SlideShare a Scribd company logo

Continuous Security: Using Automation to Expand Security's Reach

M
Matt Tesauro

Any optimization outside the critical constraint is an illusion. In DevSecOps , the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This talk provides an overview of key DevSecOps automation principles and provide real world experiences of creating DevSecOps Pipeline’s augmented with automation in multiple enterprises. Getting started can feel overwhelming but this talk provides coverage of the fundamental building blocks of adding automation to an DevSecOps program including API integration, webhooks, Docker, ChatOps and a vulnerability repository to manage all the issues discovered. The talk covers how DevSecOps automation has provided significant increases in productivity at several different companies in different verticals. Multiple potential architectures for DevSecOps automation will be covered with the goal of inspiring the audience to adopt one of these for their program. By taking an example, customizing it to fit their situation, attendees will have a roadmap to start their security automation journey.

Technology
1 of 50
Download to read offline
Continuous Security: Using Automation to Expand Security’s Reach
I am Matt Tesauro I think AppSec needs to change and I’m going to tell you how I see it changing matt.tesauro@10Security.com / @matt_tesauro 2
Who is this guy? ✖ Reformed programmer and AppSec Engineer ✖ 11+ years in the OWASP community ○ OWASP AppSec Pipeline ○ OWASP DefectDojo ○ OWASP WTE ✖ 20+ years using Floss and Linux ✖ Currently a Go language fanbox ✖ Ee Dan in Tang Soo Do Mi Guk Kwan (2nd degree black belt) 3
The money shot 4
Not everything about completing a goal is sunshine and roses... The Anti-money shot 5
Quick Survey Raise your hand if you work in: ✖ AppSec ✖ Product Security ✖ Security Engineering ✖ DevOps aka DevSecOps, SecDevOps, DevOpsSec, OpsDevSec, OpsDevSecOpsDev...
Traditional AppSec Where all this started not so long ago 7
What Traditional AppSec Tooling feels like: 8
9
10 The purpose of an AppSec program is to evaluate the security status of the suite of apps for a business Basically, to provide a map to guide business decisions.
Do you have a full view of your Application landscape? 11
DevSecOps Automation What are the key things to be aware of 12
W Edward DemIng Spending time optimizing anything other than the critical resource is an illusion 13
Your people are the critical resource 14
There’s never enough people or time... ✖ AppSec team size is small vs Dev team ✖ Automate all those things that don’t take a human brain ✖ DefectDojo (and the rest API) is the heart of your automation efforts - your single source of truth
OWASP DefectDojo An open-source application vulnerability correlation and security orchestration tool. The source of truth for a security program that manages to make vulnerability management work ✖ Consolidating and dedup’ing findings ○ 66+ different tools supported ✖ Maintain product and app info/metadata ✖ Push findingst to defect trackers ✖ Automation with a REST API 16
The “Three Ways of DevOps” 1. Workflow “Look at your purpose and those processes which aid it” 2. Improve Feedback “Open yourself to upstream & downstream info” 3. Continual Experimentation and Learning “Create a culture of innovation and experimentation” 17
AppSec Personnelle They are the critical resource so optimize their work ✖ Automate the non-human brain things ✖ Drive up consistency ✖ Increase tracking of work status ✖ Increase flow through the system ✖ Increase visibility and metrics ✖ Reduce any friction with dev teams 18
Let’s be honest for a minute... 19
20 Talk to your constituency in the language that THEY speak, not the one you speak.
As as exercise for the student 21
AppSec Pipelines Why let dev teams own all the good ideas 22
What’s this AppSec pipeline all about? ✖ Better visibility into WIP ✖ Better understand/track/optimize flow of DevSecOps work ✖ Significant increase in consistency ○ Each step has a well defined interface ✖ Understanding the cost of switching ✖ Flexible enough for a range of skills & program maturity 24
Remember that DevOps stuff? For better or worse, DevOps is changing IT ✖ Smaller quicker iterations ○ CI/CD, Cloud, Serverless, Microservices ✖ More agility to meet customer needs and keep up with competitors ✖ Cost of experimentation goes down 25
Gen 1 AppSec Pipelines Look at your team’s purpose and those processes which aid it 26
Real-World AppSec Pipeline example
29 Get your house in order
Gen 2 AppSec Pipelines Look outside team’s purpose and those processes which aid it 30
Integrate with DevOpsTeams DevOps Pipeline AppSec Pipeline Drop tool(s) into their pipeline
Gen 3 AppSec Pipelines Scale your teams reach and dramatically increase speed and visibility 32
✖ A way to conduct automated testing ✖ Run by the AppSec team to ○ Provide visibility of software posture ○ Provide findings to the dev teams ✖ Means to scale AppSec team coverage ○ No in-depth testing, breadth ○ Pre-calculate testing ✖ Creates a security baseline 33 What does a Gen3 AppSec Pipeline get me?
✖ The one thing that will fix all your problems ✖ A gate that blocks deploys (especially at first) ✖ Pipeline create artifacts ○ CI/CD => deployed apps ○ AppSec Pipelines => Security Findings 34 What an AppSec Pipeline isn’t
37 So why should you build an AppSec Pipeline?
Another Real-World AppSec Pipeline
39 AppSec Pipeline Stats 15 Repos 4 Months 5,100 Runs 25,000+ Container Executions
Remember me?
2014 2015 2016 Number of Assessments 44 224 414 Headcount N/A -3.5 -2 Percentage Increase N/A 450% 107% 41
42 840.91% Percentage Increase
43
44
45
46 https://github.com/appsecpipeline/gasp-docker
47
48 Create an AppSec Pipeline and push visibility north Visibility
Thanks! Any questions? You can find me at: @matt_tesauro matt.tesauro@10Security.com 49
50 REferences ● Confused panda: https://openclipart.org/detail/69289/confusedpanda ● Jousting Snails - a random twitter post I lost the URL for, sorry ● Map image: https://openclipart.org/detail/823/two-harbours-map ● Gandoff “Shall pass”: https://shirt.woot.com/offers/halfling-height-requirement ● Pixie dust: http://www.disneyeveryday.com/bottle-of-tinker-bells-pixie-dust-neck lace/ ● Iceberg of Ignorance: https://corporate-rebels.com/iceberg-of-ignorance/

