VMware Tanzu, profile picture
Uploaded byVMware Tanzu
PDF, PPTX623 views

Security as Code: A DevSecOps Approach

The document discusses a DevSecOps approach to integrate security into development processes, emphasizing the need for alignment, autonomy, and mastery among teams. It introduces the concept of 'Security as Code,' which promotes codifying security policies and integrating them into development workflows for better collaboration and visibility. The document also highlights the benefits of this methodology, including the use of automated checks and enhanced collaboration through familiar coding practices.

Software
Related topics:
CI/CD

Embed presentation

Download as PDF, PPTX
SpringOne @pwntester / @atorralba A DevSecOps approach Security as code SpringOne @pwntester / @atorralba
> whoami Alvaro Muñoz @pwntester Staff Security Researcher Tony Torralba @_atorralba CodeQL Software Engineer
https://securitylab.github.com GitHub Security Lab
Let’s start with a space odyssey SpringOne @pwntester / @atorralba
9 years ago in our galaxy double vectors[12] does not actually prevent to pass an array of different size as argument Unpredictable behaviour if this code is called with an array that is too short Pseudo-code. Not the actual NASA code
9 years ago in our galaxy
The specific challenges of shifting security left SpringOne @pwntester / @atorralba
Shifting Left
#1 — It’s not just “automate and run earlier” #2 — Go left(er), don’t stop at coding! Requirements, design, architecture … SpringOne @pwntester / @atorralba
What motivates us? ● Autonomy ● Mastery ● Purpose SpringOne @pwntester / @atorralba
What motivates us? Autonomy You are in control Another team runs the tool and generates a deluge of Jira issues for you Mastery You are good at what you’re doing! The expertise stays in that team, you don’t learn anything in the process Purpose You know why you are doing it! You are just fixing a bug because the experts said so in the issue 👍 👎 SpringOne @pwntester / @atorralba
DevSecOps specificities ➢ What is common? ○ Misalignment, different goals ○ Antagonism SpringOne @pwntester / @atorralba
DevSecOps specificities ➢ What is common? ○ Misalignment, different goals ○ Antagonism ➢ What is specific? ○ Criticality / urgency of the bugs ○ Scarcity of security researchers ○ Perception that security researchers have bad intentions SpringOne @pwntester / @atorralba
DevSecOps specificities The divide is at another level SpringOne @pwntester / @atorralba
Lessons learned from DevOps SpringOne @pwntester / @atorralba
Lesson #1: Align goals SpringOne @pwntester / @atorralba
Lesson #2: Autonomy, Mastery SpringOne @pwntester / @atorralba
Security as Code SpringOne @pwntester / @atorralba
SpringOne @pwntester / @atorralba What is SaC • Everyone should be responsible for security • Provide developers with policies and tools integrated into their IDEs and pipelines • More Guardrails and fewer Gates Security as Code is the methodology of codifying security and policy decisions and socializing them with other teams. https://cyral.com/white-papers/what-is-security-as-code/
SpringOne @pwntester / @atorralba What can be covered with SaC • Security policies • (e.g. https://github.com/ossf/allstar) • Security testing • (Unit/Integration/Functional tests focused on security) • Vulnerability scanning • We’ll be focusing on this!
SpringOne @pwntester / @atorralba Benefits of SaC • Uses the developer’s same language (code), encouraging collaboration and boosting morale • Easily auditable/reviewable (more visibility, changes can be tracked) • Automates checks, allowing self-assessments
• CodeQL lets you query code as though it were data. • CodeQL extracts your code into a special database - AST - Semantics - Control Flow Graph • You can query this DB with an optimized OO declarative language CodeQL
Demo
SpringOne @pwntester / @atorralba Demo repository https://github.com/atorralba/springone-demo
Taint tracking SpringOne @pwntester / @atorralba SOURCE POST /users username={payload} &pasword=secret &repeatedPassword=secret APPLICATION UserForm userForm parseExpression( expression ); UserController SINK
Security As Code: Code Scanning ✓ Automation ✓ Developer tool ✓ Sharing knowledge ✓ Bonus: Community-powered SpringOne @pwntester / @atorralba
Support SpringOne @pwntester / @atorralba ● Sources of taint: ○ Web ○ MVC ○ REST ● Specific Spring Sinks: ○ Spring Web: Open Redirects, Open Forwards, XSS, CSRF disabling ○ Spring REST: SSRF ○ Spring LDAP: LDAP manipulation ○ Spring JDBC: SQL Injection ● Specific Spring categories: ○ Spring View manipulation ○ Spring EL Injection
Contribute your own queries and make some 💰 https://securitylab.github.com/get-involved SpringOne @pwntester / @atorralba
Thank you! Reach out on twitter: @pwntester @_atorralba @ghsecuritylab SpringOne @pwntester / @atorralba
Security as Code: A DevSecOps Approach

