The Emergent Cloud Security Toolchain for CI/CD given at RSA Conference 2018 in San Francisco.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Learning Objectives:
1: Learn the emerging patterns for security in CI/CD pipelines.
2: Receive a pragmatic security toolchain for CI/CD to use in your organization.
3: Understand the real meaning of DevSecOps is without all the hype.
LambHack: A Vulnerable Serverless ApplicationJames Wickett
LambHack is a vulnerable serverless application written in golang in AWS Lambda running on the Go Sparta Serverless Framework. This talk focuses on how application security still has tons of meaning in serverless.
Talk from 12 Clouds of Christmas at Cloud Austin.
AppSec California 2018: The Path of DevOps Enlightenment for InfoSecJames Wickett
Security as we have known it has completely changed. Through challenges from the outside and from within there is a wholesale conversion happening across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape.
OWASP AppSec California 2018
Learn what devsecops really means! See why security is in crisis and how it can find a new path forward.
Talk from DevSecOps Leadership Forum in Dallas, Texas, April 22nd, 2018.
The Path of DevOps Enlightenment for InfoSecJames Wickett
Security as we have known it has completely changed. Through challenges from the outside and from within there is a wholesale conversion happening across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape.
From DevOps Days KC 2017
Defense-Oriented DevOps for Modern Software DevelopmentJames Wickett
Presentation from SpringOne Platform 2017 conference by Pivotal.
DevOps is the practice of the entire engineering team participating together through the entire service lifecycle of delivering software. This includes security and out of necessity, security as we have known it has completely changed.
Through challenges from the outside and forces from within there is a wholesale conversion taking place across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape. There are four key areas that have changed with the rise of DevOps:
Treat all systems and infrastructure as code
Change the engineering culture to orient around delivery
Favor a fast delivery cadence
Create feedback loops across the organization
With these shifts the organization has new demands and expectations on security. This talk will cover a pragmatic approach and focus on principles, practices and tooling to meet demands in these four key areas.
Serverless Security: A How-to Guide @ SnowFROC 2019James Wickett
Serverless Security: A How-to Guide @ SnowFROC 2019
Covering serverless basics, looking at lambhack, and architectures/models for serverless. Special thanks to Signal Sciences!
New Farming Methods in the Epistemological Wasteland of Application SecurityJames Wickett
Over the years, application security (appsec) has made progress, but it has also made some considerable mis-steps. Appsec focuses almost solely on developer awareness and secure development training as remediation. This isn't sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here. Lets journey together to find old truths and better approaches.
We will explore ways to make a change for the better across all levels of the development lifecycle, but we will focus on security testing early on in the development process. From this session, you will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.
http://lascon.org
http://lascon2015.sched.org/event/175e3c828095386b2fa0fc660b2502a3
DevSecOps brings security to the DevOps party and it is completely changing the security playbook. This talk will cover 10 practices and patterns we have implemented that bring DevSecOps value to everyone involved. This talk will be loaded with examples that will be usable for developers, security and operations teams and you can take home next week to put into practice.
Shannon Lietz, Intuit
James WIckett, Signal Sciences
RSA Conference 2019
LambHack: A Vulnerable Serverless ApplicationJames Wickett
LambHack is a vulnerable serverless application written in golang in AWS Lambda running on the Go Sparta Serverless Framework. This talk focuses on how application security still has tons of meaning in serverless.
Talk from 12 Clouds of Christmas at Cloud Austin.
AppSec California 2018: The Path of DevOps Enlightenment for InfoSecJames Wickett
Security as we have known it has completely changed. Through challenges from the outside and from within there is a wholesale conversion happening across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape.
OWASP AppSec California 2018
Learn what devsecops really means! See why security is in crisis and how it can find a new path forward.
Talk from DevSecOps Leadership Forum in Dallas, Texas, April 22nd, 2018.
The Path of DevOps Enlightenment for InfoSecJames Wickett
Security as we have known it has completely changed. Through challenges from the outside and from within there is a wholesale conversion happening across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape.
From DevOps Days KC 2017
Defense-Oriented DevOps for Modern Software DevelopmentJames Wickett
Presentation from SpringOne Platform 2017 conference by Pivotal.
DevOps is the practice of the entire engineering team participating together through the entire service lifecycle of delivering software. This includes security and out of necessity, security as we have known it has completely changed.
Through challenges from the outside and forces from within there is a wholesale conversion taking place across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape. There are four key areas that have changed with the rise of DevOps:
Treat all systems and infrastructure as code
Change the engineering culture to orient around delivery
Favor a fast delivery cadence
Create feedback loops across the organization
With these shifts the organization has new demands and expectations on security. This talk will cover a pragmatic approach and focus on principles, practices and tooling to meet demands in these four key areas.
Serverless Security: A How-to Guide @ SnowFROC 2019James Wickett
Serverless Security: A How-to Guide @ SnowFROC 2019
Covering serverless basics, looking at lambhack, and architectures/models for serverless. Special thanks to Signal Sciences!
New Farming Methods in the Epistemological Wasteland of Application SecurityJames Wickett
Over the years, application security (appsec) has made progress, but it has also made some considerable mis-steps. Appsec focuses almost solely on developer awareness and secure development training as remediation. This isn't sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here. Lets journey together to find old truths and better approaches.
We will explore ways to make a change for the better across all levels of the development lifecycle, but we will focus on security testing early on in the development process. From this session, you will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.
http://lascon.org
http://lascon2015.sched.org/event/175e3c828095386b2fa0fc660b2502a3
DevSecOps brings security to the DevOps party and it is completely changing the security playbook. This talk will cover 10 practices and patterns we have implemented that bring DevSecOps value to everyone involved. This talk will be loaded with examples that will be usable for developers, security and operations teams and you can take home next week to put into practice.
