SlideShare una empresa de Scribd logo

DevSecCon Boston 2018: Securing the Automated Pipeline: A Tale of Navigating the Microservices Culture by Julie Chickillo, Brandon Grady and Jason Looney

Descargar como PPTX, PDF
DevSecCon
DevSecCon

This document discusses how security practices need to change to keep up with DevOps practices like microservices and continuous deployment. It outlines how deployment used to work with quarterly releases versus now being able to deploy multiple times per day. Security tools also need to be faster to keep up. The document recommends automating security testing so it can be integrated into continuous integration pipelines. It suggests implementing security testing in stages from the individual developer level up to production. The goal is to provide security while also keeping developers and auditors happy by maintaining a collaborative approach and documenting the process.

Tecnología
1 de 36
BOSTON 10-11 SEPT 2018 Securing the Automated Pipeline: A Tale of Navigating the Microservices Culture • Julie Chickillo – VP, Information Security • Brandon Grady – SVP, Software Engineer • Jason Looney – Enterprise Architect
BOSTON 10-11 SEPT 2018 Back in My Day . . . . . We rented a place in a colo, bought a server, installed an OS on it, brought up a web server, and once a quarter we deployed code on it.
BOSTON 10-11 SEPT 2018 Deploying Software - uphill both ways! 1. Code is developed 2. Code is placed in UAT 3. Dynamic and Static Scanning 4. Tickets entered for vulns 5. Devs fix and redeploy 6. Code retested 7. Functional Testing 8. Manual App Pentesting 9. Code Push to Prod scheduled 10. Whole weekend wasted as production push fails and dev and infrastructure teams blame each other, finally get the stupid thing working in time for the Monday morning standup.
BOSTON 10-11 SEPT 2018 Standard Security Tools for the Good Ole Days… • Static Source Code Analysis = 8 hours • Dynamic Scan Analysis = 2 hours • Vulnerability Scans = 1 hour • Configuration Management – Agent Software or Network Scanner • Attack Detection – Agent software and Network Device • Web App Firewall – 1-2 weeks of tuning in UAT
BOSTON 10-11 SEPT 2018 Then This Happened Otherwise known as the time security said “You built What!!!!”
BOSTON 10-11 SEPT 2018 The Speed of DevOps • Continuous Integration and Infrastructure as Code means an environment can be fully deployed in 15 minutes. • Containers spin up and down automatically • Able to deploy small, durable changes multiple times per day.
BOSTON 10-11 SEPT 2018 Paradigm Shift
BOSTON 10-11 SEPT 2018 Continuous Integration Deployment Cycle 1. Code and QA Development 2. Branch merged into MASTER, and repo is tagged 3. Versioned Artifact built and deployed to ALL Dev Envs- Containers spun up, code deployed, services started 4. Functional Testing Executed 5. Artifact deployed to QA 6. Successful testing 7. Artifact deployed to PROD
BOSTON 10-11 SEPT 2018 Change of Mindset
BOSTON 10-11 SEPT 2018 Standard Security Tools for the Good Ole Days… • Static Source Code Analysis = 8 hours • Dynamic Scan Analysis = 2 hours • Vulnerability Scans = 1 hour • Configuration Management – Endpoint Agent Based • Attack Detection – Agent software and Network Device • Web App Firewall – 1-2 weeks of tuning in UAT
BOSTON 10-11 SEPT 2018 Building trust
BOSTON 10-11 SEPT 2018 Starting the conversation
BOSTON 10-11 SEPT 2018 Giving Devs the power to say no!
BOSTON 10-11 SEPT 2018 A little thing I like to call . . Wait for it . . . . . Talking with the Dev Teams! *GASP* Say it isn’t so! Continuing the conversation – yes you do have to keep talking with the developers.
BOSTON 10-11 SEPT 2018 OK, Catching Our Breath, New Security Requirements 1. Must be able to match deployment speeds 2. Must be able to work in multiple environments (containers, ugh) 3. Provide certainty that production code is clean 4. Keep the devs happy 5. Keep the auditors happy 6. Keep the security team happy!* *Self Assigned Goal…
