SlideShare a Scribd company logo

The left is not wrong, just not right; It's time to shift right!

Phillip Maddux
Phillip Maddux

In the last few years of AppSec and DevOps, we've heard the calls to shift left. But how far left can we go, and is it really going to help eliminate exploitable bugs or scale your AppSec program? What if we consider a different direction, shifting right! Can a focus on shifting to the right be more effective in mitigating real-world threats and prioritization? In this presentation, I'll explore these questions and propose concepts that show why shifting right is right! 

Technology
1 of 31
Download to read offline
The left is not wrong, just not right; It’s time to shift RIGHT!
Phillip Maddux Principle AppSec Researcher & Advisor 12 yrs AppSec in Financials IT & IT Audit prior @foospidy github.com/foospidy linkedin.pxmx.io pxmx.io
Just in case, this is an AppSec talk, not a political talk...
There, that’s better. Containers
The Call To Shift Left
The DevSecOps paradigm that we are all preaching is "Shift Security Left" e.g. design and develop your application with security in mind as early as possible and integrate security into CI/CD pipeline. - Anonymous (Anonymous as in an AppSec person in an AppSec Slack channel, not _ )
What is this shifting left? An approach to software testing and system testing in which testing is performed earlier in the life cycle (i.e. moved left on the project timeline). It is the first half of the maxim "Test early and often." - Wikipedia In the parlance of DevOps and security, a shift left simply means that security is built into the process and designed into the application at an earlier stage of the development cycle. - SecurityRoundtable
Shiftin’ Left Requirements, Design, Development, Build, Testing & Deployment TestingintheSDLC
Shiftin’ Lefter Developer Training Security Champions Relationships w/Devs Achievement coins Gamification Security engineering
Requirements, Design, Development, Build TestingintheSDLC Shiftin’ Lefter Developer Training Security Champions Relationships w/Devs Achievement coins Gamification Security engineering
That is all good Photo by Jonathan Daniels on Unsplash
So what is the issue?
We’ve been doing this for years!
SDLC Evolution to the Left Requirements, Design, Development, Build, Testing & Deployment TestingintheSDLC Pen Testing Arch Review Code Scanning Manual Code Review Dependency Checks Arch ReviewsControl Standards Security Unit Tests IAST Developer Training Security Champions
We need to shift right It’s time to consider a different perspective
It’s time to shift right
Instrumentation & Visibility To really understand what is going on in production
TestingintheSDLC Instrumentation and visibility production Requirements, Design, Development, Build, Testing, Deployment & Production Instrumentation provides visibility and defense capabilities, which provides the ability to make smart blocking decisions.
Why is this important? ● Moving to the cloud. ● Business drivers moving faster resulting in app deployments moving faster. ● Abstraction of infrastructure and operations, e.g. PaaS & serverless, is enabling faster app deployments. Security needs to move fast too, it can only move faster by shifting right.
Benefits Visibility to understand the threats you’re apps are actually facing, this becomes a critical feedback loop to drive prioritization of resources on the left. Gives you an edge even with little resources - delegate security monitoring and defend in real time. Visibility sharing helps build relationships with developers. Threat hunting.
One of the best approaches is to provide rapid feedback to developers. In the land of application performance, we found that running APM tools in production was a way to help developers find places to optimize their code. This created a feedback loop from production (the right) to development (the left). James Wickett ( @wickett) https://labs.signalsciences.com/devsecops-security-shift-right
Attacks & Attack Locations Incredible feedback for developer awareness and prioritization.
Anomalous Traffic
Sensitive or High Risk Transactions
Correlations ● Attacks + anomalous responses ● Attacks + sensitive transactions ● Logins + anomalous sources ● Sensitive transactions + anomalous sources ● Automation (Bots) + user actions ● Automation (Bots) + high risk transactions ● Distinct changes in traffic patterns By Tony Hisgett from Birmingham, UK - Dalek 1, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=18985947
Principle of Known Good ● HTTP structure / attributes ● App specific parameters ○ Headers ○ GET & POST ● Device specific parameters ○ Device IDs ○ User-Agent strings ○ Client software versions Periodically change known good
Honeypots & Deception app honeypot Feeds blocking decisions
Final Thoughts You don’t have to shift left before shifting right. In fact, if you have limited resources or are building a new AppSec program, I recommend starting on the right first. Let the right inform the left as you build out your AppSec program. Absolutely necessary for existing AppSec programs to move faster.
Thank you - Questions?

