
DevOps and Security: It’s Happening. Right Now.

Presentation on theme: "DevOps and Security: It’s Happening. Right Now."— Presentation transcript:

1 DevOps and Security: It’s Happening. Right Now.
Helen Bravo Director of Product Management at Checkmarx

2 Agenda
Intro to DevOps
Integrating security within DevOps
Problems with traditional controls
Steps to DevOps security

3 What is DevOps About?
An unstoppable deployment process … in small chunks of time

4 DevOps is Happening Companies that have adopted DevOps

5 Can TRADITIONAL web application security controls fit in … a DevOps environment?!

6 Traditional Web Application Security Controls
Penetration Testing
WAF (Web Application Firewall)
Code Analysis

7 Penetration Testing - Takes Time!

8 Penetration Testing
300-page report
3 weeks assessment time
2 weeks to get it into development

9 Web Application Firewall (WAF)
Thinking Continuous Deployment? Think Continuous Configuration!

10 Code Analysis
Setup time, running time, analysis time … just too slow!

12 … Do Nothing?

13 Required: A New Secure SDLC Approach

14 Step by Step

15 Step 1: Plan for Security

16 Step 1: Plan for Security
Identify unsecured APIs and frameworks
Map security-sensitive code portions, e.g. the password change mechanism, the user authentication mechanism
Anticipate regulatory problems and plan for them

17 Step 2: Engage the Developers. And Be Engaged

18 Step 2: Engage the Developers. And Be Engaged
Connect developers to security
Going to OWASP? Bring a developer with you!
Is your house on fire? Share the details with your developers.
Have an open-door approach
Set up an online collaboration platform, e.g. Jive, Confluence, etc.

19 Step 3: Arm the Developers

20 Step 3: Arm the Developer
Secure frameworks: use a secure framework such as Spring Security, JAAS, Apache Shiro, Symfony2
ESAPI is a very useful OWASP security framework
SCA tools that can provide security feedback at the pre-commit stage: rapid response, small chunks

21 Step 3: Automate the Process

22 Step 3: Automate the Process
Integrate within your build (Jenkins, Bamboo, TeamCity, etc.)
SAST
DAST
Fail the build if security does not pass the bar.

23 Continuous Deployment
Pipeline diagram; stages shown: Develop Code, Commit, Source Control, Build Trigger, Unit Tests, Deploy to Test Env, Deploy to Production, Report & Notify, Publish to release repository

24 Security within Continuous Deployment
Same pipeline diagram with two security stages added (SCA Test, Automatic security test); stages shown: Develop Code, Commit, Source Control, Build Trigger, Tests, Deploy to Test Env, Deploy to Production, Report & Notify, Publish to release repository
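As an added example (not from the talk or from Checkmarx), a POSIX shell build step that implements the "fail the build if security does not pass the bar" rule from slide 22 as the SCA Test stage of slide 24. It assumes a hypothetical SAST tool that writes one finding per line as "SEVERITY RULE FILE:LINE"; the report contents are constructed.

```shell
#!/bin/sh
# Added example, not part of the talk. Gates a CI build on static-analysis
# (SAST) findings so the pipeline fails when the agreed security bar is not met.
# Assumption: the SAST tool emits one finding per line, "SEVERITY RULE FILE:LINE".

# Constructed sample report standing in for real scanner output.
write_sample_report() {
  printf '%s\n' \
    'HIGH sql-injection src/UserDao.java:42' \
    'MEDIUM weak-hash src/PasswordUtil.java:17' \
    'LOW info-leak src/Debug.java:5' \
    'HIGH xss-reflected src/Search.jsp:88' > "$1"
}

# count_findings REPORT SEVERITY: print how many findings have that severity.
count_findings() {
  awk -v sev="$2" '$1 == sev { n++ } END { print n + 0 }' "$1"
}

# security_gate REPORT MAX_HIGH MAX_MEDIUM: return 0 when the report is within
# the bar, 1 otherwise (the non-zero exit is what fails the CI job).
security_gate() {
  high=$(count_findings "$1" HIGH)
  medium=$(count_findings "$1" MEDIUM)
  echo "SAST gate: HIGH=$high (max $2), MEDIUM=$medium (max $3)"
  if [ "$high" -gt "$2" ] || [ "$medium" -gt "$3" ]; then
    echo "Security bar not met: failing build" >&2
    return 1
  fi
  echo "Security bar met"
  return 0
}

# Stand-alone run: bar is zero HIGH and at most two MEDIUM, so this sample fails.
report="${SAST_REPORT:-$(mktemp)}"
write_sample_report "$report"
security_gate "$report" 0 2 || echo "CI job would be marked failed here (exit 1)"
```

The same gate can run from a pre-commit hook to give the rapid, small-chunk feedback slide 20 asks for, with a stricter bar on the build server.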

25 Step 5: Use Old Tools Wisely

26 Step 5: Use Old Tools Wisely
Periodic pen testing
WAF on main functions
Code review for security-sensitive code portions

27 Summary

28 Summary
DevOps is happening. Right Now.
During the time of this talk, Amazon has released 75 features and bug fixes.
Security should not be compromised.
Don’t be overwhelmed. Start small.

29 The 3 Takeaways
Plan from the ground
Engage with your developers
Integrate security into the automatic build process

30 Questions?

31 Thank you