Shannon Lietz, Intuit
James WIckett, Signal Sciences
RSA Conference 2019
Serverless Security: Doing Security in 100 millisecondsJames Wickett
Talk on serverless security with a brief history of cloud, containers and now serverless. This talk also features serverless patterns, and security considerations needed in this new environment. This talk was given at AppSecUSA 2016.
Today everybody wants to deploy the app and infrastructure faster without any disputes. An Even, Agile framework can help to deploy faster in real-time. But Continuous Innovation may conflict with stability and security. Without security at every stage, DevOps merely introduces vulnerabilities into application quickly. To resolve such conflict, the gap in recursive feedback loops need to be eliminated. Mostly, teams are not effectively working in a collaboration and interacting with each other smoothly. This results in gaps and produce problems with code development and quality, meaning slower delivery plans and serious vulnerabilities that create security risk at most. Fortunately, these shortcomings can be addressed very well, as developers/testers are set to launch off into the DevSecOps world or via adopting rugged DevOps model.
From Zero to DevSecOps in 60 Minutes - DevTalks Romania - Cluj-Napocajerryhargrove
Whether you’re building an application in a DevOps + Security culture, or have already bridged the gap with DevSecOps, the task remains the same: How do you ensure that security best practices are understood, architected for and integrated into your application from day 1 AND remain relevant year 1. During this talk I’ll focus on how to achieve these goals amidst the ever changing landscape of people, process, and technology in the cloud, in the context of various compute environments like instances, containers and serverless functions. and how to do so using off-the-shelf AWS services and features. I’ll complete the story by accompanying this discussion with a reference application architecture and examples. Attendees of this talk will receive actionable best practices and guidance, with specific implementation details for AWS
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
Security is in crisis and it needs a new way to move forward. This talk from Nov 2018, Houston ISSA meeting discusses the tooling needed to rise to the demands of devops and devsecops.
How to Effect Change in the Epistemological Wasteland of Application SecurityJames Wickett
From GOTO London 2015
Over the years, application security (appsec) has made progress, but it has also made some considerable mis-steps. Appsec focuses almost solely on developer awareness and secure development training as remediation. This isn't sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here. Lets journey together to find old truths and better approaches.
We will explore ways to make a change for the better across all levels of the development lifecycle, but we will focus on security testing early on in the development process. From this session, you will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.
Talk from Serverless Days Austin with @iteration1 and @wickett. This talk covers serverless basics and the Secure WIP model as a way to bring security to the conversation.
Pragmatic Security and Rugged DevOps - SXSW 2015James Wickett
From SXSW Interactive 2015
Writing code that works is hard. Writing rugged code that can stand the test of time is even harder. This difficulty is often compounded by crunched timelines and fast cycles that prioritize new features. Add in evolving business needs and new technology and it becomes confusing to know what to do and how to integrate security into your application.
This workshop brings in some of the top developers and application security practitioners to help you ruggedize your end-to-end development lifecycle from code commit to running system.
Three Takeaways:
1. You will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines.
2. Armed with tools and ideas for monitoring your operational and runtime security.
3. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.
http://schedule.sxsw.com/2015/events/event_IAP35935
The Seven Habits of the Highly Effective DevSecOpJames Wickett
DevOps and the subsequent move bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good, however moving security and devops closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And really, what makes a good DevSecOp?
This talk highlights the seven habits that the high-performing DevSecOp of today (and tomorrow) should develop. Topics range from empathy to lean to system safety with the hope to uncover a new playbook for devs, ops, and security to work together.
The New Ways of DevSecOps - The Secure Dev 2019James Wickett
Talk given for https://www.thesecuredeveloper.com/events/the-new-ways-of-devsecops
DevOps and the subsequent move bring security in under the umbrella of DevSecOps has created a new an ethos for security. This is good, however moving security and devops closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
Innotech Austin 2017: The Path of DevOps Enlightenment for InfoSecJames Wickett
Innotech Austin 2017: The Path of DevOps Enlightenment for InfoSec
Security as we have known it has completely changed. Through challenges from the outside and from within there is a wholesale conversion happening across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape.
The DevSecOps Builder’s Guide to the CI/CD PipelineJames Wickett
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at LASCON 2018, in Austin, TX.
DevOpsDays Austin: Security in the FaaS LaneJames Wickett
James Wickett and Karthik Gaekwad talk about Serverless Security at DevOps Days Austin.
Security in FaaS isn't what we are used to, but this talk shows you how what we learned in appsec still applies. Using LambHack, which is a vulnerable serverless application written in Go on AWS Lambda using Sparta, we will evaluate how to do security in serverless.
In this talk, we will talk about security strategies and pitfalls in the serverless world. You'll leave with an understanding of how to approach security conversations about serverel
Talk goals:
- How to approach the security concerns in a serverless world.
- Talk about the 'WIP' methodology for serverless security.
- Understand current serverless attacks for things to defend against.
- Learn what different cloud providers (AWS/GKE/Azure/Oracle Cloud) do to protect you in a serverless world.
Epistemological Problem of Application SecurityJames Wickett
Over the years, AppSec has made progress but it has also made some mis-steps. We focus almost solely on development practices and training as remediation. This isn't sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here. Lets journey together to find old truths and better approaches to Application Security.
A DevSecOps Tale of Business, Engineering, and PeopleJames Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for Security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again?
In an attempt to answer this question, we will look back in time over 120 years to unveil a tale that touches on business, engineering, and resilience. We will see how engineering decisions affect the lives of those around us, and even though the world has radically changed over the last century, we are still facing many of the same root challenges.
Along the way, we will highlight the high-performing DevSecOps teams of today and introduce a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.
Building a DevSecOps Pipeline Around Your Spring Boot ApplicationVMware Tanzu
SpringOne Platform 2019
Building a DevSecOps Pipeline Around Your Spring Boot Application
Speaker: Hayley Denbraver, Developer Advocate, Snyk
YouTube: https://youtu.be/CtQ2KZ4aMnQ
All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down or worse. But, with the rise of CD pipelines and new devsecops tooling, there is an opportunity to reverse this trend and move Security from being a blocker to being an enabler.