Recommended

Shift Left. Wait, what? No, Shift Right!!!
Shift Left. Wait, what? No, Shift Right!!!Shift Left. Wait, what? No, Shift Right!!!
Shift Left. Wait, what? No, Shift Right!!!Phillip Maddux
 
SecOps Armageddon: A look into the future of security & operations
SecOps Armageddon: A look into the future of security & operationsSecOps Armageddon: A look into the future of security & operations
SecOps Armageddon: A look into the future of security & operationsPhillip Maddux
 
CSA Raleigh application security and deception in the cloud
CSA Raleigh application security and deception in the cloudCSA Raleigh application security and deception in the cloud
CSA Raleigh application security and deception in the cloudPhillip Maddux
 
Deception in Cyber Security (League of Women in Cyber Security)
Deception in Cyber Security (League of Women in Cyber Security)Deception in Cyber Security (League of Women in Cyber Security)
Deception in Cyber Security (League of Women in Cyber Security)Phillip Maddux
 
Failure is inevitable but it isn't permanent
Failure is inevitable but it isn't permanentFailure is inevitable but it isn't permanent
Failure is inevitable but it isn't permanentTom Stiehm
 
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConShifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConTom Stiehm
 
Shifting Security Left - The Innovation of DevSecOps - AgileDC
Shifting Security Left - The Innovation of DevSecOps - AgileDCShifting Security Left - The Innovation of DevSecOps - AgileDC
Shifting Security Left - The Innovation of DevSecOps - AgileDCTom Stiehm
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating SecurityAlex Stamos
 

Recommended

Shift Left. Wait, what? No, Shift Right!!!
Shift Left. Wait, what? No, Shift Right!!!Shift Left. Wait, what? No, Shift Right!!!
Shift Left. Wait, what? No, Shift Right!!!Phillip Maddux
 
SecOps Armageddon: A look into the future of security & operations
SecOps Armageddon: A look into the future of security & operationsSecOps Armageddon: A look into the future of security & operations
SecOps Armageddon: A look into the future of security & operationsPhillip Maddux
 
CSA Raleigh application security and deception in the cloud
CSA Raleigh application security and deception in the cloudCSA Raleigh application security and deception in the cloud
CSA Raleigh application security and deception in the cloudPhillip Maddux
 
Deception in Cyber Security (League of Women in Cyber Security)
Deception in Cyber Security (League of Women in Cyber Security)Deception in Cyber Security (League of Women in Cyber Security)
Deception in Cyber Security (League of Women in Cyber Security)Phillip Maddux
 
Failure is inevitable but it isn't permanent
Failure is inevitable but it isn't permanentFailure is inevitable but it isn't permanent
Failure is inevitable but it isn't permanentTom Stiehm
 
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConShifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConTom Stiehm
 
Shifting Security Left - The Innovation of DevSecOps - AgileDC
Shifting Security Left - The Innovation of DevSecOps - AgileDCShifting Security Left - The Innovation of DevSecOps - AgileDC
Shifting Security Left - The Innovation of DevSecOps - AgileDCTom Stiehm
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating SecurityAlex Stamos
 
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecurityVlad Styran
 
Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSeniorStoryteller
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsSeniorStoryteller
 
The R.O.A.D to DevOps
The R.O.A.D to DevOpsThe R.O.A.D to DevOps
The R.O.A.D to DevOpsSeniorStoryteller
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie
 
Ops Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the WayOps Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the WaySeniorStoryteller
 
