SlideShare a Scribd company logo

Chris Rutter: Avoiding The Security Brick

M
Michael Man

Security teams provide concise summaries of dependency scans to development teams. The summaries include the vulnerability found, whether the team is affected, and how to remediate. This avoids lengthy CVE research and allows teams to focus on actual vulnerabilities. Any common libraries and frameworks are pre-scanned by security to share findings.

Technology
1 of 42
Download to read offline
Avoiding The Security Brick Chris Rutter
Practical Patterns And Techniques for Applying Security in Agile / Devops SDLCs Avoiding Throwing Security Bricks Workshop Format - Discussions every 10-15 mins Talk Aims
Java Developer > Security Champion > Security Architect > DevSecOps Consultant Payments, Banking & Government Transformations Currently Consulting with Equal Experts https://www.linkedin.com/in/chris-rutter-1b74a8b0/ Chris Rutter
My Path to DevSecOps
Agile / Devops / Value Stream / Product Delivery
“ Carry out a comprehensive security review / pen test 2 weeks before release date and allow 1 week for remediation” Brick #1
Common Issues ● Superficial review & pen test ● Little scope to influence design ● No time to deal with findings ● Pressurised risk acceptance ● Impossible to release quickly Release Management
Triage Every User Story Every Week
Pen Test New public-facing microservice Change to authentication mechanism Increase in level of data sensitivity New management tool or cloud service Review / Threat Model New non-public microservice Change to application architecture Code behind feature switch New APIs for existing data sensitivity Peer Review / Self-Sign Cosmetic changes Business logic changes Bug Fixes / Refactoring Agreed Review Criteria
Labels and Comments to Track and Evidence
JQL Reports or JIRA API to Enforce
Result ● Security has excellent domain knowledge ● Scrum masters enforce reviews as Definition Of Done ● Faster Release Cycles (up to hourly if required) ● Ability to influence designs early ● Everything reportable, automatable and shareable Release Management
Discussion
“ Before you go live you must ship your logs off to this SOC endpoint (which will take you weeks to onboard)” Brick #2
Common Issues ● Large gap between domain experts and SOC ● Provides a false (and often untested) sense of security ● Ineffective communication and incident response ● Centralised and difficult to onboard or improve Security Operations
Strategy ● Empower teams to implement and own alerting ● Constantly improve with each new threat model ● Focus on improving alert response process ● Use notification subscription model to allow flexibility Security Operations
Infra Alerts Cloudtrail for Threat Modelling GuardDuty for IDS
Templated Alerting Architecture
Slack For Alerts ● Dynamic, interactive workgroup receive notifications ● Link to cloud hosted runbook with incident response instructions ● Each investigation results in a JIRA ticket ● Security just poke people if required
Result ● All alerts continually evolving through threat modelling ● Teams take ownership of alerts ● Security only verify pattern and investigation results ● Quick to set up and script using terraform etc. ● Very cheap compared to commercial IDS / SIEM tools Embedded Operations
Discussion
“Before you can release, scan your application code for vulnerable dependencies and either fix, suppress or acknowledge” Brick #3
Common Issues ● Time-consuming CVE research duplicated (or skipped) ● Most findings are not used in a vulnerable way ● Difficult to manage vulnerabilities with most tools ● Sometimes difficult / impractical to upgrade Dependency Checking
Security Team Proactively Scan Common Libs [INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ vault-policy-generator --- [INFO] security:vault-policy-generator:jar:1-SNAPSHOT [INFO] +- org.springframework.boot:spring-boot-starter:jar:2.0.0.RELEASE:compile [INFO] | +- org.springframework.boot:spring-boot:jar:2.0.0.RELEASE:compile [INFO] | | - org.springframework:spring-context:jar:5.0.4.RELEASE:compile [INFO] | | +- org.springframework:spring-aop:jar:5.0.4.RELEASE:compile [INFO] | | - org.springframework:spring-expression:jar:5.0.4.RELEASE:compile [INFO] | +- org.springframework.boot:spring-boot-autoconfigure:jar:2.0.0.RELEASE:compile [INFO] | +- org.springframework.boot:spring-boot-starter-logging:jar:2.0.0.RELEASE:compile [INFO] | | +- ch.qos.logback:logback-classic:jar:1.2.3:compile [INFO] | | | - ch.qos.logback:logback-core:jar:1.2.3:compile [INFO] | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.10.0:compile [INFO] | | | - org.apache.logging.log4j:log4j-api:jar:2.10.0:compile [INFO] | | - org.slf4j:jul-to-slf4j:jar:1.7.25:compile [INFO] | +- javax.annotation:javax.annotation-api:jar:1.3.2:compile [INFO] | +- org.springframework:spring-core:jar:5.0.4.RELEASE:compile [INFO] | | - org.springframework:spring-jcl:jar:5.0.4.RELEASE:compile [INFO] | - org.yaml:snakeyaml:jar:1.19:runtime [INFO] +- org.springframework.boot:spring-boot-starter-json:jar:2.0.0.RELEASE:compile [INFO] | +- org.springframework:spring-web:jar:5.0.4.RELEASE:compile [INFO] | | - org.springframework:spring-beans:jar:5.0.4.RELEASE:compile [INFO] | +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.4:compile [INFO] | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile [INFO] | | - com.fasterxml.jackson.core:jackson-core:jar:2.9.4:compile [INFO] | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.4:compile [INFO] | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.4:compile [INFO] | - com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.4:compile [INFO] +- org.springframework.boot:spring-boot-configuration-processor:jar:2.0.0.RELEASE:compile (optional) [INFO] +- org.hibernate.validator:hibernate-validator:jar:6.0.13.Final:compile [INFO] | +- javax.validation:validation-api:jar:2.0.1.Final:compile [INFO] | +- org.jboss.logging:jboss-logging:jar:3.3.2.Final:compile [INFO] | - com.fasterxml:classmate:jar:1.3.4:compile [INFO] +- com.google.guava:guava:jar:24.0-jre:compile [INFO] | +- com.google.code.findbugs:jsr305:jar:1.3.9:compile [INFO] | +- org.checkerframework:checker-compat-qual:jar:2.0.0:compile [INFO] | +- com.google.errorprone:error_prone_annotations:jar:2.1.3:compile [INFO] | +- org.hamcrest:hamcrest-core:jar:1.3:test [INFO] | +- org.hamcrest:hamcrest-library:jar:1.3:test [INFO] | +- org.skyscreamer:jsonassert:jar:1.5.0:test [INFO] | | - com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test [INFO] | +- org.springframework:spring-test:jar:5.0.4.RELEASE:test [INFO] | - org.xmlunit:xmlunit-core:jar:2.5.1:test [INFO] +- com.github.tomakehurst:wiremock-standalone:jar:2.6.0:test [INFO] +- org.hamcrest:hamcrest-all:jar:1.3:test [INFO] +- commons-io:commons-io:jar:2.6:compile [INFO] - org.glassfish:javax.el:jar:3.0.1-b09:compile [INFO] | +- junit:junit:jar:4.12:test [INFO] | +- org.assertj:assertj-core:jar:3.9.1:test [INFO] | +- org.mockito:mockito-core:jar:2.15.0:test [INFO] uk.gov.hmrc.security:vault-policy-generator:jar:1-SNAPSHOT [INFO] +- org.springframework.boot:spring-boot-starter:jar:2.0.0.RELEASE:compile [INFO] | +- org.springframework.boot:spring-boot:jar:2.0.0.RELEASE:compile [INFO] | | - org.springframework:spring-context:jar:5.0.4.RELEASE:compile [INFO] | | +- org.springframework:spring-aop:jar:5.0.4.RELEASE:compile [INFO] | | - org.springframework:spring-expression:jar:5.0.4.RELEASE:compile [INFO] | +- org.springframework.boot:spring-boot-autoconfigure:jar:2.0.0.RELEASE:compile [INFO] | +- org.springframework.boot:spring-boot-starter-logging:jar:2.0.0.RELEASE:compile [INFO] | | +- ch.qos.logback:logback-classic:jar:1.2.3:compile [INFO] | | | - ch.qos.logback:logback-core:jar:1.2.3:compile [INFO] | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.10.0:compile [INFO] | | | - org.apache.logging.log4j:log4j-api:jar:2.10.0:compile [INFO] | | - org.slf4j:jul-to-slf4j:jar:1.7.25:compile [INFO] | +- javax.annotation:javax.annotation-api:jar:1.3.2:compile [INFO] | +- org.springframework:spring-core:jar:5.0.4.RELEASE:compile [INFO] | | - org.springframework:spring-jcl:jar:5.0.4.RELEASE:compile [INFO] | - org.yaml:snakeyaml:jar:1.19:runtime [INFO] +- org.springframework.boot:spring-boot-starter-json:jar:2.0.0.RELEASE:compile [INFO] | +- org.springframework:spring-web:jar:5.0.4.RELEASE:compile [INFO] | | - org.springframework:spring-beans:jar:5.0.4.RELEASE:compile [INFO] | +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.4:compile [INFO] | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile [INFO] | | - com.fasterxml.jackson.core:jackson-core:jar:2.9.4:compile [INFO] | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.4:compile [INFO] | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.4:compile [INFO] | - com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.4:compile [INFO] +- org.springframework.boot:spring-boot-configuration-processor:jar:2.0.0.RELEASE:compile (optional) [INFO] +- org.hibernate.validator:hibernate-validator:jar:6.0.13.Final:compile [INFO] | +- javax.validation:validation-api:jar:2.0.1.Final:compile [INFO] | +- org.jboss.logging:jboss-logging:jar:3.3.2.Final:compile [INFO] | - com.fasterxml:classmate:jar:1.3.4:compile [INFO] +- com.google.guava:guava:jar:24.0-jre:compile [INFO] | +- com.google.code.findbugs:jsr305:jar:1.3.9:compile [INFO] | +- org.checkerframework:checker-compat-qual:jar:2.0.0:compile [INFO] | +- com.google.errorprone:error_prone_annotations:jar:2.1.3:compile [INFO] | +- com.google.j2objc:j2objc-annotations:jar:1.1:compile [INFO] | - org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile [INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.0.0.RELEASE:test [INFO] | +- org.springframework.boot:spring-boot-test:jar:2.0.0.RELEASE:test [INFO] | +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.0.0.RELEASE:test [INFO] | +- com.jayway.jsonpath:json-path:jar:2.4.0:test [INFO] | | +- net.minidev:json-smart:jar:2.3:test [INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ vault-policy-generator --- [INFO] | | | - net.minidev:accessors-smart:jar:1.2:test [INFO] | | | - org.ow2.asm:asm:jar:5.0.4:test [INFO] | | - org.slf4j:slf4j-api:jar:1.7.25:compile [INFO] | | +- net.bytebuddy:byte-buddy:jar:1.7.10:test [INFO] | | +- net.bytebuddy:byte-buddy-agent:jar:1.7.10:test [INFO] | | - org.objenesis:objenesis:jar:2.6:test
Jackson Deserialization Vulnerability (CVE 2017-7525): Introduction: This vulnerability takes advantage of the ability of an attacker to force a server to deserialize a compromised class which is known to be on a large number of class paths and inject malicious input which can result in code execution. Am I Vulnerable?: You are vulnerable if you use polymorphic typing feature anywhere in your code. This can be configured in a few ways: @JsonTypeInfo, @JsonSubTypes or mapper.enableDefaultTyping() How can I remediate?: You must ensure that you globally configure ObjectMapper disableDefaultTyping() and have no instances of @JsonTypeInfo, @JsonSubTypes Share Pre-Investigated Issues
Basic Code Scanning Engine Vulnerability Search Terms XXE XMLInputFactory, TransformerFactory, SchemaFactory, SAXTransformerFactory, XMLReader Jackson Deserialization @JsonTypeInfo, @JsonSubTypes, mapper.enableDefaultTyping() Logback ServerSocketReceiver
Discussion
“A hugely critical vulnerability from 6 weeks ago has landed in a VIP’s inbox. It even has a logo so RED ALERT!, stop everything.” Brick #4
Common Issues ● Vulnerabilities come from high up to add pressure ● Usually have lots of FUD and little Facts ● Security have a point to prove ● Disrupts lots of teams and value stream Knee Jerking to Vulnerabilities
Active Security News Groups
Create Work Tracker and Link to Team Tickets
Create Work Group Which Self Manages
Lightweight Documentation to Pass up Chain Docker Escape Investigation (CVE 2019-5736): Introduction: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Investigation Scope: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore. Risk Assessment:Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et Remediation Steps: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Residual Risk: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.
Put The Brick Down ● Security reviews and collaboration small but often ● Effective communication through modern tools ● Shift security ownership up the pipeline ● Focus on technical and process improvement rather than managing and firefighting
W.W.A.T ?
Questions?