This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence.
From DeliveryConf 2020
DevSecOps, An Organizational Primer - AWS Security Week at the SF LoftAmazon Web Services
DevSecOps, An Organizational Primer - AWS Security Week at the San Francisco Loft
We examine building DevSecOps culture for you or your customers, which includes foundational practices and scaling functions to instantiate and resiliently operate a DevSecOps model. To achieve this shift, we analyze common success patterns, such as how to use a secure CI/CD pipeline. You’ll learn key points such as building security owners, integrating continuous compliance and security, and removing people from the data to vastly improve your security posture over traditional operating models. Takeaways include a blueprint for building a DevSecOps operating model in your organization; an understanding the security practitioners' point of view and embracing it to drive innovation; and ways to identify operating characteristics in your organization and use them to drive a strategy for DevSecOps.
Level: 100
Speaker: Tim Anderson - Tech Industry Specialist, AWS Security
Hacker Games & DevSecOps presentation from Tallinnec 27.3. 2018 meetup. How to make DevSecOps more fun by playing hacker games? What can you learn from Hack The Box?
The New Ways of Chaos, Security, and DevOpsJames Wickett
VMware Thought Leadership Series: The New Ways of Chaos, Security, and DevOps
Abstract:
DevOps and the subsequent move bring security in under the umbrella of DevSecOps has created a new an ethos for security. This is good, however moving security and DevOps closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxlior mazor
Our technology, work processes, and activities all depend on if we trust our software to be developed in a safe and secure manner. Join us virtually for our upcoming "Secure Your DevOps Pipeline: Best Practices" Meetup to learn how to integrate security in the development process, DevSecOps advance methods, manage the implement secure coding analysis and how to manage software security risks.
Serverless Security: Doing Security in 100 millisecondsJames Wickett
Talk on serverless security with a brief history of cloud, containers and now serverless. This talk also features serverless patterns, and security considerations needed in this new environment. This talk was given at AppSecUSA 2016.
Today everybody wants to deploy the app and infrastructure faster without any disputes. An Even, Agile framework can help to deploy faster in real-time. But Continuous Innovation may conflict with stability and security. Without security at every stage, DevOps merely introduces vulnerabilities into application quickly. To resolve such conflict, the gap in recursive feedback loops need to be eliminated. Mostly, teams are not effectively working in a collaboration and interacting with each other smoothly. This results in gaps and produce problems with code development and quality, meaning slower delivery plans and serious vulnerabilities that create security risk at most. Fortunately, these shortcomings can be addressed very well, as developers/testers are set to launch off into the DevSecOps world or via adopting rugged DevOps model.
From Zero to DevSecOps in 60 Minutes - DevTalks Romania - Cluj-Napocajerryhargrove
Whether you’re building an application in a DevOps + Security culture, or have already bridged the gap with DevSecOps, the task remains the same: How do you ensure that security best practices are understood, architected for and integrated into your application from day 1 AND remain relevant year 1. During this talk I’ll focus on how to achieve these goals amidst the ever changing landscape of people, process, and technology in the cloud, in the context of various compute environments like instances, containers and serverless functions. and how to do so using off-the-shelf AWS services and features. I’ll complete the story by accompanying this discussion with a reference application architecture and examples. Attendees of this talk will receive actionable best practices and guidance, with specific implementation details for AWS
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
Security is in crisis and it needs a new way to move forward. This talk from Nov 2018, Houston ISSA meeting discusses the tooling needed to rise to the demands of devops and devsecops.
How to Effect Change in the Epistemological Wasteland of Application SecurityJames Wickett
From GOTO London 2015
Over the years, application security (appsec) has made progress, but it has also made some considerable mis-steps. Appsec focuses almost solely on developer awareness and secure development training as remediation. This isn't sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here. Lets journey together to find old truths and better approaches.
We will explore ways to make a change for the better across all levels of the development lifecycle, but we will focus on security testing early on in the development process. From this session, you will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.
Talk from Serverless Days Austin with @iteration1 and @wickett. This talk covers serverless basics and the Secure WIP model as a way to bring security to the conversation.
Pragmatic Security and Rugged DevOps - SXSW 2015James Wickett
From SXSW Interactive 2015
Writing code that works is hard. Writing rugged code that can stand the test of time is even harder. This difficulty is often compounded by crunched timelines and fast cycles that prioritize new features. Add in evolving business needs and new technology and it becomes confusing to know what to do and how to integrate security into your application.
This workshop brings in some of the top developers and application security practitioners to help you ruggedize your end-to-end development lifecycle from code commit to running system.
Three Takeaways:
1. You will learn pragmatic approaches and tooling that will affect your development processes and delivery pipelines.
2. Armed with tools and ideas for monitoring your operational and runtime security.
3. You will walk away with code examples and tools that you can put into practice right away for security and rugged testing.
http://schedule.sxsw.com/2015/events/event_IAP35935
The Seven Habits of the Highly Effective DevSecOpJames Wickett
DevOps and the subsequent move bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good, however moving security and devops closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And really, what makes a good DevSecOp?
This talk highlights the seven habits that the high-performing DevSecOp of today (and tomorrow) should develop. Topics range from empathy to lean to system safety with the hope to uncover a new playbook for devs, ops, and security to work together.
The New Ways of DevSecOps - The Secure Dev 2019James Wickett
Talk given for https://www.thesecuredeveloper.com/events/the-new-ways-of-devsecops
DevOps and the subsequent move bring security in under the umbrella of DevSecOps has created a new an ethos for security. This is good, however moving security and devops closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
Innotech Austin 2017: The Path of DevOps Enlightenment for InfoSecJames Wickett
Innotech Austin 2017: The Path of DevOps Enlightenment for InfoSec
Security as we have known it has completely changed. Through challenges from the outside and from within there is a wholesale conversion happening across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape.
