Be Mean To Your Code: Rugged Development & You

Writing code that works is hard. Writing rugged code that can stand the test of time is even harder. This difficulty is often compounded by crunched timelines and fast cycles that prioritize new features. Add in evolving business needs and new technology and it becomes confusing to know what to do and how to integrate security into your application.

This talk brings together advice and tools from top developers and application security practitioners to help you ruggedize your end-to-end development lifecycle, from code commit to running system. You will learn pragmatic approaches and tooling that affect your development processes, delivery pipelines and even the operational runtime. You will walk away with solutions you can put into practice right away, and you will also be armed with rugged anti-patterns to help you identify what to change.

Published in: Software

  1. BE MEAN TO YOUR CODE: RUGGED DEVELOPMENT & YOU. MATT JOHANSEN, JAMES WICKETT
  2. @mattjay. The Beard of Destiny. Gauntlt Cheerleader. Head of WhiteHat Threat Research Center. BlackHat, DEFCON, RSA, SXSW, more++
  3. @wickett. Gauntlt Project Lead. Founder of LASCON. Sr. Engineer at Signal Sciences
  4. We’re making AppSec effective and practical. signalsciences.com
  5. AUDIENCE SURVEY: Cloud or Metal? DevOps? Agile? Flavors? How does code get to production? How often do you do code changes? Do you do security testing in the build/deploy pipeline? #RUGGEDCODE
  6. PRINCIPLES FOR A MODERN SECURITY TEAM
  7. OSSM: On Demand, Scalable, Self-Service, Measured. Source: Dave Neilsen
  8. OLD DECISION MATRIX: Function, Features, Gartner Magic Quadrant, Trial Eval, TCO
  9. NEW DECISION MATRIX: API and Integrations, Service, Billing, Half Decent?
  10. PRINCIPLE #1: PLAY NICE AND INTEGRATE WITH OTHERS
  11. PEOPLE, PROCESS, TECHNOLOGY
  12. PRINCIPLE #2: INFLUENCE THE PEOPLE
  13. DEVOPS
  14. CAMS: Culture, Lean*, Automation, Measurement, Sharing. Source: @botchagalupe @damonedwards
  15. (no transcribed text)
  16. PRINCIPLE #3: WHAT WE VALUE IS DETERMINED BY OUR CULTURE
  17. (no transcribed text)
  18. PRINCIPLE #4: CONTINUOUS DELIVERY IS KING
  19. THERE ARE TWO PATHS TO WINNING FOR SECURITY
  20. THE DEVELOPMENT AND BUILD PIPELINE
  21. OPERATIONAL RUNTIME STATE AND MONITORING
  22. WE ARE FOCUSING ON THE DEV/BUILD PIPELINE IN THIS PRESENTATION
  23. DETECT AND FIX IN DEVELOPMENT
  24. WHY DOES THIS MATTER? VULNERABLE CODE IS EVERYWHERE
  25. (no transcribed text)
  26. HOW DO I FIX XSS?
  27. [XSS] GOOD: INPUT SANITIZATION
  28. [XSS] BLACKLIST :(
  29. [XSS] WHITELIST :)
  30. [XSS] BETTER: OUTPUT ENCODING
  31. [XSS] < > BECOME &lt; &gt;
  32. [SQLi] SQL INJECTION
  33. (no transcribed text)
  34. (no transcribed text)
  35. CREDIT: XKCD
  36. [SQLi] HOW DO I FIX IT?
  37. [SQLi] PARAMETERIZED QUERIES
  38. [SQLi] PARAMETERIZED QUERIES (PHP)
  39. [SQLi] PARAMETERIZED QUERIES (JAVA)
  40. [CSRF] CROSS SITE REQUEST FORGERY
  41. (no transcribed text)
  42. (no transcribed text)
  43. [CSRF] HOW DO I FIX IT?
  44. (no transcribed text)
  45. [CSRF] TOKENS!
  46. IMAGE CREDIT: DOTNETBIPS.COM
  47. AGAIN… VULNERABLE CODE IS EVERYWHERE
  48. GETS FIXED SLOWLY
  49. GETS FIXED SLOWLY
  50. …IF EVER
  51. OWASP TOP 10
  52. (no transcribed text)
  53. YOU HAVE A BUILD PIPELINE? TELL ME MORE ABOUT HOW SPECIAL YOU ARE
  54. GAUNTLT
  55. BUILT ON CUCUMBER
  56. GAUNTLT PRINCIPLES AND PHILOSOPHY: Gauntlt comes with pre-canned steps that hook security testing tools. Gauntlt does not install tools. Gauntlt can be part of the CI/CD pipeline. Be a good citizen of exit status and stdout/stderr. MIT Open Source License.
  57. (no transcribed text)
  58. GAUNTLT RESOURCES: Google Group > https://groups.google.com/d/forum/gauntlt; Wiki > https://github.com/gauntlt/gauntlt/wiki; Twitter > @gauntlt; IRC > #gauntlt on freenode; Issue tracking > http://github.com/gauntlt/gauntlt
  59. THE GAUNTLT BOOK: FREE FOR LASCON! book@gauntlt.org
  60. (no transcribed text)
  61. ./velocity/lab_3/.travis.yml
  62. ./velocity/lab_3/.travis.yml
  63. ./Rakefile
  64. ./test/attacks/email_leakage.attack
  65. ./test/attacks/email_leakage.attack
  66. ./test/attacks/backdoors.attack
  67. ./test/attacks/sql_injection.attack
  68. DEMO
  69. @MATTJAY @WICKETT
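Slides 27 to 31 contrast blacklist filtering, whitelist validation and output encoding for XSS without showing code. The following Python is an added example written for this page, not code from the deck or its authors; the sample inputs, the username allow-list and the `render_*` helpers are all constructed here. It goes slightly beyond the slides by also showing that encoding is context specific: inside an `href` the URL scheme needs its own allow-list.

```python
import html
import re

# Constructed sample inputs (not taken from the slides).
SAMPLES = [
    "alice",
    "<script>alert(1)</script>",
    "bob<img src=x onerror=alert(1)>",
    "O'Neil",
]

# Blacklist: strip the one tag we thought of. This is the weak pattern the
# slides frown on; anything not on the list (img/onerror here) goes through.
SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def blacklist_filter(value: str) -> str:
    return SCRIPT_TAG.sub("", value)


# Whitelist (allow-list) validation: accept only the characters a username
# may legitimately contain and reject everything else outright.
USERNAME = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(value: str) -> bool:
    return USERNAME.fullmatch(value) is not None


# Output encoding: characters that carry meaning in HTML text become
# entities, so whatever was stored is displayed rather than interpreted.
def render_greeting(name: str) -> str:
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Encoding is context specific. Inside an href, entity encoding alone does
# not neutralise a javascript: URL, so the scheme is allow-listed as well.
SAFE_SCHEMES = ("http://", "https://")


def render_link(text: str, url: str) -> str:
    if not url.lower().startswith(SAFE_SCHEMES):
        url = "#"
    return '<a href="%s">%s</a>' % (
        html.escape(url, quote=True),
        html.escape(text, quote=True),
    )


def report() -> dict:
    """Summarise how each sample fares under the three approaches."""
    return {
        s: {
            "blacklist": blacklist_filter(s),
            "whitelist_ok": is_valid_username(s),
            "encoded": render_greeting(s),
        }
        for s in SAMPLES
    }


if __name__ == "__main__":
    for sample, result in report().items():
        print(repr(sample), result)
```

Note the trade-off the allow-list makes: it rejects `O'Neil`, which is a legitimate name, so whitelist validation suits fields with a known shape (usernames, ids, sort keys) while output encoding is what protects free-text fields.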
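Slides 40 to 46 give "tokens!" as the CSRF fix without detail. The following Python is an added example for this page, not code from the deck, showing the synchronizer token pattern: a per-session random token is embedded in the form and every state-changing request must echo it back. The `session` dict, the `/transfer` handler and the form markup are constructed stand-ins for whatever web framework is in use.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create the per-session token once and reuse it for that session."""
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        session["csrf_token"] = token
    return token


def render_form(session: Dict[str, str]) -> str:
    # The token travels in a hidden field. A page on another origin cannot
    # read this form, so a forged cross-site POST cannot supply the value.
    token = issue_csrf_token(session)
    return (
        '<form method="post" action="/transfer">'
        '<input type="hidden" name="csrf_token" value="%s">'
        '<input name="amount"><button>Send</button></form>' % token
    )


def verify_csrf(session: Dict[str, str], submitted: Optional[str]) -> bool:
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    # Constant-time comparison so the check does not leak the token
    # one byte at a time through timing.
    return hmac.compare_digest(expected, submitted)


def handle_transfer(session: Dict[str, str], form: Dict[str, str]) -> Tuple[int, str]:
    """State-changing handler: reject the request before doing any work."""
    if not verify_csrf(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "transferred " + form["amount"]


if __name__ == "__main__":
    sess: Dict[str, str] = {}
    print(render_form(sess))
    print(handle_transfer(sess, {"amount": "10", "csrf_token": sess["csrf_token"]}))
    print(handle_transfer(sess, {"amount": "10"}))  # a forged request has no token
```

The token must be bound to the session (a token from one session is rejected in another) and only checked on requests that change state; GET handlers that change state are a CSRF bug in their own right regardless of tokens.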
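Slides 54 to 67 describe Gauntlt (Cucumber-based `.attack` files, pre-canned steps that wrap existing tools, tools not installed by Gauntlt itself, and exit status as the CI signal) and list files such as `email_leakage.attack`. The following Python is an added example for this page and is not Gauntlt's code or its real step grammar: it is a minimal runner for a simplified Gherkin-style attack file, written to show how such a file turns into a pass/fail exit status. Both attack texts are constructed here, and the `python -c` command stands in for the network request a real email-leakage check would make so that everything runs offline; the rule that the tool name `python` maps to the current interpreter is this runner's own convention.

```python
import re
import shlex
import shutil
import subprocess
import sys
from typing import List, Tuple

# Constructed attack files in a Gauntlt-like Gherkin style (simplified
# stand-in grammar, not Gauntlt's real step definitions).
EMAIL_LEAKAGE_ATTACK = r'''
Feature: Look for email addresses leaked in the response body
  Scenario: Fetch the page and inspect what comes back
    Given "python" is installed
    When I run python -c "print('Contact: admin@example.com')"
    Then the output should not contain /[\w.+-]+@[\w-]+\.[\w.]+/
'''

PASSING_ATTACK = r'''
Feature: A second constructed check that is expected to pass
  Scenario: The response carries no stack trace
    Given "python" is installed
    When I run python -c "print('Welcome to the shop')"
    Then the output should not contain /Traceback \(most recent call last\)/
'''

STEP_GIVEN = re.compile(r'^Given "([^"]+)" is installed$')
STEP_WHEN = re.compile(r'^When I run (.+)$')
STEP_THEN = re.compile(r'^Then the output should (not )?contain /(.+)/$')


def resolve_tool(name: str):
    # Gauntlt does not install tools; it only checks that they are present.
    if name == "python":
        return sys.executable
    return shutil.which(name)


def run_attack(text: str) -> Tuple[int, List[str]]:
    """Execute one attack file. Returns (exit_status, failure_messages)."""
    failures: List[str] = []
    output = ""
    for raw in text.splitlines():
        line = raw.strip()
        given = STEP_GIVEN.match(line)
        when = STEP_WHEN.match(line)
        then = STEP_THEN.match(line)
        if given:
            if resolve_tool(given.group(1)) is None:
                failures.append("tool not installed: " + given.group(1))
                break
        elif when:
            argv = shlex.split(when.group(1))
            argv[0] = resolve_tool(argv[0]) or argv[0]
            proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
            output = proc.stdout + proc.stderr
        elif then:
            negate = then.group(1) is not None
            pattern = then.group(2)
            found = re.search(pattern, output) is not None
            # Fail when the pattern is found but must not be, or required but absent.
            if found == negate:
                failures.append(
                    "output should %scontain /%s/" % ("not " if negate else "", pattern)
                )
    return (1 if failures else 0), failures


def main(attacks: List[str]) -> int:
    # Be a good citizen of exit status and stdout/stderr: report on stderr
    # and return non-zero so a CI job (the .travis.yml on the slides) fails.
    worst = 0
    for text in attacks:
        status, failures = run_attack(text)
        worst = max(worst, status)
        for msg in failures:
            print("FAIL:", msg, file=sys.stderr)
    return worst


if __name__ == "__main__":
    sys.exit(main([EMAIL_LEAKAGE_ATTACK, PASSING_ATTACK]))
```

Run stand-alone, the first attack fails (an address is present in the simulated body) and the second passes, so the process exits with status 1; that single bit is all a build pipeline needs to stop the deploy.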
