Security as Code: A DevSecOps Approach

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

Ad

SpringOne
@pwntester / @atorralba
A DevSecOps approach
Security as code
SpringOne
@pwntester / @atorralba

> whoami
Alvaro Muñoz
@pwntester
Staﬀ Security Researcher
Tony Torralba
@_atorralba
CodeQL Software Engineer

https://securitylab.github.com
GitHub Security Lab

Let’s start with a space odyssey
SpringOne
@pwntester / @atorralba

9 years ago in our galaxy
double vectors[12] does not actually prevent to pass
an array of diﬀerent size as argument
Unpre...

9 years ago in our galaxy

The speciﬁc challenges of shifting
security left
SpringOne
@pwntester / @atorralba

Shifting Left

#1 — It’s not just “automate and run earlier”
#2 — Go left(er), don’t stop at coding!
Requirements, design, architecture …...

What motivates us?
● Autonomy
● Mastery
● Purpose
SpringOne
@pwntester / @atorralba

What motivates us?
Autonomy You are in control Another team runs the tool and
generates a deluge of Jira issues for you
Ma...

DevSecOps speciﬁcities
➢ What is common?
○ Misalignment, diﬀerent goals
○ Antagonism
SpringOne
@pwntester / @atorralba

DevSecOps specificities
➢ What is common?
○ Misalignment, different goals
○ Antagonism
➢ What is specific?
○ Criticality / ur...

DevSecOps speciﬁcities
The divide is at another level
SpringOne
@pwntester / @atorralba

Lessons learned from DevOps
SpringOne
@pwntester / @atorralba

Lesson #1: Align goals
SpringOne
@pwntester / @atorralba

Lesson #2: Autonomy, Mastery
SpringOne
@pwntester / @atorralba

Security as Code
SpringOne
@pwntester / @atorralba

SpringOne
@pwntester / @atorralba
What is SaC
• Everyone should be responsible for security
• Provide developers with poli...

SpringOne
@pwntester / @atorralba
What can be covered with SaC
• Security policies
• (e.g. https://github.com/ossf/allstar...

SpringOne
@pwntester / @atorralba
Beneﬁts of SaC
• Uses the developer’s same language
(code), encouraging collaboration an...

• CodeQL lets you query code as
though it were data.
• CodeQL extracts your code into
a special database
- AST
- Semantics...

Demo

SpringOne
@pwntester / @atorralba
Demo repository
https://github.com/atorralba/springone-demo

Taint tracking
SpringOne
@pwntester / @atorralba
SOURCE
POST /users
username={payload}
&pasword=secret
&repeatedPassword=s...

Security As Code: Code Scanning
✓ Automation
✓ Developer tool
✓ Sharing knowledge
✓ Bonus: Community-powered
SpringOne
@pw...

Support
SpringOne
@pwntester / @atorralba
● Sources of taint:
○ Web
○ MVC
○ REST
● Speciﬁc Spring Sinks:
○ Spring Web: Ope...

Contribute your own queries and make some 💰
https://securitylab.github.com/get-involved
SpringOne
@pwntester / @atorralba

Thank you!
Reach out on twitter:
@pwntester
@_atorralba
@ghsecuritylab
SpringOne
@pwntester / @atorralba

Security as Code: A DevSecOps Approach

Share SlideShare

Facebook
Twitter
LinkedIn

Embed

Size (px)

Show related SlideShares at end

WordPress Shortcode

Link

Share
Email

ChatGPT and the Future of Work - Cl... by Clark Boyd 9424 views
Getting into the tech field. what n... by Tessa Mero 2384 views
Google's Just Not That Into You: Un... by Lily Ray 3774 views
How to have difficult conversations by Rajiv Jayarajah, ... 2378 views
Introduction to Data Science by Christy Abraham Joy 81737 views
Time Management & Productivity - B... by Vit Horky 169438 views

Top clipped slide

1 of 38 Ad

1 of 38 Ad