Code Analysis: setup time, running time, analysis time … just too slow!
… Do Nothing?
Required: A New Secure SDLC Approach
Step by Step
Step 1: Plan for Security
Identify unsecured APIs and frameworks.
Map security-sensitive code portions, e.g. the password change mechanism, the user authentication mechanism.
Anticipate regulatory problems and plan for them.
Step 2: Engage the Developers. And Be Engaged
Connect developers to security:
–Going to OWASP? Bring a developer with you!
–Is your house on fire? Share the details with your developers.
–Have an open door approach.
Set up an online collaboration platform, e.g. Jive, Confluence, etc.
Step 3: Arm the Developers
Secure frameworks:
–Use a secure framework such as Spring Security, JAAS, Apache Shiro, Symfony2.
–ESAPI is a very useful OWASP security framework.
SCA tools that can provide security feedback at the pre-commit stage:
–Rapid response
–Small chunks
Step 3: Automate the Process
Integrate within your build (Jenkins, Bamboo, TeamCity, etc.):
–SAST
–DAST
Fail the build if security does not pass the bar.
Continuous Deployment (pipeline diagram): Develop Code → Commit to Source Control → Build Trigger → Unit Tests → Deploy to Test Env → Deploy to Production; alongside: Report & Notify, Publish to release repository.
Security within Continuous Deployment (pipeline diagram): Develop Code → Commit to Source Control → Build Trigger → Tests, now including Automatic security test and SCA Test → Deploy to Test Env → Deploy to Production; alongside: Report & Notify, Publish to release repository.
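The "fail the build if security does not pass the bar" step from the automation slide and the security-test stage in the pipeline above, as an added example that is not part of the talk: a small CI gate that reads a SAST report in SARIF 2.1.0 (the interchange format many SAST tools emit), counts findings by level, and exits non-zero when the configured thresholds are exceeded. The thresholds, the placeholder tool name 'example-sast' and the embedded report are constructed for the example.

```python
"""Build gate: read a SARIF 2.1.0 SAST report and fail the build when the findings
do not clear the bar. Thresholds, 'example-sast' and the report are constructed."""
import json
import sys
from collections import Counter

MAX_ERRORS = 0      # any 'error'-level finding fails the build
MAX_WARNINGS = 3    # tolerate a few 'warning'-level findings, not more

# Constructed SARIF 2.1.0 report standing in for real SAST tool output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "string-concatenated SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/users.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/auth.py"},
                 "region": {"startLine": 17}}}]},
        ],
    }],
})

def count_findings(sarif_text):
    """Count results per SARIF level across all runs in the report."""
    counts = Counter()
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            # SARIF treats a missing 'level' as 'warning'.
            counts[result.get("level", "warning")] += 1
    return counts

def passes_bar(counts, max_errors=MAX_ERRORS, max_warnings=MAX_WARNINGS):
    """True when the findings stay within the thresholds (the 'bar')."""
    return counts["error"] <= max_errors and counts["warning"] <= max_warnings

if __name__ == "__main__":
    # Usage in CI: python gate.py report.sarif ; a non-zero exit fails the job.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    counts = count_findings(text)
    print("findings:", dict(counts))
    sys.exit(0 if passes_bar(counts) else 1)
```

Wire the script in as a build step right after the SAST tool writes its report; the exit code is what makes the pipeline stop before "Deploy to Test Env".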
Step 5: Use Old Tools Wisely
Periodic pen testing.
WAF on main functions.
Code review for security-sensitive code portions.
Summary
DevOps is happening. Right now.
–During the time of this talk, Amazon has released 75 features and bug fixes.
Security should not be compromised.
Don't be overwhelmed. Start small.
The 3 Takeaways
1. Plan from the ground
2. Engage with your developers
3. Integrate security into the automatic build process.