Recommended

Practical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief KarfiantoPractical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief Karfiantoidsecconf
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOpsFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an IntroductionPrashanth B. P.
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019NotSoSecure Global Services
 
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...Mohamed Nizzad
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.Matt Tesauro
 
How to Get Started with DevSecOps
How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOpsCYBRIC
 
Bsides Delhi Security Automation for Red and Blue Teams
Bsides Delhi Security Automation for Red and Blue TeamsBsides Delhi Security Automation for Red and Blue Teams
Bsides Delhi Security Automation for Red and Blue TeamsSuraj Pratap
 

Recommended

Practical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief KarfiantoPractical DevSecOps - Arief Karfianto
Practical DevSecOps - Arief Karfiantoidsecconf
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOpsFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an IntroductionPrashanth B. P.
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019NotSoSecure Global Services
 
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...Mohamed Nizzad
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.Matt Tesauro
 
How to Get Started with DevSecOps
How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOpsCYBRIC
 
Bsides Delhi Security Automation for Red and Blue Teams
Bsides Delhi Security Automation for Red and Blue TeamsBsides Delhi Security Automation for Red and Blue Teams
Bsides Delhi Security Automation for Red and Blue TeamsSuraj Pratap
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityMatt Tesauro
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsMichael Man
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep DiveUlisses Albuquerque
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsStefan Streichsbier
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaMohammed A. Imran
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsabhimanyubhogwan
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyDerek E. Weeks
 
Scaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for EnterpriseScaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for EnterpriseOpsta
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOpsAmazon Web Services
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
DevOps or DevSecOps
DevOps or DevSecOpsDevOps or DevSecOps
DevOps or DevSecOpsMichelangelo van Dam
 
DevOps & SRE at Google Scale
DevOps & SRE at Google ScaleDevOps & SRE at Google Scale
DevOps & SRE at Google ScaleKaushik Bhattacharya
 
Dev ops != Dev+Ops
Dev ops != Dev+OpsDev ops != Dev+Ops
Dev ops != Dev+OpsShalu Ahuja
 
AppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure Success
AppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure SuccessAppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure Success
AppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure SuccessRobert Grupe, CSSLP CISSP PE PMP
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie
 
DevOps Training | DevOps Training Video | DevOps Tools | DevOps Tutorial For ...
DevOps Training | DevOps Training Video | DevOps Tools | DevOps Tutorial For ...DevOps Training | DevOps Training Video | DevOps Tools | DevOps Tutorial For ...
DevOps Training | DevOps Training Video | DevOps Tools | DevOps Tutorial For ...Simplilearn
 
AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityMatt Tesauro
 
Enterprise Devsecops
Enterprise DevsecopsEnterprise Devsecops
Enterprise DevsecopsEnov8
 

