© 2020 Denim Group – All Rights Reserved
Building a world where technology is trusted.
Dan Cornell | CTO
AppSec Fast And Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
October 2, 2020
• Advisory Services
• Assessment Services
• Remediation Services
• Vulnerability Resolution Platform
Building a world where technology is trusted
How we can help:
Denim Group is solely focused on helping build resilient software that will withstand attacks.
• Since 2001, helping secure software
• Development background
• Tools + services model
Agenda
• Cool Kids: Moving FAST
• SSA Programs
• Fast and Slow
• OWASP SAMM Walkthrough
• Conclusions
• Questions
Cool Kids: Moving FAST
Security in the DevOps Pipeline
Organizations like Etsy and Netflix are doing amazing things to secure applications via their DevOps pipelines
All About the Pipeline
• Security checks in the pipeline
• Application
• Infrastructure
• Cloud
• Automation is king
But What Doesn’t Fit Into a Pipeline?
• Dangers of DevSecOps fundamentalism
• The Pipeline Isn’t the Program
SSA Programs
What is Your “Why?”
• Simon Sinek TED Talk
• (If you have seen this before, rolling your eyes at this point is acceptable)
• Why -> How -> What
https://www.youtube.com/watch?v=qp0HIF3SfI4
What is an SSA Program
• SSA = Software Security Assurance
• Set of practices and activities used to reliably create, maintain, and deploy secure software
• “We do an annual app pen test for PCI” is not an SSA program
• Or at least probably not a very effective one
• “Here are the security checks we figured out how to stuff into our CI/CD pipeline” is also not an SSA program
• Danger: Don’t let the pipeline become your program
• “Shifting left” isn’t bad – it just isn’t everything
SSA Program References
• OWASP SAMM
• BSIMM
OWASP SAMM
• Originally OpenSAMM from Pravir Chandra
• OWASP’s evolution/fork
• Five Business Functions
• Three Security Practices for each
• Two Streams for each
https://owaspsamm.org/
OWASP SAMM
BSIMM
• Originally from Cigital (now Synopsys)
• Based on data collection from participating organizations
• Four domains
• Three Practices for each
• Total of 119 Activities
https://www.bsimm.com/
BSIMM
OWASP SAMM Walkthrough
• We will use OWASP SAMM for the purposes of this webinar
• More prescriptive
• Less vendor-centric
• If you are using BSIMM it is pretty trivial to translate
If You Are Just Starting Out
• Assessing your program using either tool is less-than-ideal
• Better:
• Define your scope/mandate
• Do some testing
• Run some vulnerabilities through resolution
• Proceed from there
https://www.denimgroup.com/contact-us/
Fast and Slow
Thinking Fast and Slow
• Written by Daniel Kahneman
• System 1 (Fast): Instinctive, emotional
• System 2 (Slow): Deliberative, logical
• (For AppSec purposes, use configuration/customization to minimize the “emotional”)
https://www.amazon.com/Thinking-Fast-Slow-Daniel-Kahneman/dp/0141033576/ref=asc_df_0141033576/
An Aside: What Horrible Names!
• System 1 and System 2 ???
• Almost as bad as Type I and Type II Errors
https://www.simplypsychology.org/type_I_and_type_II_errors.html
Another Aside: The Undoing Project
• Michael Lewis book on the research of and the collaboration between Daniel Kahneman and Amos Tversky
https://www.amazon.com/Undoing-Project-Friendship-Changed-Minds/dp/0393354776/ref=sr_1_2
Fast and Slow
In a culture like DevSecOps that is so focused on FAST, what is still critical, but has to go SLOW?
What Do We Mean By FAST?
Blog post: Power, Responsibility, and Security’s Role in the DevOps Pipeline
https://www.denimgroup.com/resources/blog/2019/02/power-responsibility-and-securitys-role-in-the-devops-pipeline/
To Be DevSecOps FAST
1. Available quickly
2. High-value
3. Low (NO) false positives (no Type I errors)
• Limited time budget
• Developers have to care
• Don’t waste developers’ time
OWASP SAMM Walkthrough
Governance
• Strategy and Metrics
• Policy and Compliance
• Education and Guidance
Strategy and Metrics
• You can’t automate strategy
• SLOW
• You can use CI/CD to feed your metrics
• Kinda FAST
• Metrics in general: very automatable
Policy and Compliance
• You can’t automate the creation of your policies
• SLOW
• You can use CI/CD to automate some policy checks
• CI/CD pass/fail
• Be careful of limitations – this is a helper, not definitive
• Kinda FAST
CI/CD Policy Configuration
• Testing
• Synchronous
• Asynchronous
• Decision
• Reporting
Blog Post: Effective Application Security Testing in DevOps Pipelines
http://www.denimgroup.com/blog/2016/12/effective-application-security-testing-in-devops-pipelines/
https://www.denimgroup.com/resources/effective-application-security-for-devops/
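The Testing / Decision / Reporting split above, together with the earlier point that FAST checks must have limited time budgets and (near) no false positives, is easiest to see as a small policy gate. The following is an added example, not code from the deck or from Denim Group: it assumes a scanner exports findings as dicts with `rule`, `severity` and `file` keys, and the sample findings, the `Policy` fields and the tuned-out rule names are constructed for illustration. Synchronous (blocking) findings decide pass/fail, advisory findings are reported for asynchronous follow-up, and suppressed rules stay visible in the report so tuning decisions are auditable rather than silently dropped.

```python
"""CI/CD policy gate: synchronous checks decide pass/fail, the rest is reported.

Added example, not code from the Denim Group deck. It assumes a scanner
exports findings as dicts with 'rule', 'severity' and 'file' keys; the
policy fields and the sample findings below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Severity ordering used to compare findings against the policy threshold
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Policy:
    fail_at: str = "high"                                # lowest severity that blocks the build
    suppressed_rules: set = field(default_factory=set)   # tuned out after triage (false positives)
    advisory_rules: set = field(default_factory=set)     # reported for later review, never blocking


def evaluate(findings, policy):
    """Return (decision, report): 'pass'/'fail' plus the findings sorted into buckets.

    Blocking findings fail the build synchronously; advisory findings are
    reported for asynchronous follow-up; suppressed findings are kept in the
    report so the tuning stays visible rather than silently discarded.
    """
    threshold = SEVERITY_RANK[policy.fail_at.lower()]
    report = {"blocking": [], "advisory": [], "suppressed": []}
    for f in findings:
        if f["rule"] in policy.suppressed_rules:
            report["suppressed"].append(f)
        elif f["rule"] in policy.advisory_rules:
            report["advisory"].append(f)
        elif SEVERITY_RANK.get(f["severity"].lower(), 0) >= threshold:
            report["blocking"].append(f)
        else:
            report["advisory"].append(f)
    decision = "fail" if report["blocking"] else "pass"
    report["decision"] = decision
    return decision, report


def render_report(report):
    """Produce the plain-text summary a pipeline step would print."""
    lines = [f"decision: {report['decision']}"]
    for bucket in ("blocking", "advisory", "suppressed"):
        lines.append(f"{bucket}: {len(report[bucket])}")
        for f in report[bucket]:
            lines.append(f"  [{f['severity']}] {f['rule']} in {f['file']}")
    return "\n".join(lines)


# Constructed sample findings (not real scanner output)
SAMPLE_FINDINGS = [
    {"rule": "sql-injection", "severity": "high", "file": "app/db.py"},
    {"rule": "xml-parse", "severity": "high", "file": "app/feeds.py"},
    {"rule": "weak-random", "severity": "medium", "file": "app/tokens.py"},
    {"rule": "debug-true", "severity": "low", "file": "settings.py"},
]

# Assumed tuned policy: 'xml-parse' was triaged as a false positive in this codebase
SAMPLE_POLICY = Policy(fail_at="high",
                       suppressed_rules={"xml-parse"},
                       advisory_rules={"weak-random"})

if __name__ == "__main__":
    decision, report = evaluate(SAMPLE_FINDINGS, SAMPLE_POLICY)
    print(render_report(report))
    raise SystemExit(1 if decision == "fail" else 0)
```

The exit code is what the pipeline consumes for the pass/fail decision; the rendered report is what goes to the reporting stream. Raising `fail_at` or adding rules to `suppressed_rules` is the tuning step the deck keeps returning to: the gate is only as trustworthy as the triage that produced those sets.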
Education and Guidance
• Instructor-led training: SLOW
• eLearning
• Monolithic: SLOW
• Targeted: Not FAST, but increasingly interesting
• Security Champions
• Common responsibility is to configure security testing in CI/CD environments and tune scanning
• They make things FASTer
Security Champions
Webinar: Security Champions: Pushing Security Expertise to the Edges of Your Organization
https://www.denimgroup.com/resources/webinar/security-champions-pushing-security-expertise-to-the-edges-of-your-organization/
Design
• Threat Assessment
• Security Requirements
• Security Architecture
Threat Assessment
• Determining your general application threat profiles can’t be automated
• SLOW
• Threat Modeling also requires a lot of manual work
• Some new interesting automation, but nothing in CI/CD pipelines
• Some vendors providing tooling support
• Can allow for manual incremental changes – not CI/CD, but fits better into Agile environments
• SLOW
Security Requirements
• Determining your requirements is largely manual
• Some tooling support is available
• SLOW
• Validating if they are met is largely manual, but we will look at this later during the Verification/Requirements-Driven Testing activity
Secure Architecture
• Determining your architectural security requirements is largely manual
• SLOW
• Validating if they are met is largely manual, but we will look at this later during the Verification/Architecture Assessment activity
Implementation
• Secure Build
• Secure Deployment
• Defect Management
Secure Build
• This is really the crux of what we are discussing today
• FAST
• How can you integrate security into the build process?
• SAST/DAST/IAST
• SCA
• OWASP Dependency Check https://owasp.org/www-project-dependency-check/
• If you are even considering this you have to have a repeatable build process
• Otherwise please log off this webinar and pick up a Jenkins for Dummies book. You can pick this back up later.
• Software Bill of Materials (SBOM)
• OWASP Dependency Track https://dependencytrack.org/
Architectural Bill of Materials
Webinar: The As, Bs, and Four Cs of Testing Cloud-Native Applications
https://www.denimgroup.com/resources/webinar/the-as-bs-and-four-cs-of-testing-cloud-native-applications/
Secure Deployment
• An extension of Secure Build
• Organizations tend to be a little less mature
• FAST
• Technologies like Puppet, Chef, Terraform
Defect Management
• Subsets of this can be FAST
• But you have to tune scanners or you will run into problems
• High-value, no false positives
• Technically automated defect creation is usually possible
• In practice, it takes a while to get to this level
• Limited coverage: only works for vulnerabilities you can find with automation in CI/CD pipelines
• We will talk more about these testing limitations in the Verification discussions
Bundling Strategies
• Turning vulnerabilities into defects
• 1:1 approach?
• More time spent administering defects than fixing issues
• Bundling
• By vulnerability type
• By severity (more mature applications)
• Other approaches
Metrics and Feedback Stream
• Scanner / developer provide separation of duties
• Scanners find vulns, developers say they fixed them, scanners confirm they did
• Obviously only applies to vulnerabilities identified by automation
• Tracking mean-time-to-remediation (MTTR)
• Good metric for Agile/DevOps teams – how fast can you fix?
• (Better than defects per KLoC)
• Benchmark against data from Veracode/WhiteHat
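The two preceding slides, Bundling Strategies and the Metrics and Feedback Stream, describe one workflow: turn scanner findings into a manageable number of defects, let the scanner rather than the developer confirm a fix, and measure how long remediation takes. The block below is an added example, not code from the deck or from Denim Group; the vulnerability records, their field names, and the choice of `(cwe, file)` as the identity that matches a finding across scans are assumptions made for illustration (a real tracker would use a more stable fingerprint). It bundles by vulnerability type and by severity, closes open findings the latest scan no longer reports, and computes MTTR over the closed ones only, so open findings never make the number look better than it is.

```python
"""Bundling scanner findings into defects and tracking mean-time-to-remediation.

Added example, not code from the Denim Group deck. Vulnerability records,
field names and the (cwe, file) identity used to match findings across scans
are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import date

SEVERITY_ORDER = ["critical", "high", "medium", "low"]


def bundle_by_type(vulns):
    """One defect per vulnerability type: developers fix a class of bug at once."""
    groups = defaultdict(list)
    for v in vulns:
        groups[v["cwe"]].append(v)
    return [
        {"title": f"Fix {len(items)} {cwe} finding(s)", "cwe": cwe, "findings": items}
        for cwe, items in sorted(groups.items())
    ]


def bundle_by_severity(vulns):
    """One defect per severity band: fits teams that already work a prioritised backlog."""
    groups = defaultdict(list)
    for v in vulns:
        groups[v["severity"]].append(v)
    return [
        {"title": f"Fix {len(groups[s])} {s} severity finding(s)", "severity": s, "findings": groups[s]}
        for s in SEVERITY_ORDER if s in groups
    ]


def reconcile(vulns, latest_scan, scan_date):
    """Scanner confirms fixes: any open record the latest scan no longer reports is closed.

    latest_scan is the set of (cwe, file) identities reported by the new scan;
    a developer saying "fixed" never closes anything on its own.
    """
    for v in vulns:
        if v["closed"] is None and (v["cwe"], v["file"]) not in latest_scan:
            v["closed"] = scan_date
    return vulns


def mttr_days(vulns):
    """Mean time to remediation in days over closed records (None if nothing is closed)."""
    durations = [(v["closed"] - v["opened"]).days for v in vulns if v["closed"] is not None]
    return sum(durations) / len(durations) if durations else None


def sample_vulns():
    """Constructed sample data, not from any real scan."""
    return [
        {"cwe": "CWE-89", "file": "app/db.py", "severity": "high",
         "opened": date(2020, 9, 1), "closed": date(2020, 9, 11)},
        {"cwe": "CWE-79", "file": "app/views.py", "severity": "medium",
         "opened": date(2020, 9, 5), "closed": None},
        {"cwe": "CWE-79", "file": "app/forms.py", "severity": "medium",
         "opened": date(2020, 9, 10), "closed": date(2020, 9, 14)},
        {"cwe": "CWE-89", "file": "app/reports.py", "severity": "high",
         "opened": date(2020, 9, 12), "closed": None},
    ]


def rescan_sample():
    """Apply a constructed follow-up scan (still sees the XSS in views.py, not the
    SQLi in reports.py) to the sample data and return the updated records."""
    return reconcile(sample_vulns(), {("CWE-79", "app/views.py")}, date(2020, 9, 20))


if __name__ == "__main__":
    for defect in bundle_by_type(sample_vulns()):
        print(defect["title"])
    print("MTTR before rescan (days):", mttr_days(sample_vulns()))
    print("MTTR after rescan (days):", mttr_days(rescan_sample()))
```

Bundling by type is the usual first step because the fix for twenty findings of one CWE is typically one change to a shared helper; bundling by severity suits a team that already triages a backlog. Either way the defect count stays small enough that administering tickets does not cost more than fixing them.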
Verification
• Architecture Assessment
• Requirements-driven Testing
• Security Testing
Architecture Assessment
• This largely has to be done manually
• SLOW
• Some architectural policies may be checked automatically
• Cloud configuration
ScoutSuite
• Check configuration of cloud environments
• Checks for:
• Open S3 buckets
• IAM configuration
https://github.com/nccgroup/ScoutSuite
Requirements-Driven Testing
• Control verification: largely a manual process
• SLOW
• Misuse/abuse testing:
• Fuzzing can be automated, but runtimes can extend beyond the time budget for FAST
• Abuse case and business logic testing is manual
• DoS testing does not fit in most general pipelines
• Mostly SLOW
• Some automation and integration possible
Security Testing
• THIS is really what the discussion comes down to
• How sufficient is the security testing you can stuff into a CI/CD pipeline?
• OWASP SAMM has two streams:
• Scalable baseline
• Deep understanding
OWASP and Testing
• OWASP has traditionally had a cultural focus on the strengths (and weaknesses) of automated testing tools
• Consultants vs scanner vendors
• Testing Guide
• https://owasp.org/www-project-web-security-testing-guide/
• ASVS
• https://owasp.org/www-project-application-security-verification-standard/
Scalable Baseline Stream
• Three levels of maturity
1. Use an automated tool
2. Employ application-specific automation (tuning)
3. Integrate into the build process
• This webinar presupposes the top level of maturity
• You did remember to tune your scanner before you put it in the build process, right?
Deep Understanding Stream
• This is all manual
• Manual test high-risk components
• Perform penetration testing
• Integrate testing into the development process
• Tooling can help
• Focus efforts on diffs / new or altered functionality
Testing in CI/CD Pipelines
SAST in CI/CD
• Mostly open source linting tools
• Need for speed
• Commercial-grade tools are less prevalent
• Run SAST on diffs?
• Cross-method/class data and control flow takes time
• Cut down the rules
• Shorten run times
• Limit false positives
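"Run SAST on diffs?" is the practical way to meet the need for speed described above: scan only what changed, and report only findings that sit on lines the change introduced, so the pipeline does not block a developer on pre-existing debt. The following is an added example, not code from the deck, from Denim Group, or from any scanner: it parses a unified diff into the set of added or modified line numbers per file, and filters a constructed list of scanner findings (dicts with `file`, `line` and `rule` keys, an assumed shape) down to those on changed lines. The sample diff is constructed for illustration; the parser uses the hunk line counts to know where each hunk ends, so a removed line that happens to start with `--` is not mistaken for a file header.

```python
"""Restrict SAST results to the lines a change actually touched.

Added example, not code from the Denim Group deck or from any scanner.
The finding shape {'file', 'line', 'rule'} and the sample diff below are
assumptions constructed for illustration.
"""
import re
from collections import defaultdict

# Captures old start/count and new start/count from a unified-diff hunk header
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def added_lines(diff_text):
    """Map each post-change file path to the set of new-file line numbers that were added or modified."""
    added = defaultdict(set)
    current = None          # path of the file the current hunks belong to (None for deletions)
    new_line = 0            # line number in the post-change file
    old_left = new_left = 0  # lines still expected in the current hunk, from the header counts
    for raw in diff_text.splitlines():
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(3))
            old_left = int(m.group(2)) if m.group(2) is not None else 1
            new_left = int(m.group(4)) if m.group(4) is not None else 1
            continue
        if old_left > 0 or new_left > 0:
            # Inside a hunk: classify by prefix and consume the header counts
            if raw.startswith("\\"):          # "\ No newline at end of file"
                continue
            if raw.startswith("+"):
                if current is not None:
                    added[current].add(new_line)
                new_line += 1
                new_left -= 1
            elif raw.startswith("-"):
                old_left -= 1
            else:                              # context line (some tools omit the leading space when empty)
                new_line += 1
                new_left -= 1
                old_left -= 1
            continue
        if raw.startswith("+++ "):
            path = raw[4:].split("\t")[0]
            if path == "/dev/null":
                current = None
            else:
                current = path[2:] if path.startswith("b/") else path
    return dict(added)


def changed_files(diff_text):
    """Files worth scanning at all for this change."""
    return set(added_lines(diff_text))


def findings_in_diff(findings, diff_text):
    """Keep only findings located on a line this diff added or modified."""
    added = added_lines(diff_text)
    return [f for f in findings if f["line"] in added.get(f["file"], ())]


# Constructed sample diff (not from a real repository)
SAMPLE_DIFF = "\n".join([
    "diff --git a/app/db.py b/app/db.py",
    "--- a/app/db.py",
    "+++ b/app/db.py",
    "@@ -10,4 +10,6 @@ def lookup(user):",
    "     conn = get_conn()",
    "-    q = \"SELECT * FROM users WHERE name = ?\"",
    "+    q = \"SELECT * FROM users WHERE name = '\" + user + \"'\"",
    "+    log.debug(q)",
    "     cur = conn.cursor()",
    "+    cur.execute(q)",
    "     return cur.fetchall()",
    "diff --git a/app/views.py b/app/views.py",
    "--- a/app/views.py",
    "+++ b/app/views.py",
    "@@ -1,3 +1,4 @@",
    " import os",
    "+import subprocess",
    " x = 1",
    " y = 2",
])

# Constructed findings: two on changed lines, one on untouched context, one in an untouched file
SAMPLE_FINDINGS = [
    {"file": "app/db.py", "line": 11, "rule": "sql-string-concat"},
    {"file": "app/db.py", "line": 15, "rule": "unused-result"},
    {"file": "app/views.py", "line": 2, "rule": "subprocess-import"},
    {"file": "app/old.py", "line": 3, "rule": "hardcoded-secret"},
]

if __name__ == "__main__":
    print("scan these files:", sorted(changed_files(SAMPLE_DIFF)))
    for f in findings_in_diff(SAMPLE_FINDINGS, SAMPLE_DIFF):
        print(f"{f['file']}:{f['line']} {f['rule']}")
```

Two caveats follow from the deck's own point about cross-method data flow: a change on line 11 can make an untouched sink elsewhere exploitable, and diff-scoped results will miss it, so this filter belongs in the FAST lane only, with the full scan still running outside the pipeline.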
DAST in CI/CD
• Concerns about run times
• Approaches for targeted DAST
• Focus on changes in the app
Targeting DAST Testing
Webinar: Monitoring Application Attack Surface and Integrating Security into DevOps Pipelines
https://threadfix.it/resources/monitoring-application-attack-surface-and-integrating-security-into-devops-pipelines/
IAST in CI/CD
• Great!
• Typically relies on generated traffic
• Use DAST testing to generate traffic
• Use integration tests to generate traffic
SCA in CI/CD
• Great!
• Look at run time tradeoffs vs. velocity of new components and new vulnerabilities
Operations
• Incident Management
• Environmental Management
• Operational Management
Incident Management
• Not in a pipeline
• Use automation for detection where possible
• Some automation frameworks available for response
Application Logging for Security
Video: Top Strategies to Capture Security Intelligence for Applications
https://www.denimgroup.com/resources/article/top-strategies-to-capture-security-intelligence-for-applications-includes-educational-video/
Environment Management
• Servers should be cattle, not pets
• Configuration Handling stream:
• Hopefully you have this sorted given the work you have done for Secure Deployment
• Chef, Puppet, Terraform
• ScoutSuite
• Patching and Updating stream:
• Detection: FAST
• Actual patching: SLOW
Operational Management
• Data Protection stream: SLOW
• Oh, wait, your DLP solution will sort this out for you
• Decommissioning: SLOW
Conclusions
What Goes in a Pipeline?
• Linting SAST
• DAST if you can target it
• IAST if you can generate meaningful traffic
• SCA if you want
What Likely Has to be Done Outside?
• Full, commercial-grade SAST
• Full DAST
• Manual code review
• Penetration testing
• Threat modeling
What Has to be Done Outside?
• Most everything else
• Strategy
• Policy
• Training
• Architecture
• Security requirements
Shifting Left is Awesome…
• But it is only one aspect of a far more complicated landscape
• For testing: think coverage
• Classes of vulnerabilities
• Detection approaches
• Quality of approaches
• For everything else:
• Think programmatically
Questions
Building a world where technology is trusted.
@denimgroup
www.denimgroup.com

How to achieve security, reliability, and productivity in less timeHow to achieve security, reliability, and productivity in less time
How to achieve security, reliability, and productivity in less time
 

More from Denim Group

A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
Denim Group
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Denim Group
 
Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7
Denim Group
 
Reducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained EnvironmentsReducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained Environments
Denim Group
 
Securing Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term ElectionsSecuring Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term Elections
Denim Group
 
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT TechnologiesUnderstanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Denim Group
 
Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix
Denim Group
 

More from Denim Group (7)

A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...
 
Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7
 
Reducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained EnvironmentsReducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained Environments
 
Securing Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term ElectionsSecuring Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term Elections
 
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT TechnologiesUnderstanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
 
Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix
 

Recently uploaded

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
Fwdays
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 

Recently uploaded (20)

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 

OWASP San Antonio Meeting 10/2/20

  • 1. © 2020 Denim Group – All Rights Reserved
    Building a world where technology is trusted.
    Dan Cornell | CTO
    AppSec Fast And Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
    October 2, 2020
  • 2. How we can help: Denim Group is solely focused on helping build resilient software that will withstand attacks.
    • Advisory Services
    • Assessment Services
    • Remediation Services
    • Vulnerability Resolution Platform
    • Since 2001, helping secure software
    • Development background
    • Tools + services model
  • 3. Agenda
    • Cool Kids: Moving FAST
    • SSA Programs
    • Fast and Slow
    • OWASP SAMM Walkthrough
    • Conclusions
    • Questions
  • 4. Cool Kids: Moving FAST
  • 5. Security in the DevOps Pipeline
    • Organizations like Etsy and Netflix are doing amazing things to secure applications via their DevOps pipelines
  • 6. All About the Pipeline
    • Security checks in the pipeline
      • Application
      • Infrastructure
      • Cloud
    • Automation is king
  • 7. But What Doesn’t Fit Into a Pipeline?
    • Dangers of DevSecOps fundamentalism
    • The Pipeline Isn’t the Program
  • 8. SSA Programs
  • 9. What is Your “Why?”
    • Simon Sinek TED Talk (if you have seen this before, rolling your eyes at this point is acceptable)
    • Why -> How -> What
    • https://www.youtube.com/watch?v=qp0HIF3SfI4
  • 10. What is an SSA Program
    • SSA = Software Security Assurance
    • Set of practices and activities used to reliably create, maintain, and deploy secure software
    • “We do an annual app pen test for PCI” is not an SSA program
      • Or at least probably not a very effective one
    • “Here are the security checks we figured out how to stuff into our CI/CD pipeline” is also not an SSA program
    • Danger: Don’t let the pipeline become your program
    • “Shifting left” isn’t bad – it just isn’t everything
  • 11. SSA Program References
    • OWASP SAMM
    • BSIMM
  • 12. OWASP SAMM
    • Originally OpenSAMM from Pravir Chandra
    • OWASP’s evolution/fork
    • Five Business Functions
      • Three Security Practices for each
      • Two Streams for each
    • https://owaspsamm.org/
  • 13. OWASP SAMM
  • 14. BSIMM
    • Originally from Cigital (now Synopsys)
    • Based on data collection from participating organizations
    • Four domains
      • Three Practices for each
      • Total of 119 Activities
    • https://www.bsimm.com/
  • 15. BSIMM
  • 16. OWASP SAMM Walkthrough
    • We will use OWASP SAMM for the purposes of this webinar
      • More prescriptive
      • Less vendor-centric
    • If you are using BSIMM it is pretty trivial to translate
  • 17. If You Are Just Starting Out
    • Assessing your program using either tool is less-than-ideal
    • Better:
      • Define your scope/mandate
      • Do some testing
      • Run some vulnerabilities through resolution
      • Proceed from there
    • https://www.denimgroup.com/contact-us/
  • 18. Fast and Slow
  • 19. Thinking Fast and Slow
    • Written by Daniel Kahneman
    • System 1 (Fast): Instinctive, emotional
    • System 2 (Slow): Deliberative, logical
    • (For AppSec purposes, use configuration/customization to minimize the “emotional”)
    • https://www.amazon.com/Thinking-Fast-Slow-Daniel-Kahneman/dp/0141033576/ref=asc_df_0141033576/
  • 20. An Aside: What Horrible Names!
    • System 1 and System 2 ???
    • Almost as bad as Type I and Type II Errors
    • https://www.simplypsychology.org/type_I_and_type_II_errors.html
  • 21. Another Aside: The Undoing Project
    • Michael Lewis book on the research of and the collaboration between Daniel Kahneman and Amos Tversky
    • https://www.amazon.com/Undoing-Project-Friendship-Changed-Minds/dp/0393354776/ref=sr_1_2
  • 22. Fast and Slow
    • In a culture like DevSecOps that is so focused on FAST, what is still critical, but has to go SLOW?
  • 23. What Do We Mean By FAST?
    • Blog post: Power, Responsibility, and Security’s Role in the DevOps Pipeline
    • https://www.denimgroup.com/resources/blog/2019/02/power-responsibility-and-securitys-role-in-the-devops-pipeline/
  • 24. To Be DevSecOps FAST
    1. Available quickly
    2. High-value
    3. Low (NO) false positives (no Type I errors)
    • Limited time budget
    • Developers have to care
    • Don’t waste developers’ time
  • 25. OWASP SAMM Walkthrough
  • 26. Governance
    • Strategy and Metrics
    • Policy and Compliance
    • Education and Guidance
  • 27. Strategy and Metrics
    • You can’t automate strategy
      • SLOW
    • You can use CI/CD to feed your metrics
      • Kinda FAST
    • Metrics in general: very automatable
  • 28. Policy and Compliance
    • You can’t automate the creation of your policies
      • SLOW
    • You can use CI/CD to automate some policy checks
      • CI/CD pass/fail
      • Be careful of limitations – this is a helper, not definitive
      • Kinda FAST
  • 29. CI/CD Policy Configuration
    • Testing
      • Synchronous
      • Asynchronous
    • Decision
    • Reporting
    • Blog Post: Effective Application Security Testing in DevOps Pipelines
    • http://www.denimgroup.com/blog/2016/12/effective-application-security-testing-in-devops-pipelines/
    • https://www.denimgroup.com/resources/effective-application-security-for-devops/
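The pass/fail policy check of slide 28 and the four configuration knobs of slide 29 (synchronous vs. asynchronous testing, decision, reporting), as an added Python example that is not Denim Group's code or any vendor's. The tool names, the `Finding` fields and the sample findings are constructed for illustration; the gate blocks only on new high/critical findings from the fast, tuned tools and lets the long-running DAST run report asynchronously, which is the "helper, not definitive" posture the slide describes.

```python
"""CI/CD security policy gate: synchronous vs. asynchronous checks, a pass/fail
decision, and a report.  Constructed illustration, not Denim Group code."""
from dataclasses import dataclass, field
from typing import FrozenSet, List


@dataclass(frozen=True)
class Finding:
    tool: str        # which scanner produced it, e.g. "sast-lint", "sca", "dast-full"
    severity: str    # "critical" | "high" | "medium" | "low"
    rule: str        # rule or vulnerability id as the tool reports it
    location: str    # file:line, component@version, or URL
    new: bool        # True if absent from the previous (baseline) scan


@dataclass(frozen=True)
class GatePolicy:
    # Tools run synchronously: the build waits for them and they may fail it.
    # Anything else is asynchronous: recorded and reported, never blocking.
    synchronous_tools: FrozenSet[str]
    fail_severities: FrozenSet[str]   # severities that count as blocking
    only_new_findings: bool = True    # do not block the build on pre-existing debt
    max_blocking: int = 0             # tolerated number of blocking findings


@dataclass
class GateResult:
    passed: bool
    blocking: List[Finding] = field(default_factory=list)
    advisory: List[Finding] = field(default_factory=list)


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def evaluate(findings: List[Finding], policy: GatePolicy) -> GateResult:
    """Decision step: split findings into blocking and advisory, then pass/fail."""
    blocking: List[Finding] = []
    advisory: List[Finding] = []
    for f in findings:
        blocks = (
            f.tool in policy.synchronous_tools
            and f.severity in policy.fail_severities
            and (f.new or not policy.only_new_findings)
        )
        (blocking if blocks else advisory).append(f)
    blocking.sort(key=lambda f: -SEVERITY_RANK[f.severity])
    return GateResult(len(blocking) <= policy.max_blocking, blocking, advisory)


def report(result: GateResult) -> str:
    """Reporting step: one line per finding, suitable for a build log or a metrics feed."""
    verdict = "PASS" if result.passed else "FAIL"
    lines = [f"GATE {verdict}: {len(result.blocking)} blocking, {len(result.advisory)} advisory"]
    lines += [f"  BLOCK [{f.tool}] {f.severity:<8} {f.rule} @ {f.location}" for f in result.blocking]
    lines += [f"  INFO  [{f.tool}] {f.severity:<8} {f.rule} @ {f.location}" for f in result.advisory]
    return "\n".join(lines)


# Constructed sample scan output for one build; tool names, ids and paths are made up.
SAMPLE_FINDINGS = [
    Finding("sast-lint", "high", "hardcoded-credential", "src/db.py:42", new=True),
    Finding("sast-lint", "medium", "weak-hash-md5", "src/auth.py:17", new=True),
    Finding("sca", "critical", "VULN-ID-PLACEHOLDER", "example-lib@1.2.3", new=False),
    Finding("dast-full", "high", "reflected-xss", "/search?q=", new=True),
]

# Fast, tuned checks may block; the long-running DAST run only reports.
SAMPLE_POLICY = GatePolicy(
    synchronous_tools=frozenset({"sast-lint", "sca"}),
    fail_severities=frozenset({"critical", "high"}),
)


def run_gate(findings=SAMPLE_FINDINGS, policy=SAMPLE_POLICY) -> GateResult:
    return evaluate(findings, policy)


if __name__ == "__main__":
    outcome = run_gate()
    print(report(outcome))
    raise SystemExit(0 if outcome.passed else 1)
```

With the sample data the gate fails on the single new high-severity lint finding; the baseline SCA finding and the DAST result are reported but do not block, which keeps the synchronous part of the pipeline inside the time budget while the metrics feed still sees everything.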
  • 30. Education and Guidance
    • Instructor-led training: SLOW
    • eLearning
      • Monolithic: SLOW
      • Targeted: Not FAST, but increasingly interesting
    • Security Champions
      • Common responsibility is to configure security testing in CI/CD environments and tune scanning
      • They make things FASTer
  • 31. Security Champions
    • Webinar: Security Champions: Pushing Security Expertise to the Edges of Your Organization
    • https://www.denimgroup.com/resources/webinar/security-champions-pushing-security-expertise-to-the-edges-of-your-organization/
  • 32. Design
    • Threat Assessment
    • Security Requirements
    • Security Architecture
  • 33. Threat Assessment
    • Determining your general application threat profiles can’t be automated
      • SLOW
    • Threat Modeling also requires a lot of manual work
      • Some new interesting automation, but nothing in CI/CD pipelines
      • Some vendors providing tooling support
      • Can allow for manual incremental changes – not CI/CD, but fits better into Agile environments
      • SLOW
  • 34. Security Requirements
    • Determining your requirements is largely manual
      • Some tooling support is available
      • SLOW
    • Validating if they are met is largely manual, but we will look at this later during the Verification/Requirements-Driven Testing activity
  • 35. Secure Architecture
    • Determining your architectural security requirements is largely manual
      • SLOW
    • Validating if they are met is largely manual, but we will look at this later during the Verification/Architecture Assessment activity
  • 36. Implementation
    • Secure Build
    • Secure Deployment
    • Defect Management
  • 37. Secure Build
    • This is really the crux of what we are discussing today
      • FAST
    • How can you integrate security into the build process?
      • SAST/DAST/IAST
      • SCA
        • OWASP Dependency Check https://owasp.org/www-project-dependency-check/
    • If you are even considering this you have to have a repeatable build process
      • Otherwise please log off this webinar and pick up a Jenkins for Dummies book. You can pick this back up later.
    • Software Bill of Materials (SBOM)
      • OWASP Dependency Track https://dependencytrack.org/
  • 38. Architectural Bill of Materials
    • Webinar: The As, Bs, and Four Cs of Testing Cloud-Native Applications
    • https://www.denimgroup.com/resources/webinar/the-as-bs-and-four-cs-of-testing-cloud-native-applications/
  • 39. Secure Deployment
    • An extension of Secure Build
    • Organizations tend to be a little less mature
      • FAST
    • Technologies like Puppet, Chef, Terraform
  • 40. Defect Management
    • Subsets of this can be FAST
    • But you have to tune scanners or you will run into problems
      • High-value, no false positives
    • Technically, automated defect creation is usually possible
      • In practice, it takes a while to get to this level
    • Limited coverage: only works for vulnerabilities you can find with automation in CI/CD pipelines
      • We will talk more about these testing limitations in the Verification discussions
  • 41. Bundling Strategies
    • Turning vulnerabilities into defects
    • 1:1 approach?
      • More time spent administering defects than fixing issues
    • Bundling
      • By vulnerability type
      • By severity (more mature applications)
      • Other approaches
  • 42. Metrics and Feedback Stream
    • Scanner / developer provide separation of duties
      • Scanners find vulns, developers say they fixed them, scanners confirm they did
      • Obviously only applies to vulnerabilities identified by automation
    • Tracking mean-time-to-remediation (MTTR)
      • Good metric for Agile/DevOps teams – how fast can you fix?
      • (Better than defects per KLoC)
      • Benchmark against data from Veracode/WhiteHat
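The bundling strategies of slide 41 and the scanner-confirmed closure and MTTR tracking of slide 42, as one added Python example covering both; it is not Denim Group's or ThreadFix's code. The vulnerability ids, dates, types and locations are a constructed history; a finding is closed only when the latest scan stops reporting it, so a developer's "fixed" claim alone never moves the metric.

```python
"""Defect management helpers: scanner-confirmed closure, MTTR, and bundling of
vulnerabilities into developer-facing defects.  Constructed illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Set


@dataclass
class Vulnerability:
    vuln_id: str
    vuln_type: str                  # e.g. "SQL Injection"
    severity: str                   # "high" | "medium" | "low"
    location: str
    opened: date                    # first scan that reported it
    closed: Optional[date] = None   # set only when a scan no longer reports it


@dataclass
class Defect:
    title: str
    vuln_ids: List[str]


def reconcile(vulns: List[Vulnerability], latest_scan_ids: Set[str], scan_date: date) -> List[str]:
    """Separation of duties: a vulnerability is closed only when the scanner stops
    reporting it, regardless of whether a developer marked it fixed.
    Returns the ids closed by this scan."""
    closed_now = []
    for v in vulns:
        if v.closed is None and v.vuln_id not in latest_scan_ids:
            v.closed = scan_date
            closed_now.append(v.vuln_id)
    return closed_now


def mttr_days(vulns: List[Vulnerability]) -> Optional[float]:
    """Mean time to remediation over vulnerabilities the scanner has confirmed closed."""
    durations = [(v.closed - v.opened).days for v in vulns if v.closed is not None]
    return mean(durations) if durations else None


def bundle(vulns: List[Vulnerability], by: str = "type") -> List[Defect]:
    """Turn open vulnerabilities into defects grouped by type or by severity,
    instead of filing one defect per finding."""
    if by not in ("type", "severity"):
        raise ValueError("by must be 'type' or 'severity'")
    groups: Dict[str, List[Vulnerability]] = defaultdict(list)
    for v in vulns:
        if v.closed is None:
            groups[v.vuln_type if by == "type" else v.severity].append(v)
    defects = []
    for key, members in sorted(groups.items()):
        label = key if by == "type" else f"{key}-severity"
        defects.append(Defect(f"Fix {len(members)} {label} finding(s)", [m.vuln_id for m in members]))
    return defects


def one_to_one(vulns: List[Vulnerability]) -> List[Defect]:
    """The 1:1 approach the slide warns about, for comparison."""
    return [Defect(f"Fix {v.vuln_type} at {v.location}", [v.vuln_id]) for v in vulns if v.closed is None]


def sample_vulns() -> List[Vulnerability]:
    """Constructed vulnerability history; ids, dates and locations are made up."""
    return [
        Vulnerability("V1", "SQL Injection", "high", "OrderDao.java:88", date(2020, 9, 1)),
        Vulnerability("V2", "SQL Injection", "high", "UserDao.java:41", date(2020, 9, 1)),
        Vulnerability("V3", "XSS", "medium", "search.jsp:12", date(2020, 9, 10)),
        Vulnerability("V4", "XSS", "medium", "profile.jsp:30", date(2020, 9, 12)),
        Vulnerability("V5", "Missing Security Headers", "low", "/", date(2020, 9, 15)),
        Vulnerability("V6", "XSS", "medium", "help.jsp:7", date(2020, 9, 20)),
    ]


# Developers claimed V2, V3 and V6 fixed; the 2020-09-30 scan still reports V3.
LATEST_SCAN_IDS = {"V1", "V3", "V4", "V5"}
SCAN_DATE = date(2020, 9, 30)


if __name__ == "__main__":
    vulns = sample_vulns()
    print("closed by scanner:", reconcile(vulns, LATEST_SCAN_IDS, SCAN_DATE))
    print("MTTR (days):", mttr_days(vulns))
    print("1:1 defects:", len(one_to_one(vulns)))
    for d in bundle(vulns, by="type"):
        print(d.title, d.vuln_ids)
```

On the sample history the scanner confirms two closures (V2 and V6), V3 stays open despite the claim, MTTR comes out at 19.5 days, and the four remaining open findings become three type-bundled defects instead of four 1:1 tickets.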
  • 43. Verification
    • Architecture Assessment
    • Requirements-driven Testing
    • Security Testing
  • 44. Architecture Assessment
    • This largely has to be done manually
      • SLOW
    • Some architectural policies may be checked automatically
      • Cloud configuration
  • 45. ScoutSuite
    • Check configuration of cloud environments
    • Checks for:
      • Open S3 buckets
      • IAM configuration
    • https://github.com/nccgroup/ScoutSuite
  • 46. Requirements-Driven Testing
    • Control verification: largely a manual process
      • SLOW
    • Misuse/abuse testing:
      • Fuzzing can be automated, but runtimes can extend beyond the time budget for FAST
      • Abuse case and business logic testing is manual
      • DoS testing does not fit in most general pipelines
      • Mostly SLOW
      • Some automation and integration possible
  • 47. Security Testing
    • THIS is really what the discussion comes down to
    • How sufficient is the security testing you can stuff into a CI/CD pipeline?
    • OWASP SAMM has two streams:
      • Scalable baseline
      • Deep understanding
  • 48. OWASP and Testing
    • OWASP has traditionally had a cultural focus on the strengths (and weaknesses) of automated testing tools
      • Consultants vs scanner vendors
    • Testing Guide
      • https://owasp.org/www-project-web-security-testing-guide/
    • ASVS
      • https://owasp.org/www-project-application-security-verification-standard/
  • 49. Scalable Baseline Stream
    • Three levels of maturity
      1. Use an automated tool
      2. Employ application-specific automation (tuning)
      3. Integrate into the build process
    • This webinar presupposes the top level of maturity
      • You did remember to tune your scanner before you put it in the build process, right?
  • 50. Deep Understanding Stream
    • This is all manual
      • Manually test high-risk components
      • Perform penetration testing
      • Integrate testing into the development process
    • Tooling can help
      • Focus efforts on diffs / new or altered functionality
  • 51. Testing in CI/CD Pipelines
  • 52. SAST in CI/CD
    • Mostly open source linting tools
      • Need for speed
    • Commercial-grade tools are less prevalent
      • Run SAST on diffs?
      • Cross-method/class data and control flow takes time
      • Cut down the rules
        • Shorten run times
        • Limit false positives
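The "focus on diffs" idea of slide 50 and the "run SAST on diffs / cut down the rules" approach of slide 52, as one added Python example that is not Denim Group's code or any scanner's ruleset. It parses a unified diff, tracks new-file line numbers, and runs a handful of cheap regex rules over added lines only; the diff, file names and rules are constructed, and the second file deliberately carries a pre-existing risky call as unchanged context so the scan shows that old debt is not reported as a result of this change.

```python
"""Diff-scoped linting SAST: parse a unified diff, run a few cheap rules over
added lines only, report findings with new-file line numbers.
Constructed illustration; the rules are illustrative, not a real tool's ruleset."""
import re
from typing import Iterator, List, Tuple

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# (rule name, pattern).  Few, high-confidence patterns keep run time and
# false positives down, which is the tradeoff the slide describes.
RULES = [
    ("weak-hash", re.compile(r"hashlib\.(md5|sha1)\(")),
    ("hardcoded-secret", re.compile(r"(password|passwd|secret|api_key|token)\s*=\s*['\"][^'\"]+['\"]", re.I)),
    ("shell-true", re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True")),
    ("pickle-load", re.compile(r"\bpickle\.loads?\(")),
]


def added_lines(diff_text: str) -> Iterator[Tuple[str, int, str]]:
    """Yield (path, new_line_number, text) for every '+' line in a unified diff."""
    path, lineno = "", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path   # drop git's b/ prefix
        elif raw.startswith("--- ") or raw.startswith("\\"):
            continue                         # old-file header / "No newline" marker
        elif HUNK_HEADER.match(raw):
            lineno = int(HUNK_HEADER.match(raw).group(1))
        elif raw.startswith("+"):
            yield path, lineno, raw[1:]
            lineno += 1
        elif raw.startswith("-"):
            continue                         # removed line: has no new-file number
        else:
            lineno += 1                      # context line advances the new file


def scan_diff(diff_text: str) -> List[Tuple[str, int, str]]:
    """Run RULES over added lines only; returns (path, line, rule) triples."""
    findings = []
    for path, lineno, text in added_lines(diff_text):
        for name, pattern in RULES:
            if pattern.search(text):
                findings.append((path, lineno, name))
    return findings


# Constructed diff.  tasks.py keeps a pre-existing shell=True call as *context*,
# which a diff-scoped scan deliberately does not flag (old debt, not this change).
SAMPLE_DIFF = """\
diff --git a/app/auth.py b/app/auth.py
--- a/app/auth.py
+++ b/app/auth.py
@@ -10,4 +10,7 @@ import os
 import hashlib
 
 def check(user, pw):
-    return user.pw_hash == hashlib.sha256(pw.encode()).hexdigest()
+    digest = hashlib.md5(pw.encode()).hexdigest()
+    return user.pw_hash == digest
+
+API_KEY = "constructed-example-value"
diff --git a/app/tasks.py b/app/tasks.py
--- a/app/tasks.py
+++ b/app/tasks.py
@@ -3,3 +3,4 @@
 import subprocess
 subprocess.run(cmd, shell=True)
+log.info("running %s", cmd)
 return 0
"""


if __name__ == "__main__":
    for path, line, rule in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{line}: {rule}")
```

Scoping to added lines is what makes a check like this fit the time budget and keeps it from re-reporting findings developers did not introduce; the price, as slide 52 notes, is that anything needing cross-method or cross-class data flow is out of reach and still belongs to a full SAST run outside the pipeline.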
  • 53. DAST in CI/CD
    • Concerns about run times
    • Approaches for targeted DAST
      • Focus on changes in the app
  • 54. Targeting DAST Testing
    • Webinar: Monitoring Application Attack Surface and Integrating Security into DevOps Pipelines
    • https://threadfix.it/resources/monitoring-application-attack-surface-and-integrating-security-into-devops-pipelines/
  • 55. IAST in CI/CD
    • Great!
    • Typically relies on generated traffic
      • Use DAST testing to generate traffic
      • Use integration tests to generate traffic
  • 56. SCA in CI/CD
    • Great!
    • Look at run time tradeoffs vs. velocity of new components and new vulnerabilities
  • 57. Operations
    • Incident Management
    • Environmental Management
    • Operational Management
  • 58. Incident Management
    • Not in a pipeline
    • Use automation for detection where possible
    • Some automation frameworks available for response
  • 59. Application Logging for Security
    • Video: Top Strategies to Capture Security Intelligence for Applications
    • https://www.denimgroup.com/resources/article/top-strategies-to-capture-security-intelligence-for-applications-includes-educational-video/
  • 60. Environment Management
    • Servers should be cattle, not pets
    • Configuration Handling stream:
      • Hopefully you have this sorted given the work you have done for Secure Deployment
      • Chef, Puppet, Terraform
      • ScoutSuite
    • Patching and Updating stream:
      • Detection: FAST
      • Actual patching: SLOW
  • 61. Operational Management
    • Data Protection stream: SLOW
      • Oh, wait, your DLP solution will sort this out for you
    • Decommissioning: SLOW
  • 62. Conclusions
  • 63. What Goes in a Pipeline?
    • Linting SAST
    • DAST if you can target it
    • IAST if you can generate meaningful traffic
    • SCA if you want
  • 64. What Likely Has to be Done Outside?
    • Full, commercial-grade SAST
    • Full DAST
    • Manual code review
    • Penetration testing
    • Threat modeling
  • 65. What Has to be Done Outside?
    • Most everything else
      • Strategy
      • Policy
      • Training
      • Architecture
      • Security requirements
  • 66. Shifting Left is Awesome…
    • But it is only one aspect of a far more complicated landscape
    • For testing: think coverage
      • Classes of vulnerabilities
      • Detection approaches
      • Quality of approaches
    • For everything else:
      • Think programmatically
  • 67. Questions
  • 68. Building a world where technology is trusted.
    • @denimgroup
    • www.denimgroup.com