SlideShare a Scribd company logo

Agile AppSec DevOps

Robert Grupe, CSSLP CISSP PE PMP
Robert Grupe, CSSLP CISSP PE PMP

This document discusses integrating application security (AppSec) into agile development processes like DevOps. It begins with an overview of moving from traditional waterfall development with separate AppSec to integrating AppSec into agile feature-driven development (FDD) and test-driven development (TDD). The rest of the document details a two-phase approach: first, implementing security FDD by adding AppSec activities to each stage of FDD; second, implementing DevSecOps by adding automated security testing and monitoring throughout TDD. Key aspects covered include threat modeling, static/dynamic testing, monitoring and response.

Technology
1 of 14
Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 1 AGILE APPSEC DEVOPS Secure Software Development with Agile DevOps robertGrupe, CISSP, CSSLP, PE, PMP Tags :: Application, Software, Security, Development, AppSec, DevOps, DevSecOps OWASP, Agile, Kanban, Scrum, Best Practices, Feature Driven Development, FDD, Test Driven Development , TDD
Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 2 Presentation Summary How ... Application Security (AppSec), Secure Software Development Life Cycle (SSDLC) is applied to Development and IT Operations (DevOps) in Agile, rapid software development and delivery. Moving from 1. Waterfall/Agile: AppSec 2. Feature Driven Development: AppSec with DevOps 3. Test Driven Development (TDD): DevSecOps
Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 3 Table of Contents 1. AppSec with DevOps: Feature Diven Development 1. Foundational Elements 2. DevSecOps: Security Driven Development
Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 4 I FOUNDATION Security Feature Driven Development
Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 5 DevOps Dev • Plan: Requirements, Architecture, Schedule • Create: Design, Coding, Build • Verify: Test • Package: Pre-Production Staging Ops • Release: Coordinating, Deploying • Configure: Infrastructure, Applications • Monitor: Performance, Use, Metrics DevOps Collaboration of software delivery teams: • Developers; • Operations; • Quality Assurance: Testers • Management; • ... etc. Continuous Development automate delivery, focuses on • Bringing together different processes; • Executing them more quickly and more frequently.
Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 6 SSDLC (SDLC with AppSec) Requirements (Scoping) Design Implementation (Development) Verification (Test) Release • AppSec Requirements (User Stories with Acceptance Criteria) • Security & Regulatory Risk Assessment • Frameworks Patterns • Analyze Attack Surface • Threat Modeling • Approved Tools • Deprecate Unsafe Functions • Static Analysis • Unit Tests/ User Story Acceptance • Dynamic Analysis • Fuzz Testing • Attack Surface Review • Penetration Testing • Deferred Defects Risk Acceptance • Go/No-Go
Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 7 Application Security Requirement Foundation • AppSec Requirements Library • Use Cases with Acceptance Criteria • Compliance Traceability • Feature Use Case Process Flow Diagrams • Architecture, Components, Patterns • Prototypes • Risk Assessment Threat Modeling Intake • Context Diagram • Data Flow Diagram • Data Map & Model • Process Flow Diagrams
Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 8 Agile: Scrumban FDD* • Kanban workflow† • Scrum development Ideas Features w/User Stories Design Dev Test Static Test Dynamic Final Approval Release WIP Limit * Feature Driven Development † Adaptive Software Development
Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 9 Phase 1 (Foundational) AppSec DevOps: Security Feature Driven Development • User Stories • Assess Risks • Frameworks/Patterns • Attack Analysis • Threat Modeling • Approved Tools • Deprecate Functions • Static Analysis • Unit Tests • Dynamic Analysis • Fuzz Testing • Attack Review • Penetration Testing • Risk Acceptance • Go/No-Go • Logs • Alerts • Management • Usage • Changes • Vulnerabilities • Dashboards & Reports
Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 10 II DEVSECOPS Security Test Driven Development
Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 11 Host Platform Prerequisites 0.01 Minimum required platform components 0.02 Fully patched and up-to-date platform 0.03 Vulnerability free Components & Development Framework 0.04 Host firewall-ing: only required ports 0.05 Anti-malware scanning 0.06 Load balancing 0.07 Resiliency – failover 0.08 Backups – encrypted 0.09 Certificate Management 0.10 Key Management 0.11 Access Management: least privilege roles for admin & maintenance
Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 12 Application Defense • Inside-Out (the network is porous) • 1. Design Threat Analysis • 2. SAST (Static Security Testing) in IDE • 3. SAST in builds • 4. Secure Code Reviews (optional / out-of-band) • 5. DAST (Dynamic Security Testing) • 6. QA of requirements (white box) • 7. Fuzzing (As required, based on risk: QA Pen Test) • Outside-In • 8. Pen Test Suite • 9. Public Bug Bounty Program • Responsive/Active Defense - detection & response • 10. RASP (Runtime Application Self-Protection Security): Logging, with automated response • 11. SIEM (Security Information and Event Management: Dashboards with auto alerts • 12. Training (reducing detected vulnerabilites)
Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 13 Phase 2 DevSecOps: Security Test Driven Development • Threat Analysis • CI Training • SAST in IDE • SAST in build mgmt • Automated Security Requirements QA • DAST • RASP • SIEM • Secure Code Review • Fuzzing (PenT) • Bug Bounty
Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 14 Finis • Robert Grupe, CISSP, CSSLP, PE, PMP • robert@rgrupe.com • +1.314.278.7901

