SlideShare a Scribd company logo

Dev opsandsecurity owasp

H
Helen Bravo

The document discusses integrating security practices within DevOps environments. It begins by introducing DevOps and noting that traditional security controls like penetration testing and code analysis are too slow for continuous deployment. It then outlines a three step approach to DevOps security: 1) Plan security requirements upfront, 2) Engage developers in security, and 3) Automate security checks into the continuous integration/deployment pipeline. The key takeaways are to plan security thoroughly, involve developers, and integrate security testing automatically into the build process.

Technology
1 of 31
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
DevOps and Security: It’s Happening. Right Now. Helen Bravo Director of Product Management at Checkmarx Helen.bravo@checkmarx.com
• Intro to DevOps • Integrating security within DevOps – Problems with traditional controls – Steps to DevOps security Agenda
What is DevOps About? An unstoppable deployment process … in small chunks of time
DevOps is Happening Companies that have adopted DevOps
Can TRADITIONAL web application security controls fit in… … a DevOps environment?!
Traditional Web Application Security Controls • Penetration Testing • WAF (Web Application Firewall) • Code Analysis
Penetration Testing- Takes Time!
Penetration Testing – 300 pages report – 3 weeks assessment time – 2 weeks to get it into development
Web Application Firewall (WAF) Thinking Continuous Deployment? Think Continuous Configuration!
Code Analysis • Setup time • Running time • Analysis time … just too slow!
Dev opsandsecurity owasp
… Do Nothing?
Required: A New Secure SDLC Approach
Step by Step
Step 1: Plan for Security
• Identify unsecured APIs and frameworks • Map security sensitive code portions. E.g. password changes mechanism, user authentication mechanism. • Anticipate regulatory problems, plan for it. Step 1: Plan for Security
Step 2: Engage the Developers. And Be Engaged
• Connect developers to security – Going to OWASP? Bring a developer with you! • Is your house on fire? Share the details with your developers. • Have an open door approach • Set up an online collaboration platform E.g. Jive, Confluence etc. Step 2: Engage the Developers. And Be Engaged
Step 3: Arm the Developers
• Secure frameworks: – Use a secure framework such as Spring Security, JAAS, Apache Shiro, Symfony2 – ESAPI is a very useful OWASP security framework • SCA tools that can provide security feedback on pre-commit stage. – Rapid response – Small chunks Step 3: Arm the Developer
Step 3: Automate the Process
• Integrate within your build (Jenkins, Bamboo, TeamCity, etc.) – SAST – DAST • Fail the build if security does not pass the bar. Step 3: Automate the Process
Develop Code Commit Source Control Build Trigger Unit Tests Deploy to Production Deploy to Test Env Report & Notify Publish to release repository Continuous Deployment
Develop Code Commit Source Control Build Trigger Tests Deploy to ProductionDeploy to Test Env Report & Notify Publish to release repository Automatic security test SCA Test Security within Continuous Deployment
Step 5: Use Old Tools Wisely
Step 5: Use Old Tools Wisely • Periodic pen testing • WAF on main functions • Code review for security sensitive code portions.
Summary
• DevOps is happening. Right Now. – During the time of this talk, Amazon has released 75 features and bug fixes. • Security should not be compromised • Don’t be overwhelmed. Start small Summary
The 3 Takeaways 1. Plan from the ground 2. Engage with your developers 3. Integrate security into automatic build process.
Questions?
Thank you Helen.bravo@checkmarx.com

More Related Content

PPTX
SecDevOps: The New Black of IT
CloudPassage
 
PDF
Integrating DevOps and Security
Stijn Muylle
 
KEY
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
Nick Galbreath
 
PDF
Continuous Security Testing - DevSecCon
Stephen de Vries
 
PDF
Embracing the Rise of SecDevOps
Tom Cappetta
 
PDF
Building a Modern Security Engineering Organization
Zane Lackey
 
PPTX
Automating security tests for Continuous Integration
Stephen de Vries
 
PPTX
DevOps & Security: Here & Now
Checkmarx
 
SecDevOps: The New Black of IT
CloudPassage
 
Integrating DevOps and Security
Stijn Muylle
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
Nick Galbreath
 
