SlideShare a Scribd company logo

Making DevSecOps a Reality in your Spring Applications

Hdiv Security, profile picture
Hdiv Security

Roberto Velasco discusses integrating DevSecOps into Spring applications to address software security issues, emphasizing the need for automated security measures and tools that adapt to cloud environments. The presentation highlights common vulnerabilities like SQL injection and business logic flaws, advocating for proactive security implementation during the design phase. Velasco concludes that a comprehensive DevSecOps approach involves metrics, automation, and continuous monitoring to enhance overall application security.

Software
Related topics:
Application SecurityContinuous Integration Secure Development
1 of 30
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
MAKING DEVSECOPS A REALITY IN YOUR SPRING APPLICATIONS Roberto Velasco
ABOUT ME Roberto Velasco Working as Java Software Architect since 2004 Involved in Software Security since 2001 Hdiv open-source project founder CEO at Hdiv Security
CONTENTS OF TALK • Introduction • Software Security issues • DevSecOps: Security Bugs • DevSecOps: Business Logic Flaws • Summary
THE NEW REALITIES • New deployments every day • Moving to the Cloud • Exponential scalability requirements • Exposed to automated attacks (low cost attacks)
SECURITY ISSUES IN THAT NEW SCENARIO • Security teams don’t have enough time to review the applications manually • Many security solutions are not adapted to the cloud • Hardware-based • Scalability issues
THE SOLUTION: DEVSECOPS • Security must be integrated within the design process of the applications • Security solutions must work within cloud environments • We need to follow a DevSecOps approach
HOW TO IMPLEMENT DEVSECOPS Metrics Tools
SOFTWARE SECURITY ISSUES • SQL Injection • Cross-Site Scripting (XSS) • Directory Traversal • Weak Crypto Algorithm • Java Object Deserialization • etc. • Access Control • Binding attacks • Race condition • Step N of workflow can be skipped • etc.
DEVSECOPS: • Syntax issues related to security • They can be detected by tools: Application Security Testing (AST) • AST • SAST • DAST • IAST • OWASP A1: Injection • OWASP A2: Broken Authentication • OWASP A3: Sensitive Data Exposure • OWASP A4: XML External Entities (XXE) • OWASP A6: Security Misconfiguration • OWASP A7: XSS • OWASP A8: Insecure Deserialization • OWASP A8 (2013): Cross-Site Request Forgery (CSRF) • OWASP A9: Using Components with Known Vulnerabilities SECURITY BUGS
1. Use an AST solution during development 2. Define metrics and thresholds to assure quality 3. Integrate security issues within your issue tracker 4. Monitor and protect production deployments DEVSECOPS: SECURITY BUGS HOW TO
DEMO https://hdivsecurity.com/videos/devsecops-security-bugs
Automated AST is not a panacea though. All of the AST tools share significant weakness in the area of detecting business logic flaws as well as more deliberate, malicious flaws like logic bombs and back doors. Business logic flaws include vulnerabilities like insecure direct object reference, which can lead to account compromise or privilege escalation. A Guidance Framework for Establishing and Maturing an Application Security Program
DEVSECOPS: • OWASP A4 (2013): Insecure Direct Object References • OWASP A7 (2013): Missing Function Level Access Control • OWASP A10 (2013): Unvalidated Redirects andForwards • OWASP A5 (2017): Broken Access Control BUSINESS LOGIC FLAWS • Access control • Binding attacks • Race condition • Step N of workflow can be skipped • etc.
DEMO • URL DIRECT ACCESS • PARAMETER MANIPULATION • MISSING FUNCTION LEVEL ACCESS CONTROL • BINDING ISSUE https://hdivsecurity.com/videos/devsecops-business-logic-flaws
• Even though they can’t be detected automatically, we can automated the protection • Business logic flaws protection can be automated through input validation • We can measure the quality of the protection DEVSECOPS: BUSINESS LOGIC FLAWS & SOLUTION
• Input • URLs • HTTP form Parameters • JSON attributes (REST apps) • Validations that we usually perform manually • Type • Size • Role based • Custom code validation DEVSECOPS: BUSINESS LOGIC FLAWS & SOLUTION
DEVSECOPS: BUSINESS LOGIC FLAWS & SOLUTION • Traditional security validations (format & role) present important limitations • http://www.bank.com?id=123456789012345 • Security depends on people
How to automate protection? We can apply contract based protection DEVSECOPS: BUSINESS LOGIC FLAWS
DEVSECOPS: BUSINESS LOGIC FLAWS
DEVSECOPS: BUSINESS LOGIC FLAWS public class Pet { Integer id; id; String name; Date birthDate; PetType typeId; Breed breed; Color color; }
DEVSECOPS: BUSINESS LOGIC FLAWS public class Pet { Integer id; id; @Pattern(regexp=“^[A-Za-z0-9]*$”) String name; Date birthDate; PetType typeId; Breed breed; Color color; }
How do we implement this? The server must define what is allowed, rejecting the rest DEVSECOPS: BUSINESS LOGIC FLAWS
1 2 Validation Filter Libraries Extension2 DEVSECOPS: BUSINESS LOGIC FLAWS
DEMO BUSINESS LOGIC FLAWS PROTECTION https://hdivsecurity.com/videos/devsecops-business-logic-flaws-protection
• Using contract enforcement we can measure the quality of the input validation • We know how much of the input is validated using: • Integrity • Basic input validation (format, size, etc.) • Nothing at all DEVSECOPS: BUSINESS LOGIC FLAWS & METRICS
DEMO VISUALIZING VALIDATIONS QUALITY https://hdivsecurity.com/videos/devsecops-validations-quality-visualization
• Define thresholds depending your maturity model DEVSECOPS: BUSINESS LOGIC FLAWS & METRICS
DEMO BUSINESS LOGIC FLAWS – CI (JENKINS) https://hdivsecurity.com/videos/devsecops-business-logic-flaws-continuous-integration
SUMMARY • DevSecOps approach must be complete, not only focused on Security Bugs • We need tools that work in all environments offering: • Metrics generation and enforcement • Automation of protection and monitoring
THANKS! Q & A Roberto Velasco

