Who here is familiar with DevOps?
Question to the audience
In your lamps,
In your houses,
In your household appliances,
In government,
There is software for everything, with the explosion of IoT, machine learning, AI...
Attacks on the application layer are growing by more than 25 percent annually (Akamai Q3 2015 State of the Internet - Security Report).
US Office of Personnel Management
This breach was one of the biggest ever of US government systems. Although not proven, the attack was believed to have been perpetrated by Chinese hackers. The data theft consisted of addresses, health and financial details of 19.7 million people who had been subjected to government background checks, as well as 1.8 million others.
Carphone Warehouse
One of the biggest breaches in the UK this year was when the details of almost 2.5 million customers were stolen.
http://www.information-age.com/top-10-most-devastating-cyber-hacks-2015-123460657/
http://www.welivesecurity.com/2016/12/30/biggest-security-incidents-2016/
http://www.cbsnews.com/news/france-hit-by-19000-cyber-attacks-after-charlie-hebdo-terror-attacks/
http://en.rfi.fr/europe/20170219-french-fm-ayrault-accuses-russia-election-cyberattacks
There was less open source 10 years ago.
Microsoft on GitHub, by Business Insider: http://uk.businessinsider.com/microsoft-github-open-source-2016-9?r=US&IR=T
Microsoft today relies on open source developers to feed Azure with applications.
Nadella in 2014 said, "Microsoft loves Linux".
http://www.infoworld.com/article/3042699/open-source-tools/microsoft-loves-open-source-only-when-its-convenient.html
http://www.zdnet.com/article/why-microsoft-is-turning-into-an-open-source-company/
Example: Xamarin for Visual Studio, free and open source.
Vulnerabilities get in without the developers knowing: we introduce security flaws unknowingly.
Entlib (Enterprise Library) is a collection of reusable software components designed to assist software developers (such as logging, validation, data access). Application blocks are provided with source code, test cases and documentation.
Telerik: UI frameworks and app development tools.
ComponentOne Studio provides enterprise application developers with innovative UI and data management controls for all major platforms.
Bouncy Castle is a cryptography
Example of a repository with vulnerabilities discovered in 2007 and yet still downloaded in 2015.
Visualization of Maven Central: those organic-looking dust mites represent components and their dependencies on other components.
What do you use as dependencies? Do you really have control over your open source code? How many dependencies do you have?
We only know the top of the stack (the direct dependencies we declared ourselves).
Unknown dependencies added by IDEs (are they even used?).
SAST: Static Application Security Testing
DAST: Dynamic Application Security Testing
SCA: Software component analysis
DAST tests a running web application (the requests and the responses) using techniques similar to those an attacker would use.
SAST examines an application's source code in order to detect potential vulnerabilities.
SCA: open source components.
Checkmarx: SAST and SCA
Sonatype: SCA
DAST examples: Acunetix, IBM, HPE, PortSwigger
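To make the SCA point concrete, here is an added example that is not from the talk or from any of the vendors named above: a minimal SCA-style check that walks a dependency tree, including the transitive dependencies the developer never declared, and matches each component against an advisory list. Both the dependency tree and the advisories (with `EXAMPLE-ADV-...` placeholder identifiers) are constructed for this illustration; they are not real packages or real CVEs.

```python
"""
Minimal software component analysis (SCA) style check, added as an
illustration.  The dependency tree and the advisory list below are
constructed for this example; they are not real packages or real CVEs.
"""
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    version: str
    depends_on: list = field(default_factory=list)


@dataclass
class Advisory:
    name: str
    fixed_in: str          # first version that is no longer affected
    advisory_id: str       # placeholder ids, not real CVE numbers


def parse_version(v):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def flatten(root):
    """Walk the tree and yield every (component, path) reachable from the root,
    so transitive dependencies the developer never declared become visible."""
    seen = set()
    stack = [(root, [root.name])]
    while stack:
        comp, path = stack.pop()
        key = (comp.name, comp.version)
        if key in seen:
            continue
        seen.add(key)
        yield comp, path
        for dep in comp.depends_on:
            stack.append((dep, path + [dep.name]))


def find_vulnerable(root, advisories):
    """Return findings as (component name, version, advisory id, path from the app)."""
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv.name, []).append(adv)
    findings = []
    for comp, path in flatten(root):
        for adv in by_name.get(comp.name, []):
            # affected if the shipped version is older than the first fixed version
            if parse_version(comp.version) < parse_version(adv.fixed_in):
                findings.append((comp.name, comp.version, adv.advisory_id, path))
    return findings


def direct_dependencies(root):
    """What the developer actually declared: only the top of the stack."""
    return [(c.name, c.version) for c in root.depends_on]


# Constructed sample: the application declares two direct dependencies, but
# 'json-util' pulls in an old 'xml-parser' that nobody declared.
APP = Component("my-app", "1.0.0", [
    Component("http-client", "4.5.0"),
    Component("json-util", "2.3.1", [
        Component("xml-parser", "1.1.2"),
    ]),
])

# Constructed advisories with placeholder identifiers.
ADVISORIES = [
    Advisory("xml-parser", fixed_in="1.2.0", advisory_id="EXAMPLE-ADV-0001"),
    Advisory("http-client", fixed_in="4.2.0", advisory_id="EXAMPLE-ADV-0002"),
]

if __name__ == "__main__":
    print("declared:", direct_dependencies(APP))
    for name, version, adv_id, path in find_vulnerable(APP, ADVISORIES):
        print(f"{adv_id}: {name} {version} reached via {' -> '.join(path)}")
```

The declared list contains only `http-client` and `json-util`, both clean, while the only finding is the undeclared `xml-parser` two levels down; reporting the path is what lets a developer see which direct dependency to upgrade or replace.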
More tests, more checks, more visibility for each key player.
Talk about ROI, TTM, CDepl.
For a developer, security officers are simply always standing in the way: they impose rather tiring procedures (pen testing, WAF, code audit) right before production, which usually generates change requests that add time and money to an almost finished project.
HP published a paper saying that while DevOps should theoretically improve security, it does the opposite; from their point of view it has failed to improve security.
http://www.computerweekly.com/news/450401645/DevOps-largely-failing-to-improve-security-study-shows