Continuous Security Testing - DevSecCon
Stephen de Vries
 
Embracing the Rise of SecDevOps
Tom Cappetta
 
Building a Modern Security Engineering Organization
Zane Lackey
 
Automating security tests for Continuous Integration
Stephen de Vries
 
DevOps & Security: Here & Now
Checkmarx
 

What's hot (20)

PDF
Proactive Security AppSec Case Study
Andy Hoernecke
 
PDF
Devops, Secops, Opsec, DevSec *ops *.* ?
Kris Buytaert
 
PDF
Effective approaches to web application security
Zane Lackey
 
PDF
we45 - SecDevOps Concept Presentation
Abhay Bhargav
 
PPTX
Succeeding-Marriage-Cybersecurity-DevOps final
rkadayam
 
PDF
T23 HTML5 Security Testing at Spotify
TechWell
 
PPTX
Integrating security into Continuous Delivery
Tom Stiehm
 
PDF
The Joy of Proactive Security
Andy Hoernecke
 
PPTX
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Puppet
 
PPTX
we45 SecDevOps Presentation - ISACA Chennai
Abhay Bhargav
 
PPTX
The Journey to DevSecOps
SeniorStoryteller
 
PPTX
Continuous Security Testing in a Devops World #OWASPHelsinki
Stephen de Vries
 
PDF
Automating OWASP Tests in your CI/CD
rkadayam
 
PDF
Vulnerabilities are bugs, Let's Test For Them!
VAddy
 
PDF
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon
 
ODP
Making security-agile matt-tesauro
Matt Tesauro
 
PPTX
AppSec Pipeline - Velcocity NY 2015
Matt Tesauro
 
PDF
Automated Security Testing
seleniumconf
 
PDF
A Secure DevOps Journey
Sonatype
 
PPTX
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon
 
Proactive Security AppSec Case Study
Andy Hoernecke
 
Devops, Secops, Opsec, DevSec *ops *.* ?
Kris Buytaert
 
Effective approaches to web application security
Zane Lackey
 
we45 - SecDevOps Concept Presentation
Abhay Bhargav
 
Succeeding-Marriage-Cybersecurity-DevOps final
rkadayam
 
T23 HTML5 Security Testing at Spotify
TechWell
 
Integrating security into Continuous Delivery
Tom Stiehm
 
The Joy of Proactive Security
Andy Hoernecke
 
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Puppet
 
we45 SecDevOps Presentation - ISACA Chennai
Abhay Bhargav
 
The Journey to DevSecOps
SeniorStoryteller
 
Continuous Security Testing in a Devops World #OWASPHelsinki
Stephen de Vries
 
Automating OWASP Tests in your CI/CD
rkadayam
 
Vulnerabilities are bugs, Let's Test For Them!
VAddy
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon
 
Making security-agile matt-tesauro
Matt Tesauro
 
AppSec Pipeline - Velcocity NY 2015
Matt Tesauro
 
Automated Security Testing
seleniumconf
 
A Secure DevOps Journey
Sonatype
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon
 
Ad

Viewers also liked (11)

PDF
Introduction to Threat Modeling
InMobi Technology
 
PPTX
Walls of Steel, Doors of Wood - Relevance of Application Security
Abdul Jaleel
 
PPTX
Adopting DevOps @ Scale: Lessons learned at Hertz, Kaiser Permanente and lBM
Jules Pierre-Louis
 
PPTX
Continuous and Visible Security Testing with BDD-Security
Stephen de Vries
 
PDF
DevSecOps in Baby Steps
Priyanka Aash
 
PDF
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
PPTX
Continuous Security Testing with Devops - OWASP EU 2014
Stephen de Vries
 