The DevSecOps Builder’s Guide to the CI/CD PipelineJames Wickett
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at LASCON 2018, in Austin, TX.
DevOpsDays Austin: Security in the FaaS LaneJames Wickett
James Wickett and Karthik Gaekwad talk about Serverless Security at DevOps Days Austin.
Security in FaaS isn't what we are used to, but this talk shows you how what we learned in appsec still applies. Using LambHack, which is a vulnerable serverless application written in Go on AWS Lambda using Sparta, we will evaluate how to do security in serverless.
In this talk, we will talk about security strategies and pitfalls in the serverless world. You'll leave with an understanding of how to approach security conversations about serverel
Talk goals:
- How to approach the security concerns in a serverless world.
- Talk about the 'WIP' methodology for serverless security.
- Understand current serverless attacks for things to defend against.
- Learn what different cloud providers (AWS/GKE/Azure/Oracle Cloud) do to protect you in a serverless world.
Epistemological Problem of Application SecurityJames Wickett
Over the years, AppSec has made progress but it has also made some mis-steps. We focus almost solely on development practices and training as remediation. This isn't sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here. Lets journey together to find old truths and better approaches to Application Security.
A DevSecOps Tale of Business, Engineering, and PeopleJames Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for Security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again?
In an attempt to answer this question, we will look back in time over 120 years to unveil a tale that touches on business, engineering, and resilience. We will see how engineering decisions affect the lives of those around us, and even though the world has radically changed over the last century, we are still facing many of the same root challenges.
Along the way, we will highlight the high-performing DevSecOps teams of today and introduce a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.
Building a DevSecOps Pipeline Around Your Spring Boot ApplicationVMware Tanzu
SpringOne Platform 2019
Building a DevSecOps Pipeline Around Your Spring Boot Application
Speaker: Hayley Denbraver, Developer Advocate, Snyk
YouTube: https://youtu.be/CtQ2KZ4aMnQ
All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down or worse. But, with the rise of CD pipelines and new devsecops tooling, there is an opportunity to reverse this trend and move Security from being a blocker to being an enabler.
This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence.
From DeliveryConf 2020
DevSecOps, An Organizational Primer - AWS Security Week at the SF LoftAmazon Web Services
DevSecOps, An Organizational Primer - AWS Security Week at the San Francisco Loft
We examine building DevSecOps culture for you or your customers, which includes foundational practices and scaling functions to instantiate and resiliently operate a DevSecOps model. To achieve this shift, we analyze common success patterns, such as how to use a secure CI/CD pipeline. You’ll learn key points such as building security owners, integrating continuous compliance and security, and removing people from the data to vastly improve your security posture over traditional operating models. Takeaways include a blueprint for building a DevSecOps operating model in your organization; an understanding the security practitioners' point of view and embracing it to drive innovation; and ways to identify operating characteristics in your organization and use them to drive a strategy for DevSecOps.
Level: 100
Speaker: Tim Anderson - Tech Industry Specialist, AWS Security
Hacker Games & DevSecOps presentation from Tallinnec 27.3. 2018 meetup. How to make DevSecOps more fun by playing hacker games? What can you learn from Hack The Box?
The New Ways of Chaos, Security, and DevOpsJames Wickett
VMware Thought Leadership Series: The New Ways of Chaos, Security, and DevOps
Abstract:
DevOps and the subsequent move bring security in under the umbrella of DevSecOps has created a new an ethos for security. This is good, however moving security and DevOps closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxlior mazor
Our technology, work processes, and activities all depend on if we trust our software to be developed in a safe and secure manner. Join us virtually for our upcoming "Secure Your DevOps Pipeline: Best Practices" Meetup to learn how to integrate security in the development process, DevSecOps advance methods, manage the implement secure coding analysis and how to manage software security risks.
Maturing DevSecOps: From Easy to High ImpactSBWebinars
Digital Transformation and DevSecOps are the buzzwords du jour. Increasingly, organizations embrace the notion that if you implement DevOps, you must transform security as well. Failing to do so would either leave you insecure or make your security controls negate the speed you aimed to achieve in the first place.
So doing DevSecOps is good... but what does it actually mean? This talk unravels what it looks like with practical, good (and bad) examples of companies who are:
Securing DevOps technologies - by either adapting or building new solutions that address the new security concerns
Securing DevOps methodologies - changing when and how security controls interact with the application and the development process
Adapting to a DevOps philosophy of shared ownership for security
In the end, you'll have the tools you need to plan your interpretation of DevSecOps, choose the practices and tooling you need to support it, and ensure that Security leadership is playing an important role in making it a real thing in your organization.
This is the latest version of the State of the DevSecOps presentation, which was given by Stefan Streichsbier, founder of guardrails.io, as the keynote for the Singapore Computer Society - DevSecOps Seminar in Singapore on the 13th January 2020.
Keeping security top of mind while creating standards for engineering teams following the DevOps culture. This talk was designed to show off how easily it is to automate security scanning and to be the developer advocate by showing the quality of development work. We will cover some high-level topics of DevSecOps and demo some examples DevOps team can implement for free.
Application Security Epistemology in a Continuous Delivery WorldJames Wickett
CD Summit - Austin, from DevOps Connect
Desc:
Over the years, application security (appsec) has made progress, but it has also made some considerable mis-steps. Appsec focuses almost solely on developer awareness and secure development training as remediation. This isn’t sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here.
http://www.devopsconnect.com/events/cd-summit-austin/
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
DevOps toolchains are transforming modern IT, but hackers can undermine their benefits through poorly implemented or vulnerable DevOps tools. Chris Gates and Ken Johnson will share their collaborative attack research into the technology driving DevOps. They will share an attacker's perspective on exploiting DevOps organizations and the countermeasures these organizations should employ.
