Security as Code: A DevSecOps Approach

VMware Tanzu
VMware TanzuVMware Tanzu
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
1 of 38

Security as Code: A DevSecOps Approach

Download to read offline
Software

SpringOne 2021 Session Title: Security as Code: A DevSecOps Approach Speakers: Alvaro Muñoz, Staff Security Researcher at GitHub; Tony Torralba, Software Engineer at GitHub

VMware Tanzu
VMware TanzuVMware Tanzu

Recommended

How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOpsCYBRIC
852 views27 slides
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps SecRubal Jain
1.2K views20 slides
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
835 views37 slides
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOpsAmazon Web Services
1.6K views32 slides
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
3.5K views19 slides
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsAmazon Web Services
8.2K views35 slides

More Related Content

What's hot

What's hot(20)

Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
MITRE ATT&CK1.2K views
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services6.1K views
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
Sonatype 10K views
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
MITRE ATT&CK645 views
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
Prashanth B. P.272 views
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
Sonatype 4.9K views
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep Dive
Ulisses Albuquerque1.4K views
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's Reach
Matt Tesauro241 views
DevSecOpsDevSecOps
DevSecOps
Joel Divekar299 views
Shift Left Security - The What, Why and HowShift Left Security - The What, Why and How
Shift Left Security - The What, Why and How
DevOps.com949 views
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
Jason Suttie1.2K views
Practical DevSecOps - Arief KarfiantoPractical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief Karfianto
idsecconf904 views
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevOps Indonesia227 views
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOps
Michael Man1.1K views
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!
MITRE ATT&CK802 views
DevSecOps - Workshop do BemDevSecOps - Workshop do Bem
DevSecOps - Workshop do Bem
Bruno Dantas900 views
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Setu Parimi1.9K views
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS408 views
DevSecOps: Security With DevOpsDevSecOps: Security With DevOps
DevSecOps: Security With DevOps
Knoldus Inc.297 views
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com1.9K views

Similar to Security as Code: A DevSecOps Approach

Dev{sec}opsDev{sec}ops
Dev{sec}opsSteven Carlson
208 views35 slides

Similar to Security as Code: A DevSecOps Approach(20)

HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
Spencer Koch493 views
DevSecOps at Agile 2019 DevSecOps at Agile 2019
DevSecOps at Agile 2019
Elizabeth Ayer508 views
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya JancaDevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya Janca
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya Janca
DevSecCon128 views
Dev{sec}opsDev{sec}ops
Dev{sec}ops
Steven Carlson208 views
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
SBWebinars481 views
Epistemological Problem of Application SecurityEpistemological Problem of Application Security
Epistemological Problem of Application Security
James Wickett1.3K views
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6
Dinis Cruz3K views
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
DicodingEvent346 views
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
James Wickett125.7K views
Defining DevSecOpsDefining DevSecOps
Defining DevSecOps
Uchit Vyas ☁412 views
Seacon Continuous Delivery Pipeline Tools TrackSeacon Continuous Delivery Pipeline Tools Track
Seacon Continuous Delivery Pipeline Tools Track
Mark Rendell263 views
App sec and quality london - may 2016 - v0.5App sec and quality london - may 2016 - v0.5
App sec and quality london - may 2016 - v0.5
Dinis Cruz1.1K views
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier846 views
apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...
apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...
apidays178 views
APIs in production - we built it, can we fix it?APIs in production - we built it, can we fix it?
APIs in production - we built it, can we fix it?
Martin Gutenbrunner285 views
Practical appsec lessons learned in the age of agile and DevOpsPractical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOps
Priyanka Aash128 views
Securing a Cloud MigrationSecuring a Cloud Migration
Securing a Cloud Migration
VMware Tanzu273 views
Securing a Cloud MigrationSecuring a Cloud Migration
Securing a Cloud Migration
Carlos Andrés García18 views
DevSecOps OWASPDevSecOps OWASP
DevSecOps OWASP
Priyanka Raghavan202 views
Stackato v6Stackato v6
Stackato v6
Jonas Brømsø1.2K views

