DevOps & Security: Here & Now

Post on 04-Nov-2014



description

How do you integrate security within a Continuous Deployment (CD) environment, where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Traditional application security tools, which require lengthy periods of configuration, tuning and application learning, have become irrelevant in these fast-paced environments. Yet falling back only on the secure coding practices of the developer cannot be tolerated. Secure coding requires a new approach in which security tools become part of the development environment and eliminate any unnecessary overhead. By collaborating with development teams and understanding their needs and requirements, you can pave the way to a secure deployment in minutes.

transcript

DevOps and Security: It’s Happening. Right Now.

Helen Bravo

Director of Product Management at Checkmarx

Helen.bravo@checkmarx.com

Agenda

• Intro to DevOps

• Integrating security within DevOps

– Problems with traditional controls

– Steps to DevOps security

What is DevOps About?

An unstoppable deployment process

… in small chunks of time

DevOps is Happening

Companies that have adopted DevOps

Can TRADITIONAL web application security controls fit in… a DevOps environment?!

Traditional Web Application Security Controls

• Penetration Testing

• WAF (Web Application Firewall)

• Code Analysis

Penetration Testing: Takes Time!

– 300-page report

– 3 weeks of assessment time

– 2 weeks to get the findings into development

Web Application Firewall (WAF)

Thinking Continuous Deployment? Think Continuous Configuration!

– Every release can change URLs, parameters and behaviour, so a WAF tuned to the previous release has to be re-tuned just as often.

Code Analysis

• Setup time

• Running time

• Analysis time

… just too slow!

… Do Nothing?

Required: A New Secure SDLC Approach

Step by Step

Step 1: Plan for Security

• Identify unsecured APIs and frameworks

• Map security-sensitive code portions, e.g. the password change mechanism and the user authentication mechanism.

• Anticipate regulatory problems and plan for them.

Step 2: Engage the Developers. And Be Engaged

• Connect developers to security. Going to OWASP? Bring a developer with you!

• Is your house on fire? Share the details with your developers.

• Have an open door approach

• Set up an online collaboration platform, e.g. Jive, Confluence etc.

Step 3: Arm the Developers

• Secure frameworks:

– Use a secure framework such as Spring Security, JAAS, Apache Shiro, Symfony2

– ESAPI is a very useful OWASP security framework

• SCA (source code analysis) tools that can provide security feedback at the pre-commit stage.

– Rapid response

– Small chunks
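The "pre-commit feedback" idea above, as an added example that is not part of the deck and not Checkmarx's product: a git pre-commit hook that parses the staged diff, looks only at the lines the developer is about to add, and reports each hit with the file and line number in the new file. The rule set, the hook's file path and the sample diff are all constructed for the example; a real source code analysis engine does data-flow analysis rather than regex matching.

```python
"""Added example: a pre-commit hook that gives security feedback on exactly the
lines about to be committed. Rapid because it reads only the staged diff; small
chunks because it reports per added line. Not from the deck or from Checkmarx;
the rules and the sample diff are constructed."""
import re
import subprocess
import sys

# Hypothetical rule set: (pattern over one ADDED line, message for the developer).
RULES = [
    (re.compile(r"password\s*=\s*[\"'][^\"']+[\"']", re.I), "hard-coded password"),
    (re.compile(r'\bexecuteQuery\(\s*".*"\s*\+'), "SQL built by string concatenation"),
    (re.compile(r"Runtime\.getRuntime\(\)\.exec\("), "OS command execution"),
    (re.compile(r'MessageDigest\.getInstance\(\s*"MD5"'), "weak hash algorithm (MD5)"),
]

HUNK_HEADER = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def added_lines(diff_text):
    """Parse a unified diff into {path: [(new_line_number, text), ...]} for added
    lines only. Removed lines are skipped; context lines are skipped but still
    advance the counter so reported numbers match the new file."""
    result = {}
    path, lineno, in_header = None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git "):
            in_header = True
            continue
        if in_header and raw.startswith("--- "):
            continue
        if in_header and raw.startswith("+++ "):
            path = raw[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            lineno, in_header = int(m.group(1)), False
            continue
        if path is None or in_header:
            continue
        if raw.startswith("+"):
            result.setdefault(path, []).append((lineno, raw[1:]))
            lineno += 1
        elif raw.startswith("-") or raw.startswith("\\"):
            continue          # removed line, or "\ No newline at end of file"
        else:
            lineno += 1       # unchanged context line
    return result


def check_diff(diff_text):
    """Return [(path, line, message)] for every added line that trips a rule."""
    findings = []
    for path, lines in added_lines(diff_text).items():
        for lineno, text in lines:
            for pattern, message in RULES:
                if pattern.search(text):
                    findings.append((path, lineno, message))
    return findings


def staged_diff():
    """What is about to be committed (the hook's real input; unused by the sample)."""
    return subprocess.run(["git", "diff", "--cached"], capture_output=True,
                          text=True, check=True).stdout


# Constructed sample diff: a developer replaces a config lookup with a literal
# and builds a query by string concatenation.
SAMPLE_DIFF = """\
diff --git a/src/Login.java b/src/Login.java
--- a/src/Login.java
+++ b/src/Login.java
@@ -10,3 +10,4 @@ public ResultSet login(HttpServletRequest req) {
     String user = req.getParameter("user");
-    String password = cfg.get("db.password");
+    String password = "s3cret";   // TODO remove before commit
+    ResultSet rs = stmt.executeQuery("SELECT * FROM users WHERE name='" + user + "'");
     return rs;
"""

if __name__ == "__main__":       # install as .git/hooks/pre-commit (assumed path)
    hits = check_diff(staged_diff())
    for path, line, msg in hits:
        print(f"{path}:{line}: {msg}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

On the constructed diff the hook reports the hard-coded password at line 11 and the concatenated query at line 12 of the new file and exits non-zero, so the developer sees the two problems before the commit exists rather than weeks later in a report. The line counter is only advanced by added and context lines, which is what keeps the reported numbers correct after removed lines.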

Step 4: Automate the Process

• Integrate within your build (Jenkins, Bamboo, TeamCity, etc.)

– SAST

– DAST

• Fail the build if security does not pass the bar.

Continuous Deployment (pipeline figure): Develop Code → Commit (Source Control) → Build Trigger → Unit Tests → Deploy to Test Env → Report & Notify → Publish to release repository → Deploy to Production

Security within Continuous Deployment (pipeline figure): Develop Code → Commit (Source Control) → Build Trigger → Tests + Automatic security test (SCA test) → Deploy to Test Env → Report & Notify → Publish to release repository → Deploy to Production

Step 5: Use Old Tools Wisely

• Periodic pen testing

• WAF on main functions

• Code review for security sensitive code portions.
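An added example (not from the deck and not a Checkmarx feature) that ties Step 1, Step 4 and Step 5 together in one build-side script: the map of security-sensitive code from Step 1 is kept as data, the Step 4 gate fails the build on new findings that cross a severity bar that is stricter inside mapped areas, and Step 5's manual code review is requested only for changes that touch mapped code. The path map, the policy, the report shape and the findings are all constructed; no real scanner's output schema is implied. Findings are identified by rule, file and source snippet rather than by line number, so an already-accepted finding does not re-fire the gate when unrelated edits shift it down the file.

```python
"""Added example: a build gate over security findings plus review routing,
driven by a map of security-sensitive code. Illustrative, constructed data;
not from the deck or from Checkmarx."""
from fnmatch import fnmatchcase
import hashlib
import json
import sys

# Step 1: security-sensitive code portions, as repository path globs.
# Hypothetical layout; order the list from specific to general.
SENSITIVE_CODE_MAP = [
    ("src/auth/*",                 "user authentication"),
    ("src/account/Password*.java", "password change mechanism"),
    ("src/crypto/*",               "cryptography"),
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Hypothetical policy: block on new 'high'+ anywhere, 'medium'+ in sensitive code.
POLICY = {"fail_at": "high", "fail_at_sensitive": "medium"}


def sensitive_area(path):
    """Name of the sensitive area a path belongs to, or None."""
    for pattern, area in SENSITIVE_CODE_MAP:
        if fnmatchcase(path, pattern):
            return area
    return None


def fingerprint(finding):
    """Stable identity of a finding: rule + file + whitespace-normalized snippet.
    The line number is left out on purpose so edits elsewhere in the file do not
    turn an already-accepted finding into a 'new' one."""
    snippet = " ".join(finding["snippet"].split())
    key = f"{finding['rule']}|{finding['file']}|{snippet}".encode()
    return hashlib.sha256(key).hexdigest()[:16]


def evaluate(findings, baseline, policy=POLICY):
    """Step 4 gate. Returns (passed, blocking_findings, new_findings)."""
    new, blocking = [], []
    for f in findings:
        if fingerprint(f) in baseline:
            continue                       # known and accepted: report only
        new.append(f)
        bar = policy["fail_at_sensitive"] if sensitive_area(f["file"]) else policy["fail_at"]
        if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[bar]:
            blocking.append(f)
    return not blocking, blocking, new


def review_required(changed_paths):
    """Step 5: which changed files need manual security code review, and why."""
    hits = {(p, sensitive_area(p)) for p in changed_paths if sensitive_area(p)}
    return sorted(hits)


# Constructed scanner output in a tool-neutral shape.
SAMPLE_FINDINGS = [
    {"rule": "SQL_Injection", "severity": "high", "file": "src/auth/LoginController.java",
     "line": 12, "snippet": 'stmt.executeQuery("SELECT * FROM users WHERE name=\'" + user + "\'")'},
    {"rule": "Weak_Hash_MD5", "severity": "medium", "file": "src/account/PasswordResetService.java",
     "line": 31, "snippet": 'MessageDigest.getInstance("MD5")'},
    {"rule": "Weak_Hash_MD5", "severity": "medium", "file": "src/util/ETag.java",
     "line": 8, "snippet": 'MessageDigest.getInstance("MD5")'},
    {"rule": "XSS_Reflected", "severity": "high", "file": "src/search/SearchController.java",
     "line": 44, "snippet": 'out.println(req.getParameter("q"))'},
]

# Baseline: findings already reviewed and accepted (tracked elsewhere, e.g. a ticket).
# The XSS finding was accepted when it sat at line 40; it fingerprints the same at 44.
BASELINE = {fingerprint({"rule": "XSS_Reflected", "file": "src/search/SearchController.java",
                         "snippet": 'out.println(req.getParameter("q"))'})}

if __name__ == "__main__":   # usage: gate.py report.json baseline.txt [changed_file ...]
    report = json.load(open(sys.argv[1]))
    known = set(open(sys.argv[2]).read().split())
    ok, blocked, fresh = evaluate(report, known)
    for f in fresh:
        flag = "BLOCK" if f in blocked else "warn "
        print(f"{flag} {f['severity']:<8} {f['file']}:{f['line']} {f['rule']}")
    for path, area in review_required(sys.argv[3:]):
        print(f"review {path} ({area})")
    sys.exit(0 if ok else 1)
```

On the constructed report the gate fails the build for two findings: the high-severity SQL injection in the authentication code, and the medium-severity MD5 use in the password reset service, which only blocks because that file is in a mapped area. The identical MD5 use in a utility file is reported but does not block, and the baselined XSS finding is ignored even though it moved. Start small, as the deck says: the bar and the map are data, so a team can begin with a high bar and a short map and tighten both as the pipeline proves itself.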

Summary

• DevOps is happening. Right Now.

– During the time of this talk, Amazon has released 75 features and bug fixes.

• Security should not be compromised

• Don’t be overwhelmed. Start small

Summary: The 3 Takeaways

1. Plan for security from the ground up

2. Engage with your developers

3. Integrate security into automatic build process.

Questions?

Thank you

Helen.bravo@checkmarx.com