Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Security Learns to Sprint

367 views

Published on

This talk will argue that DevOps could be the best thing to happen to application security since OWASP, if developers and operations teams are enabled to make security a part of their everyday work. With a ratio of 100/10/1 for Development, Operations, and Security, security now needs to concentrate on creating tools, processes and opportunities for dev and ops that result in more-secure products, instead of trying to do it all themselves like they did in days past. We must build security into each of “The Three Ways”; automating and/or improving efficiency of all security activities to ensure we don’t slow down developers, speeding up feedback loops for security related activities so that we fix the bugs faster and sooner, and providing continuous learning opportunities in relation to security, for both teams. Security can no longer be a gate or stumbling block, and ‘adding security in’ can no longer be used as a justification for project delays. If developers are sprinting, then we need to sprint too. So put on your running shoes; it’s time for DevSecOps!

Published in: Technology
  • Be the first to comment

Security Learns to Sprint

  1. 1. @SheHacksPurple
  2. 2. @SheHacksPurple
  3. 3. @SheHacksPurple
  4. 4. @SheHacksPurple
  5. 5. @SheHacksPurpleSlide Credit: Pete Cheslock
  6. 6. @SheHacksPurpleSlide Credit: DevSecCon
  7. 7. This is me. I’m Tanya Janca. @SheHacksPurple AKA: @SheHacksPurple
  8. 8. This is me. I’m a Senior Cloud Developer Advocate at: What does THAT mean? @SheHacksPurple
  9. 9. This is me. I’m a Senior Cloud Developer Advocate I work to make security features easier to use. I help developers use our products more securely. I provide feedback to internal teams so they can make our products more secure. @SheHacksPurple I do security research and share it with the community. Security research, such as this presentation, OWASP DevSlop, and much more.
  10. 10. This is me. Application Security Evangelist @SheHacksPurple
  11. 11. This is me. Application Security Evangelist @SheHacksPurple
  12. 12. This is me. Ethical hacker I want to know how things work. @SheHacksPurple
  13. 13. This is me. I’m obsessed with OWASP! @SheHacksPurple Open Web Application Security Project An international non-profit that operates chapters, projects and conferences all over the globe, in efforts to help everyone create more secure software.
  14. 14. This is me. OWASP Ottawa Chapter Leader @SheHacksPurple
  15. 15. This is me. OWASP DevSlop Project Leader @SheHacksPurple
  16. 16. @SheHacksPurple This is me. Software Developer (since the late 90’s) That’s over 20 years! AHHHHHHHHHHHH! @SheHacksPurple
  17. 17. This is me. Goal: to change the way we make software so that the easiest way to do something is also the most secure way. @SheHacksPurplePhoto: DevSecCon, Singapore, 2018
  18. 18. Let’s do this. @SheHacksPurple
  19. 19. @SheHacksPurple
  20. 20. @SheHacksPurple
  21. 21. Verizon Data Breach Investigation Report (DBIR) for 2017 and 2016. @SheHacksPurple
  22. 22. @SheHacksPurple
  23. 23. @SheHacksPurplePhoto: #WOCTechChat
  24. 24. @SheHacksPurple 100 / 10 / 1
  25. 25. @SheHacksPurplePhoto: Winged Beast
  26. 26. @SheHacksPurple
  27. 27. @SheHacksPurple
  28. 28. @SheHacksPurple
  29. 29. @SheHacksPurple
  30. 30. @SheHacksPurple
  31. 31. @SheHacksPurple
  32. 32. @SheHacksPurple
  33. 33. @SheHacksPurple The Three Ways
  34. 34. Left -> Right = speed @SheHacksPurple
  35. 35. @SheHacksPurple Requirements Design Code Testing Release
  36. 36. @SheHacksPurplePhoto: #WOCTechChat
  37. 37. • Assisting in tuning SAST and DAST tools • Reusing known good code • Using up-to-date images • Using the Security Pipeline • Making negative unit tests • Severe security bugs break the build • We cannot do it without them on board @SheHacksPurple
  38. 38. @SheHacksPurplePhoto: #WOCTechChat Ensure Dev and Ops are not waiting on you. We CANNOT be a bottleneck. Make processes that WORK.
  39. 39. @SheHacksPurplePhoto: #WOCTechChat Breaking security activities into smaller pieces
  40. 40. • Ensure Dev & Ops are not waiting on you • Tuning security tools so they do not produce false positives • Breaking security activities into smaller pieces so that they fit into the “sprints” • Make processes that work , and match pace • Providing secure templates and code samples that a known-secure (sec code library) @SheHacksPurple
  41. 41. @SheHacksPurplePhoto: #WOCTechChat Create a security pipeline. For more in- depth testing.
  42. 42. @SheHacksPurplePhoto: #WOCTechChat Write your own code libraries, for your business’ specific needs.
  43. 43. • Create a security pipeline • Buy licenses for dev and ops for sec tools • This does not mean doing 100% of the work yourself, it means making it possible for Dev & Ops to perform security as part of their daily work. • Writing your own tools and libraries, see RepoKid from Netflix • Enable Dev and Ops, in every way you can. @SheHacksPurple
  44. 44. @SheHacksPurple
  45. 45. @SheHacksPurple Requirements Design Code Testing Release
  46. 46. Fixing costs of quality & security issues rises significantly as the development cycle advances CODING PRODUCTION QA & SECURITY BUILD Source: Ponemon Institute Research $80/defect $240/defect $960/defect $7,600/defect @SheHacksPurple
  47. 47. @SheHacksPurplePhoto: #WOCTechChat Providing feedback to the security team what they are concerned about. The security team listening and taking action. Participating in security activities.
  48. 48. @SheHacksPurplePhoto: #WOCTechChat Providing feedback earlier, and more often. Pushing Left
  49. 49. @SheHacksPurple
  50. 50. @SheHacksPurplePhoto: #WOCTechChat
  51. 51. • Automate as much as humanly possible, then teach dev and ops to understand the results • Tune the tools, so they don’t waste anyone’s time • Add security into each phrase of the SDLC, including requirements and design • Insist that the build breaks if a large security vulnerability is introduced, security is a part of quality • Rename functions you want to phase out • Check out Netflix’s RepoKid! @SheHacksPurple
  52. 52. @SheHacksPurplePhoto: #WOCTechChat Positive testing determines that your application works as expected. If an error is encountered during positive testing, the test fails. Negative testing ensures that your application can gracefully handle invalid input or unexpected user behavior.
  53. 53. @SheHacksPurplePhoto: #WOCTechChat Inviting Dev and Ops to participate in Security Activities. Incidents Threat Modelling Security Sprints Etc.
  54. 54. @SheHacksPurplePhoto: #WOCTechChat Use Metrics to track trends Create unit tests out of PenTest Results
  55. 55. • If a PenTest is done, check all apps for those vulns • Use tools like OWASP DefectDojo to provide feedback on metrics and trends to Dev & Ops • Invite Dev & Ops to participate in Security activities, for feedback and teaching • Don’t be afraid to try new things and get creative, writing your own tools likely is to provide your best results. • Add negative use cases as unit tests, not just positive use cases (Morgan Roman, @Hackimedes) @SheHacksPurple
  56. 56. @SheHacksPurple
  57. 57. @SheHacksPurplePhoto: #WOCTechChat
  58. 58. @SheHacksPurplePhoto: #WOCTechChat
  59. 59. @SheHacksPurplePhoto: #WOCTechChat
  60. 60. • Offer security training to Dev & Ops. Pay for it. • Share information widely when you fix or find new security issues, • Run Security Exercises or Incident Simulations • Provide and analyze metrics from security testing, look for patterns or systemic issues • Checkout Netflix Chaos Monkey • Never forget that your focus is to enable Dev and Ops to get their jobs done, securely. @SheHacksPurple
  61. 61. @SheHacksPurplePhoto: #WOCTechChat
  62. 62. @SheHacksPurplePhoto: #WOCTechChat
  63. 63. • Share information widely when you fix something • EVERYTHING goes into a knowledge base. * • Ensure you perform blameless post mortems • Talk about security incidents after they are over • Teaching developers and ops what the output from security tools actually mean • Create formal lessons and learning opportunities, if at all possible (lunch and learns, white papers, formal training, job shadowing) @SheHacksPurple
  64. 64. Culture Change @SheHacksPurple
  65. 65. @SheHacksPurplePhoto: #WOCTechChat
  66. 66. @SheHacksPurplePhoto: #WOCTechChat
  67. 67. @SheHacksPurplePhoto: #WOCTechChat
  68. 68. @SheHacksPurplePhoto: #WOCTechChat
  69. 69. @SheHacksPurplePhoto: #WOCTechChat
  70. 70. @SheHacksPurple
  71. 71. @SheHacksPurple https://stories.visualstudio.com/
  72. 72. @SheHacksPurple https://www.owasp.org/index.php/OWASP_DevSlop_Project
  73. 73. @SheHacksPurple https://aka.ms/GettingStartedWithAppSec
  74. 74. @SheHacksPurple
  75. 75. @SheHacksPurple Twitter: @SheHacksPurple https://medium.com/@SheHacksPurple https://www.slideshare.net/TanyaJanca https://DevSlop.co
  76. 76. @SheHacksPurple
  77. 77. @SheHacksPurple
  78. 78. @SheHacksPurple Thank You Cloud Developer Advocate, Microsoft OWASP Ottawa Chapter Leader OWASP DevSlop Project Leader Tanya Janca Tanya.Janca@Microsoft.com Tanya.Janca@owasp.org @SheHacksPurple

×