More Related Content

What's hot

Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityMatt Tesauro
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsMichael Man
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep DiveUlisses Albuquerque
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsStefan Streichsbier
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaMohammed A. Imran
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyDerek E. Weeks
 
Scaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for EnterpriseScaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for EnterpriseOpsta
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
Dev ops != Dev+Ops
Dev ops != Dev+OpsDev ops != Dev+Ops
Dev ops != Dev+OpsShalu Ahuja
 
AppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure Success
AppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure SuccessAppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure Success
AppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure SuccessRobert Grupe, CSSLP CISSP PE PMP
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie
 
DevOps Training | DevOps Training Video | DevOps Tools | DevOps Tutorial For ...
DevOps Training | DevOps Training Video | DevOps Tools | DevOps Tutorial For ...DevOps Training | DevOps Training Video | DevOps Tools | DevOps Tutorial For ...
DevOps Training | DevOps Training Video | DevOps Tools | DevOps Tutorial For ...Simplilearn
 

What's hot (20)

Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security Sanity
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOps
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep Dive
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
 
Scaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for EnterpriseScaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for Enterprise
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
 
DevOps or DevSecOps
DevOps or DevSecOpsDevOps or DevSecOps
DevOps or DevSecOps
 
DevOps & SRE at Google Scale
DevOps & SRE at Google ScaleDevOps & SRE at Google Scale
DevOps & SRE at Google Scale
 
Dev ops != Dev+Ops
Dev ops != Dev+OpsDev ops != Dev+Ops
Dev ops != Dev+Ops
 
AppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure Success
AppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure SuccessAppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure Success
AppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure Success
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
 
DevOps Training | DevOps Training Video | DevOps Tools | DevOps Tutorial For ...
DevOps Training | DevOps Training Video | DevOps Tools | DevOps Tutorial For ...DevOps Training | DevOps Training Video | DevOps Tools | DevOps Tutorial For ...
DevOps Training | DevOps Training Video | DevOps Tools | DevOps Tutorial For ...
 

Similar to Continuous Security: Using Automation to Expand Security's Reach

AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityMatt Tesauro
 
Enterprise Devsecops
Enterprise DevsecopsEnterprise Devsecops
Enterprise DevsecopsEnov8
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramAppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramMatt Tesauro
 
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...Amazon Web Services
 
DevOps and Devsecops.pdf
DevOps and Devsecops.pdfDevOps and Devsecops.pdf
DevOps and Devsecops.pdfTechugo
 
Top DevOps Best Practices for a Successful Transition in 2023
Top DevOps Best Practices for a Successful Transition in 2023Top DevOps Best Practices for a Successful Transition in 2023
Top DevOps Best Practices for a Successful Transition in 2023SofiaCarter4
 
DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.Techugo
 
DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.Techugo
 
DevSecOps Implement Making Security Central to Your DevOps Pipeline
DevSecOps Implement Making Security Central to Your DevOps PipelineDevSecOps Implement Making Security Central to Your DevOps Pipeline
DevSecOps Implement Making Security Central to Your DevOps PipelineEnov8
 
Enhance Software Testing with DevOps Practices.pdf
Enhance Software Testing with DevOps Practices.pdfEnhance Software Testing with DevOps Practices.pdf
Enhance Software Testing with DevOps Practices.pdfCiente
 
DevOps and Devsecops What are the Differences.pdf
DevOps and Devsecops What are the Differences.pdfDevOps and Devsecops What are the Differences.pdf
DevOps and Devsecops What are the Differences.pdfTechugo
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeLessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeMatt Tesauro
 
Continuous testing & devops with @petemar5hall
Continuous testing & devops with @petemar5hallContinuous testing & devops with @petemar5hall
Continuous testing & devops with @petemar5hallPeter Marshall
 
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...SlideTeam
 
All About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdfAll About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdfEnov8
 
8 Ways to Boost Your DevOps Efforts
8 Ways to Boost Your DevOps Efforts8 Ways to Boost Your DevOps Efforts
8 Ways to Boost Your DevOps EffortsLucy Zeniffer
 
SAP Development Object Testing
SAP Development Object TestingSAP Development Object Testing
SAP Development Object TestingShivani Thakur
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Madhu Akula
 

Similar to Continuous Security: Using Automation to Expand Security's Reach (20)

AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based Security
 
Enterprise Devsecops
Enterprise DevsecopsEnterprise Devsecops
Enterprise Devsecops
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
Introduction to DevOps
Introduction to DevOpsIntroduction to DevOps
Introduction to DevOps
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramAppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
 
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
 
DevOps and Devsecops.pdf
DevOps and Devsecops.pdfDevOps and Devsecops.pdf
DevOps and Devsecops.pdf
 
Top DevOps Best Practices for a Successful Transition in 2023
Top DevOps Best Practices for a Successful Transition in 2023Top DevOps Best Practices for a Successful Transition in 2023
Top DevOps Best Practices for a Successful Transition in 2023
 
DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.
 
DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.
 
DevSecOps Implement Making Security Central to Your DevOps Pipeline
DevSecOps Implement Making Security Central to Your DevOps PipelineDevSecOps Implement Making Security Central to Your DevOps Pipeline
DevSecOps Implement Making Security Central to Your DevOps Pipeline
 
Enhance Software Testing with DevOps Practices.pdf
Enhance Software Testing with DevOps Practices.pdfEnhance Software Testing with DevOps Practices.pdf
Enhance Software Testing with DevOps Practices.pdf
 
DevOps and Devsecops What are the Differences.pdf
DevOps and Devsecops What are the Differences.pdfDevOps and Devsecops What are the Differences.pdf
DevOps and Devsecops What are the Differences.pdf
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeLessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec Life
 
Continuous testing & devops with @petemar5hall
Continuous testing & devops with @petemar5hallContinuous testing & devops with @petemar5hall
Continuous testing & devops with @petemar5hall
 
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
 
All About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdfAll About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdf
 
8 Ways to Boost Your DevOps Efforts
8 Ways to Boost Your DevOps Efforts8 Ways to Boost Your DevOps Efforts
8 Ways to Boost Your DevOps Efforts
 
SAP Development Object Testing
SAP Development Object TestingSAP Development Object Testing
SAP Development Object Testing
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
 

More from Matt Tesauro

Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Matt Tesauro
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
 
Practical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsPractical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsMatt Tesauro
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesMatt Tesauro
 
Landmines in the API Landscape
Landmines in the API LandscapeLandmines in the API Landscape
Landmines in the API LandscapeMatt Tesauro
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingMatt Tesauro
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandMatt Tesauro
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityMatt Tesauro
 
Running FaaS with Scissors
Running FaaS with ScissorsRunning FaaS with Scissors
Running FaaS with ScissorsMatt Tesauro
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Matt Tesauro
 
Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Matt Tesauro
 
Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Matt Tesauro
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterMatt Tesauro
 
AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015Matt Tesauro
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestMatt Tesauro
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineMatt Tesauro
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt Tesauro
 
Dev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroDev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroMatt Tesauro
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauroMatt Tesauro
 

More from Matt Tesauro (20)

Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
 
Practical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsPractical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful Programs
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
 
Landmines in the API Landscape
Landmines in the API LandscapeLandmines in the API Landscape
Landmines in the API Landscape
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security Testing
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP Switzerland
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into security
 
Running FaaS with Scissors
Running FaaS with ScissorsRunning FaaS with Scissors
Running FaaS with Scissors
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
 
Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program
 
Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
 
AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec Pipeline
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
 
Dev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroDev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauro
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauro
 

Recently uploaded

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Recently uploaded (20)