More Related Content

PDF
Protection and Verification of Security Design Flaws
Hdiv Security
 
PPTX
Making Security Agile
Oleg Gryb
 
PPTX
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Kevin Fealey
 
PPTX
SecDevOps 2.0 - Managing Your Robot Army
conjur_inc
 
PDF
Shift Left Security
gjdevos
 
PDF
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
PDF
[OPD 2019] Governance as a missing part of IT security architecture
OWASP
 
PPTX
AllDayDevOps 2019 AppSensor
jtmelton
 
Protection and Verification of Security Design Flaws
Hdiv Security
 
Making Security Agile
Oleg Gryb
 
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Kevin Fealey
 
SecDevOps 2.0 - Managing Your Robot Army
conjur_inc
 
Shift Left Security
gjdevos
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
[OPD 2019] Governance as a missing part of IT security architecture
OWASP
 
AllDayDevOps 2019 AppSensor
jtmelton
 

What's hot (20)

PDF
Top API Security Issues Found During POCs
42Crunch
 
PDF
"CERT Secure Coding Standards" by Dr. Mark Sherman
Rinaldi Rampen
 
PDF
DevSecOps | DevOps Sec
Rubal Jain
 
PDF
Why Security Engineer Need Shift-Left to DevSecOps?
Najib Radzuan
 
PDF
Threat modeling with architectural risk patterns
Stephen de Vries
 
PDF
Veracode Automation CLI (using Jenkins for SDL integration)
Dinis Cruz
 
PDF
Security champions v1.0
Dinis Cruz
 
PPTX
Integrating security into Continuous Delivery
Tom Stiehm
 
PPTX
Continuous and Visible Security Testing with BDD-Security
Stephen de Vries
 
PPTX
Implementing an Application Security Pipeline in Jenkins
Suman Sourav
 
PPTX
Secure coding practices
Mohammed Danish Amber
 
PPTX
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
Kevin Fealey
 
PPTX
Security as a new metric for Business, Product and Development Lifecycle
Nazar Tymoshyk, CEH, Ph.D.
 
PDF
Legacy-SecDevOps (AppSec Management Debrief)
Dinis Cruz
 
PPTX
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Jeff Williams
 
PDF
DevSecOps, The Good, Bad, and Ugly
4ndersonLin
 
PDF
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Achim D. Brucker
 
PDF
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
PDF
Security in a Continuous Delivery World
Dinis Cruz
 
PPTX
AppSec California 2016 - Making Security Agile
Oleg Gryb
 
Top API Security Issues Found During POCs
42Crunch
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
Rinaldi Rampen
 
DevSecOps | DevOps Sec
Rubal Jain
 
Why Security Engineer Need Shift-Left to DevSecOps?
Najib Radzuan
 
Threat modeling with architectural risk patterns
Stephen de Vries
 
Veracode Automation CLI (using Jenkins for SDL integration)
Dinis Cruz
 
Security champions v1.0
Dinis Cruz
 
Integrating security into Continuous Delivery
Tom Stiehm
 
Continuous and Visible Security Testing with BDD-Security
Stephen de Vries
 
Implementing an Application Security Pipeline in Jenkins
Suman Sourav
 
Secure coding practices
Mohammed Danish Amber
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
Kevin Fealey
 
Security as a new metric for Business, Product and Development Lifecycle
Nazar Tymoshyk, CEH, Ph.D.
 
