Stephen de Vries, profile picture
Uploaded byStephen de Vries
2,132 views

Continuous Security Testing - DevSecCon

This document discusses integrating security testing into continuous delivery pipelines. It argues that security testing should be performed continuously and automated like other tests, rather than as a separate process. The document recommends that development, operations, and security teams work together in a "SecDevOps" model where security testing is integrated into regular testing workflows and everyone shares responsibility. It presents the BDD-Security framework as an example of how behavior-driven development can be used to automate continuous security testing that runs with each code change.

Embed presentation

Downloaded 81 times
LONDON 2015Join the conversation #devseccon Continuous Security Testing Stephen de Vries
About Me Founder and CTO Continuum Security 70% Developer / 20% Security Analyst Involved in OWASP since 2004 Created BDD-Security framework @stephendv
Security Testing • Performed after build • Outsourced to external experts • Process is opaque to dev/ops Unit/Integration/Acceptance Testing • Performed during build • Owned by dev/test • Tests visible to the team
Design Build Unit Tests Integration Tests Acceptance Tests Deploy Development Pre-prod Production Agile • Short iterative cycles • Extensive automated testing • Low/zero cost to test • Tests can replace documentation
Design Build Unit Tests Integration Tests Acceptance Tests Deploy Development Pre-prod Production Continuous Delivery Automated acceptance tests
Design Build Unit Tests Integration Tests Acceptance Tests Deploy Development Pre-prod Production Continuous Delivery into Production • Etsy: 50+ deploys per day • Gov.uk: 10+ deploys per day • Amazon: 300+ per hour Security Tests?
• Everyone is responsible for • Move testing closer to the code • Continuous automated testing quality quality security security security ^
BDD: Behaviour Driven Development
BDD: Behaviour Driven Development
https://github.com/continuumsecurity/bdd-security JBehave + OWASP ZAP + Nessus + Internal security tools + Pre-written baseline security specifications Selenium/WebDriver +
HTTP/S Proxy Manual Application Security Testing with OWASP ZAP
HTTP/S Proxy Manual Application Security Testing with OWASP ZAP Automated ^ BDD-Security
Demo https://vimeo.com/89848072
Who owns the security tests? Option 1: Security Team • Low cost test runs • Slower feedback to dev • Poor collaboration • Lack of ownership by DevOps
Design Build Integration Tests Unit Tests Acceptance Tests Deploy Development Pre-prod Production Semi-SecDevOps: Parallel tests Manual Security Tests Auto. Security Tests
Who owns the security tests? Option 2: DevOps team with oversight by Security • Better collaboration • Sense of ownership of security • Good stepping stone to… SecDev Ops Option 3: Sec+Dev+Ops in a cross- functional team • Security testing is our problem • We have the tools and skills to manage it
Design Auto. Security Tests Build Integration TestsUnit Tests Acceptance Tests Deploy Development Pre-prod Production SecDevOps: Inline blocking tests Manual Security Tests
Related Tools • Mittn (Python + Burp Intruder) https://github.com/F-Secure/ mittn • ZAP-JUnit (Java) https://github.com/continuumsecurity/zap- webdriver • Guantlet (Ruby) http://gauntlt.org/ • OWASP ZAP Jenkins plugin https://wiki.jenkins-ci.org/display/ JENKINS/Zapper+Plugin
LONDON 2015Join the conversation #devseccon Thank you! www.continuumsecurity.net @continuumsecure @stephendv

More Related Content

KEY
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
byNick Galbreath
 
PPTX
Automating security tests for Continuous Integration
byStephen de Vries
 
PDF
T23 HTML5 Security Testing at Spotify
byTechWell
 
PPTX
SecDevOps: The New Black of IT
byCloudPassage
 
PPTX
DevOps & Security: Here & Now
byCheckmarx
 
PPTX
Continuous Security Testing with Devops - OWASP EU 2014
byStephen de Vries
 
PDF
Vulnerabilities are bugs, Let's Test For Them!
byVAddy
 
PDF
Integrating DevOps and Security
byStijn Muylle
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
byNick Galbreath
 
Automating security tests for Continuous Integration
byStephen de Vries
 
T23 HTML5 Security Testing at Spotify
byTechWell
 
SecDevOps: The New Black of IT
byCloudPassage
 
DevOps & Security: Here & Now
byCheckmarx
 
Continuous Security Testing with Devops - OWASP EU 2014
byStephen de Vries
 
Vulnerabilities are bugs, Let's Test For Them!
byVAddy
 
Integrating DevOps and Security
byStijn Muylle
 

What's hot

PDF
Devops, Secops, Opsec, DevSec *ops *.* ?
byKris Buytaert
 
PPTX
Continuous Security Testing in a Devops World #OWASPHelsinki
byStephen de Vries
 
PPTX
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
byPuppet
 
PPTX
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
PDF
DevSecCon London 2017: Shift happens ... by Colin Domoney
byDevSecCon
 