Recommended

Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Michael Man
 
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Michael Man
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDays Riga
 
KVM_security
KVM_securityKVM_security
KVM_securityFrank Caviggia
 
Security Tips to run Docker in Production
Security Tips to run Docker in ProductionSecurity Tips to run Docker in Production
Security Tips to run Docker in ProductionGianluca Arbezzano
 
Kubernetes - security you need to know about it
Kubernetes - security you need to know about itKubernetes - security you need to know about it
Kubernetes - security you need to know about itHaydn Johnson
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security JourneyJerry Jalava
 
Bandit and Gosec - Security Linters
Bandit and Gosec - Security LintersBandit and Gosec - Security Linters
Bandit and Gosec - Security LintersEricBrown328
 

Recommended

Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Michael Man
 
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...Michael Man
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDays Riga
 
KVM_security
KVM_securityKVM_security
KVM_securityFrank Caviggia
 
Security Tips to run Docker in Production
Security Tips to run Docker in ProductionSecurity Tips to run Docker in Production
Security Tips to run Docker in ProductionGianluca Arbezzano
 
Kubernetes - security you need to know about it
Kubernetes - security you need to know about itKubernetes - security you need to know about it
Kubernetes - security you need to know about itHaydn Johnson
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security JourneyJerry Jalava
 
Bandit and Gosec - Security Linters
Bandit and Gosec - Security LintersBandit and Gosec - Security Linters
Bandit and Gosec - Security LintersEricBrown328
 
JEE on DC/OS
JEE on DC/OSJEE on DC/OS
JEE on DC/OSJosef Adersberger
 
Lessons Learned in Automating Compliance for Containers
Lessons Learned in Automating Compliance for ContainersLessons Learned in Automating Compliance for Containers
Lessons Learned in Automating Compliance for ContainersAll Things Open
 
Securing Network Access with Open Source solutions
Securing Network Access with Open Source solutionsSecuring Network Access with Open Source solutions
Securing Network Access with Open Source solutionsNick Owen
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCRahul Raghavan
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbain|u - The Open Security Community
 
Microservices with Micronaut
Microservices with MicronautMicroservices with Micronaut
Microservices with MicronautQAware GmbH
 
Locking down your Kubernetes cluster with Linkerd
Locking down your Kubernetes cluster with LinkerdLocking down your Kubernetes cluster with Linkerd
Locking down your Kubernetes cluster with LinkerdBuoyant
 
Istio Cloud Native Online Series - Intro to Istio Security
Istio Cloud Native Online Series - Intro to Istio SecurityIstio Cloud Native Online Series - Intro to Istio Security
Istio Cloud Native Online Series - Intro to Istio SecurityMatt Baldwin
 
Replatforming Legacy Packaged Applications: Block-by-Block with Minecraft
Replatforming Legacy Packaged Applications: Block-by-Block with MinecraftReplatforming Legacy Packaged Applications: Block-by-Block with Minecraft
Replatforming Legacy Packaged Applications: Block-by-Block with MinecraftVMware Tanzu
 
Kubernetes for Beginners
Kubernetes for BeginnersKubernetes for Beginners
Kubernetes for BeginnersDigitalOcean
 
DAST в CI/CD, Ольга Свиридова
DAST в CI/CD, Ольга СвиридоваDAST в CI/CD, Ольга Свиридова
DAST в CI/CD, Ольга СвиридоваMail.ru Group
 
Hardening Kubernetes by Securing Pods
Hardening Kubernetes by Securing PodsHardening Kubernetes by Securing Pods
Hardening Kubernetes by Securing PodsSuraj Deshmukh
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with FalcoMichael Ducy
 
Cloud networking deep dive
Cloud networking deep diveCloud networking deep dive
Cloud networking deep diveamylynn11
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010Chris Gates
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Chris Gates
 
WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017Alexander Polce Leary
 
Open source security tools for Kubernetes.
Open source security tools for Kubernetes.Open source security tools for Kubernetes.
Open source security tools for Kubernetes.Michael Ducy
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)NGINX, Inc.
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)NGINX, Inc.
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileOleg Gryb
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summaryKarun Chennuri
 

More Related Content

What's hot

Lessons Learned in Automating Compliance for Containers
Lessons Learned in Automating Compliance for ContainersLessons Learned in Automating Compliance for Containers
Lessons Learned in Automating Compliance for ContainersAll Things Open
 
Securing Network Access with Open Source solutions
Securing Network Access with Open Source solutionsSecuring Network Access with Open Source solutions
Securing Network Access with Open Source solutionsNick Owen
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCRahul Raghavan
 
Microservices with Micronaut
Microservices with MicronautMicroservices with Micronaut
Microservices with MicronautQAware GmbH
 
Locking down your Kubernetes cluster with Linkerd
Locking down your Kubernetes cluster with LinkerdLocking down your Kubernetes cluster with Linkerd
Locking down your Kubernetes cluster with LinkerdBuoyant
 
Istio Cloud Native Online Series - Intro to Istio Security
Istio Cloud Native Online Series - Intro to Istio SecurityIstio Cloud Native Online Series - Intro to Istio Security
Istio Cloud Native Online Series - Intro to Istio SecurityMatt Baldwin
 
Replatforming Legacy Packaged Applications: Block-by-Block with Minecraft
Replatforming Legacy Packaged Applications: Block-by-Block with MinecraftReplatforming Legacy Packaged Applications: Block-by-Block with Minecraft
Replatforming Legacy Packaged Applications: Block-by-Block with MinecraftVMware Tanzu
 
Kubernetes for Beginners
Kubernetes for BeginnersKubernetes for Beginners
Kubernetes for BeginnersDigitalOcean
 
DAST в CI/CD, Ольга Свиридова
DAST в CI/CD, Ольга СвиридоваDAST в CI/CD, Ольга Свиридова
DAST в CI/CD, Ольга СвиридоваMail.ru Group
 
Hardening Kubernetes by Securing Pods
Hardening Kubernetes by Securing PodsHardening Kubernetes by Securing Pods
Hardening Kubernetes by Securing PodsSuraj Deshmukh
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with FalcoMichael Ducy
 
Cloud networking deep dive
Cloud networking deep diveCloud networking deep dive
Cloud networking deep diveamylynn11
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010Chris Gates
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Chris Gates
 
WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017Alexander Polce Leary
 
Open source security tools for Kubernetes.
Open source security tools for Kubernetes.Open source security tools for Kubernetes.
Open source security tools for Kubernetes.Michael Ducy
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)NGINX, Inc.
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)NGINX, Inc.
 

What's hot (20)

JEE on DC/OS
JEE on DC/OSJEE on DC/OS
JEE on DC/OS
 
Lessons Learned in Automating Compliance for Containers
Lessons Learned in Automating Compliance for ContainersLessons Learned in Automating Compliance for Containers
Lessons Learned in Automating Compliance for Containers
 
Securing Network Access with Open Source solutions
Securing Network Access with Open Source solutionsSecuring Network Access with Open Source solutions
Securing Network Access with Open Source solutions
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLC
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
 
Microservices with Micronaut
Microservices with MicronautMicroservices with Micronaut
Microservices with Micronaut
 
Locking down your Kubernetes cluster with Linkerd
Locking down your Kubernetes cluster with LinkerdLocking down your Kubernetes cluster with Linkerd
Locking down your Kubernetes cluster with Linkerd
 
Istio Cloud Native Online Series - Intro to Istio Security
Istio Cloud Native Online Series - Intro to Istio SecurityIstio Cloud Native Online Series - Intro to Istio Security
Istio Cloud Native Online Series - Intro to Istio Security
 
Replatforming Legacy Packaged Applications: Block-by-Block with Minecraft
Replatforming Legacy Packaged Applications: Block-by-Block with MinecraftReplatforming Legacy Packaged Applications: Block-by-Block with Minecraft
Replatforming Legacy Packaged Applications: Block-by-Block with Minecraft
 
Kubernetes for Beginners
Kubernetes for BeginnersKubernetes for Beginners
Kubernetes for Beginners
 
DAST в CI/CD, Ольга Свиридова
DAST в CI/CD, Ольга СвиридоваDAST в CI/CD, Ольга Свиридова
DAST в CI/CD, Ольга Свиридова
 
Hardening Kubernetes by Securing Pods
Hardening Kubernetes by Securing PodsHardening Kubernetes by Securing Pods
Hardening Kubernetes by Securing Pods
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
 
Cloud networking deep dive
Cloud networking deep diveCloud networking deep dive
Cloud networking deep dive
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
 
WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017
 
Open source security tools for Kubernetes.
Open source security tools for Kubernetes.Open source security tools for Kubernetes.
Open source security tools for Kubernetes.
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
 

Similar to Chris Rutter: Avoiding The Security Brick

AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileOleg Gryb
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summaryKarun Chennuri
 
Avoiding the security brick
Avoiding the security brickAvoiding the security brick
Avoiding the security brickEqual Experts
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterEqual Experts
 
Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael DenipottiSecure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael DenipottiRaphael Denipotti
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCSuman Sourav
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybSeniorStoryteller
 
Build a complete security operations and compliance program using a graph dat...
Build a complete security operations and compliance program using a graph dat...Build a complete security operations and compliance program using a graph dat...
Build a complete security operations and compliance program using a graph dat...Erkang Zheng
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline SecurityJames Wickett
 
Cloud native development without the toil
Cloud native development without the toilCloud native development without the toil
Cloud native development without the toilAmbassador Labs
 
GOTOpia 2/2021 "Cloud Native Development Without the Toil: An Overview of Pra...
GOTOpia 2/2021 "Cloud Native Development Without the Toil: An Overview of Pra...GOTOpia 2/2021 "Cloud Native Development Without the Toil: An Overview of Pra...
GOTOpia 2/2021 "Cloud Native Development Without the Toil: An Overview of Pra...Daniel Bryant
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
JAX London 2021: Jumpstart Your Cloud Native Development: An Overview of Prac...
JAX London 2021: Jumpstart Your Cloud Native Development: An Overview of Prac...JAX London 2021: Jumpstart Your Cloud Native Development: An Overview of Prac...
JAX London 2021: Jumpstart Your Cloud Native Development: An Overview of Prac...Daniel Bryant
 
Clone of an organization
Clone of an organizationClone of an organization
Clone of an organizationIRJET Journal
 
Top10 Characteristics of Awesome Apps
Top10 Characteristics of Awesome AppsTop10 Characteristics of Awesome Apps
Top10 Characteristics of Awesome AppsCasey Lee
 
3830100.ppt
3830100.ppt3830100.ppt
3830100.pptazida3
 
Java Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant VulnerabilitiesJava Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant VulnerabilitiesLumension
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryTechWell
 
Automate Cloud and Application Security Deployments with Barracuda and Puppet...
Automate Cloud and Application Security Deployments with Barracuda and Puppet...Automate Cloud and Application Security Deployments with Barracuda and Puppet...
Automate Cloud and Application Security Deployments with Barracuda and Puppet...Claire Priester Papas
 

Similar to Chris Rutter: Avoiding The Security Brick (20)

AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summary
 
Avoiding the security brick
Avoiding the security brickAvoiding the security brick
Avoiding the security brick
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building Better
 
Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael DenipottiSecure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg Gryb
 
Build a complete security operations and compliance program using a graph dat...
Build a complete security operations and compliance program using a graph dat...Build a complete security operations and compliance program using a graph dat...
Build a complete security operations and compliance program using a graph dat...
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
 
Cloud native development without the toil
Cloud native development without the toilCloud native development without the toil
Cloud native development without the toil
 
GOTOpia 2/2021 "Cloud Native Development Without the Toil: An Overview of Pra...
GOTOpia 2/2021 "Cloud Native Development Without the Toil: An Overview of Pra...GOTOpia 2/2021 "Cloud Native Development Without the Toil: An Overview of Pra...
GOTOpia 2/2021 "Cloud Native Development Without the Toil: An Overview of Pra...
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
JAX London 2021: Jumpstart Your Cloud Native Development: An Overview of Prac...
JAX London 2021: Jumpstart Your Cloud Native Development: An Overview of Prac...JAX London 2021: Jumpstart Your Cloud Native Development: An Overview of Prac...
JAX London 2021: Jumpstart Your Cloud Native Development: An Overview of Prac...
 
Clone of an organization
Clone of an organizationClone of an organization
Clone of an organization
 
Top10 Characteristics of Awesome Apps
Top10 Characteristics of Awesome AppsTop10 Characteristics of Awesome Apps
Top10 Characteristics of Awesome Apps
 
3830100.ppt
3830100.ppt3830100.ppt
3830100.ppt
 
Java Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant VulnerabilitiesJava Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant Vulnerabilities
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous Delivery
 
2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.mil2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.mil
 
Automate Cloud and Application Security Deployments with Barracuda and Puppet...
Automate Cloud and Application Security Deployments with Barracuda and Puppet...Automate Cloud and Application Security Deployments with Barracuda and Puppet...
Automate Cloud and Application Security Deployments with Barracuda and Puppet...
 

More from Michael Man

5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)Michael Man
 
K8S Certifications - Exam Cram
K8S Certifications - Exam CramK8S Certifications - Exam Cram
K8S Certifications - Exam CramMichael Man
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)Michael Man
 
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...Michael Man
 
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...Michael Man
 
Extract Oct 2019: DSO-LG Rolling Slides
Extract Oct 2019: DSO-LG Rolling SlidesExtract Oct 2019: DSO-LG Rolling Slides
Extract Oct 2019: DSO-LG Rolling SlidesMichael Man
 
Sept 2019 - DSO-LG Tooling Examples
Sept 2019 - DSO-LG Tooling ExamplesSept 2019 - DSO-LG Tooling Examples
Sept 2019 - DSO-LG Tooling ExamplesMichael Man
 
DevSecOps Manchester - May 2019
DevSecOps Manchester - May 2019DevSecOps Manchester - May 2019
DevSecOps Manchester - May 2019Michael Man
 
Extract: DevSecOps - London Gathering (March 2019)
Extract: DevSecOps - London Gathering (March 2019)Extract: DevSecOps - London Gathering (March 2019)
Extract: DevSecOps - London Gathering (March 2019)Michael Man
 
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...Michael Man
 
August 2018: DevSecOps - London Gathering
August 2018: DevSecOps - London GatheringAugust 2018: DevSecOps - London Gathering
August 2018: DevSecOps - London GatheringMichael Man
 
DevSecOps - London Gathering : June 2018
DevSecOps - London Gathering : June 2018DevSecOps - London Gathering : June 2018
DevSecOps - London Gathering : June 2018Michael Man
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Michael Man
 