RSAC 2017
Ken Johnson & Chris Gates
As kubernetes matures into the standard de facto Operating System of the Cloud, in addition to a shift in deployment methods such as GitOps and Continuous delivery paradigms - automation of security is one of our main concerns
The security policy alignment starts from the CI/CD pipelines, and continues to runtime security solutions.
In this talk, we will introduce a few solutions built around kubernetes from the early stages of the CI/CD pipelines through runtime application security models which we are seeing from many companies on the security vertical.
Scanning tools [ static ]
Runtime [ pro-active, permissive ]
Few words about Haggai:
Haggai is a DevOps Architect, Group & TechLead at Tikal, for the past 15 years Haggai’s has provided solutions in the domains of Ci/CD, Configuration Management, and Security.
And in the past, ~4 years specialized in Kubernetes-based deployment schemes.
Collaborative security : Securing open source softwarePriyanka Aash
There’s no guarantee that software will ever be free from vulnerabilities, whether it is open source or proprietary, but there is still plenty we can do. The Linux Foundation CTO Nicko van Someren will discuss new tools and techniques that help improve the security and quality of open source projects, presenting data from various open source projects including pre- and post-Heartbleed OpenSSL.
(Source : RSA Conference USA 2017)
For federal agencies, accomplishing in just a matter of weeks IT tasks that typically take months or years may seem like a pipe dream. That’s the promise of the DevSecOps methodology. DevSecOps is a way of thinking that encourages software developers to work collaboratively with IT operations and security staff on development, testing and quality assurance to develop and deploy software more quickly and automate deployment of code, security and infrastructure changes.
Commercial Cloud provides a comprehensive platform of tools, technologies and services that can enable federal agencies to realize this promise.
The VA Digital Services Team (DSVA) has been leading the Department of Veterans Affairs on their journey to the cloud for the past 4 years. The initial DSVA cloud deployment was vets.gov and Caseflow on AWS. Vets.gov and Caseflow are real world examples of how modern devsecops techniques be used with existing federal ATO security requirements.
In this talk, AWS and DSVA will present DevSecOps principles, best practices and lessons learned. DSVA will discuss how Vets.gov and Caseflow have implemented these techniques inside the VA. This includes applying continuous integration and continuous deployment (CI/CD) to the software development process where security checks are performed and automated to ensure compliance and ATO conformance with VA's security standards.
10 Reasons Your Software Sucks 2014 - Tax Day Edition!Caleb Jenkins
Based on years of consulting, and working with some of the largest (and smallest) software companies in the world.. these are the 10 practices that if you started doing today, would drastically improve the quality and delivery of your software! Also, be sure to hang around afterwards in the Open Spaces area.. Caleb will be around to discuss any of the areas from his talk in more detail. It’s going to be great time!
Topics hit on: Object Oriented Principals, SOLID Coding, Security Concerns, Software Patterns, Automated Testing, Source Control - Branching and Merging Strategies, Continuous Integration, Agile | Scrum | XP | Lean, Team Dynamics, Continually Learning
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...Mobodexter
BlackHat USA 2015 got recently concluded and we head a bunch of news around how BlackHat brought to light various security vulnerabilities in day-to-day life like ZigBee protocol, Device for stealing keyless cars & ATM card skimmers. However the presenters, who are also ethical hackers, also gave a bunch of tools to help software community to detect & prevent security holes in the hardware & software while the product is ready for release. We have reviewed all the presentations from the conference and give you here a list of Top 10 tools/utilities that helps in security vulnerability detection & prevention.
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdflior mazor
Stay safe, grab a drink and join us virtually for our upcoming "Vulnerability Alert Fatigue and Malicious Code Attacks" meetup to hear about How to Cover Known & Unknown Risks in your OSS,
Supply Chain Security Maturity model, known vulnerabilities in IAM and ways to incorporate security in the package update process.
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Achim D. Brucker
Security testing is an important part of any security development lifecycle (SDL) and, thus, should be a part of any software (development) lifecycle. Still, security testing is often understood as an activity done by security testers in the time between "end of development'" and "offering the product to customers.'"
On the one hand, learning from traditional testing that the fixing of bugs is the more costly the later it is done in development, security testing should be integrated into the daily development activities. On the other hand, developing software for the cloud and offering software in the cloud raises the need for security testing in a "close-to-production" or even production environment. Consequently, we need an end-to-end integration of security testing into the software lifecycle.
In this talk, we will report on our experiences on integrating security testing ``end-to-end'' into SAP's software development lifecycle in general and, in particular, SAP's Secure Software Development Lifecycle (S2DL). Moreover, we will discuss different myths, challenges, and opportunities in the are security testing.
Similar to The Emergent Cloud Security Toolchain for CI/CD (20)
Security in a Site Reliability Engineering (SRE) context with a focus on being pragmatic just makes sense. In this talk, we will look at 4 key areas where SRE and Security tribes can join forces and influence the overall business. This is a lab/discussion session.
A Way to Think about DevSecOps: MEASUREJames Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again?
In an attempt to answer this question, we will look back in history to learn how engineering decisions affect the lives of those around us, with an eye on how to make meaningful progress today.
Along the way, we will highlight the high-performing DevSecOps teams of today and introduce MEASURE, a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.
----
thanks to Verica https://verica.io and techstrongcon.com
The Security, DevOps, and Chaos Playbook to Change the WorldJames Wickett
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This talk will highlight security’s place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
DevOps and the subsequent move to bring security in under the umbrella of DevSecOps has created a new ethos for security. This is good. But, when things go wrong–and we know they will–are we going to be successful with the DevSecOps model, or will we be left searching yet again?
In an attempt to answer this question, we will look back in time over 120 years to unveil a tale that touches on business, engineering, and resilience. We will see how engineering decisions affect the lives of those around us and even though the world has radically changed over the last century, we are still facing many of the same root challenges.
Along the way, we will highlight the high-performing DevSecOps teams of today and introduce a framework for approaching DevSecOps in your organization. Topics range from empathy to lean to system safety with the hope to frame a new playbook for devs, ops, and security to work together.
