SecDevOps: afaste-se dos ciberataques sem complicar o dia a dia dos desenvolvedores
•
2 likes•220 views
As aplicações são agora o perímetro de segurança mais atacado. A crescente complexidade do software tornou-se o alvo de mais da metade de todos os ataques bem-sucedidos. É fácil ver o porquê: 80% das aplicações falham em seu primeiro teste de segurança. Ao mesmo tempo, há pressão por entrega de software cada vez mais rápido – sempre em busca de time-to-market. A resposta todos já sabem: SecDevOps, mas como colocar em prática sem complicar a vida dos desenvolvedores?
![© 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES2
O que [não] é
SecDevOps?
Não precisa ser
assim…
Security visto por DevOps
http://dilbert.com/strip/2007-11-16
DevOps visto por Security
https://xkcd.com/1629/](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to SecDevOps: afaste-se dos ciberataques sem complicar o dia a dia dos desenvolvedores
Similar to SecDevOps: afaste-se dos ciberataques sem complicar o dia a dia dos desenvolvedores (20)
Recently uploaded
Recently uploaded (20)
SecDevOps: afaste-se dos ciberataques sem complicar o dia a dia dos desenvolvedores
- 1. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES1 © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES.
- 2. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES2 O que [não] é SecDevOps? Não precisa ser assim… Security visto por DevOps http://dilbert.com/strip/2007-11-16 DevOps visto por Security https://xkcd.com/1629/
- 3. © 2017 CA. Confidential. All rightsreserved.3 ProductConcept THE MODERN SOFTWARE FACTORY A blueprint for success. AND DO IT AT SCALE • Deliveringtrustin identity, authorization andaccess control • Confirmingtrust in applications • Reducing operationalrisk • Controllingcyber exposure risk and regulatoryrisk BUILDING TRUST in
- 4. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES4 State of Software Security 2017 • Largest quantitative study of application security risk • Based on data from over 400,000 actual application testing results, representing 250 billionlines of code, over 12 months • Historical data: 2017 vs. 2016, and vulnerability category trends going back 5 reports • 7 major industry verticals; new industry vertical: Infrastructure (Energy, Utilities, Transportation) Disponível em: http://veracode.com/soss
- 5. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES5 Top line trends
- 6. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES6 Applications are vulnerable to attack
- 7. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES7 The percentage of applications passing OWASP Top 10 policy on first scan is consistent over time
- 8. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES8 Developers are making the same coding mistakes as several years ago
- 9. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES9 Components increase speed of development at the cost of increased risk
- 10. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES10 Component case study: Apache Commons Collections https://arstechnica.com/information-technology/2016/11/san- francisco-transit-ransomware-attacker-likely-used-year-old-java- exploit/
- 11. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES11 Developer skills gap
- 12. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES12 Developers aren’t getting security training in college or from employers Veja também: 2017 DevSecOps Global Skills Survey https://www.veracode.com/sites/default/files/pdf/resources/analystreports/the-devsecops- global-skills-survey-veracode-analyst-report.pdf
- 13. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES13 Skills training has measurable results >19% de no aumento no Fix Rate para os que adotam eLearning >87% de aumento no Fix Rate para os que adotam Consultoria em Remediação
- 14. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES14 What works
- 15. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES15 What Makes Something Great? Seatbelts Anti-lock breaks Airbags Stability control
- 16. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES16 E deixar para arrumar/proteger mais tarde pode ser menos eficaz….
- 17. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES17 DevOps – Process: Where is security? Security
- 18. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES18 DevSecOps: Uniting Development and Security Os Desenvolvedores passam a contar com mecanismos para incorporar segurança em seus requerimentos funcionais. E a área de Segurança direciona os esforços em Governança e Proteção
- 19. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES19 DevSecOps: More frequent scanning increases fix rates
- 20. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES20 6 Check In Veracode Plugin Automático 1 Develop 8 Policy Scan 7 Build 9 Import Veracode Platform Sandbox Scan 5 Mid to late Dev 4 Greenlight Scan 3 Early Dev 2 E como não atrapalhar os desenvolvedores? Automação - Exemplo
- 21. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES21 Como ajudar os desenvolvedores? Exemplo: Veracode Greenlight Avaliando a segurança do código enquanto ele é construído https://www.youtube.com/watch?v=i72A9Nxvzrg
- 22. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES22 CA Veracode Platform: Security Throughout the SLC Code Commit Build Test Release Deploy Operate CA Veracode Greenlight CA Veracode Static Analysis CA Veracode Web Application Scanning CA Veracode Runtime Protection CA Veracode Software Composition Analysis CA Veracode Integrations, APIs CA Veracode eLearning Code RepositoriesIDEs GRCs SIEMs WAFs Security Assurance Operational SecurityDevelopment Integration Bug Tracking Build and Deploy Systems
- 23. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES23
- 24. © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES24 © 2017 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES.