DevSec - build security in and dance like a pro!
How to build security in? How to perform the DevSec dance? Presentation from Tampere Goes Agile 2017.

DEVsec OPsec
Tampere Goes Agile 2017
Antti.virtanen@solita.fi --//-- @Anakondantti

“THEY” ARE AFTER YOU
WHO? WHY?

BECAUSE LULZ
BECAUSE MONEY

HOW DO “THEY” GET IN?

CYBER CRIME 2010-2020

... FUNNY LIKE NPM INSTALL
http://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry
WAT?
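The crossenv package in the post linked above was a typosquat of the legitimate cross-env package: its install script collected the environment variables (credentials included) of whoever ran `npm install` and posted them to a remote host. The following is an added example, not code from the talk or from the docker-devsec-demo repository: a small Python check that flags dependencies in a package.json whose names are within a couple of edits of a known-good package name but are not themselves on the list. The allowlist `KNOWN_PACKAGES` and the sample manifest `SAMPLE_PACKAGE_JSON` are constructed for this illustration; a real check would use a maintained allowlist or registry data.

```python
"""Added example (not from the talk or its demo repository): flag dependency
names that look like typosquats of well-known packages, the pattern behind
the 2017 crossenv incident, so the check can run before `npm install`."""
import json

# Constructed allowlist of legitimate package names. This is an assumption
# for the example; a real check would use a maintained list or registry data.
KNOWN_PACKAGES = sorted({
    "cross-env", "babel-cli", "lodash", "express", "react", "webpack",
})

# Constructed sample manifest with two look-alike names planted in it.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {
    "express": "^4.15.0",
    "crossenv": "^5.0.0",
    "lodash": "^4.17.4"
  },
  "devDependencies": {
    "babel-cil": "^6.0.0",
    "webpack": "^3.0.0"
  }
}"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Drop separators so 'crossenv', 'cross-env' and 'cross_env' compare
    equal; separator games are the cheapest typosquat."""
    return name.lower().replace("-", "").replace("_", "").replace(".", "")


def suspicious_dependencies(package_json: str, max_distance: int = 2) -> dict:
    """Map each dependency that is NOT on the allowlist but is within
    max_distance edits of an allowlisted name to that closest name."""
    manifest = json.loads(package_json)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(manifest.get(section, {}))

    findings = {}
    for dep in deps:
        if dep in KNOWN_PACKAGES:
            continue
        closest = min(KNOWN_PACKAGES,
                      key=lambda known: levenshtein(normalize(dep), normalize(known)))
        if levenshtein(normalize(dep), normalize(closest)) <= max_distance:
            findings[dep] = closest
    return findings


if __name__ == "__main__":
    for dep, looks_like in suspicious_dependencies(SAMPLE_PACKAGE_JSON).items():
        print(f"REVIEW: {dep!r} looks like {looks_like!r}")
```

Treat the output as a review queue, not a verdict: legitimate forks and scoped variants also sit close to popular names, and a typosquat that is three or more edits away (or a wholly different name with a malicious install script) will not be caught by name distance at all. Running install scripts with `--ignore-scripts` and pinning a lockfile are the complementary controls.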
CLOUD! AWESOME! AGILE!

A FIX IS IMMINENT, I PRESUME

RED TEAMING
IDS & SIEM
WAF

JUST #DEVSEC + #OPSEC = #DEVSECOPS ?

DEVSEC MATURITY – SOLITA SCALE (1-5)

LEVEL 1, INTRO 👣
› Clear responsibility for security.
› Controlled process for access.
› Define policy and process.
› Ascertain people follow it.
› Motivate. Explain the reasons.

LEVEL 2, BEGINNER 👣
› Tackle OWASP Top 10.
› Perform threat analysis.
› Invest in learning and education.
› Practice.
› Involve customers.

LEVEL 3, DANCING 👣
› Audit logs.
› Process & env audit.
› Secure programming
  • Especially system integrations.
› Define processes. Improve.
› Create templates.
› Involve customers.

PRO TIP: ATTACK YOURSELF TODAY!

LEVEL 4, TOOLS 👣 👞 👢
› Penetration testing.
› Automated vulnerability scans.
› Automated test cases for security.
› Get hackers.
› Get tools.
› Practice.
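"Automated test cases for security" means encoding known attack patterns as regression tests that run in the pipeline, so that a slide back to an unsafe implementation fails the build instead of waiting for the next penetration test. The following is an added example, not code from the talk or the docker-devsec-demo repository: a deliberately unsafe HTML renderer beside its escaped form, and a test that feeds both the same constructed set of XSS probes. The renderer functions and the probe list `XSS_PROBES` are assumptions made for this illustration.

```python
"""Added example (not from the talk): a security regression test pattern.
A vulnerable renderer and its hardened form are exercised with the same
constructed XSS probes; the check is expected to fail for the former and
pass for the latter, so it can run unattended in a CI pipeline."""
import html
import re

# Constructed probe payloads covering a plain tag, an attribute breakout and
# an SVG event handler; extend this list as new bypasses are learned.
XSS_PROBES = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
    "<svg/onload=alert(1)>",
]

# Any of these tags surviving unescaped in the output means the probe went
# through as markup rather than as text.
DANGEROUS_TAG = re.compile(r"<\s*(script|img|svg)\b", re.IGNORECASE)


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable: user-controlled input is interpolated straight into HTML."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened: escape before interpolation. quote=True also neutralises the
    attribute-breakout probe by encoding the double quote."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def surviving_probes(render) -> list:
    """Return the probes whose dangerous tags survive rendering by `render`."""
    return [probe for probe in XSS_PROBES if DANGEROUS_TAG.search(render(probe))]


def renderer_is_safe(render) -> bool:
    """The pass/fail verdict a CI job would act on."""
    return not surviving_probes(render)


if __name__ == "__main__":
    for fn in (render_greeting_unsafe, render_greeting_safe):
        verdict = "PASS" if renderer_is_safe(fn) else "FAIL"
        print(f"{fn.__name__}: {verdict} {surviving_probes(fn)}")
```

Two caveats a practitioner should keep in mind: escaping is context-specific, so the hardened renderer is only correct for HTML text content and would not be safe inside a script block or a URL attribute; and the probe list is a floor, not a proof of safety. Its value is that every bypass found by a pentest or bug bounty can be added as one more probe and stays tested from then on.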
PRO TIP: GROW HACKERS!
HIRING IS DIFFICULT

LEVEL 5, LIKE A PRO 🐾
› Practice incident response.
› Hardened environments.
› Start Bug Bounty.
  • (if appropriate)
› Form incident response team.
› Go easy with bug bounty first.

DEVSEC – BUILD SECURITY IN!
Let’s get technical!

DEVSEC IS A TEAM EFFORT

https://github.com/lokori/docker-devsec-demo

Dev, Sec, Ops, Client, Manager
› Fix your processes!
› Find developers with hacker mind.
› Invest in people, not tools.
› Leverage DevOps & automate.

FURTHER MATERIAL
› Security Pipeline PoC: https://github.com/lokori/docker-devsec-demo
› OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
› Cyber security testing, reference material (in Finnish): https://github.com/solita/kyberoppi
› Why and how web app security fails: https://www.slideshare.net/Solita_Oy/webapp-securitytut2017
› MOOC course on hacking and security: https://cybersecuritybase.github.io/
› Microsoft SDL: https://www.microsoft.com/en-us/sdl/

TOOLS AND PLATFORMS
› HackerOne (Bug Bounty platform): https://www.hackerone.com/
› BugCrowd (Bug Bounty platform): https://www.bugcrowd.com/
› OSCP (proof of skills): https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/
› Kali Linux: https://www.kali.org/
› ZAP Proxy: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
› Burp Proxy: https://portswigger.net/burp
› Metasploit: https://www.metasploit.com/