From Innotech Austin 2019 and Cloud Austin Nov 2019
NewOps Days 2019: The New Ways of Chaos, Security, and DevOpsJames Wickett
DevOps and the subsequent move bring security in under the umbrella of DevSecOps has created a new an ethos for security. This is good, however moving security and devops closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does= chaos engineering fit in? This talk highlights security's place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.
Discussion of how security is in crisis but DevSecOps offers a new playbook and gives security a path to influence. Taking a look at the WAF space, we look at how Signal Sciences has created feedback between Dev and Ops and Security to create new value.
Adversary Driven Defense in the Real WorldJames Wickett
Talk by Shannon Lietz and James Wickett at DevOps Enterprise Summit 2018, Las Vegas.
Talk covers finding real world adversaries and balancing your effort and defenses to adjust for them.
This talk is half discussion of the DevSecOps 2018 community survey report and half conversation with the crowd in attendance on what they want the future to look like. This was prepared for the July 2018 meetup of DevOps Austin.
The talk was created by @wickett of Signal Sciences and @ernestmueller of AlienVault.
Call it what you will - DevSecOps, DevOpsSec, Rugged, Agile Application Security, Shift Left Unicorn Dust AppSec,... The face of security is changing. We'll go through the results of the DevSecOps Community Survey and examine the trends. Then we'll lead a group discussion on the topic. How have you tried to make security part of your SDLC? What have you seen work? What hasn't? What's important to you?
From Austin OWASP meetup in June 2018
Serverless Security: A Pragmatic Primer for builders and defenders
Covers an intro to serverless, security ideas, and an open source vulnerable lambda application called lambhack.
From LASCON 2017, Austin, Texas.
The Path of DevOps Enlightenment for InfoSecJames Wickett
Presentation at All Day DevOps on the path for infosec and security engineers in the modern software development flow and their place in DevOps. The journey is important but the destination is critical.
DevSecOps Singapore 2017 - Security in the Delivery PipelineJames Wickett
This talk is from DevSecOps Singapore, June 29th, 2017.
Continuous Delivery and Security are traveling companions if we want them to be. This talk highlights how to make that happen in three areas of the delivery pipeline.
Graspan: A Big Data System for Big Code AnalysisAftab Hussain
We built a disk-based parallel graph system, Graspan, that uses a novel edge-pair centric computation model to compute dynamic transitive closures on very large program graphs.
We implement context-sensitive pointer/alias and dataflow analyses on Graspan. An evaluation of these analyses on large codebases such as Linux shows that their Graspan implementations scale to millions of lines of code and are much simpler than their original implementations.
These analyses were used to augment the existing checkers; these augmented checkers found 132 new NULL pointer bugs and 1308 unnecessary NULL tests in Linux 4.4.0-rc5, PostgreSQL 8.3.9, and Apache httpd 2.2.18.
- Accepted in ASPLOS ‘17, Xi’an, China.
- Featured in the tutorial, Systemized Program Analyses: A Big Data Perspective on Static Analysis Scalability, ASPLOS ‘17.
- Invited for presentation at SoCal PLS ‘16.
- Invited for poster presentation at PLDI SRC ‘16.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review proces
How Recreation Management Software Can Streamline Your Operations.pptxwottaspaceseo
Recreation management software streamlines operations by automating key tasks such as scheduling, registration, and payment processing, reducing manual workload and errors. It provides centralized management of facilities, classes, and events, ensuring efficient resource allocation and facility usage. The software offers user-friendly online portals for easy access to bookings and program information, enhancing customer experience. Real-time reporting and data analytics deliver insights into attendance and preferences, aiding in strategic decision-making. Additionally, effective communication tools keep participants and staff informed with timely updates. Overall, recreation management software enhances efficiency, improves service delivery, and boosts customer satisfaction.
Software Engineering, Software Consulting, Tech Lead, Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Transaction, Spring MVC, OpenShift Cloud Platform, Kafka, REST, SOAP, LLD & HLD.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamtakuyayamamoto1800
In this slide, we show the simulation example and the way to compile this solver.
In this solver, the Helmholtz equation can be solved by helmholtzFoam. Also, the Helmholtz equation with uniformly dispersed bubbles can be simulated by helmholtzBubbleFoam.
Navigating the Metaverse: A Journey into Virtual Evolution"Donna Lenk
Join us for an exploration of the Metaverse's evolution, where innovation meets imagination. Discover new dimensions of virtual events, engage with thought-provoking discussions, and witness the transformative power of digital realms."
How to Position Your Globus Data Portal for Success Ten Good PracticesGlobus
Science gateways allow science and engineering communities to access shared data, software, computing services, and instruments. Science gateways have gained a lot of traction in the last twenty years, as evidenced by projects such as the Science Gateways Community Institute (SGCI) and the Center of Excellence on Science Gateways (SGX3) in the US, The Australian Research Data Commons (ARDC) and its platforms in Australia, and the projects around Virtual Research Environments in Europe. A few mature frameworks have evolved with their different strengths and foci and have been taken up by a larger community such as the Globus Data Portal, Hubzero, Tapis, and Galaxy. However, even when gateways are built on successful frameworks, they continue to face the challenges of ongoing maintenance costs and how to meet the ever-expanding needs of the community they serve with enhanced features. It is not uncommon that gateways with compelling use cases are nonetheless unable to get past the prototype phase and become a full production service, or if they do, they don't survive more than a couple of years. While there is no guaranteed pathway to success, it seems likely that for any gateway there is a need for a strong community and/or solid funding streams to create and sustain its success. With over twenty years of examples to draw from, this presentation goes into detail for ten factors common to successful and enduring gateways that effectively serve as best practices for any new or developing gateway.
Listen to the keynote address and hear about the latest developments from Rachana Ananthakrishnan and Ian Foster who review the updates to the Globus Platform and Service, and the relevance of Globus to the scientific community as an automation platform to accelerate scientific discovery.
