
DevOps and Security: It's Happening. Right Now. Helen Bravo, Director of Product Management at Checkmarx



Presentation transcript:

1 DevOps and Security: It's Happening. Right Now. Helen Bravo, Director of Product Management at Checkmarx

2 Agenda
- Intro to DevOps
- Integrating security within DevOps
  – Problems with traditional controls
  – Steps to DevOps security

3 What is DevOps About? An unstoppable deployment process … in small chunks of time

4 DevOps is Happening Companies that have adopted DevOps

5 Can TRADITIONAL web application security controls fit in… … a DevOps environment?!

6 Traditional Web Application Security Controls
- Penetration Testing
- WAF (Web Application Firewall)
- Code Analysis

7 Penetration Testing - Takes Time!

8 Penetration Testing
– 300-page report
– 3 weeks assessment time
– 2 weeks to get it into development

9 Web Application Firewall (WAF) Thinking Continuous Deployment? Think Continuous Configuration!

10 Code Analysis
- Setup time
- Running time
- Analysis time
… just too slow!


12 … Do Nothing?

13 Required: A New Secure SDLC Approach

14 Step by Step

15 Step 1: Plan for Security

16 Step 1: Plan for Security
- Identify unsecured APIs and frameworks
- Map security-sensitive code portions, e.g. the password change mechanism and the user authentication mechanism
- Anticipate regulatory problems and plan for them

17 Step 2: Engage the Developers. And Be Engaged

18 Step 2: Engage the Developers. And Be Engaged
- Connect developers to security
  – Going to OWASP? Bring a developer with you!
  – Is your house on fire? Share the details with your developers.
- Have an open door approach
- Set up an online collaboration platform, e.g. Jive, Confluence etc.

19 Step 3: Arm the Developers

20 Step 3: Arm the Developers
- Secure frameworks:
  – Use a secure framework such as Spring Security, JAAS, Apache Shiro, Symfony2
  – ESAPI is a very useful OWASP security framework
- SCA tools that can provide security feedback at the pre-commit stage
  – Rapid response
  – Small chunks

21 Step 4: Automate the Process

22 Step 4: Automate the Process
- Integrate within your build (Jenkins, Bamboo, TeamCity, etc.)
  – SAST
  – DAST
- Fail the build if security does not pass the bar.

23 Continuous Deployment (pipeline diagram; stages shown: Develop Code, Commit to Source Control, Build Trigger, Unit Tests, Publish to release repository, Deploy to Test Env, Deploy to Production, Report & Notify)

24 Security within Continuous Deployment (the same pipeline diagram with an "Automatic security test / SCA Test" stage added; stages shown: Develop Code, Commit to Source Control, Build Trigger, Tests, Automatic security test (SCA Test), Publish to release repository, Deploy to Test Env, Deploy to Production, Report & Notify)
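The "fail the build if security does not pass the bar" step from slides 20 to 24 in working form, as an added example that is not from the talk or from Checkmarx: a tool-neutral POSIX shell gate that reads a findings report and exits non-zero when the counts exceed the bar the team agreed on, so Jenkins, Bamboo or TeamCity mark the build red. The CSV report format, the threshold defaults and the function names (count_findings, security_gate, write_sample_report) are assumptions of this example; real SAST and SCA tools emit their own output formats, so only the counting lines would need adapting. The same function can be called from a pre-commit hook to give the rapid, small-chunk feedback slide 20 describes.

```shell
#!/bin/sh
# Added example (not from the talk or from Checkmarx): a tool-neutral build
# gate. It reads a findings report and exits non-zero when the finding
# counts exceed the agreed thresholds, so the CI server fails the build.
# The report format is a constructed CSV, one finding per line:
#   severity,rule,file,line
# Real SAST/SCA tools use their own formats; adapt count_findings for them.

# count_findings REPORT SEVERITY -> prints how many findings have that severity
count_findings() {
    # grep -c still prints 0 when nothing matches but exits 1; keep the 0
    grep -c "^$2," "$1" || true
}

# security_gate REPORT [MAX_HIGH] [MAX_MEDIUM]
# Returns 0 when the report is within the bar, 1 when the build must fail.
# Assumed defaults: no high-severity findings tolerated, at most 5 medium.
security_gate() {
    report="$1"
    max_high="${2:-0}"
    max_medium="${3:-5}"

    high=$(count_findings "$report" high)
    medium=$(count_findings "$report" medium)
    low=$(count_findings "$report" low)

    echo "security gate: high=$high (max $max_high) medium=$medium (max $max_medium) low=$low"

    status=0
    if [ "$high" -gt "$max_high" ]; then
        echo "FAIL: $high high-severity finding(s) exceed the bar of $max_high" >&2
        status=1
    fi
    if [ "$medium" -gt "$max_medium" ]; then
        echo "FAIL: $medium medium-severity finding(s) exceed the bar of $max_medium" >&2
        status=1
    fi
    # Low-severity findings are reported for the developer but never block.
    return "$status"
}

# write_sample_report PATH: writes a constructed report (sample data, not the
# output of any real scanner) with 1 high, 3 medium and 2 low findings.
write_sample_report() {
    cat > "$1" <<'EOF'
severity,rule,file,line
high,sql-injection,src/orders/OrderDao.java,42
medium,weak-random,src/auth/TokenFactory.java,17
medium,missing-csrf-token,src/web/ProfileForm.java,88
medium,verbose-error-page,src/web/ErrorHandler.java,23
low,unused-import,src/util/Strings.java,3
low,hardcoded-timeout,src/net/HttpClientConfig.java,11
EOF
}

# In a build step (placeholder scanner command, adapt to your tool):
#   <your-scanner> --output findings.csv && security_gate findings.csv 0 5 || exit 1
# Stand-alone demonstration on the constructed report:
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_report "$tmp"
    security_gate "$tmp" 0 5      # exits 1: one high finding breaks the bar
    rm -f "$tmp"
fi
```

Run it as `sh gate.sh --demo` to see the gate reject the constructed report because of its single high-severity finding; in the pipeline the non-zero exit is what turns the build red, and a pre-commit hook can call security_gate on a report scoped to the changed files so the developer gets the same verdict before the code ever reaches the build.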

25 Step 5: Use Old Tools Wisely

26 Step 5: Use Old Tools Wisely
- Periodic pen testing
- WAF on main functions
- Code review for security-sensitive code portions

27 Summary

28 Summary
- DevOps is happening. Right Now.
  – During the time of this talk, Amazon has released 75 features and bug fixes.
- Security should not be compromised
- Don't be overwhelmed. Start small

29 The 3 Takeaways
1. Plan from the ground
2. Engage with your developers
3. Integrate security into the automatic build process

30 Questions?

31 Thank you
