Shift Left Security
What the funk does that mean?!
DevOps & Cloud Meetup 2018-11-28
Gérard de Vos
gerard@deplica.com
@gerardthefox
/me
Gérard de Vos
gerard@deplica.com
Systems Engineer ( DevOps Engineer :/ )
Wearing the security hat: security engineer, security lead, team lead.
or just running stuff on the internet...
Online & regulated environments
DevOpsDays Amsterdam community
Employers/clients: ING, Rabobank, Travix, LeasePlan, Schuberg Philis, Shell
Shift left of what?
Why shift left? What is wrong on the right?
● Unnecessary work and rework because of late discovery of defects
● Testing is far removed from design and build and things get obfuscated
○ Designs without adequate security considerations
○ Defects slipping through
● The further along, the costlier it gets to change anything
● Because of these higher costs cuts are made:
○ Less thorough testing. Even more defects slip through
○ "Accepted" risks that don't react well on contact with the real world
● And this happens when everyone is still sharing the same goals
○ Never mind what happens when varying departmental, team, and personal objectives kick in
https://en.wikipedia.org/wiki/Shift_left_testing
WaterScrumFall
Two worlds:
1. Security is a quality attribute
and as such an integral part of requirements, design, development, QA,
deployment, operations, production, etc.
2. Security is a speciality
and as such the domain of the Chief (Information) Security Officer, security
department, security testers, risk managers, auditors, etc.
World #1 - Security as quality
1. Everyone's job
○ Maybe a little more of leads, seniors and managers than of juniors but still everyone
2. Every day
Two-person rule
1. In development flow: pull request
2. In deployment flow: manual stage in CI/CD
Version Control. X-as-code
Everything in VCS, merge with approvals:
● Application code
● Infrastructure code
○ Terraform, CloudFormation
○ Ansible, Chef, Puppet
● Tests
● Documentation
● Designs
Static code analysis
Scan your code for known vulnerabilities / weak patterns
https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
CWE https://cwe.mitre.org/
SANS Top 25 (of CWE weaknesses) https://www.sans.org/top25-software-errors
OWASP Top 10 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
https://docs.sonarqube.org/7.4/user-guide/security-rules/
Dependency checker
Check for known vulnerable (3rd party) libraries
OWASP Dependency Check
https://www.owasp.org/index.php/OWASP_Dependency_Check
Loads of language-specific tools, e.g.
$ npm audit
Web application scanner
Scan your application as it runs in test/acc/prod, where test/acc closely resembles prod
Cross site scripting (XSS)
SQL injection (SQLi)
Security misconfigurations
Basically OWASP Top 10 again
OWASP Zed Attack Proxy, ZAP
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Burp Suite, Arachni, nmap, etc.
https://en.wikipedia.org/wiki/Web_application_security_scanner#Listing_of_Vulnerability_Scanners
Functional tests / Unit tests
Not just happy path testing
● Sad path
● Bad path, aka evil path. Anti-personas
https://github.com/minimaxir/big-list-of-naughty-strings
https://www.cypress.io/
World #2 - Security as speciality
Silo danger!
Security as stakeholder
● Security officer and security department are customers and stakeholders
○ Security requirements are product requirements
○ Security items are put in product backlogs, planning, demo
○ Security dept uses the same tools and processes as "normal" stakeholders
Same ticketing system, not its own risk mgt tool
○ New items are specific
i.e. not a ticket saying "security scan result, please check this 1200 page PDF and reply"
more like "https://endpoint123/ tests vulnerable to CVE-2014-0160 (Heartbleed)"
Security as facilitator
● Security officer and security department are facilitators
○ Teams are responsible for their own security, and like some help
○ Help teams embed security in daily activities
○ Make the secure way the path of least resistance
Risk management through change management
● Changes & Change Advisory Board
○ Standard: pre-approved, no CAB when ...
○ Normal: approval through CAB
○ Emergency
Move mostly to Standard
Security as speciality
● Security dept delivers expertise, tools and services to other teams
○ Requirement and design help
○ CI/CD tools & services
○ Secrets management (certificates, keys, credentials)
○ Infrastructure scanning
○ Application scanning
○ Logging
○ Metrics
○ Incident detection
Requirements and design
OWASP Security Knowledge Framework
https://www.securityknowledgeframework.org/
OWASP Cheat Sheets
https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series
Help teams with the context specifics
Secrets management
For the things you definitely do not want in Git
Credentials, certificates, keys
AWS Systems Manager Parameter Store
KMS
Hashicorp Vault
Keywhiz
Infrastructure and application scanning
"Lightweight": ZAP, Nessus
Heavyweight:
● Metasploit
https://www.metasploit.com/
● Pentesting
● Blue team / Red team
● Stuff you learn at HXX, SHA, CCC, EMF
Logging & metrics
Make production logs and metrics available to developers.
Dashboards, screens
Interesting security wise:
● 500 internal server errors: can indicate vulnerability scanning
● Database errors: SQL injection / scanning
● "UNION ALL" in user input: SQLi
● Logins, successful vs failed
● User passwd resets
● User email address resets
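The signals on this slide can be pulled straight out of ordinary logs. The following is an added example, not code from the original deck: a small Python triage script run over a constructed combined-format access log and a constructed application log, counting 500s, "UNION ALL" payloads, failed versus successful logins and account changes per client. The log formats, the endpoint paths (/login, /account/password-reset, /account/email) and the thresholds are assumptions to tune against your own baseline.

```python
"""Triage web access and application logs for the signals listed on the slide.
Added example, not from the original deck; log formats, endpoint paths and
thresholds are assumptions to be tuned against your own traffic baseline."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access log (RFC 5737 test addresses, not real traffic).
ACCESS_LOG = """\
203.0.113.7 - - [28/Nov/2018:10:00:01 +0100] "GET /products?id=1 HTTP/1.1" 200 512
203.0.113.7 - - [28/Nov/2018:10:00:02 +0100] "GET /products?id=1%27%20UNION%20ALL%20SELECT%20NULL-- HTTP/1.1" 500 0
203.0.113.7 - - [28/Nov/2018:10:00:03 +0100] "GET /products?id=1+UNION+ALL+SELECT+1,2,3 HTTP/1.1" 500 0
203.0.113.7 - - [28/Nov/2018:10:00:04 +0100] "GET /admin.php HTTP/1.1" 500 0
198.51.100.9 - - [28/Nov/2018:10:00:05 +0100] "POST /login HTTP/1.1" 401 0
198.51.100.9 - - [28/Nov/2018:10:00:06 +0100] "POST /login HTTP/1.1" 401 0
198.51.100.9 - - [28/Nov/2018:10:00:07 +0100] "POST /login HTTP/1.1" 401 0
198.51.100.9 - - [28/Nov/2018:10:00:08 +0100] "POST /login HTTP/1.1" 200 128
192.0.2.4 - - [28/Nov/2018:10:00:09 +0100] "POST /login HTTP/1.1" 200 128
192.0.2.4 - - [28/Nov/2018:10:00:10 +0100] "POST /account/password-reset HTTP/1.1" 200 64
192.0.2.4 - - [28/Nov/2018:10:00:11 +0100] "POST /account/email HTTP/1.1" 200 64
"""
# Constructed sample application log lines (format is an assumption).
APP_LOG = """\
2018-11-28 10:00:02 ERROR db: syntax error at or near "UNION" (request 7f3a)
2018-11-28 10:00:03 ERROR db: column count mismatch in UNION query (request 7f3b)
2018-11-28 10:00:09 INFO  auth: login ok user=alice
"""

# Combined-style access log line: client, timestamp, request, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
SQLI_RE = re.compile(r"\bunion\s+(all\s+)?select\b", re.I)       # the slide's "UNION ALL" marker
DB_ERROR_RE = re.compile(r"ERROR .*\bdb:|SQL syntax|ORA-\d{5}")  # assumed app-log error shapes
ACCOUNT_EVENTS = {"/account/password-reset": "passwd_resets", "/account/email": "email_resets"}
COUNTERS = ("status_500", "sqli_markers", "login_ok", "login_fail", "passwd_resets", "email_resets")
MAX_500_PER_CLIENT = 3            # illustrative thresholds, not recommendations
MAX_FAILED_LOGINS_PER_CLIENT = 3

def parse_line(line):
    """Return a dict for one access log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode %27 / %20 / '+' so encoded and plain payloads look the same to the regex.
    rec["decoded_target"] = unquote_plus(rec["target"])
    return rec

def looks_like_sqli(decoded_target):
    """Heuristic only: flags UNION [ALL] SELECT in the request; expect false positives."""
    return SQLI_RE.search(decoded_target) is not None

def summarise(log_text):
    """Per-client counters for the metrics the slide calls interesting."""
    per_client = defaultdict(lambda: dict.fromkeys(COUNTERS, 0))
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # in production, count unparsable lines as a signal of their own
        c = per_client[rec["ip"]]
        path = rec["decoded_target"].split("?", 1)[0]
        if rec["status"] == 500:
            c["status_500"] += 1
        if looks_like_sqli(rec["decoded_target"]):
            c["sqli_markers"] += 1
        if rec["method"] != "POST":
            continue
        if path == "/login":  # any non-200 answer to a login POST counts as a failure
            c["login_ok" if rec["status"] == 200 else "login_fail"] += 1
        elif path in ACCOUNT_EVENTS:
            c[ACCOUNT_EVENTS[path]] += 1
    return dict(per_client)

def findings(log_text):
    """Turn the counters into (client, kind, detail) tuples worth a dashboard panel."""
    out = []
    for ip, c in summarise(log_text).items():
        if c["sqli_markers"]:
            out.append((ip, "sqli", f"{c['sqli_markers']} request(s) with UNION ... SELECT in input"))
        if c["status_500"] >= MAX_500_PER_CLIENT:
            out.append((ip, "scanning", f"{c['status_500']} HTTP 500 responses"))
        if c["login_fail"] >= MAX_FAILED_LOGINS_PER_CLIENT:
            tail = "followed by a success" if c["login_ok"] else "no success"
            out.append((ip, "credential-guessing", f"{c['login_fail']} failed logins, {tail}"))
        if c["passwd_resets"] or c["email_resets"]:
            out.append((ip, "account-change", f"{c['passwd_resets']} password reset(s), {c['email_resets']} email change(s)"))
    return out

def count_db_errors(app_log):
    """Database errors in the application log: SQLi attempts or scanning, per the slide."""
    return sum(1 for line in app_log.splitlines() if DB_ERROR_RE.search(line))

if __name__ == "__main__":
    for ip, kind, detail in findings(ACCESS_LOG):
        print(f"{ip:15} {kind:20} {detail}")
    print(f"database errors in app log: {count_db_errors(APP_LOG)}")
```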
Auditing
● Use the output (logs) of the everyday tooling as much as possible:
Git change logs, CI/CD, app logging
● Add to or change the logging of that tooling to satisfy audit requirements
All together now
Everything to the left?
Would you like to know more?
On the web:
- Rugged DevOps
- DevSecOps / SecDevOps
- Plain old DevOps
https://devopsdays.org
https://devopsdays.org/events/2019-amsterdam
https://www.owasp.org/
https://continuousdelivery.com/
Challenges
● How do we make security part of daily activities?
The software tools are the easy bit
When it is not appreciated / rewarded / a goal?
When features always get priority? (and security is not seen as a feature)
● How can security folk / dept turn into facilitators?
Being more hands-on after years of spreadsheet management
Gain know-how on CI/CD, automation, or even just being able to read code
Create self-service tooling & expert knowledge delivery
Run services like code analysis, scanners, logging, metrics
Help build and run secure-platform-as-a-service
What did I miss?
What tool / process / way of working?
What do we do with the security department? Or the developers?
Should I put something in on how, on little-endian CPU architectures, a shift left doubles the value?
Shift happens
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 

Shift Left Security

  • 1. << Shift Left Security
What the funk does that mean?!
DevOps & Cloud Meetup 2018-11-28
Gérard de Vos
gerard@deplica.com
@gerardthefox
  • 2. /me
Gérard de Vos
gerard@deplica.com
Systems Engineer (DevOps Engineer :/)
Wearing the security hat: security engineer, security lead, team lead. Or just running stuff on the internet...
Online & regulated environments
DevOpsDays Amsterdam community
Employers/clients: ING, Rabobank, Travix, LeasePlan, Schuberg Philis, Shell
  • 5. Why shift left? What is wrong on the right?
● Unnecessary work and rework because of late discovery of defects
● Testing is far removed from design and build, and things get obscured
○ Designs without adequate security considerations
○ Defects slipping through
● The further along, the costlier it gets to change anything
● Because of these higher costs, cuts are made:
○ Less thorough testing, so even more defects slip through
○ "Accepted" risks that don't react well on contact with the real world
● And this happens while everyone still shares the same goals
○ Never mind what happens when diverging departmental, team and personal objectives kick in
  • 9. Two worlds:
1. Security is a quality attribute, and as such an integral part of requirements, design, development, QA, deployment, operations, production, etc.
2. Security is a speciality, and as such the domain of the Chief (Information) Security Officer, security department, security testers, risk managers, auditors, etc.
  • 10. World #1 - Security as quality
1. Everyone's job
○ Maybe a little more so for leads, seniors and managers than for juniors, but still everyone
2. Every day
  • 12. Two-person rule
1. In development flow: pull request (a second person reviews and approves before merge)
2. In deployment flow: manual approval stage in CI/CD
  • 13. Version control. X-as-code
Everything in VCS, merged with approvals:
● Application code
● Infrastructure code
○ Terraform, CloudFormation, Ansible, Chef, Puppet
● Tests
● Documentation
● Designs
  • 14. Static code analysis
Scan your code for known vulnerabilities / weak patterns
https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
CWE https://cwe.mitre.org/
SANS Top 25 (of CWE weaknesses) https://www.sans.org/top25-software-errors
OWASP Top 10 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
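The kind of "weak pattern" scan the slide refers to, as an added example that is not from the talk or from any real tool: a few CWE-mapped rules over Python's own `ast` module, run against a constructed sample module. The rule ids, the `Finding` type and the sample are made up for this illustration; the CWE numbers are the real ones for these weakness classes. Production tools (Bandit, Semgrep, CodeQL) do the same thing with far larger rule sets.

```python
"""Tiny static-analysis pass for weak patterns in Python source.

Added example (not from the original slides): a few CWE-mapped rules over
the Python AST, run against a constructed SAMPLE module.
"""
import ast
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    rule: str      # short rule id (made up for this example)
    cwe: str       # CWE the rule maps to
    line: int      # 1-based line in the scanned source
    message: str


def _call_name(node: ast.Call) -> str:
    """Dotted name of a call target: 'eval', 'subprocess.run', 'cur.execute'."""
    parts = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _built_at_runtime(node: ast.expr) -> bool:
    """True when a string is assembled at runtime: f-string, %, +, or .format()."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


class WeakPatternVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in ("eval", "exec"):
            self.findings.append(Finding(
                "EVAL", "CWE-95", node.lineno, f"{name}() evaluates data as code"))
        shell_true = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                         and kw.value.value is True for kw in node.keywords)
        if name == "os.system" or (name.startswith("subprocess.") and shell_true):
            self.findings.append(Finding(
                "SHELL", "CWE-78", node.lineno, f"{name} runs its argument through a shell"))
        if name.endswith(".execute") and node.args and _built_at_runtime(node.args[0]):
            self.findings.append(Finding(
                "SQL_FORMAT", "CWE-89", node.lineno,
                "SQL text assembled at runtime; use bound parameters"))
        self.generic_visit(node)


def scan_source(source: str, filename: str = "<string>") -> List[Finding]:
    """Parse `source` and return findings in source order."""
    visitor = WeakPatternVisitor()
    visitor.visit(ast.parse(source, filename))
    return visitor.findings


# Constructed sample module: two injectable calls, one eval, one safe query.
SAMPLE = '''
import subprocess
import sqlite3

def lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % user)  # injectable
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))     # bound parameter
    return cur.fetchall()

def ping(host):
    return subprocess.run("ping -c1 " + host, shell=True)          # shell injection

def calc(expr):
    return eval(expr)                                              # code injection
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE, "sample.py"):
        print(f"sample.py:{f.line}: {f.rule} [{f.cwe}] {f.message}")
```

The point of running this in CI rather than on a security tester's laptop is the feedback loop: the finding lands on the pull request, next to the line that caused it, before anything is merged.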
  • 16. Dependency checker
Check for known vulnerable (3rd party) libraries
OWASP Dependency-Check https://www.owasp.org/index.php/OWASP_Dependency_Check
Loads of language-specific tools, e.g.
$ npm audit
  • 17. Web application scanner
Scan your application as it runs in test/acc/prod, where test/acc closely resemble prod
Cross-site scripting (XSS)
SQL injection (SQLi)
Security misconfigurations
Basically the OWASP Top 10 again
OWASP Zed Attack Proxy (ZAP) https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Burp Suite, Arachni, nmap, etc. https://en.wikipedia.org/wiki/Web_application_security_scanner#Listing_of_Vulnerability_Scanners
  • 18. Functional tests / unit tests
Not just happy-path testing
● Sad path
● Bad path, aka evil path: anti-personas
https://github.com/minimaxir/big-list-of-naughty-strings
https://www.cypress.io/
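Bad-path testing of an input handler, as an added example that is not the talk's code; the input list is a small constructed one in the spirit of big-list-of-naughty-strings, not that project's data. The handler names, table schema and username regex are assumptions for this illustration. One harness runs a naive handler that splices input into SQL and a hardened one with an allowlist plus bound parameters: the naive one crashes on the SQLi strings and quietly accepts empty names and script tags, which a happy-path suite never surfaces.

```python
"""Sad-path and bad-path testing of an input handler.

Added example (not from the slides, and not big-list-of-naughty-strings
itself): NAUGHTY is a small constructed list in the spirit of that project.
"""
import re
import sqlite3
from typing import Callable, Dict, List

# Constructed inputs: legitimate names plus empty/whitespace, SQLi, XSS, a NUL
# byte, an oversized value, path traversal, format specifiers, an RTL override
# character and an emoji.
NAUGHTY: List[str] = [
    "", "   ", "alice", "bob_99", "carol.smith",
    "' OR 1=1 --",
    "Robert'); DROP TABLE users;--",
    "<script>alert(1)</script>",
    "a\x00b",
    "A" * 10000,
    "../../etc/passwd",
    "%s%s%s%n",
    "\u202ealice",
    "\U0001F600",
]

# Allowlist for usernames (assumption for this example).
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{3,32}")


def register_naive(conn: sqlite3.Connection, name: str) -> None:
    """The 'before': no validation, SQL assembled by string formatting."""
    conn.execute(f"INSERT INTO users(name) VALUES ('{name}')")


def register_hardened(conn: sqlite3.Connection, name: str) -> None:
    """Allowlist the value, then bind it as a parameter."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    conn.execute("INSERT INTO users(name) VALUES (?)", (name,))


def run_bad_path(handler: Callable[[sqlite3.Connection, str], None],
                 inputs: List[str]) -> Dict[str, object]:
    """Feed every input to `handler` on a fresh DB and bucket the outcome.

    accepted: stored; rejected: a clean ValueError; crashed: any other
    exception, which is the bug class these tests exist to catch.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL)")
    accepted, rejected, crashed = [], [], []
    for value in inputs:
        try:
            handler(conn, value)
        except ValueError:
            rejected.append(value)
        except Exception as exc:  # every other failure class is a finding
            crashed.append((value, type(exc).__name__))
        else:
            accepted.append(value)
    rows = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    conn.close()
    return {"accepted": accepted, "rejected": rejected, "crashed": crashed, "rows": rows}


if __name__ == "__main__":
    for label, handler in (("naive", register_naive), ("hardened", register_hardened)):
        result = run_bad_path(handler, NAUGHTY)
        print(label, {k: (len(v) if isinstance(v, list) else v) for k, v in result.items()})
        for value, err in result["crashed"]:
            print("   crash:", err, repr(value)[:40])
```

Note that the hardened version rejects the RTL override, the NUL byte and the 10000-character name with a ValueError rather than relying on the database to cope; the test asserts that nothing in the list reaches the "crashed" bucket.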
  • 19. World #2 - Security as speciality
  • 21. Security as stakeholder
● Security officer and security department are customers and stakeholders
○ Security requirements are product requirements
○ Security items are put in product backlogs, planning and demos
○ The security department uses the same tools and processes as "normal" stakeholders: the same ticketing system, not its own risk management tool
○ New items are specific, i.e. not a ticket saying "security scan result, please check this 1200-page PDF and reply" but more like "https://endpoint123/ tests vulnerable to CVE-2014-0160 (Heartbleed)"
  • 22. Security as facilitator
● Security officer and security department are facilitators
○ Teams are responsible for their own security, and would like some help
○ Help teams embed security in daily activities
○ Make the secure way the path of least resistance
  • 23. Risk management through change management
● Changes & Change Advisory Board
○ Standard: pre-approved, no CAB when ...
○ Normal: approval through CAB
○ Emergency
○ Move mostly to Standard
  • 24. Security as speciality
● Security department delivers expertise, tools and services to other teams
○ Requirements and design help
○ CI/CD tools & services
○ Secrets management (certificates, keys, credentials)
○ Infrastructure scanning
○ Application scanning
○ Logging
○ Metrics
○ Incident detection
  • 25. Requirements and design
OWASP Security Knowledge Framework https://www.securityknowledgeframework.org/
OWASP Cheat Sheets https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series
Help teams with the context specifics
  • 26. Secrets management
For the things you definitely do not want in Git: credentials, certificates, keys
AWS Systems Manager Parameter Store
KMS (AWS Key Management Service)
HashiCorp Vault
Keywhiz
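A pre-commit check for the "things you definitely do not want in Git", as an added example that is neither the talk's code nor any real tool's: three fixed patterns plus a Shannon-entropy heuristic for random-looking tokens, run over a constructed env-file snippet. The AWS values in the sample are the placeholder credentials from AWS's own documentation, not live keys; the rule names, the entropy threshold and the token character set are assumptions for this illustration.

```python
"""Pre-commit style scanner for secrets that must not land in Git.

Added example (not from the slides, not a real tool's code). SAMPLE is a
constructed .env-style snippet; its AWS values are AWS's documented
placeholder credentials.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Fixed patterns (rule names are made up for this example).
PATTERNS = [
    ("AWS_ACCESS_KEY_ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("PRIVATE_KEY", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("PASSWORD_ASSIGNMENT", re.compile(
        r"""(?i)\b(password|passwd|pwd|secret|token)\s*[=:]\s*['"][^'"]{4,}['"]""")),
]
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{20,}")  # candidates for the entropy check
ENTROPY_THRESHOLD = 4.0                        # bits per character (assumption)


@dataclass
class Finding:
    line: int
    rule: str
    match: str


def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for a constant string, higher for random-looking ones."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str) -> List[Finding]:
    """Scan text line by line; fixed rules first, then entropy on leftover tokens."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched_spans = []
        for rule, rx in PATTERNS:
            for m in rx.finditer(line):
                findings.append(Finding(lineno, rule, m.group(0)))
                matched_spans.append(m.span())
        for m in TOKEN_RE.finditer(line):
            # Skip tokens already covered by a fixed rule on this line.
            inside = any(a <= m.start() and m.end() <= b for a, b in matched_spans)
            if not inside and shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(lineno, "HIGH_ENTROPY", m.group(0)))
    return findings


# Constructed sample: one clean host, two AWS placeholder credentials, a key
# header, a harmless setting and a hard-coded password.
SAMPLE = """\
DB_HOST=db.internal.example
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-----BEGIN RSA PRIVATE KEY-----
LOG_LEVEL=debug
password = "hunter2"
"""

if __name__ == "__main__":
    import sys
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    found = scan_text(text)
    for f in found:
        print(f"line {f.line}: {f.rule}: {f.match[:12]}...")
    sys.exit(1 if found else 0)
```

In a pre-commit hook, pipe `git diff --cached` into it and fail the commit on any finding. The entropy threshold trades false positives (long identifiers, hashes in lockfiles) against missed secrets, so tune it per repository; the fixed patterns are the ones you never want to argue about.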
  • 27. Infrastructure and application scanning
"Lightweight": ZAP, Nessus
Heavyweight:
● Metasploit https://www.metasploit.com/
● Pentesting
● Blue team / red team
● Stuff you learn at HXX, SHA, CCC, EMF
  • 28. Logging & metrics
Make production logs and metrics available to developers: dashboards, screens
Interesting security-wise:
● 500 internal server error: can be vulnerability scanning
● Database error: SQL injection / scanning
● "UNION ALL" in input: SQLi
● Logins, successful vs failed
● User password resets
● User email address resets
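The detections from the list above as code, as an added example that is not from the talk: constructed JSON-lines application log records run through a few simple counters. The field names, the IP addresses (from documentation ranges) and the alert thresholds are assumptions for this illustration.

```python
"""Security signals from everyday application logs.

Added example, not from the slides: detections run over constructed
JSON-lines log records. Field names and thresholds are assumptions.
"""
import json
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote_plus

# Fragments that should never appear in legitimate parameters of this app.
SQLI_RE = re.compile(r"(?i)(union\s+all|union\s+select|'\s*or\s+1\s*=\s*1|;\s*drop\s+table)")

SERVER_ERRORS_PER_IP = 3     # 5xx from one source: likely scanner or fuzzing
FAILED_LOGINS_PER_USER = 5   # credential stuffing / brute force
RESETS_PER_IP = 3            # account takeover attempts via the reset flow


def analyse(lines: List[str]) -> Dict[str, object]:
    """Count the interesting events per source/user and apply the thresholds."""
    errors: Counter = Counter()
    login_ok: Counter = Counter()
    login_fail: Counter = Counter()
    resets: Counter = Counter()
    email_changes: Counter = Counter()
    sqli = []
    for raw in lines:
        rec = json.loads(raw)
        ev = rec["event"]
        if ev == "http":
            if rec["status"] >= 500:
                errors[rec["ip"]] += 1
            decoded = unquote_plus(rec["path"])   # look past %27 / + encoding
            if SQLI_RE.search(decoded):
                sqli.append((rec["ip"], decoded))
        elif ev == "login":
            bucket = login_ok if rec["ok"] else login_fail
            bucket[rec["user"]] += 1
        elif ev == "password_reset":
            resets[rec["ip"]] += 1
        elif ev == "email_change":
            email_changes[rec["user"]] += 1
    return {
        "scanner_ips": sorted(ip for ip, n in errors.items() if n >= SERVER_ERRORS_PER_IP),
        "sqli": sqli,
        "bruteforced_users": sorted(u for u, n in login_fail.items()
                                    if n >= FAILED_LOGINS_PER_USER),
        "reset_burst_ips": sorted(ip for ip, n in resets.items() if n >= RESETS_PER_IP),
        "login_ratio": {u: (login_ok[u], login_fail[u])
                        for u in set(login_ok) | set(login_fail)},
        "email_changes": dict(email_changes),
    }


# Constructed log: one normal client, one source probing for SQLi and
# collecting 500s, and one source hammering bob's login and reset flows.
BOB_FAIL = '{"event":"login","ip":"203.0.113.9","user":"bob","ok":false}'
LOG: List[str] = [
    '{"event":"http","ip":"198.51.100.4","path":"/item?id=42","status":200}',
    '{"event":"http","ip":"203.0.113.7","path":"/item?id=42%27","status":500}',
    '{"event":"http","ip":"203.0.113.7","path":"/item?id=42+UNION+ALL+SELECT+user,pass+FROM+users--","status":500}',
    '{"event":"http","ip":"203.0.113.7","path":"/item?id=42%27+OR+1%3D1--","status":500}',
    '{"event":"http","ip":"203.0.113.7","path":"/admin","status":404}',
    '{"event":"login","ip":"198.51.100.4","user":"alice","ok":true}',
] + [BOB_FAIL] * 5 + [
    '{"event":"login","ip":"203.0.113.9","user":"bob","ok":true}',
    '{"event":"password_reset","ip":"203.0.113.9","user":"bob"}',
    '{"event":"password_reset","ip":"203.0.113.9","user":"bob"}',
    '{"event":"password_reset","ip":"203.0.113.9","user":"bob"}',
    '{"event":"email_change","ip":"203.0.113.9","user":"bob"}',
]

if __name__ == "__main__":
    for key, value in analyse(LOG).items():
        print(f"{key}: {value}")
```

The combination matters more than any single counter: five failed logins followed by a success, three password resets and an email change from the same source is an account takeover in progress, and that sequence is visible only if the developers can actually see production logs.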
  • 29. Auditing
● Use the output (logs) of the everyday tooling as much as possible: Git change logs, CI/CD, app logging
● Add to or change the logging of the tooling to satisfy audit requirements
  • 32. Would you like to know more?
On the web:
- Rugged DevOps
- DevSecOps / SecDevOps
- Plain old DevOps
https://devopsdays.org
https://devopsdays.org/events/2019-amsterdam
https://www.owasp.org/
https://continuousdelivery.com/
  • 33. Challenges
● How do we make security part of daily activities? The software tools are the easy bit.
○ When it is not appreciated / rewarded / a goal?
○ When features always get priority? (and security is not seen as a feature)
● How can security folk / the security department turn into facilitators?
○ Being more hands-on after years of spreadsheet management
○ Gaining know-how on CI/CD and automation, or even just being able to read code
○ Creating self-service tooling & expert knowledge delivery
○ Running services like code analysis, scanners, logging, metrics
○ Helping build and run a secure-platform-as-a-service
  • 34. What did I miss?
What tool / process / way of working?
What do we do with the security department? Or the developers?
<< Should I put something in on how, on little-endian CPU architectures, a shift left doubles the value? <<