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxrickgrimesss22
Discover the essential features to incorporate in your Winzo clone app to boost business growth, enhance user engagement, and drive revenue. Learn how to create a compelling gaming experience that stands out in the competitive market.
Top 7 Unique WhatsApp API Benefits | Saudi ArabiaYara Milbes
Discover the transformative power of the WhatsApp API in our latest SlideShare presentation, "Top 7 Unique WhatsApp API Benefits." In today's fast-paced digital era, effective communication is crucial for both personal and professional success. Whether you're a small business looking to enhance customer interactions or an individual seeking seamless communication with loved ones, the WhatsApp API offers robust capabilities that can significantly elevate your experience.
In this presentation, we delve into the top 7 distinctive benefits of the WhatsApp API, provided by the leading WhatsApp API service provider in Saudi Arabia. Learn how to streamline customer support, automate notifications, leverage rich media messaging, run scalable marketing campaigns, integrate secure payments, synchronize with CRM systems, and ensure enhanced security and privacy.
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Globus
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
2. #RSAC
@WICKETT
@WICKETT
Head of Research @ Signal Sciences
Organizer of DevOps Days Austin
lynda.com author on DevOps and Security
Courses
Blog at theagileadmin.com and
labs.signalsciences.com
5. #RSAC
@WICKETT
Questions on my Mind
Can Security as an Industry Rise to the
Demands of DevOps?
Is the DevOps culture able to handle security
and all of our baggage?
Will security destroy the DevOps Culture?
8. #RSAC
@WICKETT
Companies are spending a great deal on
security, but we read of massive computer-
related attacks. Clearly something is wrong.
The root of the problem is twofold:
we’re protecting the wrong things,
and we’re hurting productivity in the process.
THINKING SECURITY, STEVEN M. BELLOVIN 2015
10. #RSAC
@WICKETT
[Security by risk assessment]
introduces a dangerous fallacy: that
structured inadequacy is almost as
good as adequacy and that
underfunded security efforts plus risk
management are about as good as
properly funded security work
18. #RSAC
@WICKETT
Serverless encourages functions as
deploy units and run as one-time*,
read-only containers*, coupled with
third party services that allow running
end-to-end applications without
worrying about system operation.
* - yes, we know there is container reuse and writability
24. @WICKETT
Maybe in order to understand devsecops, we have to
look at the word itself. Basically, it’s made up of three
separate words: de, vseco, and ps. What do these
words mean? It’s a mystery, and that’s why so is
devsecops.
- DevSecOps Deep Thoughts
25. @WICKETT
Whenever someone asks
me to define devsecops, I
usually think for a minute,
then I spin around and pin
the guy's arm behind his
back. NOW who's asking the
questions?
- DevSecOps Deep Thoughts
Shoutout to the @TheJewberwocky the original DevOps Deep Thoughts
26. @WICKETT
The original DevOps Deep Thoughts were
created by the hilarious and awesome Josh
Zimmerman (@TheJewberwocky) as Not Jack
Handey which is parody of Deep Thoughts by
Jack Handey.
These DevSecOps Deep Thoughts are not nearly
as funny nor deep, but hey what do you expect of
a parody of a parody?
27. @WICKETT
Many people don't realize that
playing dead can help not only
with bears, but also at
important business meetings.
- Jack Handey
28. #RSAC
@WICKETT
High performing orgs achieve
quality by incorporating security
(and security teams) into the
delivery process
2016 State of DevOps Report
41. @WICKETT
The design and development of an application and its
features. Including all the development practices like version
control, sprint planning, unit-testing.
Develop Inherit Build Deploy Operate
42. @WICKETT
- Threat Modeling
- Security Stories
- Authentication to Push
- Development Standards
Develop Inherit Build Deploy Operate
Security Activities and Considerations
- Peer Review
- Static Code Analysis
- Unit Tests for Security
43. @WICKETT
- The Threat Modeling Book by Adam
Shostack
- OWASP App Threat Modeling Cheat Sheet
- Evil User Stories (link)
- OWASP Application Security Verification
Standard
- Mozilla Rapid Risk Assessment (link)
Develop Inherit Build Deploy Operate
Threat Modeling and Security Stories
44. @WICKETT
- Pre-commit Hooks for
Security
- Coding Standards (Security
and otherwise)
Develop Inherit Build Deploy Operate
Development Standards
- Peer Review
- Single Mainline Branch
- Linting and Code Hygiene
45. @WICKETT
- git-secrets Prevents you from committing
passwords and other sensitive information to
a git repository. From awslabs. (link)
- git-hound Hound is a Git plugin that helps
prevent sensitive data from being committed
into a repository by sniffing potential commits
against PCRE regular expressions. (link)
Develop Inherit Build Deploy Operate
Code Standards and Team Tooling
- gometalinter or whatever your language
of choice (this is a golang example, you
will need one for your language)
- gofmt formats the code automatically
and makes everything look the same,
easier for everyone to grok (again, this is
specific to lang)
46. @WICKETT
Develop Inherit Build Deploy Operate
Code Standards and Team Tooling is run on
developer laptops and systems, but verified
by CI system.
47. @WICKETT
- Not unfamiliar territory for
security!
- Static Application Security
Testing (SAST)
- IDE Plugin if Possible
Develop Inherit Build Deploy Operate
Static Code Analysis!
- Open Source: Brakeman
(Ruby), FindSecurityBugs (Java),
Phan (PHP), Go AST (golang)
- Paid: Brakeman Pro, Veracode,
Fortify, …
48. @WICKETT
- Unit Testing is the currency of Developers
- JUnit, Rspec, Testing (golang), ….
- Goal is to have security tests being written with other unit tests
or whatever testing patterns you use: TDD, BDD, ATDD, …
Develop Inherit Build Deploy Operate
Unit Testing for Security
49. @WICKETT
Are the developers testing for security locally before it gets to CI
system?