More from VMware Tanzu

More from VMware Tanzu(20)

What AI Means For Your Product Strategy And What To Do About ItWhat AI Means For Your Product Strategy And What To Do About It
What AI Means For Your Product Strategy And What To Do About It
VMware Tanzu71 views
Make the Right Thing the Obvious Thing at Cardinal Health 2023Make the Right Thing the Obvious Thing at Cardinal Health 2023
Make the Right Thing the Obvious Thing at Cardinal Health 2023
VMware Tanzu61 views
Enhancing DevEx and Simplifying Operations at ScaleEnhancing DevEx and Simplifying Operations at Scale
Enhancing DevEx and Simplifying Operations at Scale
VMware Tanzu52 views
Spring Update | July 2023Spring Update | July 2023
Spring Update | July 2023
VMware Tanzu68 views
Platforms, Platform Engineering, & Platform as a ProductPlatforms, Platform Engineering, & Platform as a Product
Platforms, Platform Engineering, & Platform as a Product
VMware Tanzu74 views
Building Cloud Ready AppsBuilding Cloud Ready Apps
Building Cloud Ready Apps
VMware Tanzu54 views
Spring Boot 3 And BeyondSpring Boot 3 And Beyond
Spring Boot 3 And Beyond
VMware Tanzu130 views
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdfSpring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
VMware Tanzu69 views
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
VMware Tanzu64 views
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
VMware Tanzu43 views
tanzu_developer_connect.pptxtanzu_developer_connect.pptx
tanzu_developer_connect.pptx
VMware Tanzu153 views
Tanzu Virtual Developer Connect Workshop - FrenchTanzu Virtual Developer Connect Workshop - French
Tanzu Virtual Developer Connect Workshop - French
VMware Tanzu32 views
Tanzu Developer Connect Workshop - EnglishTanzu Developer Connect Workshop - English
Tanzu Developer Connect Workshop - English
VMware Tanzu90 views
Virtual Developer Connect Workshop - EnglishVirtual Developer Connect Workshop - English
Virtual Developer Connect Workshop - English
VMware Tanzu26 views
Tanzu Developer Connect - FrenchTanzu Developer Connect - French
Tanzu Developer Connect - French
VMware Tanzu13 views
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
VMware Tanzu77 views
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring BootSpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
VMware Tanzu112 views
SpringOne Tour: The Influential Software EngineerSpringOne Tour: The Influential Software Engineer
SpringOne Tour: The Influential Software Engineer
VMware Tanzu39 views
SpringOne Tour: Domain-Driven Design: Theory vs PracticeSpringOne Tour: Domain-Driven Design: Theory vs Practice
SpringOne Tour: Domain-Driven Design: Theory vs Practice
VMware Tanzu22 views
SpringOne Tour: Spring Recipes: A Collection of Common-Sense SolutionsSpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
SpringOne Tour: Spring Recipes: A Collection of Common-Sense Solutions
VMware Tanzu36 views

Recently uploaded

Recently uploaded(20)

Citi Tech Talk: Event Driven Kafka MicroservicesCiti Tech Talk: Event Driven Kafka Microservices
Citi Tech Talk: Event Driven Kafka Microservices
confluent13 views
Building a Bridge between Terraform and ArgoCDBuilding a Bridge between Terraform and ArgoCD
Building a Bridge between Terraform and ArgoCD
Carlos Santana87 views
Green Cloud - Measure cloud emissionsGreen Cloud - Measure cloud emissions
Green Cloud - Measure cloud emissions
Green Software Development14 views
MAXQDA-24-Features-EN.pdfMAXQDA-24-Features-EN.pdf
MAXQDA-24-Features-EN.pdf
Cheer Chain Enterprise Co., Ltd.132 views
Using the power of OpenAI with your own data: what's possible and how to start?Using the power of OpenAI with your own data: what's possible and how to start?
Using the power of OpenAI with your own data: what's possible and how to start?
Maxim Salnikov21 views
AI and Software consultants: friends or foes?AI and Software consultants: friends or foes?
AI and Software consultants: friends or foes?
Jordi Cabot190 views
IBM MQ Whats new - up to 9.3.4.pptxIBM MQ Whats new - up to 9.3.4.pptx
IBM MQ Whats new - up to 9.3.4.pptx
Matt Leming9 views
Overcoming CMake Configuration Issues WebinarOvercoming CMake Configuration Issues Webinar
Overcoming CMake Configuration Issues Webinar
ICS80 views
ICCC2023 Statistics Report, has Common Criteria reached its peak?ICCC2023 Statistics Report, has Common Criteria reached its peak?
ICCC2023 Statistics Report, has Common Criteria reached its peak?
Javier Tallón5 views
AutoMailX PremiumAutoMailX Premium
AutoMailX Premium
GhouseMohiddin1613 views
Critical Control Leadership & Verifications: Operationalising Critical Contro...Critical Control Leadership & Verifications: Operationalising Critical Contro...
Critical Control Leadership & Verifications: Operationalising Critical Contro...
myosh team19 views
3 AI Tools for Live Streamers3 AI Tools for Live Streamers
3 AI Tools for Live Streamers
ontheflystream9 views
Blue turns green! Approaches and technologies for sustainable K8s clusters #C...Blue turns green! Approaches and technologies for sustainable K8s clusters #C...
Blue turns green! Approaches and technologies for sustainable K8s clusters #C...
Green Software Development11 views
Streamlined CMS - DrupalCon SessionStreamlined CMS - DrupalCon Session
Streamlined CMS - DrupalCon Session
Smile I.T is open13 views
The Case Against Frameworks - JFall 2023The Case Against Frameworks - JFall 2023
The Case Against Frameworks - JFall 2023
Jan-Hendrik Kuperus12 views
Q&A with Confluent Professional Services: Confluent Service MeshQ&A with Confluent Professional Services: Confluent Service Mesh
Q&A with Confluent Professional Services: Confluent Service Mesh
confluent10 views
The Power of AI Transcription in Audio to Text ConversionThe Power of AI Transcription in Audio to Text Conversion
The Power of AI Transcription in Audio to Text Conversion
Ecango8 views
Amazon EKS multi-cluster gitops-bridgeAmazon EKS multi-cluster gitops-bridge
Amazon EKS multi-cluster gitops-bridge
Carlos Santana59 views
HTMX: Web 1.0 with the benefits of Web 2.0 without the grift of Web 3.0HTMX: Web 1.0 with the benefits of Web 2.0 without the grift of Web 3.0
HTMX: Web 1.0 with the benefits of Web 2.0 without the grift of Web 3.0
Martijn Dashorst997 views
Unleashing the Power of Generative AI.pdfUnleashing the Power of Generative AI.pdf
Unleashing the Power of Generative AI.pdf
TomHalpin920 views

Security as Code: A DevSecOps Approach

  • 1. SpringOne @pwntester / @atorralba A DevSecOps approach Security as code SpringOne @pwntester / @atorralba
  • 2. > whoami Alvaro Muñoz @pwntester Staff Security Researcher Tony Torralba @_atorralba CodeQL Software Engineer
  • 3. https://securitylab.github.com GitHub Security Lab
  • 4. Let’s start with a space odyssey SpringOne @pwntester / @atorralba
  • 5. 9 years ago in our galaxy double vectors[12] does not actually prevent to pass an array of different size as argument Unpredictable behaviour if this code is called with an array that is too short Pseudo-code. Not the actual NASA code
  • 6. 9 years ago in our galaxy
  • 9. The specific challenges of shifting security left SpringOne @pwntester / @atorralba
  • 10. Shifting Left
  • 11. #1 — It’s not just “automate and run earlier” #2 — Go left(er), don’t stop at coding! Requirements, design, architecture … SpringOne @pwntester / @atorralba
  • 12. What motivates us? ● Autonomy ● Mastery ● Purpose SpringOne @pwntester / @atorralba
  • 13. What motivates us? Autonomy You are in control Another team runs the tool and generates a deluge of Jira issues for you Mastery You are good at what you’re doing! The expertise stays in that team, you don’t learn anything in the process Purpose You know why you are doing it! You are just fixing a bug because the experts said so in the issue 👍 👎 SpringOne @pwntester / @atorralba
  • 14. DevSecOps specificities ➢ What is common? ○ Misalignment, different goals ○ Antagonism SpringOne @pwntester / @atorralba
  • 15. DevSecOps specificities ➢ What is common? ○ Misalignment, different goals ○ Antagonism ➢ What is specific? ○ Criticality / urgency of the bugs ○ Scarcity of security researchers ○ Perception that security researchers have bad intentions SpringOne @pwntester / @atorralba
  • 16. DevSecOps specificities The divide is at another level SpringOne @pwntester / @atorralba
  • 17. Lessons learned from DevOps SpringOne @pwntester / @atorralba
  • 18. Lesson #1: Align goals SpringOne @pwntester / @atorralba
  • 19. Lesson #2: Autonomy, Mastery SpringOne @pwntester / @atorralba
  • 20. Security as Code SpringOne @pwntester / @atorralba
  • 21. SpringOne @pwntester / @atorralba What is SaC • Everyone should be responsible for security • Provide developers with policies and tools integrated into their IDEs and pipelines • More Guardrails and fewer Gates Security as Code is the methodology of codifying security and policy decisions and socializing them with other teams. https://cyral.com/white-papers/what-is-security-as-code/
  • 22. SpringOne @pwntester / @atorralba What can be covered with SaC • Security policies • (e.g. https://github.com/ossf/allstar) • Security testing • (Unit/Integration/Functional tests focused on security) • Vulnerability scanning • We’ll be focusing on this!
  • 23. SpringOne @pwntester / @atorralba Benefits of SaC • Uses the developer’s same language (code), encouraging collaboration and boosting morale • Easily auditable/reviewable (more visibility, changes can be tracked) • Automates checks, allowing self-assessments
  • 24. • CodeQL lets you query code as though it were data. • CodeQL extracts your code into a special database - AST - Semantics - Control Flow Graph • You can query this DB with an optimized OO declarative language CodeQL
  • 25. Demo
  • 26. SpringOne @pwntester / @atorralba Demo repository https://github.com/atorralba/springone-demo
  • 32. Taint tracking SpringOne @pwntester / @atorralba SOURCE POST /users username={payload} &pasword=secret &repeatedPassword=secret APPLICATION UserForm userForm parseExpression( expression ); UserController SINK
  • 34. Security As Code: Code Scanning ✓ Automation ✓ Developer tool ✓ Sharing knowledge ✓ Bonus: Community-powered SpringOne @pwntester / @atorralba
  • 35. Support SpringOne @pwntester / @atorralba ● Sources of taint: ○ Web ○ MVC ○ REST ● Specific Spring Sinks: ○ Spring Web: Open Redirects, Open Forwards, XSS, CSRF disabling ○ Spring REST: SSRF ○ Spring LDAP: LDAP manipulation ○ Spring JDBC: SQL Injection ● Specific Spring categories: ○ Spring View manipulation ○ Spring EL Injection
  • 36. Contribute your own queries and make some 💰 https://securitylab.github.com/get-involved SpringOne @pwntester / @atorralba
  • 37. Thank you! Reach out on twitter: @pwntester @_atorralba @ghsecuritylab SpringOne @pwntester / @atorralba