Recommended

Red7 SSDLC Introduction: Building Secure Web and Mobile Applications
Red7 SSDLC Introduction: Building Secure Web and Mobile ApplicationsRed7 SSDLC Introduction: Building Secure Web and Mobile Applications
Red7 SSDLC Introduction: Building Secure Web and Mobile Applications
Robert Grupe, CSSLP CISSP PE PMP
 
Web Application Security: Beyond PEN Testing
Web Application Security: Beyond PEN TestingWeb Application Security: Beyond PEN Testing
Web Application Security: Beyond PEN Testing
Robert Grupe, CSSLP CISSP PE PMP
 
Application Security Logging with Splunk using Java
Application Security Logging with Splunk using JavaApplication Security Logging with Splunk using Java
Application Security Logging with Splunk using Java
Robert Grupe, CSSLP CISSP PE PMP
 
Red7 Software Application Security Threat Modeling
Red7 Software Application Security Threat ModelingRed7 Software Application Security Threat Modeling
Red7 Software Application Security Threat Modeling
Robert Grupe, CSSLP CISSP PE PMP
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development Lifecycle
Black Duck by Synopsys
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Kyle Lai
 

Recommended

Red7 SSDLC Introduction: Building Secure Web and Mobile Applications
Red7 SSDLC Introduction: Building Secure Web and Mobile ApplicationsRed7 SSDLC Introduction: Building Secure Web and Mobile Applications
Red7 SSDLC Introduction: Building Secure Web and Mobile Applications
Robert Grupe, CSSLP CISSP PE PMP
 
Web Application Security: Beyond PEN Testing
Web Application Security: Beyond PEN TestingWeb Application Security: Beyond PEN Testing
Web Application Security: Beyond PEN Testing
Robert Grupe, CSSLP CISSP PE PMP
 
Application Security Logging with Splunk using Java
Application Security Logging with Splunk using JavaApplication Security Logging with Splunk using Java
Application Security Logging with Splunk using Java
Robert Grupe, CSSLP CISSP PE PMP
 
Red7 Software Application Security Threat Modeling
Red7 Software Application Security Threat ModelingRed7 Software Application Security Threat Modeling
Red7 Software Application Security Threat Modeling
Robert Grupe, CSSLP CISSP PE PMP
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development Lifecycle
Black Duck by Synopsys
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Kyle Lai
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Digital Defense Inc
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSecure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Salil Kumar Subramony
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s Missing
Black Duck by Synopsys
 
Integrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOpsIntegrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOps
Ulf Mattsson
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best Practices
Black Duck by Synopsys
 
Continuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-SecurityContinuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-Security
Stephen de Vries
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security
Black Duck by Synopsys
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
Maurice Dawson
 
