FUTURESTACK13: AppSec in a DevOps World from Shaun Gordon, Director of Information Security &...
AppSec in a DevOps World
Shaun Gordon, New Relic Director of Information Security & Compliance
October 23, 2013
Wednesday, November 6, 13
Speed vs. Security
Accelerating Development Cycles
• Boxed Software: Waterfall, 1 year
• Web 1.0: Waterfall, 3 months
• Web 2.0: Agile, 4 weeks
• DevOps: twice a week
• Continuous Deployment (DevOps): daily
• Continuous Deployment (DevOps): hourly
Traditional (Waterfall) SDLC
Phases: Requirements, Design, Development, Testing, Release, Production
• Requirements: define functional (features) and non-functional requirements (capabilities)
• Design: translate requirements into architecture and detailed design
• Development: build it!
• Testing: ensure functional and non-functional requirements are met
• Release: ship or push live
• Production: maintain and patch as needed
Traditional (Waterfall) SDLC Security
Checkpoints, Controls, Formal Processes
Traditional (Waterfall) SDLC Security
Phases: Requirements, Design, Development, Testing, Release, Production
Requirements:
• Functional & Non-Functional security requirements
Design:
• Architectural Review
• Threat Modeling
Development:
• Secure Coding Practices
• Static Analysis
• White Box Testing
Testing:
• Dynamic Analysis
• Requirements Testing
• Penetration Testing
Release:
• Security Assessment
• Security Sign-Off
Production:
• Vulnerability Scanning
• Penetration Testing
Process controls:
• Separation of Duties
• Management Release Sign-Off
• Limits on Production Access
Continuous Deployment Security
Requirements:
• Low to no friction (can't slow us down)
• Transparent (no significant changes to development processes)
• Make us more secure
Strategies & Tactics:
• Automation
• Training & Empowerment
• Lightweight Processes
• Triage
• Quickly Detect & Respond
Continuous Deployment Security
The six waterfall phases collapse into three: Requirements & Design; Development, Testing, & Release; Production.
The traditional controls carry over unchanged as the starting point:
• Functional & Non-Functional security requirements
• Architectural Review
• Threat Modeling
• Secure Coding Practices
• Static Analysis
• White Box Testing
• Dynamic Analysis
• Requirements Testing
• Penetration Testing
• Security Assessment
• Security Sign-Off
• Vulnerability Scanning
• Penetration Testing
• Separation of Duties
• Management Release Sign-Off
• Limits on Production Access
Each control is then reworked for continuous deployment, starting with Requirements & Design: Functional & Non-Functional security requirements and Architectural Review become a Required Security Evaluation.
Required Security Evaluation
1. Technical Overview
2. Business Context
3. Developer Concerns
< 25 minute meeting
Security Evaluation Outcomes
• Low Risk: Simple Guidance
• Higher Risk: Deep Dive, Whiteboarding, Threat Model
Security Evaluation Follow-Up
• Document
• Follow Up
Continuous Deployment Security
Threat Modeling becomes Lightweight Targeted Threat Modeling.
Threat Modeling
Identify your assets and the threats against them.
Focus your resources on the greatest risks.
Threat Modeling @ New Relic
1. Decompose your Application
2. Identify your Assets
3. Enumerate your Threats
4. Rate & Rank your Threats
5. Address or Accept
Continuous Deployment Security
Secure Coding Practices are backed by Security Libraries & Services.
Secure Libraries & Services
• Authentication Service
• Security Event Logging Service
• Input Validation Regex Patterns
• Encryption Libraries
Continuous Deployment Security
Static Analysis becomes Automated Static Analysis; White Box Testing stays for now.
Brakeman + Jenkins
brakemanscanner.org
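The Brakeman + Jenkins slide is the one concrete automation step the deck names. As an added example, not code from the talk, from New Relic or from the Brakeman project, here is the gating decision a CI job could apply to Brakeman's JSON output: fail only on warnings that are new relative to a checked-in baseline and at or above a chosen confidence, so existing findings stay visible without blocking every deploy. The report shape used (a top-level "warnings" array whose entries carry "fingerprint", "confidence", "warning_type", "file", "line" and "message") follows Brakeman's JSON report as I know it and should be checked against a real report; both reports inside the block are constructed.

```ruby
# Added example, not code from the talk or from Brakeman: gate a CI build on a
# Brakeman JSON report by failing only on warnings that are new relative to a
# baseline. Report shape (top-level "warnings" array; each entry has
# "fingerprint", "confidence", "warning_type", "file", "line", "message") is
# assumed to match Brakeman's JSON output; verify against a real report.
require 'json'
require 'set'

# Brakeman's confidence levels, most certain first.
CONFIDENCE_RANK = { 'High' => 0, 'Medium' => 1, 'Weak' => 2 }.freeze

# Parse a report and return its warnings (an array of hashes).
def brakeman_warnings(report_json)
  JSON.parse(report_json).fetch('warnings', [])
end

# Warnings whose fingerprint does not appear in the baseline report.
# Fingerprints are stable across runs, so this answers "what did this change add?"
def new_warnings(current_json, baseline_json)
  known = brakeman_warnings(baseline_json).map { |w| w['fingerprint'] }.to_set
  brakeman_warnings(current_json).reject { |w| known.include?(w['fingerprint']) }
end

# Pass/fail decision: block only on new warnings at or above min_confidence.
# Existing debt stays in the report but does not stop the pipeline.
def gate(current_json, baseline_json, min_confidence: 'Medium')
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  blocking = new_warnings(current_json, baseline_json).select do |w|
    # An unknown confidence string is treated as Weak rather than ignored.
    CONFIDENCE_RANK.fetch(w['confidence'], 2) <= threshold
  end
  { pass: blocking.empty?, blocking: blocking }
end

def format_warning(w)
  "#{w['confidence']}: #{w['warning_type']} at #{w['file']}:#{w['line']} - #{w['message']}"
end

# Constructed sample reports (not real scan output).
KNOWN_WARNING = {
  'fingerprint' => 'aaa111', 'confidence' => 'Weak', 'warning_type' => 'Mass Assignment',
  'file' => 'app/controllers/users_controller.rb', 'line' => 40,
  'message' => 'Parameters should be whitelisted'
}.freeze

BASELINE_REPORT = JSON.generate('warnings' => [KNOWN_WARNING])

CURRENT_REPORT = JSON.generate(
  'warnings' => [
    KNOWN_WARNING,
    { 'fingerprint' => 'bbb222', 'confidence' => 'High', 'warning_type' => 'SQL Injection',
      'file' => 'app/models/account.rb', 'line' => 12,
      'message' => 'Possible SQL injection' },
    { 'fingerprint' => 'ccc333', 'confidence' => 'Weak', 'warning_type' => 'Cross-Site Scripting',
      'file' => 'app/views/accounts/show.html.erb', 'line' => 3,
      'message' => 'Unescaped model attribute' }
  ]
)

if __FILE__ == $PROGRAM_NAME
  result = gate(CURRENT_REPORT, BASELINE_REPORT)
  result[:blocking].each { |w| puts format_warning(w) }
  puts(result[:pass] ? 'brakeman gate: PASS' : 'brakeman gate: FAIL (new warnings at or above Medium)')
end
```

In a Jenkins job the scan step would write the report with `brakeman -o brakeman.json`, the job would run this script against the baseline committed with the code, and a FAIL result would be turned into a non-zero exit so the build goes red. Brakeman can also diff against a previous report itself; spelling the decision out as above keeps the gating policy (which confidence blocks, which is merely reported) readable in the pipeline.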
Continuous Deployment Security
White Box Testing becomes Testing Tools & Training.
Continuous Deployment Security
Dynamic Analysis and Vulnerability Scanning become Continuous Scanning in Test, Staging, & Production; Requirements Testing drops off the list; Penetration Testing stays.
Continuous Deployment Security
Security Assessment becomes Automated Commit Triage.
Triage Process
• Dangerous Methods
• Sensitive Modules
• Security Keywords
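The Triage Process slide names three signals without showing how they are applied. As an added example, not the talk's or New Relic's code, here is one way to turn them into an automated first pass over every commit: parse the unified diff, inspect only added lines, and bucket the commit as review-now, review-soon or auto-pass so a small security team spends its time on the changes most likely to matter. The pattern lists are an illustrative Rails-flavoured set chosen for this example (the deck names none), and the commit message and diff are constructed.

```ruby
# Added example, not code from the talk or New Relic: an automated first-pass
# triage of one commit along the three axes the slide names. The pattern lists
# are an illustrative, Rails-flavoured set chosen for this example; the deck
# does not name any, so tune them to your own code base.

# Paths whose changes should always reach a security reviewer (assumed set).
SENSITIVE_MODULES = [
  %r{\Aapp/controllers/sessions_controller\.rb\z},
  %r{\Aapp/models/user\.rb\z},
  %r{\Alib/auth/},
  %r{\Aconfig/initializers/}
].freeze

# Method calls that deserve a second look wherever they are added (assumed set).
DANGEROUS_METHODS = %w[eval instance_eval send public_send constantize html_safe raw system exec].freeze

# Word stems hinting that a change touches security-relevant behaviour (assumed set).
SECURITY_KEYWORDS = %w[password token secret authenticat authoriz permission role encrypt decrypt csrf].freeze

# Split a unified diff into { path => [added lines] }. Only added lines are
# inspected, because removed code cannot introduce a new weakness.
def added_lines_by_file(diff)
  files = {}
  current = nil
  diff.each_line do |line|
    if line.start_with?('+++ ')
      # "+++ b/app/models/user.rb" -> "app/models/user.rb"
      current = line.sub(/\A\+\+\+ (b\/)?/, '').strip
      files[current] = []
    elsif current && line.start_with?('+')
      files[current] << line[1..-1].rstrip
    end
  end
  files
end

# Triage one commit. Returns the findings and a priority bucket:
#   :review_now  - a dangerous method or a sensitive module is involved
#   :review_soon - only keyword hints; worth a look, not a blocker
#   :auto_pass   - nothing matched
def triage_commit(message, diff)
  findings = []
  added = added_lines_by_file(diff)

  added.each_key do |path|
    next unless SENSITIVE_MODULES.any? { |re| re.match?(path) }
    findings << { kind: :sensitive_module, where: path, detail: 'touches a sensitive module' }
  end

  added.each do |path, lines|
    lines.each_with_index do |text, i|
      DANGEROUS_METHODS.each do |m|
        next unless /\b#{Regexp.escape(m)}\b/.match?(text)
        findings << { kind: :dangerous_method, where: "#{path} (+#{i + 1})", detail: "calls #{m}" }
      end
    end
  end

  # Keywords are a nudge, not a verdict: match word-start stems to limit noise.
  haystack = ([message] + added.values.flatten).join("\n").downcase
  hits = SECURITY_KEYWORDS.select { |k| /\b#{Regexp.escape(k)}/.match?(haystack) }
  unless hits.empty?
    findings << { kind: :security_keyword, where: 'message/diff', detail: "mentions #{hits.join(', ')}" }
  end

  priority =
    if findings.any? { |f| %i[dangerous_method sensitive_module].include?(f[:kind]) }
      :review_now
    elsif findings.empty?
      :auto_pass
    else
      :review_soon
    end
  { priority: priority, findings: findings }
end

# Constructed sample commit (not a real change).
SAMPLE_MESSAGE = 'Allow admins to reset a user password from the console'.freeze
SAMPLE_DIFF = <<~DIFF
  diff --git a/app/models/user.rb b/app/models/user.rb
  --- a/app/models/user.rb
  +++ b/app/models/user.rb
  @@ -10,3 +10,8 @@ class User < ActiveRecord::Base
     has_many :sessions
  +
  +  def reset_password!(new_password)
  +    self.password = new_password
  +    save!
  +  end
  diff --git a/app/helpers/admin_helper.rb b/app/helpers/admin_helper.rb
  --- a/app/helpers/admin_helper.rb
  +++ b/app/helpers/admin_helper.rb
  @@ -1,3 +1,4 @@ module AdminHelper
  +  def render_note(note); note.html_safe; end
     def title; 'Admin'; end
DIFF

if __FILE__ == $PROGRAM_NAME
  result = triage_commit(SAMPLE_MESSAGE, SAMPLE_DIFF)
  puts "priority: #{result[:priority]}"
  result[:findings].each { |f| puts "  #{f[:kind]} @ #{f[:where]}: #{f[:detail]}" }
end
```

The sample commit lands in the review-now bucket for two independent reasons (it edits the user model and it adds an `html_safe` call), while the password keyword alone would only have made it review-soon. Running this as a post-commit hook or CI step and routing review-now commits to the security team gives the "triage" in the deck's strategy list a concrete mechanism.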
Continuous Deployment Security
Security Sign-Off becomes Quick Detection & Recovery.
Continuous Deployment Security
Separation of Duties becomes Accountability.
Continuous Deployment Security
Management Release Sign-Off becomes the Sidekick Process.
Two sets of (masked) eyes on every change
Continuous Deployment Security
Limits on Production Access becomes Enabling Tools.
The complete continuous deployment picture (Requirements & Design; Development, Testing, & Release; Production):
• Required Security Evaluation
• Lightweight Targeted Threat Modeling
• Secure Coding Practices
• Security Libraries & Services
• Automated Static Analysis
• Testing Tools & Training
• Continuous Scanning in Test, Staging, & Production
• Penetration Testing
• Automated Commit Triage
• Quick Detection & Recovery
• Accountability
• Sidekick Process
• Enabling Tools
Powered By...
• Automation
• Training & Empowerment
• Lightweight Processes
• Triage
• Quick Detection & Response
Auditors
• Compensating Controls
• Tell the Story
Thank You!
Image Attribution: Slide 14, Checkpoint Rheinpark by http://www.flickr.com/photos/kecko/3179561892/