
FUTURESTACK13: AppSec in a DevOps World from Shaun Gordon, Director of Information Security & Compliance at New Relic

We all love DevOps and Continuous Deployment because they let us deploy more reliable software faster. But are we willing to sacrifice the security of our own and our customers' data for those benefits? Fortunately we don't need to… but we do need to think about application security differently than we have in the past. Our traditional application security methodologies present a host of challenges in the fast-moving world of DevOps, including:
- How do we ensure that the code we deploy is secure when it was written only this morning?
- How can we provide the security our customers expect without impacting our speed and agility?
- How can we insert security into an SDLC when there is no formal SDLC?
- How do we deal with auditors who don't understand DevOps and Continuous Deployment?
At New Relic, we deploy on a daily basis and face all of these challenges. We'll talk about how we are addressing them as well as our vision for the evolution of application security.

  1. AppSec in a DevOps World. Shaun Gordon, New Relic, Director of Information Security & Compliance. October 23, 2013. (Footer on the exported deck: Wednesday, November 6, 13)
  3. Speed vs. Security (built up over slides 3-5: Speed; Security; Speed vs. Security)
  7. Accelerating Development Cycles (built up over slides 7-17):
     • Boxed software: Waterfall, 1 year
     • Web 1.0: Waterfall, 3 months
     • Web 2.0: Agile, 4 weeks
     • DevOps: 2x per week
     • DevOps with Continuous Deployment: daily, then hourly
  18. Traditional (Waterfall) SDLC: Requirements, Design, Development, Testing, Release, Production (built up over slides 18-24):
     • Requirements: define functional (features) and non-functional (capabilities) requirements
     • Design: translate requirements into architecture and detailed design
     • Development: build it!
     • Testing: ensure functional and non-functional requirements are met
     • Release: ship or push live
     • Production: maintain and patch as needed
  25. Traditional (Waterfall) SDLC Security: Checkpoints, Controls, Formal Processes
  27. Traditional (Waterfall) SDLC Security, controls by phase (built up over slides 27-44):
     • Requirements: functional & non-functional security requirements
     • Design: architectural review; threat modeling
     • Development: secure coding practices; static analysis; white box testing
     • Testing: dynamic analysis; requirements testing
     • Release: penetration testing; security assessment; security sign-off
     • Production: vulnerability scanning; penetration testing
     • Across the lifecycle (added on slide 42): separation of duties; management release sign-off; limits on production access
  45. Continuous Deployment Security
  46. Continuous Deployment Security Requirements:
     • Low to no friction (can't slow us down)
     • Transparent
     • No significant changes to development processes
     • Make us more secure
  47. Strategies & Tactics that meet those requirements:
     • Automation
     • Training & Empowerment
     • Lightweight Processes
     • Triage
     • Quickly Detect & Respond
  48. Continuous Deployment Security, starting from the traditional control matrix (slides 48-53): the six waterfall phases collapse into three (Requirements & Design; Development, Testing & Release; Production), and the following slides replace the traditional controls one at a time.
  54. Requirements & Design: "functional & non-functional security requirements" and "architectural review" become a Required Security Evaluation.
  55. Required Security Evaluation: a meeting of less than 25 minutes covering 1. Technical overview 2. Business context 3. Developer concerns
  56. Security Evaluation Outcomes (slides 56-58):
     • Low risk: simple guidance
     • Higher risk: deep dive; whiteboarding; threat model
  59. Security Evaluation Follow-Up (slides 59-60): document; follow up
  62. Requirements & Design: "threat modeling" becomes Lightweight Targeted Threat Modeling.
  63. Threat Modeling (slides 63-65): identify your assets and the threats against them; focus your resources on the greatest risks.
  66. Threat Modeling @ New Relic (built up over slides 66-71):
     1. Decompose your application
     2. Identify your assets
     3. Enumerate your threats
     4. Rate & rank your threats
     5. Address or accept
  73. Development, Testing & Release: Security Libraries & Services are added alongside secure coding practices.
  74. Secure Libraries & Services: Authentication Service; Security Event Logging Service; Input Validation Regex Patterns; Encryption Libraries
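Slide 74 lists shared input validation regex patterns and a security event logging service among the libraries developers should reuse instead of hand-rolling their own. The module below is an added example of what such a library can look like, not New Relic's code and not from the deck; it is in Ruby because Brakeman (slide 77) targets Rails. The pattern names, length limits and the SecurityEvents stand-in for a logging service are assumptions. It also shows why the shared pattern has to anchor with \A and \z: in Ruby, ^ and $ match at line boundaries, so the tutorial-style /^...$/ accepts a value with a newline and a payload after it.

```ruby
require "json"
require "time"

# Minimal stand-in for a shared security event logging service (assumption):
# every rejected input becomes a structured record the security team can triage.
module SecurityEvents
  @events = []

  def self.record(type, **fields)
    @events << { "type" => type, "at" => Time.now.utc.iso8601 }
                 .merge(fields.transform_keys(&:to_s))
  end

  def self.events
    @events
  end
end

# Shared, reviewed validation patterns. Every pattern is anchored with \A and
# \z (whole string), never ^ and $ (per line), and carries a length cap so
# over-long input is rejected before the regex engine sees it.
module InputPatterns
  PATTERNS = {
    username:   { re: /\A[a-z][a-z0-9_]{2,31}\z/, max: 32 },
    hostname:   { re: /\A(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i,
                  max: 253 },
    numeric_id: { re: /\A[1-9][0-9]{0,17}\z/, max: 18 },
    hex_token:  { re: /\A[0-9a-f]{32,64}\z/, max: 64 },
  }.freeze

  # The pattern everyone copies from a tutorial, kept only to demonstrate the
  # bypass: $ matches before "\n", so "alice\n<script>" passes.
  LEGACY_USERNAME = /^[a-z][a-z0-9_]{2,31}$/

  Result = Struct.new(:ok, :reason)

  # Validate `value` against the named pattern; log every rejection with
  # enough context (kind, source, a truncated sample) to investigate probing.
  def self.check(kind, value, source: "unknown")
    spec = PATTERNS.fetch(kind) { raise ArgumentError, "unknown pattern: #{kind}" }
    reason =
      if !value.is_a?(String)         then "not a string"
      elsif value.length > spec[:max] then "too long"
      elsif !spec[:re].match?(value)  then "pattern mismatch"
      end
    if reason
      SecurityEvents.record("input.rejected", kind: kind.to_s, source: source,
                            reason: reason, sample: value.to_s[0, 64].inspect)
    end
    Result.new(reason.nil?, reason)
  end

  def self.valid?(kind, value, source: "unknown")
    check(kind, value, source: source).ok
  end
end

if $PROGRAM_NAME == __FILE__
  payload = "alice\n<script>alert(1)</script>"
  puts "legacy ^...$ accepts payload: #{InputPatterns::LEGACY_USERNAME.match?(payload)}"
  puts "shared \\A...\\z accepts payload: #{InputPatterns.valid?(:username, payload, source: 'demo')}"
  puts JSON.pretty_generate(SecurityEvents.events)
end
```

The length check sits in front of the regex on purpose: it is the cheap guard against attacker-controlled input sizes, and it means the shared patterns can be reviewed once for backtracking behaviour at a known maximum length.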
  76. Development, Testing & Release: "static analysis" becomes Automated Static Analysis.
  77. Brakeman + Jenkins (brakemanscanner.org)
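Slide 77 only names the tools: Brakeman, the Rails static analyzer, run from Jenkins. What makes that "automated" in a continuous deployment pipeline is a build step that fails on new findings without re-flagging warnings the team has already reviewed. The script below is an added example of that gate, not Brakeman's or New Relic's code. It assumes an earlier build step produced a JSON report (for example `brakeman -o brakeman.json`) whose "warnings" entries carry "fingerprint", "confidence" ("High", "Medium", "Weak"), "warning_type", "file", "line" and "message" fields, and that accepted warnings live in a brakeman.ignore-style file ({"ignored_warnings": [{"fingerprint": ...}]}); the two embedded documents are constructed samples, not real scan output.

```ruby
require "json"
require "set"

# Jenkins gate over a Brakeman JSON report (example code; see lead-in for the
# assumed report and ignore-file shapes).
module BrakemanGate
  CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

  # Fingerprints of warnings a human has reviewed and accepted. Brakeman
  # fingerprints identify a finding independent of file:line, so the
  # baseline survives unrelated edits to the same file.
  def self.ignored_fingerprints(ignore_json)
    JSON.parse(ignore_json).fetch("ignored_warnings", [])
        .map { |w| w["fingerprint"] }.to_set
  end

  # Warnings that should block the deploy: not in the ignore list and at least
  # `min_confidence`, highest confidence first.
  def self.blocking_warnings(report_json, ignore_json, min_confidence: "Medium")
    ignored = ignored_fingerprints(ignore_json)
    floor   = CONFIDENCE_RANK.fetch(min_confidence)
    JSON.parse(report_json).fetch("warnings", [])
        .reject { |w| ignored.include?(w["fingerprint"]) }
        .select { |w| CONFIDENCE_RANK.fetch(w["confidence"], 0) >= floor }
        .sort_by { |w| [-CONFIDENCE_RANK.fetch(w["confidence"], 0), w["file"].to_s, w["line"].to_i] }
  end

  def self.format_warning(w)
    "#{w['confidence']}: #{w['warning_type']} at #{w['file']}:#{w['line']} " \
      "(#{w['fingerprint']}) #{w['message']}"
  end

  # Exit status for the Jenkins step: 0 lets the deploy continue, 1 fails it.
  def self.exit_status(report_json, ignore_json, min_confidence: "Medium")
    blocking_warnings(report_json, ignore_json, min_confidence: min_confidence).empty? ? 0 : 1
  end
end

# Constructed sample report with four warnings. Single-quoted heredoc so the
# Ruby interpolation inside the quoted code is not evaluated here.
SAMPLE_REPORT = <<'JSON'
{
  "scan_info": {"app_path": "/var/lib/jenkins/workspace/app"},
  "warnings": [
    {"warning_type": "SQL Injection", "fingerprint": "aaaa1111", "confidence": "High",
     "file": "app/models/account.rb", "line": 27,
     "message": "Possible SQL injection", "code": "Account.where(\"name = '#{params[:name]}'\")"},
    {"warning_type": "Remote Code Execution", "fingerprint": "bbbb2222", "confidence": "High",
     "file": "lib/report_dsl.rb", "line": 12,
     "message": "Possible remote code execution", "code": "eval(template)"},
    {"warning_type": "Cross-Site Scripting", "fingerprint": "cccc3333", "confidence": "Medium",
     "file": "app/views/reports/show.html.erb", "line": 4,
     "message": "Unescaped parameter value", "code": "raw(params[:title])"},
    {"warning_type": "Mass Assignment", "fingerprint": "dddd4444", "confidence": "Weak",
     "file": "app/controllers/users_controller.rb", "line": 40,
     "message": "Unprotected mass assignment", "code": "User.new(params[:user])"}
  ],
  "ignored_warnings": [], "errors": [], "obsolete": []
}
JSON

# Constructed ignore file: the RCE finding was reviewed and accepted.
SAMPLE_IGNORE = <<'JSON'
{"ignored_warnings": [{"fingerprint": "bbbb2222", "note": "admin-only report DSL, reviewed"}]}
JSON

# Usage in the Jenkins job: ruby brakeman_gate.rb brakeman.json config/brakeman.ignore
if $PROGRAM_NAME == __FILE__ && ARGV.size == 2
  report, ignore = ARGV.map { |f| File.read(f) }
  BrakemanGate.blocking_warnings(report, ignore).each { |w| puts BrakemanGate.format_warning(w) }
  exit BrakemanGate.exit_status(report, ignore)
end
```

Two design points worth keeping whatever the scanner: gate on fingerprints rather than file and line, so a reviewed warning does not resurface every time the file is edited, and gate on a confidence floor so the noisy "Weak" tier lands in a report rather than blocking an hourly deploy.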
  79. Development, Testing & Release: "white box testing" becomes Testing Tools & Training.
  82. Development, Testing & Release: "dynamic analysis" (testing) and "vulnerability scanning" (production) become Continuous Scanning in Test, Staging & Production.
  84. "Requirements testing" is dropped.
  86. Release-phase "penetration testing" is dropped; penetration testing remains as the Production control.
  88. "Security assessment" becomes Automated Commit Triage.
  89. Triage Process: flag commits that touch Dangerous Methods; Sensitive Modules; Security Keywords
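Slide 89 gives the three triggers for automated commit triage but not the mechanics. The script below is an added example of the idea, not New Relic's tool: it walks the added lines of a unified diff and routes the commit to a security reviewer when they call a dangerous method, touch a sensitive module, or mention a security keyword. The method, path and keyword lists are illustrative assumptions for a Rails code base, and the diff it scans is constructed for the example.

```ruby
# Automated commit triage over a unified diff (example code; lists below are
# assumptions, tune them to the code base).
module CommitTriage
  DANGEROUS_METHODS = {
    "code execution"     => /\b(?:instance_|class_|module_)?eval\b|\bconstantize\b|\b(?:public_)?send\b|\b__send__\b/,
    "command execution"  => /\bsystem\s*\(|\bexec\s*\(|\bspawn\s*\(|`[^`]+`|\bOpen3\./,
    "unsafe deserialize" => /\bMarshal\.load\b|\bYAML\.load\b/,
    "raw SQL"            => /\bfind_by_sql\b|\bexecute\s*\(|\.where\s*\(\s*"[^"]*\#\{/,
    "unescaped output"   => /\bhtml_safe\b|\braw\s*\(|\braw\s+(?:@|params)/,
  }.freeze

  # Paths whose every change gets a human security look, regardless of content.
  SENSITIVE_PATHS = %w[app/controllers/sessions lib/auth/ app/models/user.rb
                       config/initializers/ config/routes.rb Gemfile.lock].freeze

  # Lookarounds instead of \b so TOKEN_TTL and api_key still match.
  SECURITY_KEYWORDS = /(?<![a-z0-9])(?:password|passwd|token|secret|api_key|crypt|cipher|permission|role|admin|csrf|sanitize|escape)(?![a-z0-9])/i

  Finding = Struct.new(:file, :line, :category, :detail)

  # Files named in "+++ b/..." headers.
  def self.touched_files(diff)
    diff.each_line.grep(/\A\+\+\+ /).map { |l| l.chomp.sub(%r{\A\+\+\+ (?:b/)?}, "") }.uniq
  end

  # [path, new-file line number, text] for every added line, tracking line
  # numbers from the @@ hunk headers (removed lines do not advance them).
  def self.added_lines(diff)
    path, lineno, results = nil, 0, []
    diff.each_line do |raw|
      line = raw.chomp
      if line.start_with?("+++ ")
        path = line.sub(%r{\A\+\+\+ (?:b/)?}, "")
      elsif line =~ /\A@@ -\d+(?:,\d+)? \+(\d+)/
        lineno = Regexp.last_match(1).to_i - 1
      elsif line.start_with?("+") && path
        lineno += 1
        results << [path, lineno, line[1..-1]]
      elsif line.start_with?("-")
        next # removed line (also covers the "--- a/" header)
      elsif path && !line.start_with?("\\")
        lineno += 1 # context line
      end
    end
    results
  end

  def self.triage(diff)
    findings = []
    touched_files(diff).each do |path|
      hit = SENSITIVE_PATHS.find { |p| path.start_with?(p) }
      findings << Finding.new(path, nil, "sensitive module", "touches #{hit}") if hit
    end
    added_lines(diff).each do |path, lineno, text|
      DANGEROUS_METHODS.each do |category, re|
        findings << Finding.new(path, lineno, "dangerous method: #{category}", text.strip) if text =~ re
      end
      if text =~ SECURITY_KEYWORDS
        findings << Finding.new(path, lineno, "security keyword", Regexp.last_match(0))
      end
    end
    findings
  end

  # :review routes the commit to security; :pass lets it ride the pipeline.
  def self.verdict(diff)
    triage(diff).empty? ? :pass : :review
  end
end

# Constructed sample commit: a controller hack, an auth module edit, a view tweak.
SAMPLE_DIFF = <<'DIFF'
diff --git a/app/controllers/reports_controller.rb b/app/controllers/reports_controller.rb
--- a/app/controllers/reports_controller.rb
+++ b/app/controllers/reports_controller.rb
@@ -10,6 +10,9 @@ class ReportsController < ApplicationController
   def show
     @report = Report.find(params[:id])
+    # quick hack for custom filters
+    @rows = @report.rows.select { |r| eval(params[:filter]) }
+    @title = params[:title].html_safe
     render :show
   end
 end
diff --git a/lib/auth/session.rb b/lib/auth/session.rb
--- a/lib/auth/session.rb
+++ b/lib/auth/session.rb
@@ -3,4 +3,5 @@ module Auth
   class Session
+    TOKEN_TTL = 86_400
     def initialize(user); @user = user; end
   end
 end
diff --git a/app/views/reports/show.html.erb b/app/views/reports/show.html.erb
--- a/app/views/reports/show.html.erb
+++ b/app/views/reports/show.html.erb
@@ -1,3 +1,4 @@
 <h1><%= @title %></h1>
+<p class="subtitle">Generated <%= @report.created_at %></p>
DIFF

# Usage: git show --format= HEAD > change.diff && ruby commit_triage.rb change.diff
if $PROGRAM_NAME == __FILE__
  diff = ARGV.empty? ? SAMPLE_DIFF : File.read(ARGV[0])
  CommitTriage.triage(diff).each { |f| puts "#{f.file}:#{f.line || '-'} #{f.category}: #{f.detail}" }
  puts "verdict: #{CommitTriage.verdict(diff)}"
end
```

Only added lines are scanned, so a commit that deletes an `eval` is not flagged for the deletion, and the sensitive-path rule fires on the file rather than per line so a one-character change to an auth module still gets a second set of eyes.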
  91. Development, Testing & Release: "security sign-off" becomes Quick Detection & Recovery.
  93. Across the lifecycle: "separation of duties" becomes Accountability.
  95. Across the lifecycle: "management release sign-off" becomes the Sidekick Process.
  99. Two sets of (masked) eyes on every change (slides 96-98 are images)
  101. Across the lifecycle: "limits on production access" becomes Enabling Tools.
  103. Continuous Deployment Security, final control matrix:
     • Requirements & Design: required security evaluation; lightweight targeted threat modeling
     • Development, Testing & Release: secure coding practices; security libraries & services; automated static analysis; testing tools & training; continuous scanning in test, staging & production; automated commit triage; quick detection & recovery
     • Production: penetration testing
     • Across the lifecycle: accountability; sidekick process; enabling tools
  104. Powered By... (slides 104-105): Automation; Training & Empowerment; Lightweight Processes; Triage; Quick Detection & Response
  106. Auditors (slides 106-108): Compensating Controls; Tell the Story
  109. Thank You! shaun@newrelic.com, security@newrelic.com
  111. Image Attribution: Slide 14, "Checkpoint Rheinpark" by kecko, http://www.flickr.com/photos/kecko/3179561892/