PDF
Ast in CI/CD by Ofer Maor
byDevSecCon
 
PDF
A Secure DevOps Journey
bySonatype
 
PDF
DevSecCon London 2017: How far left do you want to go with security? by Javie...
byDevSecCon
 
PDF
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
byChristian Schneider
 
PPTX
Integrating Security into DevOps
byCloudPassage
 
PDF
The Rise of DevSecOps - Fabian Lim - DevSecOpsSg
byDevSecOpsSg
 
PDF
DevSecCon London 2017: Hands-on secure software development from design to de...
byDevSecCon
 
PDF
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
PDF
DevSecCon Tel Aviv 2018 - Value driven threat modeling by Avi Douglen
byDevSecCon
 
PPTX
DevSecOps
byCheah Eng Soon
 
PDF
Building a Modern Security Engineering Organization
byZane Lackey
 
PDF
DevSecOps - The big picture
byStefan Streichsbier
 
PDF
DevSecOps: Taking a DevOps Approach to Security
byAlert Logic
 
PPTX
DevSecCon KeyNote London 2015
byShannon Lietz
 
PDF
Embracing the Rise of SecDevOps
byTom Cappetta
 
Devops, Secops, Opsec, DevSec *ops *.* ?
byKris Buytaert
 
Continuous Security Testing in a Devops World #OWASPHelsinki
byStephen de Vries
 
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
byPuppet
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
byDevSecCon
 
Ast in CI/CD by Ofer Maor
byDevSecCon
 
A Secure DevOps Journey
bySonatype
 
DevSecCon London 2017: How far left do you want to go with security? by Javie...
byDevSecCon
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
byChristian Schneider
 
Integrating Security into DevOps
byCloudPassage
 
The Rise of DevSecOps - Fabian Lim - DevSecOpsSg
byDevSecOpsSg
 
DevSecCon London 2017: Hands-on secure software development from design to de...
byDevSecCon
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
DevSecCon Tel Aviv 2018 - Value driven threat modeling by Avi Douglen
byDevSecCon
 
DevSecOps
byCheah Eng Soon
 
Building a Modern Security Engineering Organization
byZane Lackey
 
DevSecOps - The big picture
byStefan Streichsbier
 
DevSecOps: Taking a DevOps Approach to Security
byAlert Logic
 
DevSecCon KeyNote London 2015
byShannon Lietz
 
Embracing the Rise of SecDevOps
byTom Cappetta
 

Viewers also liked

PDF
Threat modeling with architectural risk patterns
byStephen de Vries
 
PPTX
Matt carroll - "Security patching system packages is fun" said no-one ever
byDevSecCon
 
PDF
Nick Drage & Fraser Scott - Epic battle devops vs security
byDevSecCon
 
PPTX
Elizabeth Lawler - Devops, security, and compliance working in unison
byDevSecCon
 
PDF
Scalable threat modelling with risk patterns
byStephen de Vries
 
PPTX
DevSecCon Asia 2017 Arun N: Securing chatops
byDevSecCon
 
PDF
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
byDevSecCon
 
PDF
Agile Secure Software Development in a Large Software Development Organisatio...
byAchim D. Brucker
 
PDF
Continous Integration of (JS) projects & check-build philosophy
byFrançois-Guillaume Ribreau
 
PPTX
DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...
byDevSecCon
 
PDF
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
byDenim Group
 
PDF
Pythonista も ls を読むべきか?
byKatsunori FUJIWARA
 
PDF
Rugged DevOps: Bridging Security and DevOps
byJames Wickett
 
PPTX
DevOps AppSec Pipeline Velcocity NY 2015
byAaron Weaver
 
PDF
Automated Security Testing
byseleniumconf
 
PPTX
Security testautomation
byLinkesh Kanna Velu
 
PPTX
Cybersecurity by the numbers
byAPNIC
 
PPTX
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
byDevSecCon
 
PDF
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
byDevSecCon
 
PPTX
Threat Modeling And Analysis
byLalit Kale
 
Threat modeling with architectural risk patterns
byStephen de Vries
 
Matt carroll - "Security patching system packages is fun" said no-one ever
byDevSecCon
 
Nick Drage & Fraser Scott - Epic battle devops vs security
byDevSecCon
 
Elizabeth Lawler - Devops, security, and compliance working in unison
byDevSecCon
 
Scalable threat modelling with risk patterns
byStephen de Vries
 
DevSecCon Asia 2017 Arun N: Securing chatops
byDevSecCon
 
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
byDevSecCon
 
Agile Secure Software Development in a Large Software Development Organisatio...
byAchim D. Brucker
 
Continous Integration of (JS) projects & check-build philosophy
byFrançois-Guillaume Ribreau
 
DevSecCon Asia 2017 Joel Divekar: Using Open Source Automation tools for DevS...
byDevSecCon
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
byDenim Group
 
