Continuous Security Testing for DevOps #devseccon
1. LONDON 2015. Join the conversation #devseccon
Continuous Security Testing
Stephen de Vries
2. About Me
Founder and CTO Continuum Security
70% Developer / 20% Security Analyst
Involved in OWASP since 2004
Created BDD-Security framework
@stephendv
3. Security Testing
• Performed after build
• Outsourced to external experts
• Process is opaque to dev/ops
Unit/Integration/Acceptance Testing
• Performed during build
• Owned by dev/test
• Tests visible to the team
16. Who owns the security tests?
Option 1: Security Team
• Low cost test runs
• Slower feedback to dev
• Poor collaboration
• Lack of ownership by DevOps
17. Semi-SecDevOps: Parallel tests
[Diagram: pipeline stages Design, Build, Unit Tests, Integration Tests, Acceptance Tests, Deploy, across the Development, Pre-prod and Production environments, with Manual Security Tests and Auto. Security Tests run in parallel]
18. Who owns the security tests?
Option 2: DevOps team with oversight by Security
• Better collaboration
• Sense of ownership of security
• Good stepping stone to…
SecDevOps
Option 3: Sec+Dev+Ops in a cross-functional team
• Security testing is our problem
• We have the tools and skills to manage it