The mechanics behind how attackers exploit simple programming mistakes ...
The mechanics behind how attackers exploit simple programming mistakes ...The mechanics behind how attackers exploit simple programming mistakes ...
The mechanics behind how attackers exploit simple programming mistakes ...Michael Man
 
Secret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret DragonsSecret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret DragonsMichael Man
 
DevSecOps March 2018 - Extract
DevSecOps March 2018 - ExtractDevSecOps March 2018 - Extract
DevSecOps March 2018 - ExtractMichael Man
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsMichael Man
 
Dynaminet -DevSecOps
Dynaminet -DevSecOpsDynaminet -DevSecOps
Dynaminet -DevSecOpsMichael Man
 
DevSecOps: Test Automation
DevSecOps: Test AutomationDevSecOps: Test Automation
DevSecOps: Test AutomationMichael Man
 
Project management experience security in agile 1309
Project management experience security in agile 1309Project management experience security in agile 1309
Project management experience security in agile 1309Michael Man
 

More from Michael Man (20)

5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)
 
K8S Certifications - Exam Cram
K8S Certifications - Exam CramK8S Certifications - Exam Cram
K8S Certifications - Exam Cram
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
 
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
DSO-LG March 2018: The mechanics behind how attackers exploit simple programm...
 
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
DSO-LG Oct 2019: Modern Software Delivery: Supply Chain Security Critical (Ch...
 
Extract Oct 2019: DSO-LG Rolling Slides
Extract Oct 2019: DSO-LG Rolling SlidesExtract Oct 2019: DSO-LG Rolling Slides
Extract Oct 2019: DSO-LG Rolling Slides
 
Sept 2019 - DSO-LG Tooling Examples
Sept 2019 - DSO-LG Tooling ExamplesSept 2019 - DSO-LG Tooling Examples
Sept 2019 - DSO-LG Tooling Examples
 
DevSecOps Manchester - May 2019
DevSecOps Manchester - May 2019DevSecOps Manchester - May 2019
DevSecOps Manchester - May 2019
 
Extract: DevSecOps - London Gathering (March 2019)
Extract: DevSecOps - London Gathering (March 2019)Extract: DevSecOps - London Gathering (March 2019)
Extract: DevSecOps - London Gathering (March 2019)
 
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
Matt Turner: Istio, The Packet's-Eye View (DevSecOps - London Gathering, Janu...
 
August 2018: DevSecOps - London Gathering
August 2018: DevSecOps - London GatheringAugust 2018: DevSecOps - London Gathering
August 2018: DevSecOps - London Gathering
 
DevSecOps - London Gathering : June 2018
DevSecOps - London Gathering : June 2018DevSecOps - London Gathering : June 2018
DevSecOps - London Gathering : June 2018
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!
 
The mechanics behind how attackers exploit simple programming mistakes ...
The mechanics behind how attackers exploit simple programming mistakes ...The mechanics behind how attackers exploit simple programming mistakes ...
The mechanics behind how attackers exploit simple programming mistakes ...
 
Secret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret DragonsSecret Management Journey - Here Be Dragons aka Secret Dragons
Secret Management Journey - Here Be Dragons aka Secret Dragons
 
DevSecOps March 2018 - Extract
DevSecOps March 2018 - ExtractDevSecOps March 2018 - Extract
DevSecOps March 2018 - Extract
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOps
 
Dynaminet -DevSecOps
Dynaminet -DevSecOpsDynaminet -DevSecOps
Dynaminet -DevSecOps
 
DevSecOps: Test Automation
DevSecOps: Test AutomationDevSecOps: Test Automation
DevSecOps: Test Automation
 
Project management experience security in agile 1309
Project management experience security in agile 1309Project management experience security in agile 1309
Project management experience security in agile 1309
 

Recently uploaded

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 

Recently uploaded (20)