What we learned from three years sciencing the crap out of devops
What we learned from three years sciencing the crap out of devopsWhat we learned from three years sciencing the crap out of devops
What we learned from three years sciencing the crap out of devopsNicole Forsgren
 
Collaborative security : Securing open source software
Collaborative security : Securing open source softwareCollaborative security : Securing open source software
Collaborative security : Securing open source softwarePriyanka Aash
 
Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Priyanka Aash
 
Security in agile teams
Security in agile teamsSecurity in agile teams
Security in agile teamsMaria Gomez
 
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...QAFest
 
The sooner the better but never too late
The sooner the better but never too lateThe sooner the better but never too late
The sooner the better but never too lateVlad Styran
 
Security at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at YahooSecurity at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at YahooAlex Stamos
 
Using security to drive chaos engineering
Using security to drive chaos engineeringUsing security to drive chaos engineering
Using security to drive chaos engineeringDinis Cruz
 
Craft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionCraft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionAaron Rinehart
 
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...Vlad Styran
 
New Era of Software with modern Application Security (v0.6)
New Era of Software with modern Application Security (v0.6)New Era of Software with modern Application Security (v0.6)
New Era of Software with modern Application Security (v0.6)Dinis Cruz
 
Year Zero
Year ZeroYear Zero
Year Zeroleifdreizler
 
How to transform developers into security people
How to transform developers into security peopleHow to transform developers into security people
How to transform developers into security peoplePriyanka Aash
 
Is it Safe? measuring product security goodness
Is it Safe? measuring product security goodnessIs it Safe? measuring product security goodness
Is it Safe? measuring product security goodnessJustin Berman
 
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfCisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfNathanDjami
 
Software risk management
Software risk managementSoftware risk management
Software risk managementJose Javier M
 

More Related Content

What's hot

Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecurityVlad Styran
 
Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSeniorStoryteller
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsSeniorStoryteller
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie
 
Ops Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the WayOps Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the WaySeniorStoryteller
 
What we learned from three years sciencing the crap out of devops
What we learned from three years sciencing the crap out of devopsWhat we learned from three years sciencing the crap out of devops
What we learned from three years sciencing the crap out of devopsNicole Forsgren
 
Collaborative security : Securing open source software
Collaborative security : Securing open source softwareCollaborative security : Securing open source software
Collaborative security : Securing open source softwarePriyanka Aash
 
Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Priyanka Aash
 
Security in agile teams
Security in agile teamsSecurity in agile teams
Security in agile teamsMaria Gomez
 
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...QAFest
 
The sooner the better but never too late
The sooner the better but never too lateThe sooner the better but never too late
The sooner the better but never too lateVlad Styran
 
Security at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at YahooSecurity at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at YahooAlex Stamos
 
Using security to drive chaos engineering
Using security to drive chaos engineeringUsing security to drive chaos engineering
Using security to drive chaos engineeringDinis Cruz
 
Craft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionCraft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionAaron Rinehart
 
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...Vlad Styran
 
New Era of Software with modern Application Security (v0.6)
New Era of Software with modern Application Security (v0.6)New Era of Software with modern Application Security (v0.6)
New Era of Software with modern Application Security (v0.6)Dinis Cruz
 
How to transform developers into security people
How to transform developers into security peopleHow to transform developers into security people
How to transform developers into security peoplePriyanka Aash
 
Is it Safe? measuring product security goodness
Is it Safe? measuring product security goodnessIs it Safe? measuring product security goodness
Is it Safe? measuring product security goodnessJustin Berman
 

What's hot (20)

Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software SecuritySigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software Security
 
Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security Solutions
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOps
 
The R.O.A.D to DevOps
The R.O.A.D to DevOpsThe R.O.A.D to DevOps
The R.O.A.D to DevOps
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
 
Ops Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the WayOps Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the Way
 
What we learned from three years sciencing the crap out of devops
What we learned from three years sciencing the crap out of devopsWhat we learned from three years sciencing the crap out of devops
What we learned from three years sciencing the crap out of devops
 
Collaborative security : Securing open source software
Collaborative security : Securing open source softwareCollaborative security : Securing open source software
Collaborative security : Securing open source software
 
Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?
 