More Related Content

PDF
DevSecOps Implementation Journey
byDevOps Indonesia
 
PDF
Demystifying DevSecOps
byArchana Joshi
 
PPTX
Introduction to DevSecOps
byabhimanyubhogwan
 
PDF
The State of DevSecOps
byDevOps Indonesia
 
PDF
DevSecOps Jenkins Pipeline -Security
byn|u - The Open Security Community
 
PDF
DevSecOps What Why and How
byNotSoSecure Global Services
 
PDF
Introduction to DevSecOps
bySetu Parimi
 
PPTX
DEVSECOPS.pptx
byMohammadSaif904342
 
DevSecOps Implementation Journey
byDevOps Indonesia
 
Demystifying DevSecOps
byArchana Joshi
 
Introduction to DevSecOps
byabhimanyubhogwan
 
The State of DevSecOps
byDevOps Indonesia
 
DevSecOps Jenkins Pipeline -Security
byn|u - The Open Security Community
 
DevSecOps What Why and How
byNotSoSecure Global Services
 
Introduction to DevSecOps
bySetu Parimi
 
DEVSECOPS.pptx
byMohammadSaif904342
 

What's hot

PDF
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
PDF
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
PDF
Overview of Site Reliability Engineering (SRE) & best practices
byAshutosh Agarwal
 
PDF
Slide DevSecOps Microservices
byHendri Karisma
 
PDF
DevSecOps | DevOps Sec
byRubal Jain
 
PDF
Getting started with Site Reliability Engineering (SRE)
byAbeer R
 
PDF
DevSecOps
byTomas Honzak
 
PDF
DevSecOps in Baby Steps
byPriyanka Aash
 
PPTX
Devops architecture
byOjasvi Jagtap
 
PPTX
Introduction To DevOps | Devops Tutorial For Beginners | DevOps Training For ...
bySimplilearn
 
PPTX
CI/CD Best Practices for Your DevOps Journey
byDevOps.com
 
PPTX
CICD Pipeline - AWS Azure
byRatan Das
 
PPTX
DevOps introduction
byMettje Heegstra
 
PPTX
DevSecOps
byJoel Divekar
 
PDF
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
PPTX
Dev ops != Dev+Ops
byShalu Ahuja
 
PPTX
An introduction to DevOps
byAlexander Meijers
 
PDF
DevOps
byARYA TM
 
PPTX
Flutter workshop
byVishnu Suresh
 
PPTX
DevOps Foundation
byHomepree Rloy
 
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
Overview of Site Reliability Engineering (SRE) & best practices
byAshutosh Agarwal
 
Slide DevSecOps Microservices
byHendri Karisma
 
DevSecOps | DevOps Sec
byRubal Jain
 
Getting started with Site Reliability Engineering (SRE)
byAbeer R
 
DevSecOps
byTomas Honzak
 
DevSecOps in Baby Steps
byPriyanka Aash
 
Devops architecture
byOjasvi Jagtap
 
Introduction To DevOps | Devops Tutorial For Beginners | DevOps Training For ...
bySimplilearn
 