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 

Chris Rutter: Avoiding The Security Brick

  • 2. Practical Patterns And Techniques for Applying Security in Agile / Devops SDLCs Avoiding Throwing Security Bricks Workshop Format - Discussions every 10-15 mins Talk Aims
  • 3. Java Developer > Security Champion > Security Architect > DevSecOps Consultant Payments, Banking & Government Transformations Currently Consulting with Equal Experts https://www.linkedin.com/in/chris-rutter-1b74a8b0/ Chris Rutter
  • 4.
  • 5. My Path to DevSecOps
  • 6.
  • 7. Agile / Devops / Value Stream / Product Delivery
  • 8. “ Carry out a comprehensive security review / pen test 2 weeks before release date and allow 1 week for remediation” Brick #1
  • 9.
  • 10. Common Issues ● Superficial review & pen test ● Little scope to influence design ● No time to deal with findings ● Pressurised risk acceptance ● Impossible to release quickly Release Management
  • 11. Triage Every User Story Every Week
  • 12. Pen Test New public-facing microservice Change to authentication mechanism Increase in level of data sensitivity New management tool or cloud service Review / Threat Model New non-public microservice Change to application architecture Code behind feature switch New APIs for existing data sensitivity Peer Review / Self-Sign Cosmetic changes Business logic changes Bug Fixes / Refactoring Agreed Review Criteria
  • 13. Labels and Comments to Track and Evidence
  • 14. JQL Reports or JIRA API to Enforce
  • 15. Result ● Security has excellent domain knowledge ● Scrum masters enforce reviews as Definition Of Done ● Faster Release Cycles (up to hourly if required) ● Ability to influence designs early ● Everything reportable, automatable and shareable Release Management
  • 17. “ Before you go live you must ship your logs off to this SOC endpoint (which will take you weeks to onboard)” Brick #2
  • 18.
  • 19. Common Issues ● Large gap between domain experts and SOC ● Provides a false (and often untested) sense of security ● Ineffective communication and incident response ● Centralised and difficult to onboard or improve Security Operations
  • 20. Strategy ● Empower teams to implement and own alerting ● Constantly improve with each new threat model ● Focus on improving alert response process ● Use notification subscription model to allow flexibility Security Operations
  • 21. Infra Alerts Cloudtrail for Threat Modelling GuardDuty for IDS
  • 23. Slack For Alerts ● Dynamic, interactive workgroup receive notifications ● Link to cloud hosted runbook with incident response instructions ● Each investigation results in a JIRA ticket ● Security just poke people if required
  • 24. Result ● All alerts continually evolving through threat modelling ● Teams take ownership of alerts ● Security only verify pattern and investigation results ● Quick to set up and script using terraform etc. ● Very cheap compared to commercial IDS / SIEM tools Embedded Operations
  • 26. “Before you can release, scan your application code for vulnerable dependencies and either fix, suppress or acknowledge” Brick #3
  • 27.
  • 28. Common Issues ● Time-consuming CVE research duplicated (or skipped) ● Most findings are not used in a vulnerable way ● Difficult to manage vulnerabilities with most tools ● Sometimes difficult / impractical to upgrade Dependency Checking
  • 29. Security Team Proactively Scan Common Libs [INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ vault-policy-generator --- [INFO] security:vault-policy-generator:jar:1-SNAPSHOT [INFO] +- org.springframework.boot:spring-boot-starter:jar:2.0.0.RELEASE:compile [INFO] | +- org.springframework.boot:spring-boot:jar:2.0.0.RELEASE:compile [INFO] | | - org.springframework:spring-context:jar:5.0.4.RELEASE:compile [INFO] | | +- org.springframework:spring-aop:jar:5.0.4.RELEASE:compile [INFO] | | - org.springframework:spring-expression:jar:5.0.4.RELEASE:compile [INFO] | +- org.springframework.boot:spring-boot-autoconfigure:jar:2.0.0.RELEASE:compile [INFO] | +- org.springframework.boot:spring-boot-starter-logging:jar:2.0.0.RELEASE:compile [INFO] | | +- ch.qos.logback:logback-classic:jar:1.2.3:compile [INFO] | | | - ch.qos.logback:logback-core:jar:1.2.3:compile [INFO] | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.10.0:compile [INFO] | | | - org.apache.logging.log4j:log4j-api:jar:2.10.0:compile [INFO] | | - org.slf4j:jul-to-slf4j:jar:1.7.25:compile [INFO] | +- javax.annotation:javax.annotation-api:jar:1.3.2:compile [INFO] | +- org.springframework:spring-core:jar:5.0.4.RELEASE:compile [INFO] | | - org.springframework:spring-jcl:jar:5.0.4.RELEASE:compile [INFO] | - org.yaml:snakeyaml:jar:1.19:runtime [INFO] +- org.springframework.boot:spring-boot-starter-json:jar:2.0.0.RELEASE:compile [INFO] | +- org.springframework:spring-web:jar:5.0.4.RELEASE:compile [INFO] | | - org.springframework:spring-beans:jar:5.0.4.RELEASE:compile [INFO] | +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.4:compile [INFO] | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile [INFO] | | - com.fasterxml.jackson.core:jackson-core:jar:2.9.4:compile [INFO] | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.4:compile [INFO] | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.4:compile [INFO] | - com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.4:compile [INFO] +- org.springframework.boot:spring-boot-configuration-processor:jar:2.0.0.RELEASE:compile (optional) [INFO] +- org.hibernate.validator:hibernate-validator:jar:6.0.13.Final:compile [INFO] | +- javax.validation:validation-api:jar:2.0.1.Final:compile [INFO] | +- org.jboss.logging:jboss-logging:jar:3.3.2.Final:compile [INFO] | - com.fasterxml:classmate:jar:1.3.4:compile [INFO] +- com.google.guava:guava:jar:24.0-jre:compile [INFO] | +- com.google.code.findbugs:jsr305:jar:1.3.9:compile [INFO] | +- org.checkerframework:checker-compat-qual:jar:2.0.0:compile [INFO] | +- com.google.errorprone:error_prone_annotations:jar:2.1.3:compile [INFO] | +- org.hamcrest:hamcrest-core:jar:1.3:test [INFO] | +- org.hamcrest:hamcrest-library:jar:1.3:test [INFO] | +- org.skyscreamer:jsonassert:jar:1.5.0:test [INFO] | | - com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test [INFO] | +- org.springframework:spring-test:jar:5.0.4.RELEASE:test [INFO] | - org.xmlunit:xmlunit-core:jar:2.5.1:test [INFO] +- com.github.tomakehurst:wiremock-standalone:jar:2.6.0:test [INFO] +- org.hamcrest:hamcrest-all:jar:1.3:test [INFO] +- commons-io:commons-io:jar:2.6:compile [INFO] - org.glassfish:javax.el:jar:3.0.1-b09:compile [INFO] | +- junit:junit:jar:4.12:test [INFO] | +- org.assertj:assertj-core:jar:3.9.1:test [INFO] | +- org.mockito:mockito-core:jar:2.15.0:test [INFO] uk.gov.hmrc.security:vault-policy-generator:jar:1-SNAPSHOT [INFO] +- org.springframework.boot:spring-boot-starter:jar:2.0.0.RELEASE:compile [INFO] | +- org.springframework.boot:spring-boot:jar:2.0.0.RELEASE:compile [INFO] | | - org.springframework:spring-context:jar:5.0.4.RELEASE:compile [INFO] | | +- org.springframework:spring-aop:jar:5.0.4.RELEASE:compile [INFO] | | - org.springframework:spring-expression:jar:5.0.4.RELEASE:compile [INFO] | +- org.springframework.boot:spring-boot-autoconfigure:jar:2.0.0.RELEASE:compile [INFO] | +- org.springframework.boot:spring-boot-starter-logging:jar:2.0.0.RELEASE:compile [INFO] | | +- ch.qos.logback:logback-classic:jar:1.2.3:compile [INFO] | | | - ch.qos.logback:logback-core:jar:1.2.3:compile [INFO] | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.10.0:compile [INFO] | | | - org.apache.logging.log4j:log4j-api:jar:2.10.0:compile [INFO] | | - org.slf4j:jul-to-slf4j:jar:1.7.25:compile [INFO] | +- javax.annotation:javax.annotation-api:jar:1.3.2:compile [INFO] | +- org.springframework:spring-core:jar:5.0.4.RELEASE:compile [INFO] | | - org.springframework:spring-jcl:jar:5.0.4.RELEASE:compile [INFO] | - org.yaml:snakeyaml:jar:1.19:runtime [INFO] +- org.springframework.boot:spring-boot-starter-json:jar:2.0.0.RELEASE:compile [INFO] | +- org.springframework:spring-web:jar:5.0.4.RELEASE:compile [INFO] | | - org.springframework:spring-beans:jar:5.0.4.RELEASE:compile [INFO] | +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.4:compile [INFO] | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile [INFO] | | - com.fasterxml.jackson.core:jackson-core:jar:2.9.4:compile [INFO] | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.4:compile [INFO] | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.4:compile [INFO] | - com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.4:compile [INFO] +- org.springframework.boot:spring-boot-configuration-processor:jar:2.0.0.RELEASE:compile (optional) [INFO] +- org.hibernate.validator:hibernate-validator:jar:6.0.13.Final:compile [INFO] | +- javax.validation:validation-api:jar:2.0.1.Final:compile [INFO] | +- org.jboss.logging:jboss-logging:jar:3.3.2.Final:compile [INFO] | - com.fasterxml:classmate:jar:1.3.4:compile [INFO] +- com.google.guava:guava:jar:24.0-jre:compile [INFO] | +- com.google.code.findbugs:jsr305:jar:1.3.9:compile [INFO] | +- org.checkerframework:checker-compat-qual:jar:2.0.0:compile [INFO] | +- com.google.errorprone:error_prone_annotations:jar:2.1.3:compile [INFO] | +- com.google.j2objc:j2objc-annotations:jar:1.1:compile [INFO] | - org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile [INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.0.0.RELEASE:test [INFO] | +- org.springframework.boot:spring-boot-test:jar:2.0.0.RELEASE:test [INFO] | +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.0.0.RELEASE:test [INFO] | +- com.jayway.jsonpath:json-path:jar:2.4.0:test [INFO] | | +- net.minidev:json-smart:jar:2.3:test [INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ vault-policy-generator --- [INFO] | | | - net.minidev:accessors-smart:jar:1.2:test [INFO] | | | - org.ow2.asm:asm:jar:5.0.4:test [INFO] | | - org.slf4j:slf4j-api:jar:1.7.25:compile [INFO] | | +- net.bytebuddy:byte-buddy:jar:1.7.10:test [INFO] | | +- net.bytebuddy:byte-buddy-agent:jar:1.7.10:test [INFO] | | - org.objenesis:objenesis:jar:2.6:test
  • 30. Jackson Deserialization Vulnerability (CVE 2017-7525): Introduction: This vulnerability takes advantage of the ability of an attacker to force a server to deserialize a compromised class which is known to be on a large number of class paths and inject malicious input which can result in code execution. Am I Vulnerable?: You are vulnerable if you use polymorphic typing feature anywhere in your code. This can be configured in a few ways: @JsonTypeInfo, @JsonSubTypes or mapper.enableDefaultTyping() How can I remediate?: You must ensure that you globally configure ObjectMapper disableDefaultTyping() and have no instances of @JsonTypeInfo, @JsonSubTypes Share Pre-Investigated Issues
  • 31. Basic Code Scanning Engine Vulnerability Search Terms XXE XMLInputFactory, TransformerFactory, SchemaFactory, SAXTransformerFactory, XMLReader Jackson Deserialization @JsonTypeInfo, @JsonSubTypes, mapper.enableDefaultTyping() Logback ServerSocketReceiver
  • 33. “A hugely critical vulnerability from 6 weeks ago has landed in a VIP’s inbox. It even has a logo so RED ALERT!, stop everything.” Brick #4
  • 34.
  • 35. Common Issues ● Vulnerabilities come from high up to add pressure ● Usually have lots of FUD and little Facts ● Security have a point to prove ● Disrupts lots of teams and value stream Knee Jerking to Vulnerabilities
  • 37. Create Work Tracker and Link to Team Tickets
  • 38. Create Work Group Which Self Manages
  • 39. Lightweight Documentation to Pass up Chain Docker Escape Investigation (CVE 2019-5736): Introduction: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Investigation Scope: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore. Risk Assessment:Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et Remediation Steps: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Residual Risk: Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.
  • 40. Put The Brick Down ● Security reviews and collaboration small but often ● Effective communication through modern tools ● Shift security ownership up the pipeline ● Focus on technical and process improvement rather than managing and firefighting