Imagine a world where a developer can have their code pushed into production a few minutes after it is checked in. How do you ingrain web application security in such a development pipeline? How do you keep track of the security issues? In this talk we discuss some of the security challenges of this paradigm shift and how OWASP can help development teams navigate them.
Security in a Continuous Delivery World - 2015 - Sherif Mansour
1. Security in a Continuous Delivery World
Sherif Mansour
2. “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.”
-Abraham Lincoln
3. Two things about Automation
1. Automation applied to an efficient operation will magnify its efficiency
2. Automation applied to an inefficient operation will magnify its inefficiency
-Bill Gates
7. Overview
• Timeline - 1986
• Agile Security
• Bug Tracker
• Definition of Done
• App Sec Radar
• Continuous Delivery
• Security Testing
• How OWASP can help
8. Timeline - 1986
• HBR publishes an article: “The New New Product Development Game”
• Computer Fraud and Abuse Act
9. The New New Product Development Game
Leading companies show six characteristics in managing their new product development processes:
1. Built-in instability
2. Self-organizing project teams
3. Overlapping development phases
4. “Multilearning”
5. Subtle control
6. Organizational transfer of learning
11. Computer Fraud and Abuse Act
• Enacted in 1986
• First felony conviction under the Act: the 1988 Morris Worm (its author, Robert Tappan Morris, was convicted in 1990)
• Robert Morris Sr. (his father) was Chief Scientist at the NSA
• COMSEC and COMPUSEC merged into INFOSEC
• CERT was created at CMU in response to the worm
13. Stop me if you have seen this before
Applying controls without understanding their limitations.
14. Fast Forward to 2001
1.OWASP was formed :-)
2.Agile Manifesto was published :-) :-)
15. OWASP
• OWASP Top Ten
• OWASP Software Assurance Maturity Model
• OWASP Development Guide
• OWASP ZAP Project: The Zed Attack Proxy (ZAP)
16. Agile Manifesto
• Individuals and interactions over processes and tools
• Working software over comprehensive documentation
• Customer collaboration over contract negotiation
• Responding to change over following a plan
19. Security in an Agile Framework
• Communicate security recommendations simply and clearly
• Identify the biggest risks and which ones your teams are exposed to
• When you raise a security issue, make it:
• Unique - no duplicates
• Useful - improves the security and quality of the software
• Actionable - all necessary information is in the ticket
20. App Sec Issues Tracking and Metrics
For every security issue detected, raise a Jira bug ticket and include the following attributes on the bug type:
1. Business risk
2. Attack vector
3. Priority
4. Components
5. Testing method
6. Dev team
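The two slides above describe a process (unique, useful, actionable tickets carrying six attributes) without showing it in code. The following is an added example, not code from the talk: it fingerprints findings so a re-scan of the same bug does not open a duplicate ticket, refuses tickets that are missing any of the six attributes, and computes the per-team and per-risk counts a security team would report. Jira is not called; a ticket is modelled as a dict, and the rule ids, service names, team names and the risk-to-priority mapping are all constructed for illustration.

```python
"""Added example (not code from the talk): de-duplicating security findings
into tracker tickets that carry the six attributes from the slide, and
computing metrics over them. Jira is not called; a ticket is modelled as a
dict, and the scanner rule ids, services and team names are constructed."""
import hashlib
from collections import Counter
from dataclasses import dataclass

# The attributes the slide asks for on every security bug ticket.
REQUIRED_ATTRIBUTES = ("business_risk", "attack_vector", "priority",
                       "components", "testing_method", "dev_team")
PRIORITY_BY_RISK = {"High": "P1", "Medium": "P2", "Low": "P3"}  # assumed mapping


@dataclass
class Finding:
    rule: str            # scanner rule id or pentest finding class
    attack_vector: str   # how the issue is reached
    component: str       # service or module the issue lives in
    evidence: str        # request or code location that reproduces it
    testing_method: str  # DAST, SAST, pentest, SCA, ...
    dev_team: str        # team that owns the component
    business_risk: str   # High / Medium / Low


def fingerprint(f: Finding) -> str:
    """Identity of an issue: same rule, on the same component, via the same
    vector. Evidence is left out so that a re-scan of the same bug does not
    open a second ticket ("Unique - no duplicates")."""
    key = "|".join((f.rule, f.attack_vector, f.component)).encode()
    return hashlib.sha256(key).hexdigest()[:16]


def missing_attributes(ticket: dict) -> list:
    """Attributes that are absent or empty; a ticket with any of these is not
    actionable and must not be raised."""
    return [a for a in REQUIRED_ATTRIBUTES if not ticket.get(a)]


class Tracker:
    def __init__(self):
        self.tickets = {}  # fingerprint -> ticket dict

    def raise_issue(self, f: Finding):
        """Return (ticket id, created). A duplicate finding only adds its
        evidence to the existing ticket."""
        fp = fingerprint(f)
        if fp in self.tickets:
            self.tickets[fp]["evidence"].append(f.evidence)
            return fp, False
        ticket = {
            "business_risk": f.business_risk,
            "attack_vector": f.attack_vector,
            # an unknown risk level yields "" and the ticket is rejected below
            "priority": PRIORITY_BY_RISK.get(f.business_risk, ""),
            "components": [f.component],
            "testing_method": f.testing_method,
            "dev_team": f.dev_team,
            "evidence": [f.evidence],
        }
        missing = missing_attributes(ticket)
        if missing:
            raise ValueError(f"ticket not actionable, missing {missing}")
        self.tickets[fp] = ticket
        return fp, True

    def metrics(self) -> dict:
        """Open tickets per team and per business risk: the numbers a security
        team reports back to the development teams."""
        tickets = self.tickets.values()
        return {
            "open": len(self.tickets),
            "by_team": dict(Counter(t["dev_team"] for t in tickets)),
            "by_risk": dict(Counter(t["business_risk"] for t in tickets)),
        }


# Constructed findings: the first two are the same bug seen by two scans.
SAMPLE_FINDINGS = [
    Finding("xss-reflected", "HTTP query parameter", "search-service",
            "GET /search?q=<script>alert(1)</script>", "DAST", "Team Blue", "High"),
    Finding("xss-reflected", "HTTP query parameter", "search-service",
            "GET /search?q=%3Cimg%20onerror%3Dalert(1)%3E", "DAST", "Team Blue", "High"),
    Finding("sqli", "HTTP form field", "checkout-service",
            "POST /order id=1' OR '1'='1", "pentest", "Team Red", "High"),
    Finding("missing-hsts", "HTTP response header", "search-service",
            "no Strict-Transport-Security header on /", "DAST", "Team Blue", "Low"),
]


def run_sample():
    """Feed the constructed findings through the tracker."""
    tracker = Tracker()
    results = [tracker.raise_issue(f) for f in SAMPLE_FINDINGS]
    return tracker, results


if __name__ == "__main__":
    tracker, results = run_sample()
    for ticket_id, created in results:
        print(ticket_id, "created" if created else "duplicate")
    print(tracker.metrics())
```

The fingerprint deliberately excludes the evidence string: two scans of the same reflected XSS produce different payloads but the same ticket, which is what keeps the tracker unique. Rejecting a ticket with an empty attribute, rather than filing it half-complete, is how "actionable" is enforced at the point of entry instead of in triage.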
22. App-Sec Radar
The Application Security Radar is a site that informs the technology teams which security technologies they should embrace or move away from. This ensures developers adopt more secure technologies. There are 6 recommendation categories for the app sec radar:
• Plan for Removal
• No New Use
• Evaluate
• Trial
• Adopt
• Hold
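A radar only changes what gets deployed if the pipeline reads it. The following is an added example, not code from the talk, of a delivery gate that applies the six radar verdicts to a service's dependency manifest: "Plan for Removal" blocks the deploy, "No New Use" tolerates a dependency already in production but rejects a new use of it, "Evaluate" and "Hold" warn on new use, and "Adopt" and "Trial" pass. The radar entries, library names and manifests are constructed, and the verdict-to-action mapping is this example's own assumption.

```python
"""Added example (not code from the talk): a delivery-pipeline gate that
applies App-Sec Radar verdicts to a service's dependency manifest. The radar
entries, library names and manifests below are constructed; the mapping from
verdict to gate action is an assumption, stated in the comments."""
import re

# Radar verdicts from the slide, and how this gate (an assumption) treats them:
#   Adopt, Trial      -> allowed
#   Evaluate, Hold    -> allowed, but a warning when a service starts using it
#   No New Use        -> existing use tolerated, new use rejected
#   Plan for Removal  -> rejected whether existing or new
WARN_ON_NEW = {"Evaluate", "Hold"}

# technology -> verdict (constructed sample radar)
RADAR = {
    "bcrypt": "Adopt",
    "argon2-cffi": "Trial",
    "legacy-crypto": "No New Use",
    "md5-passwords": "Plan for Removal",
    "libsodium": "Evaluate",
    "jwt-unsigned": "Hold",
}


def parse_manifest(text: str) -> set:
    """Package names from a requirements-style manifest: one 'name<spec>' per
    line, with blank lines and '#' comments ignored."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # cut at the first version, extras or environment-marker character
        name = re.split(r"[=<>!~;\[\s]", line, maxsplit=1)[0]
        names.add(name.lower())
    return names


def evaluate(baseline: set, proposed: set, radar: dict = RADAR) -> dict:
    """Compare the proposed manifest against what is already deployed and
    return the blocked, warned and unknown (not on the radar) dependencies."""
    blocked, warnings, unknown = [], [], []
    for dep in sorted(proposed):
        verdict = radar.get(dep)
        is_new = dep not in baseline
        if verdict is None:
            unknown.append(dep)  # flag for the radar owners, do not block
        elif verdict == "Plan for Removal":
            blocked.append((dep, verdict))
        elif verdict == "No New Use" and is_new:
            blocked.append((dep, verdict))
        elif verdict in WARN_ON_NEW and is_new:
            warnings.append((dep, verdict))
        # Adopt/Trial, or a tolerated existing use: nothing to report
    return {"blocked": blocked, "warnings": warnings, "unknown": unknown}


def gate(baseline_manifest: str, proposed_manifest: str, radar: dict = RADAR) -> bool:
    """True when the change may be deployed."""
    result = evaluate(parse_manifest(baseline_manifest),
                      parse_manifest(proposed_manifest), radar)
    return not result["blocked"]


# Constructed manifests: what is in production, and what a change proposes.
BASELINE_MANIFEST = """
bcrypt==4.0.1
legacy-crypto==2.6.1   # already in production, tolerated under No New Use
"""
PROPOSED_MANIFEST = """
bcrypt==4.0.1
legacy-crypto==2.6.1
md5-passwords==0.3     # Plan for Removal: blocks the deploy
libsodium>=1.0         # Evaluate: new use, warn
some-new-lib[extra]==1.0   # not on the radar
"""

if __name__ == "__main__":
    report = evaluate(parse_manifest(BASELINE_MANIFEST),
                      parse_manifest(PROPOSED_MANIFEST))
    print(report)
    print("deploy allowed:", gate(BASELINE_MANIFEST, PROPOSED_MANIFEST))
```

The baseline is what matters for "No New Use": without it the gate cannot tell a legacy dependency that is being tolerated from one a team is introducing today. Unknown dependencies are reported rather than blocked, so that a radar that has not caught up with the ecosystem does not stall every pipeline.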
23. DoD - Definition of Done
• The Definition of Done should include a quick reference checklist for developers on what to avoid, and what to look out for during code review.
24. Continuous Delivery
You’re doing continuous delivery when:
• Your software is deployable throughout its lifecycle
• Your team prioritises keeping the software deployable over working on new features
• Anybody can get fast, automated feedback on the production readiness of their systems any time somebody makes a change to them
• You can perform push-button deployments of any version of the software to any environment on demand
27. How OWASP Can Help
• If you solve a problem and I solve a problem, each of us has two solutions.
• Guidance
• Security Libraries
• Developer tools
• Training
• etc..