CI/CD Best Practices for Your DevOps Journey
byDevOps.com
 
CICD Pipeline - AWS Azure
byRatan Das
 
DevOps introduction
byMettje Heegstra
 
DevSecOps
byJoel Divekar
 
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
Dev ops != Dev+Ops
byShalu Ahuja
 
An introduction to DevOps
byAlexander Meijers
 
DevOps
byARYA TM
 
Flutter workshop
byVishnu Suresh
 
DevOps Foundation
byHomepree Rloy
 

Similar to Security as Code: A DevSecOps Approach

PDF
Building a DevSecOps Pipeline Around Your Spring Boot Application
byVMware Tanzu
 
PDF
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
byDicodingEvent
 
PPTX
HouSecCon 2019: Offensive Security - Starting from Scratch
bySpencer Koch
 
PDF
DevSecOps - Background, Status and Future Challenges
bydsc71656
 
PDF
AppSec in an Agile World
byDavid Lindner
 
PPTX
testtesttesttesttesttesttesttesttesttesttesttesttesttest
byyamisukehiro9843
 
PDF
The Future of DevSecOps
byStefan Streichsbier
 
PDF
Shift Left Security
bygjdevos
 
PDF
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
bySBA Research
 
PDF
OSMC 2022 | Security as Code A DevSecOps Approach by Joseph Katsioloudes
byNETWAYS
 
PPTX
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
byAbhay Bhargav
 
PDF
App sec and quality london - may 2016 - v0.5
byDinis Cruz
 
PDF
August 2018: DevSecOps - London Gathering
byMichael Man
 
PDF
Security at the Speed of Software Development
byDevOps.com
 
PDF
DevSecOps for Developers, How To Start (ETC 2020)
byPatricia Aas
 
PPTX
Secure App Aspirations: Why it is very difficult in the real world
byOllie Whitehouse
 
PPTX
Solnet dev secops meetup
bypbink
 
PPTX
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
byDevSecCon
 
PPTX
What it feels like to live in a Security Enabled DevOps World
byKarun Chennuri
 
PPTX
Security within Scaled Agile
byMark Underwood
 
Building a DevSecOps Pipeline Around Your Spring Boot Application
byVMware Tanzu
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
byDicodingEvent
 
HouSecCon 2019: Offensive Security - Starting from Scratch
bySpencer Koch
 
DevSecOps - Background, Status and Future Challenges
bydsc71656
 
AppSec in an Agile World
byDavid Lindner
 
testtesttesttesttesttesttesttesttesttesttesttesttesttest
byyamisukehiro9843
 
The Future of DevSecOps
byStefan Streichsbier
 
Shift Left Security
bygjdevos
 
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...
bySBA Research
 
OSMC 2022 | Security as Code A DevSecOps Approach by Joseph Katsioloudes
byNETWAYS
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
byAbhay Bhargav
 
App sec and quality london - may 2016 - v0.5
byDinis Cruz
 
August 2018: DevSecOps - London Gathering
byMichael Man
 
Security at the Speed of Software Development
byDevOps.com
 
DevSecOps for Developers, How To Start (ETC 2020)
byPatricia Aas
 
Secure App Aspirations: Why it is very difficult in the real world
byOllie Whitehouse
 
Solnet dev secops meetup
bypbink
 
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
byDevSecCon
 
What it feels like to live in a Security Enabled DevOps World
byKarun Chennuri
 
Security within Scaled Agile
byMark Underwood
 

More from VMware Tanzu

PDF
Spring Boot 3 And Beyond
byVMware Tanzu
 
PPTX
Platforms, Platform Engineering, & Platform as a Product
byVMware Tanzu
 
PDF
Spring into AI presented by Dan Vega 5/14
byVMware Tanzu
 
PPTX
tanzu_developer_connect.pptx
byVMware Tanzu
 
PDF
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
byVMware Tanzu
 
PPTX
Building Cloud Ready Apps
byVMware Tanzu
 
PDF
What AI Means For Your Product Strategy And What To Do About It
byVMware Tanzu
 