Security Development Lifecycle Tools
Security Development Lifecycle ToolsSecurity Development Lifecycle Tools
Security Development Lifecycle Tools
n|u - The Open Security Community
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
Flight East 2018 Presentation–Black Duck at Docusign
Flight East 2018 Presentation–Black Duck at DocusignFlight East 2018 Presentation–Black Duck at Docusign
Flight East 2018 Presentation–Black Duck at Docusign
Synopsys Software Integrity Group
 
Effective DevSecOps
Effective DevSecOpsEffective DevSecOps
Effective DevSecOps
Pawel Krawczyk
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps Journey
Veracode
 
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyFilling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Black Duck by Synopsys
 
Integrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIsIntegrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIs
Black Duck by Synopsys
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...
Kevin Fealey
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
Kevin Fealey
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
Black Duck by Synopsys
 
Customer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to ComplianceCustomer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to Compliance
Black Duck by Synopsys
 
Red7 Product Portfolio Management
Red7 Product Portfolio ManagementRed7 Product Portfolio Management
Red7 Product Portfolio Management
Robert Grupe, CSSLP CISSP PE PMP
 
Kaa2015, Tech Debt: Understanding its Sources and Impacts Through a Game
Kaa2015, Tech Debt: Understanding its Sources and Impacts Through a GameKaa2015, Tech Debt: Understanding its Sources and Impacts Through a Game
Kaa2015, Tech Debt: Understanding its Sources and Impacts Through a Game
dtcroley
 

More Related Content

What's hot

Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Digital Defense Inc
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSecure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Salil Kumar Subramony
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s Missing
Black Duck by Synopsys
 
Integrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOpsIntegrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOps
Ulf Mattsson
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best Practices
Black Duck by Synopsys
 
Continuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-SecurityContinuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-Security
Stephen de Vries
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security
Black Duck by Synopsys
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
Maurice Dawson
 
Security Development Lifecycle Tools
Security Development Lifecycle ToolsSecurity Development Lifecycle Tools
Security Development Lifecycle Tools
n|u - The Open Security Community
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
Flight East 2018 Presentation–Black Duck at Docusign
Flight East 2018 Presentation–Black Duck at DocusignFlight East 2018 Presentation–Black Duck at Docusign
Flight East 2018 Presentation–Black Duck at Docusign
Synopsys Software Integrity Group
 
Effective DevSecOps
Effective DevSecOpsEffective DevSecOps
Effective DevSecOps
Pawel Krawczyk
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps Journey
Veracode
 
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyFilling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Black Duck by Synopsys
 
Integrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIsIntegrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIs
Black Duck by Synopsys
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...
Kevin Fealey
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
Kevin Fealey
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
Black Duck by Synopsys
 
Customer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to ComplianceCustomer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to Compliance
Black Duck by Synopsys
 

What's hot (20)

Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSecure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green Method
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s Missing
 
Integrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOpsIntegrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOps
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best Practices
 
Continuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-SecurityContinuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-Security
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
 
Security Development Lifecycle Tools
Security Development Lifecycle ToolsSecurity Development Lifecycle Tools
Security Development Lifecycle Tools
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
 
Flight East 2018 Presentation–Black Duck at Docusign
Flight East 2018 Presentation–Black Duck at DocusignFlight East 2018 Presentation–Black Duck at Docusign
Flight East 2018 Presentation–Black Duck at Docusign
 
Effective DevSecOps
Effective DevSecOpsEffective DevSecOps
Effective DevSecOps
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps Journey
 
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyFilling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
 
Integrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIsIntegrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIs
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
 
Customer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to ComplianceCustomer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to Compliance
 

Viewers also liked

Red7 Product Portfolio Management
Red7 Product Portfolio ManagementRed7 Product Portfolio Management
Red7 Product Portfolio Management
Robert Grupe, CSSLP CISSP PE PMP
 
