The document discusses shifting security left in the software development lifecycle using an agile approach and automation tools. It recommends planning security from the beginning of the development process. Automation is key to continuously test for vulnerabilities during integration and development. Tools mentioned include an open source CI server to detect errors, Zed Attack Proxy to automatically find web application vulnerabilities, and various resources on securing the DevOps pipeline.

2. •
•
•
•
•

3. SOFTWARE DEVELOPMENT IS LIKE A MMORPG...
IT NEVER ENDS!

6. THEN ALL
BECAME
AGILE!

7. AGILE

13. •
•
•
•
•
•
•
•

16. •
•
Plan Code Build Test Release Deploy
Operate &
Monitor
Why not here?Better yet, why no
here?
Why not plan security from
the beginning?!
“We test for vulns here”
SSL Approach – Shifting Security Left

19. AUTOMATION IS KEY TO SSL APROACH

23. TOOLS

24. • Open source continuous integration server
• Each integration is verified and tested over
automated builds
• Detects integration errors as fast as possible
• Has many security plugins available!

26. • Zed Attack Proxy by Simon Bennetts
• Ideal for beginners but also used by professionals
• Can find security vulnerabilities in web applications
automatically (good for devs)
• Also enables manual security testing (pentests)
• Some features include: Proxy, Scanner, Spider, Brute
Force and Fuzzing

28. •
•
•
•
•
•

29. •
•
•
•
•
•

31. •
•
•
•
•

32. •
•
•
•
•
•
•

33. •
•
•
• HTTPS://PT.SLIDESHARE.NET/DINISCRUZ/OWASP-BRAZIL-MAKING-SECURITY-INVISIBLE-BY-
BECOMING-THE-DEVELOPERS-BEST-FRIENDS-V2
• HTTPS://WWW.YOUTUBE.COM/WATCH?V=X9NOUTCNTAC
• HTTP://WWW.DEVSECOPS.ORG/BLOG/2016/5/20/-SECURITY
• HTTPS://CDN2.HUBSPOT.NET/HUBFS/1958393/WHITE_PAPERS/DEVSECOPS_HOW_TO_SEAMLE
SSLY__315283.PDF?T=1482418124868
• HTTPS://WWW.SANS.ORG/READING-ROOM/WHITEPAPERS/ANALYST/DEVSECOPS-PLAYBOOK-
36792