Security in agile teams
Security in agile teamsSecurity in agile teams
Security in agile teams
 
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...
 
The sooner the better but never too late
The sooner the better but never too lateThe sooner the better but never too late
The sooner the better but never too late
 
Security at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at YahooSecurity at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at Yahoo
 
Using security to drive chaos engineering
Using security to drive chaos engineeringUsing security to drive chaos engineering
Using security to drive chaos engineering
 
Craft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security PrecognitionCraft 2019 - Security Chaos Engineering - Security Precognition
Craft 2019 - Security Chaos Engineering - Security Precognition
 
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...
В чому різниця між тестами на проникнення, аудитами, та іншими послугами з кі...
 
New Era of Software with modern Application Security (v0.6)
New Era of Software with modern Application Security (v0.6)New Era of Software with modern Application Security (v0.6)
New Era of Software with modern Application Security (v0.6)
 
Year Zero
Year ZeroYear Zero
Year Zero
 
How to transform developers into security people
How to transform developers into security peopleHow to transform developers into security people
How to transform developers into security people
 
Is it Safe? measuring product security goodness
Is it Safe? measuring product security goodnessIs it Safe? measuring product security goodness
Is it Safe? measuring product security goodness
 

Similar to The left is not wrong, just not right; It's time to shift right!

Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfCisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfNathanDjami
 
Software risk management
Software risk managementSoftware risk management
Software risk managementJose Javier M
 
All About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdfAll About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdfEnov8
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Eryk Budi Pratama
 
How to build app sec team & culture in your organization the hack summi...
How to build app sec team & culture in your organization the hack summi...How to build app sec team & culture in your organization the hack summi...
How to build app sec team & culture in your organization the hack summi...kunwaratul hax0r
 
Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...Yazad Khandhadia
 
Why DevOps != the Wild West and How Embracing it Can Improve Security - RSA C...
Why DevOps != the Wild West and How Embracing it Can Improve Security - RSA C...Why DevOps != the Wild West and How Embracing it Can Improve Security - RSA C...
Why DevOps != the Wild West and How Embracing it Can Improve Security - RSA C...Dan Cundiff
 
10 things to get right for successful dev secops
10 things to get right for successful dev secops10 things to get right for successful dev secops
10 things to get right for successful dev secopsMohammed Ahmed
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxlior mazor
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended CutMike Spaulding
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Programcentralohioissa
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Deliverydevopsdaysaustin
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySeniorStoryteller
 
DevOps and Devsecops What are the Differences.pdf
DevOps and Devsecops What are the Differences.pdfDevOps and Devsecops What are the Differences.pdf
DevOps and Devsecops What are the Differences.pdfTechugo
 
Application security for the modern web - ISSA South Texas Houston DevOps
Application security for the modern web - ISSA South Texas Houston DevOpsApplication security for the modern web - ISSA South Texas Houston DevOps
Application security for the modern web - ISSA South Texas Houston DevOpsPhillip Maddux
 
Enterprise Devsecops
Enterprise DevsecopsEnterprise Devsecops
Enterprise DevsecopsEnov8
 
DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.Techugo
 

Similar to The left is not wrong, just not right; It's time to shift right! (20)

Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfCisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
 
Software risk management
Software risk managementSoftware risk management
Software risk management
 
All About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdfAll About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdf
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)
 
How to build app sec team & culture in your organization the hack summi...
How to build app sec team & culture in your organization the hack summi...How to build app sec team & culture in your organization the hack summi...
How to build app sec team & culture in your organization the hack summi...
 
Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...Shift Left Security – Guidance on embedding security for a Digital Transforma...
Shift Left Security – Guidance on embedding security for a Digital Transforma...
 