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

Continuous Security: Using Automation to Expand Security's Reach

  • 1. Continuous Security: Using Automation to Expand Security’s Reach
  • 2. I am Matt Tesauro I think AppSec needs to change and I’m going to tell you how I see it changing matt.tesauro@10Security.com / @matt_tesauro 2
  • 3. Who is this guy? ✖ Reformed programmer and AppSec Engineer ✖ 11+ years in the OWASP community ○ OWASP AppSec Pipeline ○ OWASP DefectDojo ○ OWASP WTE ✖ 20+ years using Floss and Linux ✖ Currently a Go language fanbox ✖ Ee Dan in Tang Soo Do Mi Guk Kwan (2nd degree black belt) 3
  • 5. Not everything about completing a goal is sunshine and roses... The Anti-money shot 5
  • 6. Quick Survey Raise your hand if you work in: ✖ AppSec ✖ Product Security ✖ Security Engineering ✖ DevOps aka DevSecOps, SecDevOps, DevOpsSec, OpsDevSec, OpsDevSecOpsDev...
  • 7. Traditional AppSec Where all this started not so long ago 7
  • 8. What Traditional AppSec Tooling feels like: 8
  • 9. 9
  • 10. 10 The purpose of an AppSec program is to evaluate the security status of the suite of apps for a business Basically, to provide a map to guide business decisions.
  • 11. Do you have a full view of your Application landscape? 11
  • 12. DevSecOps Automation What are the key things to be aware of 12
  • 13. W Edward DemIng Spending time optimizing anything other than the critical resource is an illusion 13
  • 14. Your people are the critical resource 14
  • 15. There’s never enough people or time... ✖ AppSec team size is small vs Dev team ✖ Automate all those things that don’t take a human brain ✖ DefectDojo (and the rest API) is the heart of your automation efforts - your single source of truth
  • 16. OWASP DefectDojo An open-source application vulnerability correlation and security orchestration tool. The source of truth for a security program that manages to make vulnerability management work ✖ Consolidating and dedup’ing findings ○ 66+ different tools supported ✖ Maintain product and app info/metadata ✖ Push findingst to defect trackers ✖ Automation with a REST API 16
  • 17. The “Three Ways of DevOps” 1. Workflow “Look at your purpose and those processes which aid it” 2. Improve Feedback “Open yourself to upstream & downstream info” 3. Continual Experimentation and Learning “Create a culture of innovation and experimentation” 17
  • 18. AppSec Personnelle They are the critical resource so optimize their work ✖ Automate the non-human brain things ✖ Drive up consistency ✖ Increase tracking of work status ✖ Increase flow through the system ✖ Increase visibility and metrics ✖ Reduce any friction with dev teams 18
  • 19. Let’s be honest for a minute... 19
  • 20. 20 Talk to your constituency in the language that THEY speak, not the one you speak.
  • 21. As as exercise for the student 21
  • 22. AppSec Pipelines Why let dev teams own all the good ideas 22
  • 23.
  • 24. What’s this AppSec pipeline all about? ✖ Better visibility into WIP ✖ Better understand/track/optimize flow of DevSecOps work ✖ Significant increase in consistency ○ Each step has a well defined interface ✖ Understanding the cost of switching ✖ Flexible enough for a range of skills & program maturity 24
  • 25. Remember that DevOps stuff? For better or worse, DevOps is changing IT ✖ Smaller quicker iterations ○ CI/CD, Cloud, Serverless, Microservices ✖ More agility to meet customer needs and keep up with competitors ✖ Cost of experimentation goes down 25
  • 26. Gen 1 AppSec Pipelines Look at your team’s purpose and those processes which aid it 26
  • 27.
  • 29. 29 Get your house in order
  • 30. Gen 2 AppSec Pipelines Look outside team’s purpose and those processes which aid it 30
  • 31. Integrate with DevOpsTeams DevOps Pipeline AppSec Pipeline Drop tool(s) into their pipeline
  • 32. Gen 3 AppSec Pipelines Scale your teams reach and dramatically increase speed and visibility 32
  • 33. ✖ A way to conduct automated testing ✖ Run by the AppSec team to ○ Provide visibility of software posture ○ Provide findings to the dev teams ✖ Means to scale AppSec team coverage ○ No in-depth testing, breadth ○ Pre-calculate testing ✖ Creates a security baseline 33 What does a Gen3 AppSec Pipeline get me?
  • 34. ✖ The one thing that will fix all your problems ✖ A gate that blocks deploys (especially at first) ✖ Pipeline create artifacts ○ CI/CD => deployed apps ○ AppSec Pipelines => Security Findings 34 What an AppSec Pipeline isn’t
  • 35.
  • 36.
  • 37. 37 So why should you build an AppSec Pipeline?
  • 39. 39 AppSec Pipeline Stats 15 Repos 4 Months 5,100 Runs 25,000+ Container Executions
  • 41. 2014 2015 2016 Number of Assessments 44 224 414 Headcount N/A -3.5 -2 Percentage Increase N/A 450% 107% 41
  • 43. 43
  • 44. 44
  • 45. 45
  • 47. 47
  • 48. 48 Create an AppSec Pipeline and push visibility north Visibility
  • 49. Thanks! Any questions? You can find me at: @matt_tesauro matt.tesauro@10Security.com 49
  • 50. 50 REferences ● Confused panda: https://openclipart.org/detail/69289/confusedpanda ● Jousting Snails - a random twitter post I lost the URL for, sorry ● Map image: https://openclipart.org/detail/823/two-harbours-map ● Gandoff “Shall pass”: https://shirt.woot.com/offers/halfling-height-requirement ● Pixie dust: http://www.disneyeveryday.com/bottle-of-tinker-bells-pixie-dust-neck lace/ ● Iceberg of Ignorance: https://corporate-rebels.com/iceberg-of-ignorance/