Middle Distance Security
Product Security
Steven Carlson
Software Engineer who is passionate about clean, secure code.
https://rockrunner007.github.io/
Employment: 15 years in tech
• 3+ years local government
• 10+ years in Financial Technology
• 1 year in Ecommerce
• Helpdesk -> Software Engineer -> Security -> DevOps = Product Security
The Talk
• Middle Distance Security
• "This talk will argue that DevOps methodologies can be applied to traditional application security practices. Only when developers and operations team members are enabled to make security a part of their everyday work will an organization's security culture change. We must meet security at the sweet spot between running a marathon and sprinting towards a software deployment. So put on your running shoes; it's time for Dev{Sec}Ops!"
Middle Distance Security
• Product Security is a superset of application security, infrastructure security, and security operations around a particular product or system.
• Focuses on designing security into the products
• Frequently reports into engineering, CTO
“Code never lies, just runs as well as the person who wrote it.”
- Steven Carlson
Peter Snell
“Snell was one of the greatest middle-distance runners of all time.”
- Runner's World
Background
• Born in the tiny New Zealand beach township of Opunake, Snell dominated the track world in the 800 meters, 1500 meters, and mile in the years from the 1960 Olympics through the next Games in 1964.
• In addition to the three Olympic golds, his portfolio includes two Olympic records, two Commonwealth Games golds, and seven world records.
• Even that list does not adequately define the supremacy that made one journalist cry, as Snell powered to his second victory at the Tokyo Olympics in 1964, “This is a god, not a man!”
“In his time, he was able to maintain a calm, quick pace that could outperform his competitors.”
Goals - Skills
• Protect the customer
• Product security engineers are involved in writing security requirements, code reviews, and vulnerability testing
• By "product" we mean both the application and infrastructure layers
What About Corporate Security?
• Tasked to defend and protect the enterprise
• Reports to a CISO or CSO, frequently within the IT department
• Goals can be misaligned with engineering teams
• Traditionally involved in network design, deployment of off-the-shelf products, etc.
Marathon
• A marathon is a long-distance race with an official distance of 26.2 miles
Build pipeline
Lessons Learned – 5 years in the making
• The Bad
  • Frustrated engineers
  • Lots of data
  • A lot of custom Dev work
• The Good
  • Very skilled individuals
  • Alerts based on exploits
  • Business has complete visibility
“That happy place between being on your tippy toes and being bored out of your mind.”
- Steven Carlson
Build pipeline
Culture of Product Security
• Get everyone on board from the start
• Present a maturity program
• Provide the ROI to leadership
• Kick off open discussions with Engineers
• Enable (not force) engineers to become Security Champions
Kick off programs
• Security Champions
• Threat Modeling
• Software Component Analysis
• Secrets Management
• Application Security Testing
• Web Security
• Cloud Governance
• Risk Register
Build a team
• Work with Leadership on head count
• Cross-train with existing DevOps and Security Engineers
• Pick a leader that you trust
• Put on your running shoes
Know Your Product
• Know the product you are supporting inside out
• Reach out to the engineers who have previously worked, or are currently working, on the existing software
• Reach out to the IT staff who have previously worked, or are currently working, on the existing infrastructure
Measure Your Success
• Produce weekly reports for executive management
• Align metrics with the audience
• Request feedback early and often
• Less is often more
• With a Software Development Life Cycle (SDLC) in place, showing security improvement over time against the number of vulnerabilities found can help.
Tools / Demo
• Sample templates: https://github.com/RockRunner007/gitlab-templates
• GitLab supported templates: https://gitlab.com/gitlab-org/gitlab-foss
• Python management: https://python-gitlab.readthedocs.io/en/stable/index.html
Secrets Detection
include:
  - project: 'infra/gitlab-templates'
    file: 'jobs/Secret-Detection.gitlab-ci.yml'
stages:
  - secrets
secret_detection:
  stage: secrets
  artifacts:
    expire_in: 1 day
  #variables: # Optional if you want to exclude a test project
  #  SECRET_DETECTION_EXCLUDED_PATHS: ""
More Details: https://docs.gitlab.com/ee/user/application_security/secret_detection/
Static Application Security Testing (SAST)
include:
  - project: 'infra/gitlab-templates'
    file: 'jobs/SAST.gitlab-ci.yml'
stages:
  - sast
sast:
  stage: sast
  artifacts:
    expire_in: 1 day
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_EXCLUDED_ANALYZERS: ""
    SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
    SCAN_KUBERNETES_MANIFESTS: "false"
More Details: https://docs.gitlab.com/ee/user/application_security/sast/
Container Scanning
include:
  - project: 'infra/gitlab-templates'
    file: 'security/Container-Scanning.gitlab-ci.yml'
stages:
  - build
  - containersecurity
  - check_results
container_scanning:
  stage: containersecurity
  artifacts:
    expire_in: 1 day
    paths:
      - gl-container-scanning-report.json
  variables:
    GIT_STRATEGY: fetch
    CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
    CI_APPLICATION_TAG: $CI_COMMIT_SHA
  rules:
    - if: '$CI =~ /.*/'
      when: always
More Details: https://docs.gitlab.com/ee/user/application_security/container_scanning/
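The Container Scanning job above keeps its findings in the gl-container-scanning-report.json artifact, and the pipeline declares a check_results stage after it. The script below is an added example of what such a stage can run, written here to illustrate the idea; it is not from the slides, from the linked gitlab-templates repository, or from GitLab. It assumes the report follows the GitLab security-report shape (a top-level "vulnerabilities" list whose items carry a "severity" string, one of Info, Unknown, Low, Medium, High or Critical); the sample report embedded in it is constructed. It summarizes findings by severity, fails the job when anything at or above a chosen severity is present, and fails closed when the artifact is missing or empty, so a scanner that silently produced nothing cannot pass as a clean result.

```python
"""Gate a pipeline stage on a GitLab container-scanning report.

Added example for the check_results stage of the Container Scanning job; not
part of the original slides, the gitlab-templates repository, or GitLab.
Assumption: the report is a JSON object with a top-level "vulnerabilities"
list whose items carry a "severity" string. SAMPLE_REPORT is constructed.
"""
import json
import sys
from collections import Counter
from pathlib import Path

# Severity labels used by GitLab security reports, least to most severe.
SEVERITIES = ("Info", "Unknown", "Low", "Medium", "High", "Critical")

# Constructed sample shaped like gl-container-scanning-report.json.
SAMPLE_REPORT = {
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "example-1", "name": "openssl: example finding", "severity": "Critical",
         "location": {"dependency": {"package": {"name": "openssl"}}}},
        {"id": "example-2", "name": "curl: example finding", "severity": "High",
         "location": {"dependency": {"package": {"name": "curl"}}}},
        {"id": "example-3", "name": "zlib: example finding", "severity": "Low",
         "location": {"dependency": {"package": {"name": "zlib"}}}},
    ],
}


def summarize(report):
    """Count findings per severity; labels outside SEVERITIES count as Unknown."""
    counts = Counter({s: 0 for s in SEVERITIES})
    for vuln in report.get("vulnerabilities", []):
        severity = vuln.get("severity", "Unknown")
        counts[severity if severity in SEVERITIES else "Unknown"] += 1
    return dict(counts)


def should_fail(summary, fail_on="High"):
    """True when at least one finding is at or above the fail_on severity."""
    threshold = SEVERITIES.index(fail_on)
    return any(summary.get(s, 0) > 0 for s in SEVERITIES[threshold:])


def load_report(path):
    """Read the artifact; a missing or empty file returns None so callers fail closed."""
    p = Path(path)
    if not p.is_file() or p.stat().st_size == 0:
        return None
    with p.open(encoding="utf-8") as fh:
        return json.load(fh)


def gate(path, fail_on="High"):
    """Return the exit code the check_results job should finish with."""
    report = load_report(path)
    if report is None:
        print(f"{path}: report missing or empty; failing closed")
        return 2
    summary = summarize(report)
    print("findings by severity:", summary)
    if should_fail(summary, fail_on):
        print(f"findings at or above {fail_on}; failing the job")
        return 1
    return 0


if __name__ == "__main__":
    # Usage: python gate.py gl-container-scanning-report.json [High|Critical|...]
    report_path = sys.argv[1] if len(sys.argv) > 1 else "gl-container-scanning-report.json"
    sys.exit(gate(report_path, sys.argv[2] if len(sys.argv) > 2 else "High"))
```

The severity threshold is a parameter rather than a constant so the same script can start permissive (fail only on Critical) while a team works down its backlog and be tightened later; the exit code distinguishes "findings present" (1) from "no usable report" (2), which keeps the two failure modes visible in pipeline metrics.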
Dynamic Application Security Testing (DAST)
include:
  - project: 'infra/gitlab-templates'
    file: 'jobs/DAST.latest.gitlab-ci.yml'
stages:
  - dast
dast:
  stage: dast
  artifacts:
    expire_in: 1 day
  variables:
    DAST_WEBSITE: https://test.toolkit.co/
    DAST_FULL_SCAN_ENABLED: "true"
More Details: https://docs.gitlab.com/ee/user/application_security/dast/
Add Security
Secure Phase Guidance
• Find it early. Fix it early.
• Avoid replicating vulnerabilities
• Learn from constant feedback
Do I Need Product Security?
• Does your company develop and/or sell software?
• How are product security related vulnerabilities managed?
• Is your product tested for security flaws?
Feedback
Please remember to fill out the evaluation forms
Good Resources
• https://naksecurity.medium.com/product-security-measurement-complexity-and-the-near-future-a42ec7fd3cf7
• https://santikris2003.medium.com/product-security-dev-sec-tips-2fdb1698a3b3
• https://hockeyinjune.medium.com/product-security-14127b5838ba
• http://uploads.pnsqc.org/2015/papers/t-051_Rebelo_paper.pdf
• https://attack.mitre.org/
• https://www.gsa.gov/technology/technology-products-services/it-security/nist-cybersecurity-framework-csf
• https://www.nist.gov/itl/csd/secure-systems-and-applications
• https://owasp.org/www-pdf-archive/SAMM_Core_V1-5_FINAL.pdf
Glossary
• Application Security - the process of developing, adding, and testing security features within applications to prevent security vulnerabilities against threats.
• Infrastructure Security - the security provided to protect infrastructure, especially critical infrastructure such as cloud or datacenter resources.
• Security Operations - a centralized unit that deals with security issues on an organizational and technical level.
• Software Development Life Cycle (SDLC) - a conceptual framework describing all activities in a software development project from planning to maintenance. This process is associated with several models, each including a variety of tasks and activities.
• Security Vendors: https://blackpointcyber.com/blog/the-confusing-cyber-security-landscape/
• Peter Snell
  • https://youtu.be/RK0woLEtQQA
  • https://www.runnersworld.com/news/a30225240/peter-snell-dies-at-80/
• GitLab: https://about.gitlab.com/

More Related Content

What's hot

Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC Framework
Rishi Kant
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle
1&1
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Ransomware Resistance
Ransomware ResistanceRansomware Resistance
Ransomware Resistance
Florian Roth
 
Microsoft Security Development Lifecycle
Microsoft Security Development LifecycleMicrosoft Security Development Lifecycle
Microsoft Security Development Lifecycle
Razi Rais
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
asherad
 
Supply Chain Attacks
Supply Chain AttacksSupply Chain Attacks
Supply Chain Attacks
Lionel Faleiro
 
Threat Hunting Playbook.pdf
Threat Hunting Playbook.pdfThreat Hunting Playbook.pdf
Threat Hunting Playbook.pdf
laibaarsyila
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SME
AlienVault
 
Security and DevOps Overview
Security and DevOps OverviewSecurity and DevOps Overview
Security and DevOps Overview
Adrian Sanabria
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
Priyanka Aash
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
Dhruv Majumdar
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
Zakaria SMAHI
 
Pen Testing Explained
Pen Testing ExplainedPen Testing Explained
Pen Testing ExplainedRand W. Hirt
 

What's hot (20)

Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC Framework
 
Secure Software Development Lifecycle
Secure Software Development LifecycleSecure Software Development Lifecycle
Secure Software Development Lifecycle
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Ransomware Resistance
Ransomware ResistanceRansomware Resistance
Ransomware Resistance
 
Microsoft Security Development Lifecycle
Microsoft Security Development LifecycleMicrosoft Security Development Lifecycle
Microsoft Security Development Lifecycle
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
Supply Chain Attacks
Supply Chain AttacksSupply Chain Attacks
Supply Chain Attacks
 
Threat Hunting Playbook.pdf
Threat Hunting Playbook.pdfThreat Hunting Playbook.pdf
Threat Hunting Playbook.pdf
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SME
 
Security and DevOps Overview
Security and DevOps OverviewSecurity and DevOps Overview
Security and DevOps Overview
 
Application Security
Application SecurityApplication Security
Application Security
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Pen Testing Explained
Pen Testing ExplainedPen Testing Explained
Pen Testing Explained
 

Similar to Product Security

Dev{sec}ops
Dev{sec}opsDev{sec}ops
Dev{sec}ops
Steven Carlson
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
lior mazor
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
James Wickett
 
DevSecOps and the CI/CD Pipeline
 DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD Pipeline
James Wickett
 
ShiftGearsWithInformationSecurity.pdf
ShiftGearsWithInformationSecurity.pdfShiftGearsWithInformationSecurity.pdf
ShiftGearsWithInformationSecurity.pdf
Steven Carlson
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
James Wickett
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
Amien Harisen Rosyandino
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg Gryb
SeniorStoryteller
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam
 
State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019
Stefan Streichsbier
 
State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019
Stefan Streichsbier
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
DevOps Indonesia
 
State of DevSecOps - GTACS 2019
State of DevSecOps - GTACS 2019State of DevSecOps - GTACS 2019
State of DevSecOps - GTACS 2019
Stefan Streichsbier
 
Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24 webinar - application security in a dev ops world-08-2018Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps Transformation
Michele Chubirka
 
The Teams Behind DevSecOps
The Teams Behind DevSecOps The Teams Behind DevSecOps
The Teams Behind DevSecOps
Uleska
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
Brian Levine
 
Why 'positive security' is a software security game changer
Why 'positive security' is a software security game changerWhy 'positive security' is a software security game changer
Why 'positive security' is a software security game changer
Jaap Karan Singh
 

Similar to Product Security (20)

Dev{sec}ops
Dev{sec}opsDev{sec}ops
Dev{sec}ops
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
 
DevSecOps and the CI/CD Pipeline
 DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD Pipeline
 
ShiftGearsWithInformationSecurity.pdf
ShiftGearsWithInformationSecurity.pdfShiftGearsWithInformationSecurity.pdf
ShiftGearsWithInformationSecurity.pdf
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg Gryb
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019State of DevSecOps - DevSecOpsDays 2019
State of DevSecOps - DevSecOpsDays 2019
 
State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOps
 
State of DevSecOps - GTACS 2019
State of DevSecOps - GTACS 2019State of DevSecOps - GTACS 2019
State of DevSecOps - GTACS 2019
 
Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24 webinar - application security in a dev ops world-08-2018Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24 webinar - application security in a dev ops world-08-2018
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps Transformation
 
The Teams Behind DevSecOps
The Teams Behind DevSecOps The Teams Behind DevSecOps
The Teams Behind DevSecOps
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
 
Why 'positive security' is a software security game changer
Why 'positive security' is a software security game changerWhy 'positive security' is a software security game changer
Why 'positive security' is a software security game changer
 

Recently uploaded

UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 

Recently uploaded (20)

UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Product Security
2. Steven Carlson
Software Engineer who is passionate about clean secure code.
https://rockrunner007.github.io/
Employment: 15 years in tech
• 3+ years local government
• 10+ years in Financial Technology
• 1 year in Ecommerce
• Helpdesk -> Software Engineer -> Security -> DevOps = Product Security
3. The Talk
 Middle Distance Security
 "This talk will argue that DevOps methodologies can be applied to traditional application security practices. Only when developers and operations team members are enabled to make security a part of their everyday work will an organization's security culture change. We must meet security at the sweet spot between running a marathon and sprinting towards a software deployment. So put on your running shoes; it’s time for Dev{Sec}Ops!"
4. Middle Distance Security
 Product Security is a superset of application security, infrastructure security, and security operations around a particular product or system.
 Focuses on designing security into the products
 Frequently reports into engineering, CTO
5. “Code never lies, just runs as well as the person who wrote it.” - Steven Carlson
6. Peter Snell
 “Snell was one of the greatest middle-distance runners of all time.” - Runner's World
7. Background
 Born in the tiny New Zealand beach township of Opunake, Snell dominated the track world in the 800 meters, 1500 meters, and mile in the years from the 1960 Olympics through the next Games in 1964.
 In addition to the three Olympic golds, his portfolio includes two Olympic records, two Commonwealth Games golds, and seven world records.
 Even that list does not adequately define the supremacy that made one journalist cry, as Snell powered to his second victory at the Tokyo Olympics in 1964, “This is a god, not a man!”
8. “In his time, he was able to maintain a calm, quick pace that could outperform his competitors.”
9. Goals - Skills
• Protect the customer
• Product security engineers are involved in writing security requirements, code reviews, and vulnerability testing
• "Product" meaning that both the application and infrastructure layers are included
10. What About Corporate Security?
 Tasked to defend and protect the enterprise
 Reports to a CISO or CSO, frequently within the IT department
 Goals can be misaligned with those of the engineering teams
 Traditionally involved in network design, deployment of off-the-shelf products, etc.
11. Marathon
 A marathon is a long-distance race with an official distance of 26.2 miles (42.195 km)
14. Lessons Learned – 5 years in the making
 The Bad
  Frustrated engineers
  Lots of data
  A lot of custom Dev work
 The Good
  Very skilled individuals
  Alerts based on exploits
  Business has complete visibility
15. “That happy place between being on your tippy toes and being bored out of your mind” - Steven Carlson
17. Culture of Product Security
 Get everyone on board from the start
 Present a maturity program
 Provide the ROI to leadership
 Kick off open discussions with Engineers
 Enable (not force) engineers to become Security Champions
18. Kick off programs
 Security Champions
 Threat Modeling
 Software Component Analysis
 Secrets Management
 Application Security Testing
 Web Security
 Cloud Governance
 Risk Register
19. Build a team
 Work with Leadership on head count
 Cross-train with existing DevOps and Security Engineers
 Pick a leader that you trust
 Put on your running shoes
20. Know Your Product
 Know the product you are supporting inside out
 Reach out to the engineers who previously worked, and are currently working, on the existing software
 Reach out to the IT staff who previously worked, and are currently working, on the existing infrastructure
21. Measure Your Success
 Produce weekly reports for executive management
 Align metrics with the audience
 Request feedback early and often
 Less is often more
 With a Software Development Life Cycle (SDLC) in place, showing security improvement over time (vulnerabilities found versus fixed per release) rather than a raw vulnerability count can help.
22. Tools / Demo
 Sample templates: https://github.com/RockRunner007/gitlab-templates
 GitLab supported templates: https://gitlab.com/gitlab-org/gitlab-foss
 Python management: https://python-gitlab.readthedocs.io/en/stable/index.html
23. Secrets Detection

  include:
    - project: 'infra/gitlab-templates'
      file: 'jobs/Secret-Detection.gitlab-ci.yml'

  stages:
    - secrets

  secret_detection:
    stage: secrets
    artifacts:
      expire_in: 1 day
    # variables:
    #   # Optional if you want to exclude a test project
    #   SECRET_DETECTION_EXCLUDED_PATHS: ""

 More Details: https://docs.gitlab.com/ee/user/application_security/secret_detection/
24. Static Application Security Testing (SAST)

  include:
    - project: 'infra/gitlab-templates'
      file: 'jobs/SAST.gitlab-ci.yml'

  stages:
    - sast

  sast:
    stage: sast
    artifacts:
      expire_in: 1 day
    variables:
      SEARCH_MAX_DEPTH: 4
      SAST_EXCLUDED_ANALYZERS: ""
      SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
      SCAN_KUBERNETES_MANIFESTS: "false"

 More Details: https://docs.gitlab.com/ee/user/application_security/sast/
25. Container Scanning

  include:
    - project: 'infra/gitlab-templates'
      file: 'security/Container-Scanning.gitlab-ci.yml'

  stages:
    - build
    - containersecurity
    - check_results

  container_scanning:
    stage: containersecurity
    artifacts:
      expire_in: 1 day
      paths:
        - gl-container-scanning-report.json
    variables:
      GIT_STRATEGY: fetch
      CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
      CI_APPLICATION_TAG: $CI_COMMIT_SHA
    rules:
      - if: '$CI =~ /.*/'
        when: always

 CI_APPLICATION_REPOSITORY and CI_APPLICATION_TAG point the scanner at the image the build stage pushed for this commit; the rule `$CI =~ /.*/` matches any value, so the scan runs on every pipeline. The check_results stage is declared here, but the job that consumes gl-container-scanning-report.json is not shown on the slide.
 More Details: https://docs.gitlab.com/ee/user/application_security/container_scanning/
26. Dynamic Application Security Testing (DAST)

  include:
    - project: 'infra/gitlab-templates'
      file: 'jobs/DAST.latest.gitlab-ci.yml'

  stages:
    - dast

  dast:
    stage: dast
    artifacts:
      expire_in: 1 day
    variables:
      DAST_WEBSITE: https://test.toolkit.co/
      DAST_FULL_SCAN_ENABLED: "true"

 DAST_FULL_SCAN_ENABLED runs an active scan that sends attack payloads to DAST_WEBSITE, so the target must be a test environment you own and are authorised to scan, never production.
 More Details: https://docs.gitlab.com/ee/user/application_security/dast/
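The four jobs on slides 23 to 26 produce report artifacts, but nothing on the slides consumes them: the Container Scanning slide declares a check_results stage without showing its job, and GitLab's stock scanning templates set allow_failure: true on the scan jobs, so a finding by itself does not stop a pipeline. The script below is an added example (not code from the talk, its gitlab-templates repository, or GitLab) of what a check_results job can run: it reads a GitLab security report artifact, sorts findings by severity against a threshold, carves out findings that are explicitly risk-accepted by identifier (the place a risk-register entry belongs), and exits non-zero when anything blocking remains. It assumes the artifact path from the Container Scanning slide (gl-container-scanning-report.json); the embedded sample report is constructed for the demo, with placeholder names and identifiers, and only its field layout and severity names follow GitLab's report format.

```python
"""Severity gate for a GitLab security report artifact (added example)."""
import json
import sys
from typing import Dict, FrozenSet, List

# GitLab security report severities, most severe first.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info", "Unknown"]

# Constructed sample report for the demo (not real scanner output). The layout
# follows the top-level "vulnerabilities" list of GitLab's security report
# JSON; finding names and identifier values are placeholders.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "f1", "category": "container_scanning", "name": "Example finding A",
         "severity": "High",
         "location": {"image": "registry.example/app:abc123",
                      "dependency": {"package": {"name": "pkg-a"}, "version": "1.0"}},
         "identifiers": [{"type": "example", "name": "EXAMPLE-1", "value": "EXAMPLE-1"}]},
        {"id": "f2", "category": "container_scanning", "name": "Example finding B",
         "severity": "Critical",
         "location": {"image": "registry.example/app:abc123",
                      "dependency": {"package": {"name": "pkg-b"}, "version": "2.3"}},
         "identifiers": [{"type": "example", "name": "EXAMPLE-2", "value": "EXAMPLE-2"}]},
        {"id": "f3", "category": "container_scanning", "name": "Example finding C",
         "severity": "Medium",
         "location": {"image": "registry.example/app:abc123",
                      "dependency": {"package": {"name": "pkg-c"}, "version": "0.9"}},
         "identifiers": [{"type": "example", "name": "EXAMPLE-3", "value": "EXAMPLE-3"}]},
        {"id": "f4", "category": "container_scanning", "name": "Example finding D",
         "severity": "Unknown",
         "location": {"image": "registry.example/app:abc123",
                      "dependency": {"package": {"name": "pkg-d"}, "version": "4.1"}},
         "identifiers": [{"type": "example", "name": "EXAMPLE-4", "value": "EXAMPLE-4"}]},
    ],
})


def normalize_severity(severity) -> str:
    """Map a report severity onto SEVERITY_ORDER; anything else counts as Unknown."""
    value = str(severity).capitalize()
    return value if value in SEVERITY_ORDER else "Unknown"


def severity_rank(severity) -> int:
    """Position in SEVERITY_ORDER: 0 is Critical, larger is less severe."""
    return SEVERITY_ORDER.index(normalize_severity(severity))


def identifier_values(finding: dict) -> set:
    """All identifier values (CVE ids and the like) attached to a finding."""
    return {i.get("value") for i in finding.get("identifiers", []) if i.get("value")}


def evaluate_report(report_text: str, fail_on: str = "High",
                    accepted: FrozenSet[str] = frozenset(),
                    block_unknown: bool = False) -> Dict[str, List[dict]]:
    """Sort the report's findings into blocking / accepted / below_threshold.

    fail_on        lowest severity that blocks ("High" blocks Critical and High).
    accepted       identifier values that are risk-accepted (for example, tracked
                   in the risk register); those findings are listed but never block.
    block_unknown  also block Unknown-severity findings: a scanner that cannot
                   rate a finding is not evidence that the finding is harmless.
    """
    report = json.loads(report_text)
    threshold = severity_rank(fail_on)
    buckets: Dict[str, List[dict]] = {"blocking": [], "accepted": [], "below_threshold": []}
    for finding in report.get("vulnerabilities", []):
        severity = normalize_severity(finding.get("severity"))
        if identifier_values(finding) & accepted:
            buckets["accepted"].append(finding)
        elif severity_rank(severity) <= threshold or (block_unknown and severity == "Unknown"):
            buckets["blocking"].append(finding)
        else:
            buckets["below_threshold"].append(finding)
    return buckets


def summarize(buckets: Dict[str, List[dict]]) -> str:
    """One-line totals plus one line per blocking finding, for the job log."""
    lines = [f"{len(buckets['blocking'])} blocking, {len(buckets['accepted'])} accepted, "
             f"{len(buckets['below_threshold'])} below threshold"]
    for finding in buckets["blocking"]:
        ids = ",".join(sorted(identifier_values(finding))) or finding.get("id", "?")
        lines.append(f"  BLOCK [{finding.get('severity')}] {finding.get('name')} ({ids})")
    return "\n".join(lines)


def exit_code(buckets: Dict[str, List[dict]]) -> int:
    """Non-zero fails the CI job, and with it the pipeline."""
    return 1 if buckets["blocking"] else 0


def main(argv: List[str]) -> int:
    # Usage: python check_results.py [gl-container-scanning-report.json] [High|Medium|...]
    # With no arguments the constructed SAMPLE_REPORT is evaluated.
    path = argv[1] if len(argv) > 1 else None
    fail_on = argv[2] if len(argv) > 2 else "High"
    text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    buckets = evaluate_report(text, fail_on=fail_on)
    print(summarize(buckets))
    return exit_code(buckets)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the pipeline, a job in the check_results stage would declare needs: [container_scanning] so the artifact is downloaded, then run `python check_results.py gl-container-scanning-report.json High`; a non-zero exit fails the job on Critical or High findings. The same script reads the SAST, secret detection and DAST artifacts (gl-sast-report.json, gl-secret-detection-report.json, gl-dast-report.json) because they share the vulnerabilities list. Keeping exceptions in the accepted set, rather than lowering the threshold, makes each one explicit and reviewable, which is the point of the risk register program on slide 18.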
28. Secure Phase Guidance
 Find it early. Fix it early.
 Avoid replicating vulnerabilities
 Learn from constant feedback
29. Do I Need Product Security?
 Does your company develop and/or sell software?
 How are product security related vulnerabilities managed?
 Is your product tested for security flaws?
30. Steven Carlson
Software Engineer who is passionate about clean secure code.
https://rockrunner007.github.io/
Employment: 15 years in tech
• 3+ years local government
• 10+ years in Financial Technology
• 1 year in Ecommerce
• Helpdesk -> Software Engineer -> Security -> DevOps = Product Security
31. Feedback
 Please remember to fill out the evaluation forms
32. Good Resources
 https://naksecurity.medium.com/product-security-measurement-complexity-and-the-near-future-a42ec7fd3cf7
 https://santikris2003.medium.com/product-security-dev-sec-tips-2fdb1698a3b3
 https://hockeyinjune.medium.com/product-security-14127b5838ba
 http://uploads.pnsqc.org/2015/papers/t-051_Rebelo_paper.pdf
 https://attack.mitre.org/
 https://www.gsa.gov/technology/technology-products-services/it-security/nist-cybersecurity-framework-csf
 https://www.nist.gov/itl/csd/secure-systems-and-applications
 https://owasp.org/www-pdf-archive/SAMM_Core_V1-5_FINAL.pdf
33. Glossary
 Application Security - the process of developing, adding, and testing security features within applications so that they resist the threats they are exposed to.
 Infrastructure Security - the security provided to protect infrastructure, especially critical infrastructure such as cloud or datacenter resources.
 Security Operations - a centralized unit that deals with security issues on an organizational and technical level.
 Software Development Life Cycle (SDLC) - a conceptual framework describing all activities in a software development project from planning to maintenance. This process is associated with several models, each including a variety of tasks and activities.
 Security Vendors: https://blackpointcyber.com/blog/the-confusing-cyber-security-landscape/
 Peter Snell
  https://youtu.be/RK0woLEtQQA
  https://www.runnersworld.com/news/a30225240/peter-snell-dies-at-80/
 Gitlab: https://about.gitlab.com/

Editor's Notes

  1. He won three Olympic gold medals and is the only man since 1920 to have won the 800 and 1500 meters at the same Olympics, in 1964.
  2. Implement a proactive approach to discover and mitigate security issues in the early stages of the SDLC, thereby significantly reducing the cost of fixing vulnerabilities after they reach production. When a vulnerable pattern is copied and replicated across the code base, it magnifies the risk in individual projects and possibly across multiple projects, and cleaning up those copies becomes a large development effort. Constant feedback and successful collaboration between developers and the security team reduce risk throughout the SDLC.