Why DevOps != the Wild West and How Embracing it Can Improve Security - RSA C...
Why DevOps != the Wild West and How Embracing it Can Improve Security - RSA C...Why DevOps != the Wild West and How Embracing it Can Improve Security - RSA C...
Why DevOps != the Wild West and How Embracing it Can Improve Security - RSA C...
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
10 things to get right for successful dev secops
10 things to get right for successful dev secops10 things to get right for successful dev secops
10 things to get right for successful dev secops
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 
Mike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security ProgramMike Spaulding - Building an Application Security Program
Mike Spaulding - Building an Application Security Program
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery
 
VER_WP_CrackingCode_FINAL
VER_WP_CrackingCode_FINALVER_WP_CrackingCode_FINAL
VER_WP_CrackingCode_FINAL
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous Delivery
 
DevOps and Devsecops What are the Differences.pdf
DevOps and Devsecops What are the Differences.pdfDevOps and Devsecops What are the Differences.pdf
DevOps and Devsecops What are the Differences.pdf
 
Dev{sec}ops
Dev{sec}opsDev{sec}ops
Dev{sec}ops
 
Application security for the modern web - ISSA South Texas Houston DevOps
Application security for the modern web - ISSA South Texas Houston DevOpsApplication security for the modern web - ISSA South Texas Houston DevOps
Application security for the modern web - ISSA South Texas Houston DevOps
 
Enterprise Devsecops
Enterprise DevsecopsEnterprise Devsecops
Enterprise Devsecops
 
DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.
 

More from Phillip Maddux

Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinPhillip Maddux
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinPhillip Maddux
 
HoneyPy & HoneyDB (TriPython)
HoneyPy & HoneyDB (TriPython)HoneyPy & HoneyDB (TriPython)
HoneyPy & HoneyDB (TriPython)Phillip Maddux
 
HoneyPy & HoneyDB (CarolinaCon 13)
HoneyPy & HoneyDB (CarolinaCon 13)HoneyPy & HoneyDB (CarolinaCon 13)
HoneyPy & HoneyDB (CarolinaCon 13)Phillip Maddux
 
HoneyPy & HoneyDB (LASCON 2016)
HoneyPy & HoneyDB (LASCON 2016)HoneyPy & HoneyDB (LASCON 2016)
HoneyPy & HoneyDB (LASCON 2016)Phillip Maddux
 
HoneyPy Honeypot (OWASP Triangle Chapter)
HoneyPy Honeypot (OWASP Triangle Chapter)HoneyPy Honeypot (OWASP Triangle Chapter)
HoneyPy Honeypot (OWASP Triangle Chapter)Phillip Maddux
 

More from Phillip Maddux (6)

Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and Frankenstein
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and Frankenstein
 
HoneyPy & HoneyDB (TriPython)
HoneyPy & HoneyDB (TriPython)HoneyPy & HoneyDB (TriPython)
HoneyPy & HoneyDB (TriPython)
 
HoneyPy & HoneyDB (CarolinaCon 13)
HoneyPy & HoneyDB (CarolinaCon 13)HoneyPy & HoneyDB (CarolinaCon 13)
HoneyPy & HoneyDB (CarolinaCon 13)
 
HoneyPy & HoneyDB (LASCON 2016)
HoneyPy & HoneyDB (LASCON 2016)HoneyPy & HoneyDB (LASCON 2016)
HoneyPy & HoneyDB (LASCON 2016)
 
HoneyPy Honeypot (OWASP Triangle Chapter)
HoneyPy Honeypot (OWASP Triangle Chapter)HoneyPy Honeypot (OWASP Triangle Chapter)
HoneyPy Honeypot (OWASP Triangle Chapter)
 

Recently uploaded

Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 

Recently uploaded (20)

Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 

The left is not wrong, just not right; It's time to shift right!