PDF
Designing Teams for Emerging Challenges
Aaron Irizarry
 
PDF
Visual Design with Data
Seth Familian
 
PDF
3 Things Every Sales Team Needs to Be Thinking About in 2017
Drift
 
PDF
How to Become a Thought Leader in Your Niche
Leslie Samuel
 
Introduction to Threat Modeling
InMobi Technology
 
Walls of Steel, Doors of Wood - Relevance of Application Security
Abdul Jaleel
 
Adopting DevOps @ Scale: Lessons learned at Hertz, Kaiser Permanente and lBM
Jules Pierre-Louis
 
Continuous and Visible Security Testing with BDD-Security
Stephen de Vries
 
DevSecOps in Baby Steps
Priyanka Aash
 
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
Continuous Security Testing with Devops - OWASP EU 2014
Stephen de Vries
 
Designing Teams for Emerging Challenges
Aaron Irizarry
 
Visual Design with Data
Seth Familian
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
Drift
 
How to Become a Thought Leader in Your Niche
Leslie Samuel
 
Ad

Similar to Dev opsandsecurity owasp (20)

PDF
AppSec How-To: Achieving Security in DevOps
Checkmarx
 
PPTX
You Build It, You Secure It: Introduction to DevSecOps
Sumo Logic
 
PPTX
Secure DevOPS Implementation Guidance
Tej Luthra
 
PDF
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
PPTX
AddingtheSecToDevOpsBSides (1).pptx for Bsides Nairobi 22 with Joylynn Kirui
ellan12
 
PPTX
Introduction to DevSecOps
abhimanyubhogwan
 
PDF
The Rise of DevSecOps in CI_CD Workflows.pdf
your techdigest
 
PDF
Scale security for a dollar or less
Mohammed A. Imran
 
PPTX
DevSecOps and Drupal: Securing your applications in a modern IT landscape
Will Hall
 
PDF
Strengthen and Scale Security for a dollar or less
Mohammed A. Imran
 
PDF
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
PDF
The What, Why, and How of DevSecOps
Cprime
 
PDF
You build it - Cyber Chicago Keynote
John Willis
 
PPTX
DevSecOps : an Introduction
Prashanth B. P.
 
PPTX
Secure DevOps - Evolution or Revolution?
Security Innovation
 
PPTX
Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24
 
PDF
Why Security Engineer Need Shift-Left to DevSecOps?
Najib Radzuan
 
PPTX
DevSecCon Keynote
Shannon Lietz
 
PPTX
DevSecCon KeyNote London 2015
Shannon Lietz
 
PDF
Pentest is yesterday, DevSecOps is tomorrow
Amien Harisen Rosyandino
 
AppSec How-To: Achieving Security in DevOps
Checkmarx
 
You Build It, You Secure It: Introduction to DevSecOps
Sumo Logic
 
Secure DevOPS Implementation Guidance
Tej Luthra
 
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
AddingtheSecToDevOpsBSides (1).pptx for Bsides Nairobi 22 with Joylynn Kirui
ellan12
 
Introduction to DevSecOps
abhimanyubhogwan
 
The Rise of DevSecOps in CI_CD Workflows.pdf
your techdigest
 
Scale security for a dollar or less
Mohammed A. Imran
 
DevSecOps and Drupal: Securing your applications in a modern IT landscape
Will Hall
 
Strengthen and Scale Security for a dollar or less
Mohammed A. Imran
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Mohammed A. Imran
 
The What, Why, and How of DevSecOps
Cprime
 
You build it - Cyber Chicago Keynote
John Willis
 
DevSecOps : an Introduction
Prashanth B. P.
 
Secure DevOps - Evolution or Revolution?
Security Innovation
 
Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24
 
Why Security Engineer Need Shift-Left to DevSecOps?
Najib Radzuan
 
DevSecCon Keynote
Shannon Lietz
 
DevSecCon KeyNote London 2015
Shannon Lietz
 
Pentest is yesterday, DevSecOps is tomorrow
Amien Harisen Rosyandino
 

Recently uploaded (20)

PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
A Presentation on Artificial Intelligence
memembruh336
 
Teaching material agriculture food technology
LiaRayya
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 

Dev opsandsecurity owasp