram
K8S Certifications - Exam Cram
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
 
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
 
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
 
Sept 2019 - DSO-LG Tooling Examples
Sept 2019 - DSO-LG Tooling ExamplesSept 2019 - DSO-LG Tooling Examples
Sept 2019 - DSO-LG Tooling Examples
 
DevSecOps Manchester - May 2019
DevSecOps Manchester - May 2019DevSecOps Manchester - May 2019
DevSecOps Manchester - May 2019
 
Chris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security BrickChris Rutter: Avoiding The Security Brick
Chris Rutter: Avoiding The Security Brick
 
Extract: DevSecOps - London Gathering (March 2019)
Extract: DevSecOps - London Gathering (March 2019)Extract: DevSecOps - London Gathering (March 2019)
Extract: DevSecOps - London Gathering (March 2019)
 
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
 
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!
 
The mechanics behind how attackers exploit simple programming mistakes ...
The mechanics behind how attackers exploit simple programming mistakes ...The mechanics behind how attackers exploit simple programming mistakes ...
The mechanics behind how attackers exploit simple programming mistakes ...
 
Secret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret DragonsSecret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret Dragons
 
DevSecOps March 2018 - Extract
DevSecOps March 2018 - ExtractDevSecOps March 2018 - Extract
DevSecOps March 2018 - Extract
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOps
 
Dynaminet -DevSecOps
Dynaminet -DevSecOpsDynaminet -DevSecOps
Dynaminet -DevSecOps
 
DevSecOps: Test Automation
DevSecOps: Test AutomationDevSecOps: Test Automation
DevSecOps: Test Automation
 
Project management experience security in agile 1309
Project management experience security in agile 1309Project management experience security in agile 1309
Project management experience security in agile 1309
 

Recently uploaded

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

August 2018: DevSecOps - London Gathering

  • 1. DevSecOps – London Gathering 4th July 2018
  • 2. TONIGHT’S PRESENTATION “Bringing Rapid Prototyping To The Threat Model Process” Geoffrey Hill @Tutamantic_Sec geoff@tutamantic.com
  • 3. WAYS TO STAY IN TOUCH https://www.meetup.com/DevSecOps-London-Gathering https://twitter.com/DevSecOps_LG https://www.linkedin.com/groups/8630205
  • 4. THE JOURNEY SO FAR … 1 • September 2017 • DevSecOps Engineer http://slides.com/chossrutter/securing#/17 • Project Management Experience: Security in Agile https://www.slideshare.net/MichaelMan11/project-management-experience-security-in-agile-1309 • October 2017 • Practical Threat Modelling http://slides.com/chossrutter/securing-6 • Threat Modelling Automation http://slides.com/mattjoyce/automatetm#/ • December 2017 • Security Automation in DevOps https://www.slideshare.net/MichaelMan11/dev-secops-testautomation https://www.slideshare.net/MichaelMan11/dynaminet-devsecops
  • 5. THE JOURNEY SO FAR … 2 • February 2018 • DevSecOps: The Evolution of DevOps https://www.slideshare.net/MichaelMan11/devsecops-the-evolution-of-devops • March 2018 • The mechanics behind how attackers exploit simple programming mistakes https://www.slideshare.net/MichaelMan11/the-mechanics-behind-how-attackers-exploit-simple- programming-mistakes • April 2018 Secret Dragons – Harder To Execute • https://www.slideshare.net/MichaelMan11/vulnerability-management-in-devsecops-easy- concept-but-harder-to-execute • https://www.slideshare.net/MichaelMan11/secret-management-journey-here-be-dragons-aka- secret-dragons
  • 6. THE JOURNEY SO FAR … 3 • May 2018 • Continuous Security: From tins to containers - now what! https://www.slideshare.net/MichaelMan11/continuous-security-from-tins-to-containers-now-what • June 2018 • The Bastion Server That Isn't There ... https://www.slideshare.net/MichaelMan11/the-bastion-server-that-isnt-there-joshua-kite • July 2018 • Scale Security For A Dollar Or Less https://www.slideshare.net/secfigo/scale-security-for-a-dollar-or-less/ • Threat Modelling: The Ultimate DevSecOps https://speakerdeck.com/zeroxten/threat-modeling-the-ultimate-devsecops • Practical Steps For Securing Containers https://www.slideshare.net/MichaelMan11/practical-steps-for-securing-containers-liz-rice
  • 7. WHAT’S HAPPENING IN SEPTEMBER 1200 – Doors Open: Location CONFIRMED Session 1 1230 - Culture, People and Workflow CONFIRMED 1330 - Real life experience implementing SAST – MM J CONFIRMED 1430 - Refreshments & Network Session 2 1500 - Repeat A Past Presentation CONFIRMED 1600 – Supporters of this community (30min each) CONFIRMED Session 3 1730 - Food & Network 1800 - DevSecOps Maturity 1 CONFIRMED 1845 - DevSecOps Maturity 2 1930 - DevSecOps Maturity 3 CLOSING 2015 - Network 2100 - Crash the other conference J
  • 9. DevSecOps – People & Culture • Break down the silo; no change here, just like the original DevOps movement • Not aware of what is going on – likely you are not part of the “DevSecOps” team; leave your ivory tower and build relationships • Conduct a Value Stream Mapping exercise to optimize your delivery (rinse and repeat) • Drill down and sketch out the details of each workflow before solutionising • Try new checks/controls as part of the pipeline
  • 10. IDE Static Code Analysis SCM Dynamic Analysis Open Source Software Security Security Testing Framework Binary Repository Define Security Test Cases Threat Modeling Security Standards Automation Tools: Passing Criteria Risk Management Out of Band Security Testing Security Champions DevSecOps Engineer Security Audit Artifacts CI Build Server DevSecOps – Tooling & Assurance Examples (Shift Left) curl nmap sslyze sqlmap Interactive Testing Reporting Dashboard Infrastructure Assurance Threat Modeling
  • 11. Dev Workstation Build Server Centralize Report (Vulnerability Management) Server SCM Static Code Analysis (SAST) Dynamic Testing (DAST) Interactive Testing (IAST) Open Source Component Security Manual Penetration Testing – Out of Band Scope: Application and Network layer – White/Black box Defect Management AUTOMATION INTEGRATION POINTS SECURITYASSURANCEMODEL Legend Black Box: Development Stack Blue Box: Automation - Integration Red Box: Security Tools and Controls Infrastructure Scanning
  • 12. REMINDER – I KEEP FORGETTING • Are you a Developer • Are you from Security • Are you from Operations • Other roles • First time here at The Gathering • Take a group picture • What other prizes or stuff would you like