26 Nov 2015
Venue: Akamai, Singapore
OWASP Singapore.
28 Nov 2015
Venue: Airtel, Delhi-India.
OWASP, Delhi-India.
Remote WebEx From Singapore.
Software Security:
“In The World Of, Cloud & CI-CD”
-Aniket Kulkarni
Software Security Architect (BigdataCloudMobileWeb)

Agenda
 Cloud & It’s Snapshots
 Definition Of Todays Client’s
 Users Angle To cloud
 Changing Landscape Of Customer Requirements
 CI, CD
 An Era Of Dashboards
 Secure SDLC: CI-CD Way

Cloud Computing?
Cloud computing:
Also known as on-demand computing, is a kind of
internet-based computing, where shared resources and
information are provided to computers and other devices
on-demand.

Cloud Snapshots

Client’s Today ?
CLOUD

Continuous Integration-CI.
 Continuous Integration (CI)
is a development practice
that requires developers to
integrate code into a shared
repository several
times a day.
 Each check-in is then verified
by an automated build,
allowing teams to detect
problems early.

Continuous Delivery-CD.
 Continuous Delivery (CD): is a
software engineering approach in which teams keep producing
valuable software in short cycles and ensure that
the software can be reliably released at
any time.
 It aims at, building, testing, and
releasing software, faster and
more frequently.

Continuous Deployment-CD.
 Continuous Deployment (CD): Is next phase to continuous
delivery.
 Every change that passes the automated tests get deployed on
production automatically.

Users Angle To Cloud.
Client Side
Subscribed
USER1
Free
USER3
Subscribed
USER2
Application
Server
Storage
ServiceI & AM
Notification
Service

An Era Of Dashboards.

Changing Landscape Of Requirements
 On Going Customer Demands
 Associated Market Competitions
 Product Research Outcomes
“Constant Rotating Eyeball On Product In Production, Hosted On Cloud, with
constant changes”

Challenges For Business Stakeholders
 How to manage security posture of 150+ cloud
products ?
 Shall we invest for Security (Yes/NO) ?
 If yes, how much ? Confused for decision ?
 Invested $X million. How much secure we are ?
 We are 100% Compliance done! Are We Secure
now?
 Are we satisfying customer demands ?

S-SDLC (CI-CD): Component Repository
External
Repositories
Internal
ComponentsOrganization Repository
(Ex:NexusArtifactory)

S-SDLC (CI-CD): 3rd Party External Component Security
External
Repositories
Internal
Components
Organization Repository (Ex:
Nexus Artifactory)
3rd Party Component Security
Tools (Ex: Sonatype CLM)
Continuous Dashboard Update

S-SDLC (CI-CD): Development
External
Repositories
Internal
Components
Organization Repository (Ex:
Nexus Artifactory)
Static Source Code Analysis Tool
(Ex: Fortify)
Continuous Dashboard Update

S-SDLC (CI-CD): QA
• Internal Automation Frameworks
• Mostly Python Scripts
Actual Web Product Hosted On
Staging
Dynamic Analysis Tool Run
Manual Dashboard Update
InternalExternal Penetration Tests
Continuous Dashboard
Update
Interactive Application Security Testing
(Ex: Contrast)

S-SDLC (CI-CD): SASTDASTIAST
SAST
DAST
IAST
• Uses source code to find vulnerabilities without running the
application.
• Misses run time vulnerabilities.
• Many false positives
• Analyzes application in its running state by fuzzing with
malicious payloads from outside
• Misses business logic vulnerabilities
• Many false positives
• Analyzes application in its running state by deploying
sensors inside the app.
• Finds most of the things which SAST and DAST misses
• Almost NoLess false positives

S-SDLC (CI-CD): Typical IAST Deployment
Custom Code
Java Runtime
Application Server
Frameworks
Libraries
IAST
Engine
Security
Information To
Dashboard
Web Application
Data
From
Passive
Sensors

S-SDLC (CI-CD): Compact View
DEVELOPMENTCOMPONENT
SELECTION
QA IASTSTAGING
All Set For Product Release ? 

Rethinking challenges!
How we appear on challenges now ?
 How to manage security posture of 150+ cloud products?
 Shall we invest for Security (Yes/NO) ?
 If yes, how much ? Confused for decision ?
 Invested $X million. How much secure we are ?
 We are 100% Compliance done! Are We Secure now?
 Are we satisfying customer demands ?

Key Points Take Away
 Cloud & CI,CD
 Software product Business challenges
 Pitching security in fast pace environment:
-3rd party component security
-Security at Development
-Security at QA
-Security at StagingProduction
 Solutions that we have for this fast pace environment
 Security an input for business decisions
 Deciding factor for security investment & ROI

Q & A

Thank you,
Aniket Kulkarni - Software Security Architect (BigdataCloudMobileWeb)
Autodesk Singapore Research & Development Center
Singapore.