Do we practice good hygiene and coding practices?
Are we developing as a team in trunk with few branches?
Develop Inherit Build Deploy Operate
Questions to Ask
50. @WICKETT
This is an overlooked phase because it is the most invisible as
software dependencies get bundled in and inherited in our
own code and upstream.
Develop Inherit Build Deploy Operate
51. @WICKETT
Develop Inherit Build Deploy Operate
- This is your real LOC count!
- The Software Delivery Supply
Chain
- Publish a Bill of Materials and
trace back
Security Considerations
- This is not just application
dependencies and libraries,
but also OS-level (remember
shellshock, heartbleed, ..)
52. @WICKETT
Develop Inherit Build Deploy Operate
- bundler-audit - checks for vulnerable
versions of gems in your ruby code
(link)
- nsp - node security platform (link)
- Paid options: Sonatype, BlackDuck,
JFrog
Language Tooling
- Retire.js - known vuln JS libs (link)
53. @WICKETT
Develop Inherit Build Deploy Operate
- Over 30% of containers in
Docker Hub have high sev
vulns (source)
- Open Source: Docker Bench,
Clair
- Paid Options: aqua, twistlock
Containers!
54. @WICKETT
Develop Inherit Build Deploy Operate
What have I bundled into my app that is making vulnerable?
Am I publishing a Bill of Materials with my application?
Questions to Ask
55. @WICKETT
This phase is where the CI build system runs all the build
steps and does acceptance testing. Previous testing and
tooling gets verified here.
Develop Inherit Build Deploy Operate
56. @WICKETT
Develop Inherit Build Deploy Operate
- Outside-In Security Testing
- Infra as Code (Testing)
- Dynamic Application Security
Testing (DAST)
Security Considerations
- Compliance on every build!
- Cloud provider config as
code
- Using containers
57. @WICKETT
Develop Inherit Build Deploy Operate
- These all require tuning and can be
difficult to integrate into build
pipelines.
- Application Security scanners:
Nikto, Arachni, ZAP, sqlmap, xsser,
…
Dynamic Application Security Scanners
- Other - SSLyze, nmap,
ssh_scan
- See Kali Linux
- Paid: Qualys, AppScan,
BurpSuite, …
58. @WICKETT
The goal should be to come up with
a set of automated tests that probe
and check security configurations
and runtime system behavior for
security features that will execute
every time the system is built and
every time it is deployed.
59. @WICKETT
Framework with Security testing written in a natural
language that developers, security and operations can
understand.
Gauntlt wraps security testing tools but does not install tools
Gauntlt was built to be part of the CI/CD pipeline
Open source, MIT License,
gauntlt.org
63. @WICKETT
Develop Inherit Build Deploy Operate
- Test Kitchen - https://kitchen.ci/
- Serverspec - http://serverspec.org/
- Chef InSpec - Continuous
Compliance Testing (https://
www.chef.io/inspec/)
Infrastructure and Compliance
- Cloud Provider is
Infrastructure too
- Version and test Cloud
Config (e.g. CloudFormation
for AWS)
64. @WICKETT
Develop Inherit Build Deploy Operate
Am I testing for security low hanging fruit?
Am I arming my pipeline with attack tools to exercise my
application?
Have I validated the previous two phases of testing in secure
build environment?
Questions to Ask
65. @WICKETT
The phase where software moves from our testing to where
customers are able to operate it for the first time.
Develop Inherit Build Deploy Operate
66. @WICKETT
Develop Inherit Build Deploy Operate
- Watch out for Compliance
- Secrets Management
- Deploy Accountability
- Authorization and Logging
Security Considerations
- Monitoring Deploys
- Infra as Code (Execution)
- Repeatable Execution
73. @WICKETT
[Deploys] can be treated as
standard or routine changes
that have been pre-approved
by management, and that
don’t require a heavyweight
change review meeting.
78. @WICKETT
Develop Inherit Build Deploy Operate
What secrets are needed to move my application from
development into production?
Am I testing for Compliance on each and every deploy?
Is there a repeatable mechanism to push changes to
production?
Questions to Ask
79. @WICKETT
The runtime state of the application, where users interact with
or consume the application. Our application in production.
Develop Inherit Build Deploy Operate
81. @WICKETT
Develop Inherit Build Deploy Operate
- Chaos Engineering and creating
stability through instability
- Circuit Break Pattern in use
- Instrumentation and
Visualization
Security Considerations
- Application security and
service abuse and misuse
- Bug Bounties
- Red Teaming as a Service
83. @WICKETT
“every aspect of managing WAFs is an ongoing
process. This is the antithesis of set it and forget it
technology. That is the real point of this research.
To maximize value from your WAF you need to go
in with everyone’s eyes open to the effort required
to get and keep the WAF running productively.”
- WHITEPAPER FROM AN UNDISCLOSED WAF VENDOR
84. @WICKETT
Account takeover attempts
Areas of the site under attack
Most likely vectors of attack
Business logic flows
Abuse and Misuse signals
Detect what matters
92. @WICKETT
Develop Inherit Build Deploy Operate
Do you know if you are under attack at this current moment?
Do you know what the attackers are going after?
Can I turn on and off services independently if being attacked?
Are we doing Chaos experiments?
Questions to Ask
94. #RSAC
@WICKETT
The New Ways
Empathy and Enablement
Be Fast and Non-Blocking
Don’t slow delivery
Join with continuous testing efforts
Security testing automated in every phase
Penetration Testing alongside the Pipeline
Security provides value through making security normal
95. #RSAC
@WICKETT
Apply What You Have Learned Today
Next week you should:
Identify the who/where/what of your CI/CD Pipeline
In the first three months following this presentation you should:
Create a plan around the five phases and security tooling and practices
Implement 1-2 tools in the pipeline
Within six months you should:
Have security in all five phases of the pipeline
Answer the maturity questions for each phase