
Software Security: In the World of Cloud & CI-CD

OWASP Delhi November Meet - Software Security: In the World of Cloud & CI-CD by Aniket Kulkarni


  1. 26 Nov 2015, Venue: Akamai, Singapore (OWASP Singapore). 28 Nov 2015, Venue: Airtel, Delhi, India (OWASP Delhi, India), remote WebEx from Singapore. Software Security: "In The World Of Cloud & CI-CD" - Aniket Kulkarni, Software Security Architect (Bigdata/Cloud/Mobile/Web)
  2. Agenda
     • Cloud & Its Snapshots
     • Definition Of Today's Clients
     • User's Angle To Cloud
     • Changing Landscape Of Customer Requirements
     • CI, CD
     • An Era Of Dashboards
     • Secure SDLC: CI-CD Way
  3. Cloud Computing? Cloud computing, also known as on-demand computing, is a kind of internet-based computing where shared resources and information are provided to computers and other devices on demand.
  4. Cloud Snapshots
  5. Clients Today? CLOUD
  6. Continuous Integration (CI)
     • Continuous Integration (CI) is a development practice that requires developers to integrate code into a shared repository several times a day.
     • Each check-in is then verified by an automated build, allowing teams to detect problems early.
  7. Continuous Delivery (CD)
     • Continuous Delivery (CD) is a software engineering approach in which teams keep producing valuable software in short cycles and ensure that the software can be reliably released at any time.
     • It aims at building, testing, and releasing software faster and more frequently.
  8. Continuous Deployment (CD)
     • Continuous Deployment (CD) is the next phase after continuous delivery.
     • Every change that passes the automated tests gets deployed to production automatically.
  9. User's Angle To Cloud. (Diagram) Client side: USER1 (Subscribed), USER2 (Subscribed), USER3 (Free); Application Server; Storage Service; I & AM; Notification Service.
  10. An Era Of Dashboards.
  11. Changing Landscape Of Requirements
     • Ongoing Customer Demands
     • Associated Market Competition
     • Product Research Outcomes
     "Constant rotating eyeball on the product in production, hosted on cloud, with constant changes"
  12. Challenges For Business Stakeholders
     • How to manage the security posture of 150+ cloud products?
     • Shall we invest in security (Yes/No)?
     • If yes, how much? Confused about the decision?
     • Invested $X million. How secure are we?
     • We are 100% compliant! Are we secure now?
     • Are we satisfying customer demands?
  13. S-SDLC (CI-CD): Component Repository. (Diagram) External Repositories and Internal Components feed the Organization Repository (Ex: Nexus/Artifactory).
  14. S-SDLC (CI-CD): 3rd Party External Component Security. (Diagram) External Repositories and Internal Components feed the Organization Repository (Ex: Nexus/Artifactory); 3rd Party Component Security Tools (Ex: Sonatype CLM); Continuous Dashboard Update.
  15. S-SDLC (CI-CD): Development. (Diagram) External Repositories and Internal Components feed the Organization Repository (Ex: Nexus/Artifactory); Static Source Code Analysis Tool (Ex: Fortify); Continuous Dashboard Update.
  16. S-SDLC (CI-CD): QA. (Diagram) Internal Automation Frameworks (mostly Python scripts); Actual Web Product Hosted On Staging; Dynamic Analysis Tool Run with Manual Dashboard Update; Internal/External Penetration Tests; Interactive Application Security Testing (Ex: Contrast) with Continuous Dashboard Update.
  17. S-SDLC (CI-CD): SAST / DAST / IAST
     • SAST: Uses source code to find vulnerabilities without running the application. Misses run-time vulnerabilities. Many false positives.
     • DAST: Analyzes the application in its running state by fuzzing it with malicious payloads from outside. Misses business logic vulnerabilities. Many false positives.
     • IAST: Analyzes the application in its running state by deploying sensors inside the app. Finds most of the things that SAST and DAST miss. Almost no, or far fewer, false positives.
  18. S-SDLC (CI-CD): Typical IAST Deployment. (Diagram) Web Application stack: Custom Code, Frameworks, Libraries, Application Server, Java Runtime; the IAST Engine collects Data From Passive Sensors and sends Security Information To Dashboard.
  19. S-SDLC (CI-CD): Compact View. (Diagram) Component Selection; Development; QA; IAST / Staging. All set for product release?
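The compact view above ends with the question the dashboard has to answer: is the product all set for release? The script below is an added example, not code from the talk or from Autodesk; it models the four pipeline stages of slides 13-19 (component, SAST, DAST, IAST), folds their findings into the per-stage dashboard, and gives IAST the role slide 17 assigns it by using its in-app sensor data to confirm SAST/DAST findings that would otherwise count as unverified. The stage names, severity ranks, blocking thresholds and sample findings are all assumptions constructed for the example.

```python
"""Release gate for the S-SDLC (CI-CD) pipeline on the slides (added example).
Stage names, severities, thresholds and findings are assumptions, not the talk's data."""
from collections import Counter

# Pipeline stages in the order the slides present them.
STAGES = ("component", "sast", "dast", "iast")

# Constructed sample findings, shaped like what each tool would push to the dashboard.
SAMPLE_FINDINGS = [
    {"stage": "component", "id": "lib-xml-parser-1.0", "severity": "high", "verified": True},
    {"stage": "sast", "id": "sqli-OrderDao.java:42", "severity": "critical", "verified": False},
    {"stage": "iast", "id": "sqli-OrderDao.java:42", "severity": "critical", "verified": True},
    {"stage": "sast", "id": "xss-Search.jsp:10", "severity": "medium", "verified": False},
    {"stage": "dast", "id": "missing-hsts", "severity": "low", "verified": True},
]

# Assumed policy: a stage blocks release when it holds a verified finding at or above its bar.
BLOCKING = {"component": "high", "sast": "critical", "dast": "high", "iast": "medium"}
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def dashboard(findings):
    """Per-stage counts by severity: the 'Continuous Dashboard Update' of slides 14-16."""
    board = {stage: Counter() for stage in STAGES}
    for finding in findings:
        board[finding["stage"]][finding["severity"]] += 1
    return board


def confirm_with_iast(findings):
    """Mark an unverified SAST/DAST finding as verified when IAST reports the same id.
    IAST sensors see the real execution path, so its hits carry far fewer false positives."""
    iast_ids = {f["id"] for f in findings if f["stage"] == "iast"}
    return [dict(f, verified=f["verified"] or f["id"] in iast_ids) for f in findings]


def release_gate(findings):
    """Answer 'All set for product release?' and name the stages that block it."""
    blockers = sorted({
        f["stage"] for f in confirm_with_iast(findings)
        if f["verified"] and RANK[f["severity"]] >= RANK[BLOCKING[f["stage"]]]
    })
    return {"release": not blockers, "blocked_by": blockers}


if __name__ == "__main__":
    for stage, counts in dashboard(SAMPLE_FINDINGS).items():
        print(f"{stage:10s} {dict(counts)}")
    print(release_gate(SAMPLE_FINDINGS))
```

With the sample data the SAST SQL injection is confirmed by the matching IAST hit and blocks release, the unconfirmed XSS finding does not, and the low-severity DAST finding stays below its stage's bar.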
  20. Rethinking Challenges! How do the challenges look now?
     • How to manage the security posture of 150+ cloud products?
     • Shall we invest in security (Yes/No)?
     • If yes, how much? Confused about the decision?
     • Invested $X million. How secure are we?
     • We are 100% compliant! Are we secure now?
     • Are we satisfying customer demands?
  21. Key Points / Take Away
     • Cloud & CI, CD
     • Software product business challenges
     • Pitching security in a fast-paced environment: 3rd party component security; security at development; security at QA; security at staging/production
     • Solutions that we have for this fast-paced environment
     • Security as an input for business decisions
     • Deciding factor for security investment & ROI
  22. Q & A
  23. Thank you, Aniket Kulkarni - Software Security Architect (Bigdata/Cloud/Mobile/Web), Autodesk Singapore Research & Development Center, Singapore.