PDF
Tanzu Developer Connect Workshop - English
byVMware Tanzu
 
PDF
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
byVMware Tanzu
 
PDF
Spring Update | July 2023
byVMware Tanzu
 
PDF
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
byVMware Tanzu
 
PDF
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
byVMware Tanzu
 
PDF
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
byVMware Tanzu
 
PDF
Virtual Developer Connect Workshop - English
byVMware Tanzu
 
PDF
SpringOne Tour: The Influential Software Engineer
byVMware Tanzu
 
PPTX
Enhancing DevEx and Simplifying Operations at Scale
byVMware Tanzu
 
PDF
Tanzu Virtual Developer Connect Workshop - French
byVMware Tanzu
 
PDF
Tanzu Developer Connect - French
byVMware Tanzu
 
PDF
Make the Right Thing the Obvious Thing at Cardinal Health 2023
byVMware Tanzu
 
PDF
SpringOne Tour: Domain-Driven Design: Theory vs Practice
byVMware Tanzu
 
Spring Boot 3 And Beyond
byVMware Tanzu
 
Platforms, Platform Engineering, & Platform as a Product
byVMware Tanzu
 
Spring into AI presented by Dan Vega 5/14
byVMware Tanzu
 
tanzu_developer_connect.pptx
byVMware Tanzu
 
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
byVMware Tanzu
 
Building Cloud Ready Apps
byVMware Tanzu
 
What AI Means For Your Product Strategy And What To Do About It
byVMware Tanzu
 
Tanzu Developer Connect Workshop - English
byVMware Tanzu
 
Spring Cloud Gateway - SpringOne Tour 2023 Charles Schwab.pdf
byVMware Tanzu
 
Spring Update | July 2023
byVMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Seattle 2023
byVMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Boston 2023
byVMware Tanzu
 
Simplify and Scale Enterprise Apps in the Cloud | Dallas 2023
byVMware Tanzu
 
Virtual Developer Connect Workshop - English
byVMware Tanzu
 
SpringOne Tour: The Influential Software Engineer
byVMware Tanzu
 
Enhancing DevEx and Simplifying Operations at Scale
byVMware Tanzu
 
Tanzu Virtual Developer Connect Workshop - French
byVMware Tanzu
 
Tanzu Developer Connect - French
byVMware Tanzu
 
Make the Right Thing the Obvious Thing at Cardinal Health 2023
byVMware Tanzu
 
SpringOne Tour: Domain-Driven Design: Theory vs Practice
byVMware Tanzu
 

Recently uploaded

PDF
DSD-INT 2025 MODFLOW 6 Developments - Langevin
byDeltares
 
PPTX
Choosing Your Web3 Architecture: L1 vs L2 vs Appchain
bystorygamemarketing
 
PPTX
Odoo vs SAP – Which ERP Is Better for Growing Businesses?
bySatishKumar2651
 
PPTX
Image to Text converts images into editable text - AI Image to Text
byAI Image to Text
 
PDF
Job Interview for Global Federal Government MD Panel Presentation
byafnupe09
 
PDF
Achieving App Stability through mobile performance testing
byAvekshaa Technologies
 
PDF
DSD-INT 2025 Flexible Reservoir Modelling with Ribasim - From Simple to Compl...
byDeltares
 
PPTX
Testing Strategies for Agile Teams in 2026
byMatt Calder
 
PPTX
Why Airline Platforms Fail at Change and How Etihad Fixed It
byIT IDOL Technologies
 
PDF
AI Development Services: MVP to Production Guide
byShiv Technolabs Pvt. Ltd.
 