  • 1. The left is not wrong, just not right; It’s time to shift RIGHT!
  • 2. Phillip Maddux Principle AppSec Researcher & Advisor 12 yrs AppSec in Financials IT & IT Audit prior @foospidy github.com/foospidy linkedin.pxmx.io pxmx.io
  • 3. Just in case, this is an AppSec talk, not a political talk...
  • 5. The Call To Shift Left
  • 6. The DevSecOps paradigm that we are all preaching is "Shift Security Left" e.g. design and develop your application with security in mind as early as possible and integrate security into CI/CD pipeline. - Anonymous (Anonymous as in an AppSec person in an AppSec Slack channel, not _ )
  • 7. What is this shifting left? An approach to software testing and system testing in which testing is performed earlier in the life cycle (i.e. moved left on the project timeline). It is the first half of the maxim "Test early and often." - Wikipedia In the parlance of DevOps and security, a shift left simply means that security is built into the process and designed into the application at an earlier stage of the development cycle. - SecurityRoundtable
  • 8. Shiftin’ Left Requirements, Design, Development, Build, Testing & Deployment TestingintheSDLC
  • 9. Shiftin’ Lefter Developer Training Security Champions Relationships w/Devs Achievement coins Gamification Security engineering
  • 10. Requirements, Design, Development, Build TestingintheSDLC Shiftin’ Lefter Developer Training Security Champions Relationships w/Devs Achievement coins Gamification Security engineering
  • 11. That is all good Photo by Jonathan Daniels on Unsplash
  • 12. So what is the issue?
  • 13. We’ve been doing this for years!
  • 14. SDLC Evolution to the Left Requirements, Design, Development, Build, Testing & Deployment TestingintheSDLC Pen Testing Arch Review Code Scanning Manual Code Review Dependency Checks Arch ReviewsControl Standards Security Unit Tests IAST Developer Training Security Champions
  • 15. We need to shift right It’s time to consider a different perspective
  • 16. It’s time to shift right
  • 17.
  • 18.
  • 19. Instrumentation & Visibility To really understand what is going on in production
  • 20. TestingintheSDLC Instrumentation and visibility production Requirements, Design, Development, Build, Testing, Deployment & Production Instrumentation provides visibility and defense capabilities, which provides the ability to make smart blocking decisions.
  • 21. Why is this important? ● Moving to the cloud. ● Business drivers moving faster resulting in app deployments moving faster. ● Abstraction of infrastructure and operations, e.g. PaaS & serverless, is enabling faster app deployments. Security needs to move fast too, it can only move faster by shifting right.
  • 22. Benefits Visibility to understand the threats you’re apps are actually facing, this becomes a critical feedback loop to drive prioritization of resources on the left. Gives you an edge even with little resources - delegate security monitoring and defend in real time. Visibility sharing helps build relationships with developers. Threat hunting.
  • 23. One of the best approaches is to provide rapid feedback to developers. In the land of application performance, we found that running APM tools in production was a way to help developers find places to optimize their code. This created a feedback loop from production (the right) to development (the left). James Wickett ( @wickett) https://labs.signalsciences.com/devsecops-security-shift-right
  • 24. Attacks & Attack Locations Incredible feedback for developer awareness and prioritization.
  • 26. Sensitive or High Risk Transactions
  • 27. Correlations ● Attacks + anomalous responses ● Attacks + sensitive transactions ● Logins + anomalous sources ● Sensitive transactions + anomalous sources ● Automation (Bots) + user actions ● Automation (Bots) + high risk transactions ● Distinct changes in traffic patterns By Tony Hisgett from Birmingham, UK - Dalek 1, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=18985947
  • 28. Principle of Known Good ● HTTP structure / attributes ● App specific parameters ○ Headers ○ GET & POST ● Device specific parameters ○ Device IDs ○ User-Agent strings ○ Client software versions Periodically change known good
  • 30. Final Thoughts You don’t have to shift left before shifting right. In fact, if you have limited resources or are building a new AppSec program, I recommend starting on the right first. Let the right inform the left as you build out your AppSec program. Absolutely necessary for existing AppSec programs to move faster.
  • 31. Thank you - Questions?