Date posted: 10-Jan-2017
Category: Technology
Uploaded by: dinis-cruz
“Give me six hours to chop down a tree and I will spend the first four sharpening the axe.”
-Abraham Lincoln
Two things about Automation
1. Automation applied to an efficient operation will magnify its efficiency
2. Automation applied to an inefficient operation will magnify its inefficiency
-Bill Gates
Overview
• Timeline - 1986
• Agile Security
• Bug Tracker
• Definition of Done
• App Sec Radar
• Continuous Delivery
• Security Testing
• How OWASP can help
Timeline - 1986
• HBR publishes an article: “The New New Product Development Game”
• Computer Fraud and Abuse Act
The New New Product Development Game
Leading companies show six characteristics in managing their new product development processes:
1. Built-in instability
2. Self-organizing project teams
3. Overlapping development phases
4. “Multilearning”
5. Subtle control
6. Organizational transfer of learning
Computer Fraud and Abuse Act
• Enacted in 1986
• First felony conviction in 1988 - Morris Worm
• Mr. Robert Morris Sr. (his father) was the Chief Scientist at NSA
• Comm-Sec & Compu-Sec merged into Info-Sec
• CERT was created at CMU
OWASP
• OWASP Top Ten
• OWASP Software Assurance Maturity Model
• OWASP Development Guide
• OWASP ZAP Project: The Zed Attack Proxy (ZAP)
Agile Manifesto
• Individuals and Interactions over processes and tools
• Working software over comprehensive documentation
• Customer collaboration over contract negotiation
• Responding to change over following a plan
Security in an Agile Framework
• Communicate Security Recommendations simply and clearly
• Identify the biggest risks and which ones your teams are exposed to
• When you raise a security issue, make it:
  • Unique - No duplicates
  • Useful - Improves the security and quality of the software
  • Actionable - All necessary information is in the ticket
App Sec Issues Tracking and Metrics
For every security issue detected, raise a Jira bug ticket and include the following attributes on the bug type:
1. Business risk
2. Attack vector
3. Priority
4. Components
5. Testing method
6. Dev team
App-Sec Radar
The Application Security Radar is a site that informs the technology teams about the security technologies they should embrace or move away from.
This ensures developers adopt more secure technologies. There are 6 recommendation categories on the App Sec Radar:
• Plan for Removal
• No New Use
• Evaluate
• Trial
• Adopt
• Hold
DoD - Definition of Done
• The Definition of Done should include a quick-reference security checklist for developers: what to avoid, and what to look out for during code review.
Continuous Delivery
You’re doing continuous delivery when:
• Your software is deployable throughout its lifecycle
• Your team prioritises keeping the software deployable over working on new features
• Anybody can get fast, automated feedback on the production readiness of their systems any time somebody makes a change to them
• You can perform push-button deployments of any version of the software to any environment on demand
How OWASP Can Help
• If you solve a problem and I solve a problem, each of us has two solutions.
• Guidance
• Security Libraries
• Developer tools
• Training
• etc.
Interests
• Headers reporting back:
  • Content Security Policy (CSP)
  • HTTP Public Key Pinning (HPKP)
• DMARC (Email Standard)