Kaa2015, Tech Debt: Understanding its Sources and Impacts Through a Game
Kaa2015, Tech Debt: Understanding its Sources and Impacts Through a GameKaa2015, Tech Debt: Understanding its Sources and Impacts Through a Game
Kaa2015, Tech Debt: Understanding its Sources and Impacts Through a Game
dtcroley
 
Leveraging Your Company's DevOps Transformation (AppSec USA 2014)
Leveraging Your Company's DevOps Transformation (AppSec USA 2014)Leveraging Your Company's DevOps Transformation (AppSec USA 2014)
Leveraging Your Company's DevOps Transformation (AppSec USA 2014)
dev2ops
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Matt Tesauro
 
Lisa Conference 2014: DevOps and AppSec - Who is Responsible
Lisa Conference 2014: DevOps and AppSec - Who is ResponsibleLisa Conference 2014: DevOps and AppSec - Who is Responsible
Lisa Conference 2014: DevOps and AppSec - Who is Responsible
SeniorStoryteller
 
Red7 Automating UAT Web Testing
Red7 Automating UAT Web TestingRed7 Automating UAT Web Testing
Red7 Automating UAT Web Testing
Robert Grupe, CSSLP CISSP PE PMP
 
Red7 Medical Identity Security and Data Protection
Red7 Medical Identity Security and Data ProtectionRed7 Medical Identity Security and Data Protection
Red7 Medical Identity Security and Data Protection
Robert Grupe, CSSLP CISSP PE PMP
 
Red7 Software Planning Models
Red7 Software Planning ModelsRed7 Software Planning Models
Red7 Software Planning Models
Robert Grupe, CSSLP CISSP PE PMP
 
Red7 Product Management Software Tools Overview
Red7 Product Management Software Tools OverviewRed7 Product Management Software Tools Overview
Red7 Product Management Software Tools Overview
Robert Grupe, CSSLP CISSP PE PMP
 
Technical debt sources and impacts
Technical debt sources and impactsTechnical debt sources and impacts
Technical debt sources and impacts
dtcroley
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3
Denim Group
 
Boy Scouts STEM Nova Awards
Boy Scouts STEM Nova AwardsBoy Scouts STEM Nova Awards
Boy Scouts STEM Nova Awards
Robert Grupe, CSSLP CISSP PE PMP
 
Red7 NPD and Project Management Life Cycle Models Overview
Red7 NPD and Project Management Life Cycle Models OverviewRed7 NPD and Project Management Life Cycle Models Overview
Red7 NPD and Project Management Life Cycle Models Overview
Robert Grupe, CSSLP CISSP PE PMP
 
Venturing: Extending the Boy Scout Troop
Venturing: Extending the Boy Scout TroopVenturing: Extending the Boy Scout Troop
Venturing: Extending the Boy Scout Troop
Robert Grupe, CSSLP CISSP PE PMP
 
Boy Scout Parents Introduction
Boy Scout Parents IntroductionBoy Scout Parents Introduction
Boy Scout Parents Introduction
Robert Grupe, CSSLP CISSP PE PMP
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
Denim Group
 
DevOps AppSec Pipeline Velcocity NY 2015
DevOps AppSec Pipeline Velcocity NY 2015DevOps AppSec Pipeline Velcocity NY 2015
DevOps AppSec Pipeline Velcocity NY 2015
Aaron Weaver
 
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world casesDevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
DevSecCon
 
Red7 Developing Product Requirements: Tools and Process
Red7 Developing Product Requirements: Tools and ProcessRed7 Developing Product Requirements: Tools and Process
Red7 Developing Product Requirements: Tools and Process
Robert Grupe, CSSLP CISSP PE PMP
 
Boy Scouts Introduction
Boy Scouts IntroductionBoy Scouts Introduction
Boy Scouts Introduction
Robert Grupe, CSSLP CISSP PE PMP
 

Viewers also liked (20)

Red7 Product Portfolio Management
Red7 Product Portfolio ManagementRed7 Product Portfolio Management
Red7 Product Portfolio Management
 