Pythonista も ls を読むべきか?
byKatsunori FUJIWARA
 
Rugged DevOps: Bridging Security and DevOps
byJames Wickett
 
DevOps AppSec Pipeline Velcocity NY 2015
byAaron Weaver
 
Automated Security Testing
byseleniumconf
 
Security testautomation
byLinkesh Kanna Velu
 
Cybersecurity by the numbers
byAPNIC
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
byDevSecCon
 
DevSecCon Asia 2017 Fabian Lim: DevSecOps in the government
byDevSecCon
 
Threat Modeling And Analysis
byLalit Kale
 

Similar to Continuous Security Testing - DevSecCon

PPTX
Continuous Security Testing in a Devops World
byStephen de Vries
 
PPTX
Continuous and Visible Security Testing with BDD-Security
byStephen de Vries
 
PDF
Including security in devops
byJérémy Matos
 
PDF
Agile Relevance in the age of Continuous Everything ....
byEturnti Consulting Pvt Ltd
 
PDF
The Emergent Cloud Security Toolchain for CI/CD
byJames Wickett
 
PDF
Devops is a Security Requirement
byKris Buytaert
 
PPTX
DevSecCon Boston2018 - advanced mobile security automation with bdd
byDavide Cioccia
 
PPTX
Introduction to DevSecOps
byabhimanyubhogwan
 
PDF
How BDD enables True CI/CD
byRoger Turnau
 
PDF
Continuous Security Testing
byRay Lai
 
PDF
The DevSecOps Builder’s Guide to the CI/CD Pipeline
byJames Wickett
 
PDF
Securing Devops_toolchain
bySuman Chakraborty
 
PPTX
Making the Move to Behavior Driven Development
byQASymphony
 
PDF
Making the Move to Behavior-Driven Development
byTechWell
 
PPTX
Devops - Accelerating the Pace and Securing Along the Way - Thaddeus Walsh
byDrew Malone
 
ODP
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
byMatt Tesauro
 
PDF
Ensuring Security through Continuous Testing
byTechWell
 
PPTX
Succeeding-Marriage-Cybersecurity-DevOps final
byrkadayam
 
PDF
Test Driven Development (TDD)
byDavid Ehringer
 
PDF
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
Continuous Security Testing in a Devops World
byStephen de Vries
 
Continuous and Visible Security Testing with BDD-Security
byStephen de Vries
 
Including security in devops
byJérémy Matos
 
Agile Relevance in the age of Continuous Everything ....
byEturnti Consulting Pvt Ltd
 
The Emergent Cloud Security Toolchain for CI/CD
byJames Wickett
 
Devops is a Security Requirement
byKris Buytaert
 
DevSecCon Boston2018 - advanced mobile security automation with bdd
byDavide Cioccia
 
Introduction to DevSecOps
byabhimanyubhogwan
 
How BDD enables True CI/CD
byRoger Turnau
 
Continuous Security Testing
byRay Lai
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
byJames Wickett
 
Securing Devops_toolchain
bySuman Chakraborty
 
Making the Move to Behavior Driven Development
byQASymphony
 
Making the Move to Behavior-Driven Development
byTechWell
 
Devops - Accelerating the Pace and Securing Along the Way - Thaddeus Walsh
byDrew Malone
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
byMatt Tesauro
 
Ensuring Security through Continuous Testing
byTechWell
 
Succeeding-Marriage-Cybersecurity-DevOps final
byrkadayam
 
Test Driven Development (TDD)
byDavid Ehringer
 
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 

Recently uploaded

PDF
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
PDF
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
PPTX
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
PDF
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
PDF
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
PDF
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
PDF
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
PDF
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
PDF
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
PDF
Powering Spring AI with Model Context Protocol Integration
byJuarez Junior
 
PDF
The Ultimate Guide to Real Estate Tokenization Platforms
byDaniel Smith
 
PDF
Building production-ready AI Agents with Strands Agents and Amazon Bedrock Ag...
byVadym Kazulkin
 
PDF
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
PDF
Imperative Bowling Kata - 20 Years On - Delegating Menial Tasks to AI Coding ...
byPhilip Schwarz
 
PDF
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PDF
GET /Ready How to master being a Master of Ceremonies (MC)
byImma Valls Bernaus
 
PDF
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
PPTX
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
PDF
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
Powering Spring AI with Model Context Protocol Integration
byJuarez Junior
 
The Ultimate Guide to Real Estate Tokenization Platforms
byDaniel Smith
 
Building production-ready AI Agents with Strands Agents and Amazon Bedrock Ag...
byVadym Kazulkin
 
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
Imperative Bowling Kata - 20 Years On - Delegating Menial Tasks to AI Coding ...
byPhilip Schwarz
 
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
GET /Ready How to master being a Master of Ceremonies (MC)
byImma Valls Bernaus
 
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 

Continuous Security Testing - DevSecCon