Laura Bell of SafeStack discusses continuous security and how to achieve it. Continuous security involves integrating security practices like automated testing, reviews, and monitoring into regular development workflows. This allows issues to be addressed quickly as code is developed rather than in separate phases. Bell provides principles for continuous security like using automated, autonomous, integrated, repeatable and scalable processes. She also shares a case study of applying these principles at a fast growing company and lessons learned around tools, resources, education and environments.

1. Continuous Security
Laura Bell
SafeStack

2. Con$nuous
Security
Laura Bell
F O U N D E R & L E A D C O N S U LTA N T
S A F E S TAC K
@ l a d y _ n e rd
l a u r a @ s a fe s t a c k . i o

3. once upon a $me*…
*
Some'me
in
the
last
week
for
some
of
you

4. and the whole world
went to hell

5. common misconcep$ons

6. it’s not my job
(that’s why we have a security team)

7. it’s impossible so why try

8. we’ve always done this…
nobody’s hacked us yet

9. we’re too li@le to fail
(at security)

10. agility increases risk

11. what is con$nuous security?

12. design
code
stuff
idea
test
deploy

13. design
code
stuff
idea
test
deploy
Ini'al
Risk
Assessment
Design
Review
Code
and
Implementa'on
Review
Penetra'on
Tes'ng

15. con$nuous

16. principles of con$nuous security

17. automated
autonomous
integrated
repeatable
scalable

18. automated
“the best technical people I know work
really hard to make themselves redundant”

19. Deployment
Provisioning
Tes$ng
Sta$c analysis
Vulnerability mgmt

20. autonomous
“no boMlenecks, breakdowns or ripples”

22. Skills
Authority
Accountability
every team

23. integrated
“bite-­‐sized security that works with every step
of your lifecycle”

25. Woven in to keep you going
Respected enough to stop you

26. repeatable
“security fails when it’s a special event”

27. Every story
Every sprint
Every developer
Every $me

28. Standard Security Stories
h@p://www.safecode.org

29. scalable
“more than just
a single team
experiment”

30. Business as usual
Managed
Measured
Controlled
Universal
Special
Proof of concept
Blue sky
Experiment
Innova$on

31. Case Study

32. Fast growing
110 developers
Compliance environment
New code
Legacy code
Mul$ple languages

33. Requirements
Standard Security
Stories
Architecture
Inclusion
Reusable
requirements

34. Code review
IDE based free tools
Peer Review
Security guild

35. Tes$ng
Automated ZAP
tes$ng
Selenium
Standard security
tests

36. Deployment
Vulnerability checks
Infrastructure as code
On demand deployments

37. Collabora$on
Security guild
Chat ops
Hack events

38. Good stuff
speed of change
skill level increase
increased awareness
priority of legacy
use of security resource

39. Lessons learned
security guilds
tool cost
tool quality
approaches
training at scale

40. achieving con$nuous security

41. choose tools wisely
integra$ons with workflows, API, speed

42. easy to digest resources
keep your examples, templates and
reusable stuff as close to your developers
as possible

43. educate everyone
skills are the number one bo@leneck

44. give testers some love
test environments, clean test data and tools

45. no special treatment
legacy code needs security too

46. dev == test == prod
remove the differences to remove
deployment complexity

47. Ques$ons?
Laura Bell
F O U N D E R & L E A D C O N S U LTA N T
S A F E S TAC K
@ l a d y _ n e rd
l a u r a @ s a fe s t a c k . i o

48. @lady_nerd
Laura Bell
SafeStack
Thanks for listening…