Kaa2015, Tech Debt: Understanding its Sources and Impacts Through a Game
Kaa2015, Tech Debt: Understanding its Sources and Impacts Through a GameKaa2015, Tech Debt: Understanding its Sources and Impacts Through a Game
Kaa2015, Tech Debt: Understanding its Sources and Impacts Through a Game
 
Leveraging Your Company's DevOps Transformation (AppSec USA 2014)
Leveraging Your Company's DevOps Transformation (AppSec USA 2014)Leveraging Your Company's DevOps Transformation (AppSec USA 2014)
Leveraging Your Company's DevOps Transformation (AppSec USA 2014)
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
 
Lisa Conference 2014: DevOps and AppSec - Who is Responsible
Lisa Conference 2014: DevOps and AppSec - Who is ResponsibleLisa Conference 2014: DevOps and AppSec - Who is Responsible
Lisa Conference 2014: DevOps and AppSec - Who is Responsible
 
Red7 Automating UAT Web Testing
Red7 Automating UAT Web TestingRed7 Automating UAT Web Testing
Red7 Automating UAT Web Testing
 
Red7 Medical Identity Security and Data Protection
Red7 Medical Identity Security and Data ProtectionRed7 Medical Identity Security and Data Protection
Red7 Medical Identity Security and Data Protection
 
Red7 Software Planning Models
Red7 Software Planning ModelsRed7 Software Planning Models
Red7 Software Planning Models
 
Red7 Product Management Software Tools Overview
Red7 Product Management Software Tools OverviewRed7 Product Management Software Tools Overview
Red7 Product Management Software Tools Overview
 
Technical debt sources and impacts
Technical debt sources and impactsTechnical debt sources and impacts
Technical debt sources and impacts
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3
 
Boy Scouts STEM Nova Awards
Boy Scouts STEM Nova AwardsBoy Scouts STEM Nova Awards
Boy Scouts STEM Nova Awards
 
Red7 NPD and Project Management Life Cycle Models Overview
Red7 NPD and Project Management Life Cycle Models OverviewRed7 NPD and Project Management Life Cycle Models Overview
Red7 NPD and Project Management Life Cycle Models Overview
 
Venturing: Extending the Boy Scout Troop
Venturing: Extending the Boy Scout TroopVenturing: Extending the Boy Scout Troop
Venturing: Extending the Boy Scout Troop
 
Boy Scout Parents Introduction
Boy Scout Parents IntroductionBoy Scout Parents Introduction
Boy Scout Parents Introduction
 
Monitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps PipelinesMonitoring Attack Surface to Secure DevOps Pipelines
Monitoring Attack Surface to Secure DevOps Pipelines
 
DevOps AppSec Pipeline Velcocity NY 2015
DevOps AppSec Pipeline Velcocity NY 2015DevOps AppSec Pipeline Velcocity NY 2015
DevOps AppSec Pipeline Velcocity NY 2015
 
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world casesDevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
 
Red7 Developing Product Requirements: Tools and Process
Red7 Developing Product Requirements: Tools and ProcessRed7 Developing Product Requirements: Tools and Process
Red7 Developing Product Requirements: Tools and Process
 
Boy Scouts Introduction
Boy Scouts IntroductionBoy Scouts Introduction
Boy Scouts Introduction
 

Similar to Agile AppSec DevOps

SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6
Dinis Cruz
 
Advanced Full Stack Development: Scaling, Deployment, and Maintenance
Advanced Full Stack Development: Scaling, Deployment, and MaintenanceAdvanced Full Stack Development: Scaling, Deployment, and Maintenance
Advanced Full Stack Development: Scaling, Deployment, and Maintenance
saniakhan8105
 
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Shannon Williams
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
Suman Sourav
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
DevOps for Enterprise Systems
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Deborah Schalm
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
DevOps.com
 
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
Amazon Web Services
 
Security for developers
Security for developersSecurity for developers
Security for developers
Abdelrhman Shawky
 
Simplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security ToolsSimplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security Tools
Kevin Fealey
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
Achim D. Brucker
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
Rogue Wave Software
 