Legacy-SecDevOps (AppSec Management Debrief)
Dinis Cruz
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Jeff Williams
 
DevSecOps, The Good, Bad, and Ugly
4ndersonLin
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Achim D. Brucker
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
Security in a Continuous Delivery World
Dinis Cruz
 
AppSec California 2016 - Making Security Agile
Oleg Gryb
 
Ad

Similar to Making DevSecOps a Reality in your Spring Applications (20)

PPTX
HouSecCon 2019: Offensive Security - Starting from Scratch
Spencer Koch
 
PPTX
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec
APIsecure_ Official
 
PDF
App sec and quality london - may 2016 - v0.5
Dinis Cruz
 
PDF
apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...
apidays
 
PPTX
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
lior mazor
 
PDF
SC conference - Building AppSec Teams
Dinis Cruz
 
PPTX
Security engineering 101 when good design & security work together
Wendy Knox Everette
 
PDF
AppSec in an Agile World
David Lindner
 
PPTX
Secure App Aspirations: Why it is very difficult in the real world
Ollie Whitehouse
 
PPTX
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
lior mazor
 
PDF
DevSecOps | How hard it is?
PhishX
 
PDF
Devoxx UK 2022 - Application security: What should the attack landscape look ...
Chris Swan
 
PPTX
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
lior mazor
 
PDF
AppSec How-To: Achieving Security in DevOps
Checkmarx
 
PPTX
DevSecOps without DevOps is Just Security
Kevin Fealey
 
PDF
SecDevOps for API Security
42Crunch
 
PDF
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
DevOps.com
 
PPTX
Web security – everything we know is wrong cloud version
Eoin Keary
 
PDF
Security Checkpoints in Agile SDLC
Rahul Raghavan
 
PPTX
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
WhiteSource
 
HouSecCon 2019: Offensive Security - Starting from Scratch
Spencer Koch
 
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec
APIsecure_ Official
 
App sec and quality london - may 2016 - v0.5
Dinis Cruz
 
apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...
apidays
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
lior mazor
 
SC conference - Building AppSec Teams
Dinis Cruz
 
Security engineering 101 when good design & security work together
Wendy Knox Everette
 
AppSec in an Agile World
David Lindner
 
Secure App Aspirations: Why it is very difficult in the real world
Ollie Whitehouse
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
lior mazor
 
DevSecOps | How hard it is?
PhishX
 
Devoxx UK 2022 - Application security: What should the attack landscape look ...
Chris Swan
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
lior mazor
 
AppSec How-To: Achieving Security in DevOps
Checkmarx
 
DevSecOps without DevOps is Just Security
Kevin Fealey
 
SecDevOps for API Security
42Crunch
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
DevOps.com
 
Web security – everything we know is wrong cloud version
Eoin Keary
 
Security Checkpoints in Agile SDLC
Rahul Raghavan
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
WhiteSource
 
Ad

Recently uploaded (20)

PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PPTX
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
PPTX
Introduction to Artificial Intelligence
lohedi9363
 
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
PPT
Introduction Database Management System for Course Database
ReinertYosua
 
PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PPTX
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PDF
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PDF
System and Network Administration Chapter 2
jaramharo
 
PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
Introduction to Artificial Intelligence
lohedi9363
 
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
Introduction Database Management System for Course Database
ReinertYosua
 
medical staffing services at VALiNTRY
Tiyan Grayson
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
System and Network Administration Chapter 2
jaramharo
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 

Making DevSecOps a Reality in your Spring Applications

  • 1. MAKING DEVSECOPS A REALITY IN YOUR SPRING APPLICATIONS Roberto Velasco
  • 2. ABOUT ME Roberto Velasco Working as Java Software Architect since 2004 Involved in Software Security since 2001 Hdiv open-source project founder CEO at Hdiv Security
  • 3. CONTENTS OF TALK • Introduction • Software Security issues • DevSecOps: Security Bugs • DevSecOps: Business Logic Flaws • Summary
  • 4. THE NEW REALITIES • New deployments every day • Moving to the Cloud • Exponential scalability requirements • Exposed to automated attacks (low cost attacks)
  • 5. SECURITY ISSUES IN THAT NEW SCENARIO • Security teams don’t have enough time to review the applications manually • Many security solutions are not adapted to the cloud • Hardware-based • Scalability issues
  • 6. THE SOLUTION: DEVSECOPS • Security must be integrated within the design process of the applications • Security solutions must work within cloud environments • We need to follow a DevSecOps approach
  • 7. HOW TO IMPLEMENT DEVSECOPS Metrics Tools
  • 8. SOFTWARE SECURITY ISSUES • SQL Injection • Cross-Site Scripting (XSS) • Directory Traversal • Weak Crypto Algorithm • Java Object Deserialization • etc. • Access Control • Binding attacks • Race condition • Step N of workflow can be skipped • etc.
  • 9. DEVSECOPS: • Syntax issues related to security • They can be detected by tools: Application Security Testing (AST) • AST • SAST • DAST • IAST • OWASP A1: Injection • OWASP A2: Broken Authentication • OWASP A3: Sensitive Data Exposure • OWASP A4: XML External Entities (XXE) • OWASP A6: Security Misconfiguration • OWASP A7: XSS • OWASP A8: Insecure Deserialization • OWASP A8 (2013): Cross-Site Request Forgery (CSRF) • OWASP A9: Using Components with Known Vulnerabilities SECURITY BUGS
  • 10. 1. Use an AST solution during development 2. Define metrics and thresholds to assure quality 3. Integrate security issues within your issue tracker 4. Monitor and protect production deployments DEVSECOPS: SECURITY BUGS HOW TO
  • 12. Automated AST is not a panacea though. All of the AST tools share significant weakness in the area of detecting business logic flaws as well as more deliberate, malicious flaws like logic bombs and back doors. Business logic flaws include vulnerabilities like insecure direct object reference, which can lead to account compromise or privilege escalation. A Guidance Framework for Establishing and Maturing an Application Security Program
  • 13. DEVSECOPS: • OWASP A4 (2013): Insecure Direct Object References • OWASP A7 (2013): Missing Function Level Access Control • OWASP A10 (2013): Unvalidated Redirects andForwards • OWASP A5 (2017): Broken Access Control BUSINESS LOGIC FLAWS • Access control • Binding attacks • Race condition • Step N of workflow can be skipped • etc.
  • 14. DEMO • URL DIRECT ACCESS • PARAMETER MANIPULATION • MISSING FUNCTION LEVEL ACCESS CONTROL • BINDING ISSUE https://hdivsecurity.com/videos/devsecops-business-logic-flaws
  • 15. • Even though they can’t be detected automatically, we can automated the protection • Business logic flaws protection can be automated through input validation • We can measure the quality of the protection DEVSECOPS: BUSINESS LOGIC FLAWS & SOLUTION
  • 16. • Input • URLs • HTTP form Parameters • JSON attributes (REST apps) • Validations that we usually perform manually • Type • Size • Role based • Custom code validation DEVSECOPS: BUSINESS LOGIC FLAWS & SOLUTION
  • 17. DEVSECOPS: BUSINESS LOGIC FLAWS & SOLUTION • Traditional security validations (format & role) present important limitations • http://www.bank.com?id=123456789012345 • Security depends on people
  • 18. How to automate protection? We can apply contract based protection DEVSECOPS: BUSINESS LOGIC FLAWS
  • 20. DEVSECOPS: BUSINESS LOGIC FLAWS public class Pet { Integer id; id; String name; Date birthDate; PetType typeId; Breed breed; Color color; }
  • 21. DEVSECOPS: BUSINESS LOGIC FLAWS public class Pet { Integer id; id; @Pattern(regexp=“^[A-Za-z0-9]*$”) String name; Date birthDate; PetType typeId; Breed breed; Color color; }
  • 22. How do we implement this? The server must define what is allowed, rejecting the rest DEVSECOPS: BUSINESS LOGIC FLAWS
  • 24. DEMO BUSINESS LOGIC FLAWS PROTECTION https://hdivsecurity.com/videos/devsecops-business-logic-flaws-protection
  • 25. • Using contract enforcement we can measure the quality of the input validation • We know how much of the input is validated using: • Integrity • Basic input validation (format, size, etc.) • Nothing at all DEVSECOPS: BUSINESS LOGIC FLAWS & METRICS
  • 27. • Define thresholds depending your maturity model DEVSECOPS: BUSINESS LOGIC FLAWS & METRICS
  • 28. DEMO BUSINESS LOGIC FLAWS – CI (JENKINS) https://hdivsecurity.com/videos/devsecops-business-logic-flaws-continuous-integration
  • 29. SUMMARY • DevSecOps approach must be complete, not only focused on Security Bugs • We need tools that work in all environments offering: • Metrics generation and enforcement • Automation of protection and monitoring