A talk about application security in an agile world: how security can be integrated into agile development, and how DevSecOps can be leveraged to achieve security at scale and at speed.
What is Application Security?
Let's start with what it is not:
• Firewalls, secure network protocols
• Antivirus and phishing attacks
• Intrusion detection
• SOCs, ...
What is Application Security?
Application Security is:
• A quality aspect of your application
• It contributes to business success the same way UX design, usability and performance do.
• In other words: is my application used only in the way it is intended to be used?
Why is AppSec associated with pain?
• Poor communication of security requirements
  • Results in lots of re-work
• Security feedback provided only at the end
  • Results in stress and missed deadlines
• Audit-like properties
  • Results in a false sense of security
How PT (penetration testing) changed in the last decade
• PT around 2005
  • AppSec, what do you mean?
  • Here is our network range – hack it
• PT around 2010
  • More focus on business-critical apps
  • Hacking an app once a year
• PT now
  • We have made changes to our app, please hack them
Some general hygiene
• Security intrinsically understands the development cycle and uses the same language as the dev team.
• Security is part of the existing environments and workflows.
  • No more findings delivered as PDF/DOC/XLS documents!
• Security work is completed in-cycle.
• Not all apps have the same security requirements.
Relative cost to fix
[Chart: relative cost to fix a defect (0x to 35x) by the phase in which it is found: Requirements/Design, Coding, Integration Testing, Acceptance Testing, Production. Penetration Testing is marked on the chart. Source: NIST]
(Security) Tests
Unit testing - code coverage is a key aspect of quality
• Achieving 100% is just the beginning
Security-related acceptance criteria make a difference
• Unit tests will be created that contain the abuse cases
• Manual test suites will include security-relevant test cases
• Collaboration between security experts and QA
The goal is to continuously increase coverage through automation
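As an added example (not from the talk), this is what one security acceptance criterion looks like once it is written down as abuse-case unit tests beside the functional test, so it runs in-cycle with the rest of the suite; the download endpoint, its root directory and the `resolve_download` function are constructed for this illustration.

```python
import os
import unittest

# Constructed acceptance criterion: files served from the download endpoint
# must resolve to a path inside the configured download root, however the
# name is written. The abuse cases below are that criterion in test form.
DOWNLOAD_ROOT = "/srv/app/downloads"  # constructed example root


def resolve_download(user_name: str, root: str = DOWNLOAD_ROOT) -> str:
    """Return the absolute path for a requested file, or raise ValueError
    if the request would escape the download root (hypothetical function)."""
    if not user_name or "\x00" in user_name:
        raise ValueError("invalid file name")
    candidate = os.path.normpath(os.path.join(root, user_name))
    # commonpath, not startswith: "/srv/app/downloads_other" must be rejected.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes download root")
    return candidate


class DownloadAbuseCases(unittest.TestCase):
    # Functional acceptance criterion: an ordinary name is served.
    def test_plain_name_is_allowed(self):
        self.assertEqual(resolve_download("report.pdf"),
                         DOWNLOAD_ROOT + "/report.pdf")

    # Security acceptance criteria: each abuse case must fail closed.
    def test_parent_traversal_is_rejected(self):
        with self.assertRaises(ValueError):
            resolve_download("../../outside.txt")

    def test_absolute_path_is_rejected(self):
        with self.assertRaises(ValueError):
            resolve_download("/tmp/outside.txt")

    def test_sibling_prefix_is_rejected(self):
        with self.assertRaises(ValueError):
            resolve_download("../downloads_other/secret")

    def test_null_byte_is_rejected(self):
        with self.assertRaises(ValueError):
            resolve_download("report.pdf\x00.txt")


if __name__ == "__main__":
    unittest.main()
```

Running this with `python -m unittest` in the pipeline turns the abuse cases into the same automated, in-cycle feedback the functional tests already give.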
Summary
• Security in Agile and DevOps requires a different mindset
  • Security becomes the enabler for the business
• Collaboration between Sec & Dev & Ops
• Start by supporting the development process
  • Empathy is key
• Continue with automation
  • 80/20 rule
• Continuous improvement through an iterative approach
  • No-blame culture, fail often