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
Agile Testing Alliance
 
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Using jira to manage risks v1.0 - owasp app sec eu - june 2016Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Dinis Cruz
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Achim D. Brucker
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Denim Group
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramTake Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program
Deborah Schalm
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program
DevOps.com
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
AppSensor - Near Real Time Event Detection and Response
AppSensor - Near Real Time Event Detection and ResponseAppSensor - Near Real Time Event Detection and Response
AppSensor - Near Real Time Event Detection and Response
jtmelton
 

Similar to Agile AppSec DevOps (20)

SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6
 
Advanced Full Stack Development: Scaling, Deployment, and Maintenance
Advanced Full Stack Development: Scaling, Deployment, and MaintenanceAdvanced Full Stack Development: Scaling, Deployment, and Maintenance
Advanced Full Stack Development: Scaling, Deployment, and Maintenance
 
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
Securing Container Deployments from Build to Ship to Run - August 2017 - Ranc...
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
 
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
 
Security for developers
Security for developersSecurity for developers
Security for developers
 
Simplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security ToolsSimplify Dev with Complicated Security Tools
Simplify Dev with Complicated Security Tools
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
 
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...
 
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Using jira to manage risks v1.0 - owasp app sec eu - june 2016Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramTake Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
AppSensor - Near Real Time Event Detection and Response
AppSensor - Near Real Time Event Detection and ResponseAppSensor - Near Real Time Event Detection and Response
AppSensor - Near Real Time Event Detection and Response
 

Recently uploaded

How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
FODUU
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 

Recently uploaded (20)

How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 

Agile AppSec DevOps

  • 1. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 1 AGILE APPSEC DEVOPS Secure Software Development with Agile DevOps robertGrupe, CISSP, CSSLP, PE, PMP Tags :: Application, Software, Security, Development, AppSec, DevOps, DevSecOps OWASP, Agile, Kanban, Scrum, Best Practices, Feature Driven Development, FDD, Test Driven Development , TDD
  • 2. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 2 Presentation Summary How ... Application Security (AppSec), Secure Software Development Life Cycle (SSDLC) is applied to Development and IT Operations (DevOps) in Agile, rapid software development and delivery. Moving from 1. Waterfall/Agile: AppSec 2. Feature Driven Development: AppSec with DevOps 3. Test Driven Development (TDD): DevSecOps
  • 3. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 3 Table of Contents 1. AppSec with DevOps: Feature Diven Development 1. Foundational Elements 2. DevSecOps: Security Driven Development
  • 4. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 4 I FOUNDATION Security Feature Driven Development
  • 5. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 5 DevOps Dev • Plan: Requirements, Architecture, Schedule • Create: Design, Coding, Build • Verify: Test • Package: Pre-Production Staging Ops • Release: Coordinating, Deploying • Configure: Infrastructure, Applications • Monitor: Performance, Use, Metrics DevOps Collaboration of software delivery teams: • Developers; • Operations; • Quality Assurance: Testers • Management; • ... etc. Continuous Development automate delivery, focuses on • Bringing together different processes; • Executing them more quickly and more frequently.
  • 6. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 6 SSDLC (SDLC with AppSec) Requirements (Scoping) Design Implementation (Development) Verification (Test) Release • AppSec Requirements (User Stories with Acceptance Criteria) • Security & Regulatory Risk Assessment • Frameworks Patterns • Analyze Attack Surface • Threat Modeling • Approved Tools • Deprecate Unsafe Functions • Static Analysis • Unit Tests/ User Story Acceptance • Dynamic Analysis • Fuzz Testing • Attack Surface Review • Penetration Testing • Deferred Defects Risk Acceptance • Go/No-Go
  • 7. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 7 Application Security Requirement Foundation • AppSec Requirements Library • Use Cases with Acceptance Criteria • Compliance Traceability • Feature Use Case Process Flow Diagrams • Architecture, Components, Patterns • Prototypes • Risk Assessment Threat Modeling Intake • Context Diagram • Data Flow Diagram • Data Map & Model • Process Flow Diagrams
  • 8. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 8 Agile: Scrumban FDD* • Kanban workflow† • Scrum development Ideas Features w/User Stories Design Dev Test Static Test Dynamic Final Approval Release WIP Limit * Feature Driven Development † Adaptive Software Development
  • 9. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 9 Phase 1 (Foundational) AppSec DevOps: Security Feature Driven Development • User Stories • Assess Risks • Frameworks/Patterns • Attack Analysis • Threat Modeling • Approved Tools • Deprecate Functions • Static Analysis • Unit Tests • Dynamic Analysis • Fuzz Testing • Attack Review • Penetration Testing • Risk Acceptance • Go/No-Go • Logs • Alerts • Management • Usage • Changes • Vulnerabilities • Dashboards & Reports
  • 10. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 10 II DEVSECOPS Security Test Driven Development
  • 11. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 11 Host Platform Prerequisites 0.01 Minimum required platform components 0.02 Fully patched and up-to-date platform 0.03 Vulnerability free Components & Development Framework 0.04 Host firewall-ing: only required ports 0.05 Anti-malware scanning 0.06 Load balancing 0.07 Resiliency – failover 0.08 Backups – encrypted 0.09 Certificate Management 0.10 Key Management 0.11 Access Management: least privilege roles for admin & maintenance
  • 12. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 12 Application Defense • Inside-Out (the network is porous) • 1. Design Threat Analysis • 2. SAST (Static Security Testing) in IDE • 3. SAST in builds • 4. Secure Code Reviews (optional / out-of-band) • 5. DAST (Dynamic Security Testing) • 6. QA of requirements (white box) • 7. Fuzzing (As required, based on risk: QA Pen Test) • Outside-In • 8. Pen Test Suite • 9. Public Bug Bounty Program • Responsive/Active Defense - detection & response • 10. RASP (Runtime Application Self-Protection Security): Logging, with automated response • 11. SIEM (Security Information and Event Management: Dashboards with auto alerts • 12. Training (reducing detected vulnerabilites)
  • 13. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 13 Phase 2 DevSecOps: Security Test Driven Development • Threat Analysis • CI Training • SAST in IDE • SAST in build mgmt • Automated Security Requirements QA • DAST • RASP • SIEM • Secure Code Review • Fuzzing (PenT) • Bug Bounty
  • 14. Red7:|:applicationsecurity © Copyright 2017 Robert Grupe. All rights reserved. 14 Finis • Robert Grupe, CISSP, CSSLP, PE, PMP • robert@rgrupe.com • +1.314.278.7901