PDF
DSD-INT 2025 Multi-scale modeling to simulate Land Subsidence in the Central ...
byDeltares
 
PDF
DSD-INT 2025 Coupled modeling in Ribasim - Linking Water Availability and Qua...
byDeltares
 
PDF
GOOGLE_VERTEX_AI web development 1.pdf
bydavidjohansen1597
 
PDF
What Web Teams Need to Know About Building API-Powered Websites
byAlex Halsey
 
PDF
AI Concepts - MCP Neurons
byPhilip Schwarz
 
PDF
HTML 5 CSS 3 DEVELOPMENT TECHNOLOGY.pdf
bydavidjohansen1597
 
PPTX
A practical and beginner-friendly guide to understanding data structures in J...
bynaingseihahs
 
PDF
Common CRM Implementation Mistakes & How to Avoid Them.pdf
byCRMLeaf
 
PDF
SXP Market 2025-2035: $6.1B Future of Student Experience Platforms
bySatyanarayan Shambhu
 
PPTX
Publix Data Scraping for Grocery Prices & Store Analysis.pptx
byMobile App Scraping
 
DSD-INT 2025 MODFLOW 6 Developments - Langevin
byDeltares
 
Choosing Your Web3 Architecture: L1 vs L2 vs Appchain
bystorygamemarketing
 
Odoo vs SAP – Which ERP Is Better for Growing Businesses?
bySatishKumar2651
 
Image to Text converts images into editable text - AI Image to Text
byAI Image to Text
 
Job Interview for Global Federal Government MD Panel Presentation
byafnupe09
 
Achieving App Stability through mobile performance testing
byAvekshaa Technologies
 
DSD-INT 2025 Flexible Reservoir Modelling with Ribasim - From Simple to Compl...
byDeltares
 
Testing Strategies for Agile Teams in 2026
byMatt Calder
 
Why Airline Platforms Fail at Change and How Etihad Fixed It
byIT IDOL Technologies
 
AI Development Services: MVP to Production Guide
byShiv Technolabs Pvt. Ltd.
 
DSD-INT 2025 Multi-scale modeling to simulate Land Subsidence in the Central ...
byDeltares
 
DSD-INT 2025 Coupled modeling in Ribasim - Linking Water Availability and Qua...
byDeltares
 
GOOGLE_VERTEX_AI web development 1.pdf
bydavidjohansen1597
 
What Web Teams Need to Know About Building API-Powered Websites
byAlex Halsey
 
AI Concepts - MCP Neurons
byPhilip Schwarz
 
HTML 5 CSS 3 DEVELOPMENT TECHNOLOGY.pdf
bydavidjohansen1597
 
A practical and beginner-friendly guide to understanding data structures in J...
bynaingseihahs
 
Common CRM Implementation Mistakes & How to Avoid Them.pdf
byCRMLeaf
 
SXP Market 2025-2035: $6.1B Future of Student Experience Platforms
bySatyanarayan Shambhu
 
Publix Data Scraping for Grocery Prices & Store Analysis.pptx
byMobile App Scraping
 