BOSTON 10-11 SEPT 2018 1. Match the Speed • Static Source Code Analysis = 8 hours • Dynamic Scan Analysis = 2 hours • Vulnerability Scans = 1 hour • Configuration Management – Endpoint Agent Based • Attack Detection – Agent software and Network Device • Web App Firewall – 1-2 weeks of tuning in UAT
BOSTON 10-11 SEPT 2018 Automated Reviews at Speed • Standard Static and Dynamic tools too slow • Interactive Testing – lets us piggyback the functional testing gates • Needed a tool that could run in both old school and DevOps worlds • Can handle Windows and Linux, Containers and Servers, .NET/Java/Node.js • Runs in minutes What Beeline is using today
BOSTON 10-11 SEPT 2018 OK, Catching Our Breath, New Security Requirements 1. Must be able to match deployment speeds 2. Must be able to work in multiple environments (containers, ugh) 3. Provide certainty that production code is clean 4. Keep the devs happy 5. Keep the auditors happy 6. Keep the security team happy!* *Self-Assigned Goal…
BOSTON 10-11 SEPT 2018 1. Match the Speed • Static Source Code Analysis = 8 hours • Dynamic Scan Analysis = 2 hours • Vulnerability Scans = 1 hour • Configuration Management – Endpoint Agent Based • Attack Detection – Agent software and Network Device • Web App Firewall – 1-2 weeks of tuning in UAT
BOSTON 10-11 SEPT 2018 2. Runs wherever the code is • IAST tool runs as a component of the app, deployed as part of the underlying app server • Containers • Virtual Servers • PaaS Platforms • Build into the build and deployment process • Deploy software and configurations consistently • Include security concerns into health check functions
BOSTON 10-11 SEPT 2018
BOSTON 10-11 SEPT 2018 2. Runs wherever the code is Verifying the integrity of the underlying server/container 1. Established a trusted registry for images 2. Only allow deployments of accepted containers/software 3. Script up checks for changes to registries (easier than it sounds!) 4. Supply Chain concerns go here… 5. Configuration checking happens here too 6. Complete software component inventory!!!!!! (IMPORTANT)
BOSTON 10-11 SEPT 2018 OK, Catching Our Breath, New Security Requirements 1. Must be able to match deployment speeds 2. Must be able to work in multiple environments (containers, ugh) 3. Provide certainty that production code is clean 4. Keep the devs happy 5. Keep the auditors happy 6. Keep the security team happy!* *Self Assigned Goal…
Phase 1 - Gatekeeper Approach Dev QA Sandbox UAT Prod
BOSTON 10-11 SEPT 2018 Phase 2 - Pushing Testing to the Left Dev QA Sandbox UAT Prod Still doing the Gatekeeper process
BOSTON 10-11 SEPT 2018 Phase 3 – Individual Dev Testing Dev QA Sandbox UAT ProdDevDevDevDevDevDevDevDevDev Still doing the Gatekeeper and QA/DEV Testing processes
BOSTON 10-11 SEPT 2018 OK, Catching Our Breath, New Security Requirements 1. Must be able to match deployment speeds 2. Must be able to work in multiple environments (containers, ugh) 3. Provide certainty that production code is clean 4. Keep the devs happy 5. Keep the auditors happy 6. Keep the security team happy!* *Self Assigned Goal…
BOSTON 10-11 SEPT 2018 4. Keeps the devs happy App Security is just another part of QA. • Puts any findings into the exact same workflow as any bug ticket • Provide full context and details in the same ticket • Provide priority and significance of issues • Fail the build if severity is high enough • Give them an opportunity to help build the process Unhappy devs will find always find ways around your security process
BOSTON 10-11 SEPT 2018 OK, Catching Our Breath, New Security Requirements 1. Must be able to match deployment speeds 2. Must be able to work in multiple environments (containers, ugh) 3. Provide certainty that production code is clean 4. