SlideShare a Scribd company logo

DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)

R
Rich Mills

As we embrace Agile/DevOps with rapid, continuous deployment of software, we need to alter the way we integrate security into the process. We need ways to integrate tooling and practices into our continuous delivery pipelines to ensure that our applications are "secure enough" to defend themselves every day. We need continuous security.

Software
1 of 20
Download to read offline
DevSecOps: Essential Tooling to Enable Continuous Security Richard Mills DevOps Solution Architect, Coveros Inc. rich.mills@coveros.com @armillz
Who is this guy? ●Me: Mad-Software-Developer turned Mad-Software-Engineer turned DevOps-Solution-Architect. Pragmatist. Particular focus on tools and automation. CI, CD, DevOps … what’s next? ○ PS: Thanks for inventing the term “DevOps” to describe what I like to do. ○ … and then DevSecOps, DevSecQaEntFinBizOps, etc. ●Pays my bills: Coveros helps organizations accelerate the delivery of secure, reliable software using agile methods. ○ Agile transformations, development, and testing ○ Dev(Sec)Ops implementations ○ Training courses in Agile, DevOps, Application Security ●Keeps me intrigued: SecureCI ○ Open-source DevOps product ○ Integrated CI/CD stack with security flavor
Modern Agile/DevOps software delivery is outpacing compliance-driven, late-lifecycle security processes How do we solve it? ● Integrate security actions into sprint-ly delivery process ● Integrate security team members into development and operations (not police) ● Integrate “Quality Gates” into CI/CD pipeline Goal: confidence that software is “secure enough” to defend itself every day Need “continuous security” integrated into our delivery process DevSecOps to match agile delivery Security! Dev (Sec) Ops
Pipeline defines delivery process The software delivery process is automated through a CI/CD pipeline to deliver application microservices into various test (and eventually production) environments
Tools, tools, and too many tools https://xebialabs.com/periodic-table-of-devops-tools/
Essential security tooling categories ● Static application scanning ○ analyze the source code, application structure, or platform as it is built to detect defects or vulnerabilities ○ In security space: SAST, software composition analysis, vulnerability scanning ● Dynamic functional testing ○ variety of sub-categories of functional testing to verify that the software behaves according to its functional requirements. ● Non-functional testing ○ verify software against sub-categories of cross-cutting, non-functional requirements (security, performance, accessibility, …) ○ In security space: DAST ● Real time monitoring ○ once the software is operating, monitor its operation and look for issues. (not necessarily a "quality gate" but it does ensure that software remains healthy) ○ In security space: may include IAST and RASP
Static application scanning ● Static application scanning - run before we launch/run software ○ Static code analysis - quality, maintainability, security (frequently referred to as Static Application Security Testing, SAST). ○ Software Composition Analysis - performs 3rd party dependency checks ○ Platform vulnerability scanning - scan OS, middleware, configuration for known weaknesses ○ Docker container scanning - scan container images as they are built to detect whether vulnerable container layers are being used or misconfigured ● Tools: ○ SonarQube, FindBugs, PMD, Fortify, Veracode, … ○ OWASP Dependency Check, RetireJS, … ○ Nessus, OpenVAS, OpenSCAP, … ○ Twistlock, Falco, Aqua, ...
• Code scanning and quality dashboards • Includes quality, security, and maintainability scans for many languages • Continuous view of static code health, unit tests, coverage, … • Inexpensive alternative to commercial tools such as Fortify, Veracode, etc. Static analysis: start with SonarQube
● Ensure that you aren’t using someone else’s vulnerable code ● Software Composition Analysis against NVD with CVE ○ OWASP (Java), RetireJS (JavaScript), ... ○ Sonatype Nexus IQ Server, JFrog Xray, ... Dependency checks for supply chain
• Examine container structure and behavior before and during execution • Similar to vulnerability scanning of hosts • Two roles: ○ Scan newly build app container images for vulnerabilities ○ Monitor running containers for compliance • Others: Falco, Clair, Aqua, … • Platform: Nessus, OpenVAS, ... Container and platform scanning: Twistlock
Dynamic functional testing ● Unit testing - verify that code functions properly in isolation during a build (pre-deployment) ● Health Tests - quick API health check endpoint pings to ensure services are running ● API testing - REST tests divided into smoke tests, functional tests, regression tests, etc. ● UI testing - Selenium/selenified tests for UI organized as smoke, functional, etc. With Security: test your security functions (roles, auditing, encryption, …) Tools: ● Junit, Jest, TestNG, ... ● Selenium, Selenified, jBehave, Cucumber, ... ● REST Assured, Postman, JMeter, Taurus, … ● Security proxies: Zed Attack Proxy, Burp Proxy, ... Point: these are good places to start integrating dynamic security testing
Active Security ScanningPassive Security Monitoring Security pipeline with ZAP OWASP Zed Attack Proxy (ZAP) is an easy to use, open-source web scanning and penetration tool (Burp Suite and others can do this, as well) Two primary modes: Passive and Active
Non-functional testing ● Dynamic Application Security Testing (DAST) - automated web scanning, penetration testing, database testing, ... ● Performance testing - automated performance tests run manually with JMeter by QA Team ● 508 Accessibility testing - executed periodically to validate that the application is usable for all people ● Other compliance testing… Security Tools: ● ZAP, Burp Suite, HCL App Scan, Metasploit, Nmap, SQLmap, … ● NOTE: Need to be able to script these and integrate into pipeline!
Tying it together: pipeline flow
Eventually: real-time monitoring ● Various aspects ○ Log aggregation and scanning - use processing rules to detect anomalous behavior (information leakage, high error rates, attack detection) ○ Real-time container and host monitoring - security monitoring of running docker containers running in test environments for behavior, configuration ○ Container and host scanning - scan hosts against configuration benchmarks ○ Performance monitoring - monitor system resources, response times, etc. ● Wraps into Security Information & Event Management (SIEM) ● RASP and IAST tools fit here, as well ● Tools ○ Kibana/Logstash (ELK), Splunk, Tripwire, … ○ Nessus, OpenVAS, Twistlock, … ○ Prometheus, Graphana, Hawkular, New Relic, ...
Takeaways for continuous security ● Develop a product with security built in ● Find tools that fit each major category ○ Static analysis ○ Software Composition Analysis ○ Vulnerability scanning (platform, containers) ○ Dynamic testing ○ Monitoring ● Start with simple (free!) tools until you understand their value and cost ● Strive for continuous assessment ● Develop a culture of security
rich.mills@coveros.com @armillz https://www.coveros.com/services/devops/ Join us on Slack! https://hub.techwell.com Thank You! Questions?
Bonus Round: Integrating Teams
Integrate your development, security, quality, and ops teams to streamline your delivery process and enable success ● Use team structures that encourage collaboration of security engineers with developers ○ Need engineers who understand code, build, deployment, testing, automation ○ Can’t succeed with only compliance box checkers (yes, you need them too) ● Half the battle: getting teams to work together, not against each other ○ Security consultants, not security police ○ Contributors, not naysayers Build a culture of security. Expect every build to be secure. Integrating Dev, Sec, QA, Ops
Horizontal Technical Guilds ●Group of specialized professionals working together to solve cross-team problems ●Guild members in-team are focused on team-specific problems ●Dedicated guild members support cross-team needs ●Guild establishes cross-team standards and shared success ●Important: share knowledge across team members Cross-team function (vs. cross-functional team) Challenge: You will never have enough security engineers for every team

Recommended

The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingMatt Tesauro
 
BlueHat v18 || Go build a tool - best practices for building a robust & e...
BlueHat v18 || Go build a tool - best practices for building a robust & e...BlueHat v18 || Go build a tool - best practices for building a robust & e...
BlueHat v18 || Go build a tool - best practices for building a robust & e...BlueHat Security Conference
 
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security AssuranceSec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security AssuranceAbdessamad TEMMAR
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
OpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityOpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityDavid Jorm
 
The Science of Compliance - Early Code to Secure your Node (11/6/19)
The Science of Compliance - Early Code to Secure your Node (11/6/19)The Science of Compliance - Early Code to Secure your Node (11/6/19)
The Science of Compliance - Early Code to Secure your Node (11/6/19)judy (fink) johnson
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Black Duck by Synopsys
 

Recommended

The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingMatt Tesauro
 
BlueHat v18 || Go build a tool - best practices for building a robust & e...
BlueHat v18 || Go build a tool - best practices for building a robust & e...BlueHat v18 || Go build a tool - best practices for building a robust & e...
BlueHat v18 || Go build a tool - best practices for building a robust & e...BlueHat Security Conference
 
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security AssuranceSec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security AssuranceAbdessamad TEMMAR
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
OpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityOpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityDavid Jorm
 
The Science of Compliance - Early Code to Secure your Node (11/6/19)
The Science of Compliance - Early Code to Secure your Node (11/6/19)The Science of Compliance - Early Code to Secure your Node (11/6/19)
The Science of Compliance - Early Code to Secure your Node (11/6/19)judy (fink) johnson
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Black Duck by Synopsys
 
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015Christian Schneider
 
DevOps, CLI, APIs, Oh My! Security Gone Agile
DevOps, CLI, APIs, Oh My! Security Gone AgileDevOps, CLI, APIs, Oh My! Security Gone Agile
DevOps, CLI, APIs, Oh My! Security Gone AgileMatt Tesauro
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon
 
Building world-class security response and secure development processes
Building world-class security response and secure development processesBuilding world-class security response and secure development processes
Building world-class security response and secure development processesDavid Jorm
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code AnalysisGeneva, Switzerland
 
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyFilling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyBlack Duck by Synopsys
 
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...Christian Schneider
 
Tw noche geek quito webappsec
Tw noche geek quito webappsecTw noche geek quito webappsec
Tw noche geek quito webappsecThoughtworks
 
685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final
685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final
685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_finalŠumadin Šumić
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingBlack Duck by Synopsys
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsRahul Mohandas
 
AusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesAusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesDavid Jorm
 
DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16Rich Mills
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsabhimanyubhogwan
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsDicodingEvent
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101Narudom Roongsiriwong, CISSP
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOpsOpsta
 
How not to fall into the DevSecOps trap
How not to fall into the DevSecOps trapHow not to fall into the DevSecOps trap
How not to fall into the DevSecOps trapMatteo Emili
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
How To Implement DevSecOps In Your Existing DevOps Workflow
How To Implement DevSecOps In Your Existing DevOps WorkflowHow To Implement DevSecOps In Your Existing DevOps Workflow
How To Implement DevSecOps In Your Existing DevOps WorkflowEnov8
 

More Related Content

What's hot

Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015Christian Schneider
 
DevOps, CLI, APIs, Oh My! Security Gone Agile
DevOps, CLI, APIs, Oh My! Security Gone AgileDevOps, CLI, APIs, Oh My! Security Gone Agile
DevOps, CLI, APIs, Oh My! Security Gone AgileMatt Tesauro
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon
 
Building world-class security response and secure development processes
Building world-class security response and secure development processesBuilding world-class security response and secure development processes
Building world-class security response and secure development processesDavid Jorm
 
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyFilling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyBlack Duck by Synopsys
 
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...Christian Schneider
 
Tw noche geek quito webappsec
Tw noche geek quito webappsecTw noche geek quito webappsec
Tw noche geek quito webappsecThoughtworks
 
685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final
685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final
685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_finalŠumadin Šumić
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingBlack Duck by Synopsys
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsRahul Mohandas
 
AusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesAusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesDavid Jorm
 

What's hot (13)

Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015
 
DevOps, CLI, APIs, Oh My! Security Gone Agile
DevOps, CLI, APIs, Oh My! Security Gone AgileDevOps, CLI, APIs, Oh My! Security Gone Agile
DevOps, CLI, APIs, Oh My! Security Gone Agile
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
 
Building world-class security response and secure development processes
Building world-class security response and secure development processesBuilding world-class security response and secure development processes
Building world-class security response and secure development processes
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code Analysis
 
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyFilling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
 
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
 
Tw noche geek quito webappsec
Tw noche geek quito webappsecTw noche geek quito webappsec
Tw noche geek quito webappsec
 
685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final
685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final
685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s Missing
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware Kits
 
AusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesAusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternatives
 

Similar to DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)

DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16Rich Mills
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsDicodingEvent
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOpsOpsta
 
How not to fall into the DevSecOps trap
How not to fall into the DevSecOps trapHow not to fall into the DevSecOps trap
How not to fall into the DevSecOps trapMatteo Emili
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
How To Implement DevSecOps In Your Existing DevOps Workflow
How To Implement DevSecOps In Your Existing DevOps WorkflowHow To Implement DevSecOps In Your Existing DevOps Workflow
How To Implement DevSecOps In Your Existing DevOps WorkflowEnov8
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Toolscentralohioissa
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Achim D. Brucker
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Stefan Streichsbier
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinMatt Tesauro
 
DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps SecRubal Jain
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestMatt Tesauro
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCRahul Raghavan
 
SC conference - Building AppSec Teams
SC conference - Building AppSec TeamsSC conference - Building AppSec Teams
SC conference - Building AppSec TeamsDinis Cruz
 
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Perforce
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchSpencer Koch
 

Similar to DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO) (20)

DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOps
 
How not to fall into the DevSecOps trap
How not to fall into the DevSecOps trapHow not to fall into the DevSecOps trap
How not to fall into the DevSecOps trap
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
How To Implement DevSecOps In Your Existing DevOps Workflow
How To Implement DevSecOps In Your Existing DevOps WorkflowHow To Implement DevSecOps In Your Existing DevOps Workflow
How To Implement DevSecOps In Your Existing DevOps Workflow
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
 
DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps Sec
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLC
 
SC conference - Building AppSec Teams
SC conference - Building AppSec TeamsSC conference - Building AppSec Teams
SC conference - Building AppSec Teams
 
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
 
DevSecOps: The Open Source Way
DevSecOps: The Open Source WayDevSecOps: The Open Source Way
DevSecOps: The Open Source Way
 

Recently uploaded

Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
How To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROHow To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROmotivationalword821
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfInnovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfYashikaSharma391629
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...Akihiro Suda
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commercemanigoyal112
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 

Recently uploaded (20)

Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
How To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROHow To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTRO
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfInnovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commerce
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 

DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)

  • 1. DevSecOps: Essential Tooling to Enable Continuous Security Richard Mills DevOps Solution Architect, Coveros Inc. rich.mills@coveros.com @armillz
  • 2. Who is this guy? ●Me: Mad-Software-Developer turned Mad-Software-Engineer turned DevOps-Solution-Architect. Pragmatist. Particular focus on tools and automation. CI, CD, DevOps … what’s next? ○ PS: Thanks for inventing the term “DevOps” to describe what I like to do. ○ … and then DevSecOps, DevSecQaEntFinBizOps, etc. ●Pays my bills: Coveros helps organizations accelerate the delivery of secure, reliable software using agile methods. ○ Agile transformations, development, and testing ○ Dev(Sec)Ops implementations ○ Training courses in Agile, DevOps, Application Security ●Keeps me intrigued: SecureCI ○ Open-source DevOps product ○ Integrated CI/CD stack with security flavor
  • 3. Modern Agile/DevOps software delivery is outpacing compliance-driven, late-lifecycle security processes How do we solve it? ● Integrate security actions into sprint-ly delivery process ● Integrate security team members into development and operations (not police) ● Integrate “Quality Gates” into CI/CD pipeline Goal: confidence that software is “secure enough” to defend itself every day Need “continuous security” integrated into our delivery process DevSecOps to match agile delivery Security! Dev (Sec) Ops
  • 4. Pipeline defines delivery process The software delivery process is automated through a CI/CD pipeline to deliver application microservices into various test (and eventually production) environments
  • 5. Tools, tools, and too many tools https://xebialabs.com/periodic-table-of-devops-tools/
  • 6. Essential security tooling categories ● Static application scanning ○ analyze the source code, application structure, or platform as it is built to detect defects or vulnerabilities ○ In security space: SAST, software composition analysis, vulnerability scanning ● Dynamic functional testing ○ variety of sub-categories of functional testing to verify that the software behaves according to its functional requirements. ● Non-functional testing ○ verify software against sub-categories of cross-cutting, non-functional requirements (security, performance, accessibility, …) ○ In security space: DAST ● Real time monitoring ○ once the software is operating, monitor its operation and look for issues. (not necessarily a "quality gate" but it does ensure that software remains healthy) ○ In security space: may include IAST and RASP
  • 7. Static application scanning ● Static application scanning - run before we launch/run software ○ Static code analysis - quality, maintainability, security (frequently referred to as Static Application Security Testing, SAST). ○ Software Composition Analysis - performs 3rd party dependency checks ○ Platform vulnerability scanning - scan OS, middleware, configuration for known weaknesses ○ Docker container scanning - scan container images as they are built to detect whether vulnerable container layers are being used or misconfigured ● Tools: ○ SonarQube, FindBugs, PMD, Fortify, Veracode, … ○ OWASP Dependency Check, RetireJS, … ○ Nessus, OpenVAS, OpenSCAP, … ○ Twistlock, Falco, Aqua, ...
  • 8. • Code scanning and quality dashboards • Includes quality, security, and maintainability scans for many languages • Continuous view of static code health, unit tests, coverage, … • Inexpensive alternative to commercial tools such as Fortify, Veracode, etc. Static analysis: start with SonarQube
  • 9. ● Ensure that you aren’t using someone else’s vulnerable code ● Software Composition Analysis against NVD with CVE ○ OWASP (Java), RetireJS (JavaScript), ... ○ Sonatype Nexus IQ Server, JFrog Xray, ... Dependency checks for supply chain
  • 10. • Examine container structure and behavior before and during execution • Similar to vulnerability scanning of hosts • Two roles: ○ Scan newly build app container images for vulnerabilities ○ Monitor running containers for compliance • Others: Falco, Clair, Aqua, … • Platform: Nessus, OpenVAS, ... Container and platform scanning: Twistlock
  • 11. Dynamic functional testing ● Unit testing - verify that code functions properly in isolation during a build (pre-deployment) ● Health Tests - quick API health check endpoint pings to ensure services are running ● API testing - REST tests divided into smoke tests, functional tests, regression tests, etc. ● UI testing - Selenium/selenified tests for UI organized as smoke, functional, etc. With Security: test your security functions (roles, auditing, encryption, …) Tools: ● Junit, Jest, TestNG, ... ● Selenium, Selenified, jBehave, Cucumber, ... ● REST Assured, Postman, JMeter, Taurus, … ● Security proxies: Zed Attack Proxy, Burp Proxy, ... Point: these are good places to start integrating dynamic security testing
  • 12. Active Security ScanningPassive Security Monitoring Security pipeline with ZAP OWASP Zed Attack Proxy (ZAP) is an easy to use, open-source web scanning and penetration tool (Burp Suite and others can do this, as well) Two primary modes: Passive and Active
  • 13. Non-functional testing ● Dynamic Application Security Testing (DAST) - automated web scanning, penetration testing, database testing, ... ● Performance testing - automated performance tests run manually with JMeter by QA Team ● 508 Accessibility testing - executed periodically to validate that the application is usable for all people ● Other compliance testing… Security Tools: ● ZAP, Burp Suite, HCL App Scan, Metasploit, Nmap, SQLmap, … ● NOTE: Need to be able to script these and integrate into pipeline!
  • 14. Tying it together: pipeline flow
  • 15. Eventually: real-time monitoring ● Various aspects ○ Log aggregation and scanning - use processing rules to detect anomalous behavior (information leakage, high error rates, attack detection) ○ Real-time container and host monitoring - security monitoring of running docker containers running in test environments for behavior, configuration ○ Container and host scanning - scan hosts against configuration benchmarks ○ Performance monitoring - monitor system resources, response times, etc. ● Wraps into Security Information & Event Management (SIEM) ● RASP and IAST tools fit here, as well ● Tools ○ Kibana/Logstash (ELK), Splunk, Tripwire, … ○ Nessus, OpenVAS, Twistlock, … ○ Prometheus, Graphana, Hawkular, New Relic, ...
  • 16. Takeaways for continuous security ● Develop a product with security built in ● Find tools that fit each major category ○ Static analysis ○ Software Composition Analysis ○ Vulnerability scanning (platform, containers) ○ Dynamic testing ○ Monitoring ● Start with simple (free!) tools until you understand their value and cost ● Strive for continuous assessment ● Develop a culture of security
  • 17. rich.mills@coveros.com @armillz https://www.coveros.com/services/devops/ Join us on Slack! https://hub.techwell.com Thank You! Questions?
  • 19. Integrate your development, security, quality, and ops teams to streamline your delivery process and enable success ● Use team structures that encourage collaboration of security engineers with developers ○ Need engineers who understand code, build, deployment, testing, automation ○ Can’t succeed with only compliance box checkers (yes, you need them too) ● Half the battle: getting teams to work together, not against each other ○ Security consultants, not security police ○ Contributors, not naysayers Build a culture of security. Expect every build to be secure. Integrating Dev, Sec, QA, Ops
  • 20. Horizontal Technical Guilds ●Group of specialized professionals working together to solve cross-team problems ●Guild members in-team are focused on team-specific problems ●Dedicated guild members support cross-team needs ●Guild establishes cross-team standards and shared success ●Important: share knowledge across team members Cross-team function (vs. cross-functional team) Challenge: You will never have enough security engineers for every team