Security as Code: A DevSecOps Approach

  • 1.
    SpringOne @pwntester / @atorralba ADevSecOps approach Security as code SpringOne @pwntester / @atorralba
  • 2.
    > whoami Alvaro Muñoz @pwntester StaffSecurity Researcher Tony Torralba @_atorralba CodeQL Software Engineer
  • 3.
  • 4.
    Let’s start witha space odyssey SpringOne @pwntester / @atorralba
  • 5.
    9 years agoin our galaxy double vectors[12] does not actually prevent to pass an array of different size as argument Unpredictable behaviour if this code is called with an array that is too short Pseudo-code. Not the actual NASA code
  • 6.
    9 years agoin our galaxy
  • 9.
    The specific challengesof shifting security left SpringOne @pwntester / @atorralba
  • 10.
  • 11.
    #1 — It’snot just “automate and run earlier” #2 — Go left(er), don’t stop at coding! Requirements, design, architecture … SpringOne @pwntester / @atorralba
  • 12.
    What motivates us? ●Autonomy ● Mastery ● Purpose SpringOne @pwntester / @atorralba
  • 13.
    What motivates us? AutonomyYou are in control Another team runs the tool and generates a deluge of Jira issues for you Mastery You are good at what you’re doing! The expertise stays in that team, you don’t learn anything in the process Purpose You know why you are doing it! You are just fixing a bug because the experts said so in the issue 👍 👎 SpringOne @pwntester / @atorralba
  • 14.
    DevSecOps specificities ➢ Whatis common? ○ Misalignment, different goals ○ Antagonism SpringOne @pwntester / @atorralba
  • 15.
    DevSecOps specificities ➢ Whatis common? ○ Misalignment, different goals ○ Antagonism ➢ What is specific? ○ Criticality / urgency of the bugs ○ Scarcity of security researchers ○ Perception that security researchers have bad intentions SpringOne @pwntester / @atorralba
  • 16.
    DevSecOps specificities The divideis at another level SpringOne @pwntester / @atorralba
  • 17.
    Lessons learned fromDevOps SpringOne @pwntester / @atorralba
  • 18.
    Lesson #1: Aligngoals SpringOne @pwntester / @atorralba
  • 19.
    Lesson #2: Autonomy,Mastery SpringOne @pwntester / @atorralba
  • 20.
  • 21.
    SpringOne @pwntester / @atorralba Whatis SaC • Everyone should be responsible for security • Provide developers with policies and tools integrated into their IDEs and pipelines • More Guardrails and fewer Gates Security as Code is the methodology of codifying security and policy decisions and socializing them with other teams. https://cyral.com/white-papers/what-is-security-as-code/
  • 22.
    SpringOne @pwntester / @atorralba Whatcan be covered with SaC • Security policies • (e.g. https://github.com/ossf/allstar) • Security testing • (Unit/Integration/Functional tests focused on security) • Vulnerability scanning • We’ll be focusing on this!
  • 23.
    SpringOne @pwntester / @atorralba Benefitsof SaC • Uses the developer’s same language (code), encouraging collaboration and boosting morale • Easily auditable/reviewable (more visibility, changes can be tracked) • Automates checks, allowing self-assessments
  • 24.
    • CodeQL letsyou query code as though it were data. • CodeQL extracts your code into a special database - AST - Semantics - Control Flow Graph • You can query this DB with an optimized OO declarative language CodeQL
  • 25.
  • 26.
    SpringOne @pwntester / @atorralba Demorepository https://github.com/atorralba/springone-demo
  • 32.
    Taint tracking SpringOne @pwntester /@atorralba SOURCE POST /users username={payload} &pasword=secret &repeatedPassword=secret APPLICATION UserForm userForm parseExpression( expression ); UserController SINK
  • 34.
    Security As Code:Code Scanning ✓ Automation ✓ Developer tool ✓ Sharing knowledge ✓ Bonus: Community-powered SpringOne @pwntester / @atorralba
  • 35.
    Support SpringOne @pwntester / @atorralba ●Sources of taint: ○ Web ○ MVC ○ REST ● Specific Spring Sinks: ○ Spring Web: Open Redirects, Open Forwards, XSS, CSRF disabling ○ Spring REST: SSRF ○ Spring LDAP: LDAP manipulation ○ Spring JDBC: SQL Injection ● Specific Spring categories: ○ Spring View manipulation ○ Spring EL Injection
  • 36.
    Contribute your ownqueries and make some 💰 https://securitylab.github.com/get-involved SpringOne @pwntester / @atorralba
  • 37.
    Thank you! Reach outon twitter: @pwntester @_atorralba @ghsecuritylab SpringOne @pwntester / @atorralba