IT companies that do heavy software development have been shifting their paradigm from a traditional monolithic waterfall development lifecycle to a fully heterogeneous 24/7 DevOps culture. This means more code is written and more software is deployed. The traditional security approach is not only insufficient but clearly outdated and no longer applicable. This talk tells how MercadoLibre evolved into a DevOps company, how information security was perceived and tackled then and now, what challenges we faced, what we did to change the mindset of a 15-year-old company, and how we are transforming into a SecDevOps culture and the way we envision that culture of work.
28. Premises
Security follows the business
Explain impact in their words
Be open and friendly!
Choose your battles: tradeoffs!
Get feedback and iterate: more effective
29. How we envision AppSec
Security Training
Threat Modeling
Security Code Review
Secure Coding
Security Features
Static Code Analysis
Security Testing (Internal)
Security Testing (External)
Vulnerability Fixing
Vulnerability Tracking
WAF
Culture / Development
31. Train every developer! (Mandatory)
8-hour theory/practical training
Developer oriented
Examples in the development language they use
40. Threat Modeling
AppSec can't be everywhere
Define criteria for critical projects
Set SFP in each of those
AppSec participates in threat models of critical projects
41. Secure Coding / Security Features
Training!
Security Checklists (Pre/Post): OWASP Top 10
Security Advisor position
46. Static Code Analysis
Centralized
+ InfoSec view
+ All source code
- Another tool developers need to add to their routine.
Decentralized
+ Integrated with CI
+ Developers don't have to look at another tool; it's in their everyday workflow.
- Different CI solutions, sometimes not available.
- Non-centralized view for InfoSec
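The centralized/decentralized tradeoff on this slide can be illustrated with a tiny static-analysis gate that serves both views at once: it runs inside a repository's CI job and fails the build on high-severity findings (the decentralized, developer-facing side), while also emitting a JSON report that can be shipped to a central InfoSec store (the centralized, all-source-code view). This is an added example, not MercadoLibre's tooling or any real SAST product; the rule ids, severities, regexes and the sample source file are constructed for the demonstration.

```python
"""Minimal static-analysis gate with a CI exit code and a central JSON report.
Added example; the rules and sample input below are constructed, not real tooling."""
import json
import re
from dataclasses import dataclass, asdict
from pathlib import Path

# Hypothetical rule set: (rule id, severity, pattern). Deliberately tiny.
RULES = [
    ("PY-EVAL", "high", re.compile(r"\beval\s*\(")),
    ("PY-SHELL", "medium", re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True")),
    ("SECRET-KEY", "high",
     re.compile(r"(?i)(api[_-]?key|password)\s*=\s*['\"][^'\"]{8,}['\"]")),
]

# Constructed sample source file used by the stand-alone run and the test.
SAMPLE_SOURCE = (
    "import subprocess\n"
    'password = "hunter2hunter2"\n'
    "result = eval(user_input)\n"
    "subprocess.run(cmd, shell=True)\n"
)


@dataclass
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int
    snippet: str


def scan_source(path: str, text: str) -> list[Finding]:
    """Run every rule over every line of one file and collect findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_id, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(rule_id, severity, path, lineno, line.strip()))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Scan all .py files under a repository checkout (the CI working copy)."""
    findings = []
    for file in sorted(root.rglob("*.py")):
        text = file.read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_source(str(file.relative_to(root)), text))
    return findings


def ci_gate(findings: list[Finding], fail_on: tuple[str, ...] = ("high",)) -> int:
    """Decentralized view: exit code for the CI job. 1 blocks the merge."""
    return 1 if any(f.severity in fail_on for f in findings) else 0


def central_report(repo: str, findings: list[Finding]) -> str:
    """Centralized view: JSON document to ship to the InfoSec inventory,
    so security keeps one view across repositories regardless of CI flavour."""
    return json.dumps({"repo": repo, "findings": [asdict(f) for f in findings]}, indent=2)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        found = scan_tree(Path(sys.argv[1]))
        repo = Path(sys.argv[1]).name
    else:
        found = scan_source("app.py", SAMPLE_SOURCE)
        repo = "sample"
    print(central_report(repo, found))
    sys.exit(ci_gate(found))
```

Run with a repository path to scan a checkout, or with no arguments to scan the constructed sample, which trips all three rules and exits 1. The gate decides only on severities it fails on (high by default), so medium findings still reach the central report without blocking developers, which is one way to keep the "another tool in my routine" cost low while still giving InfoSec the full picture.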