Editor's Notes

  1. Bio From Fortune 100 to start-up companies, Robert Grupe is an international professional with practitioner, leader, and consultant experience in market strategy, development, and support for global leaders in aerospace, electro-optic, information security, and health care industries. Robert is a registered Certified Information Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), and Project Management Professional (PMP).
  2. https://en.wikipedia.org/wiki/DevOps https://en.wikipedia.org/wiki/DevOps_toolchain Plan Tools: Atlassian (JIRA/Confluence), CA Technologies, iRise and Jama Software Create Tools: Bitbucket, GitLab, GitHub, Electric Cloud, and CFEngine Verify Tools: * Test automation (ThoughtWorks, IBM, HP), * Static analysis (Parasoft, Microsoft, SonarSource), * Test Lab (Skytap, Microsoft, Delphix), and * Security (HP, IBM, Trustwave, FlawCheck). Packaging Tools: Jfrog’s Artifactory, SonaType Nexus repository, and Inedo’s ProGet. Release Tools: Automic, Inedo, VMware, and XebiaLabs * application release automation * deployment automation * release management Configure Tools: Ansible, Chef, Puppet, Otter, and Salt * Continuous Configuration Automation, * configuration management, and * Infrastructure as Code tools. Monitoring Tools: BigPanda, Ganglia, New Relic, Wireshark
  3. http://www.microsoft.com/en-us/sdl/default.aspx
  4. https://en.wikipedia.org/wiki/Agile_software_development https://en.wikipedia.org/wiki/Scrum_(software_development)
  5. From The Daily Drucker, 3/13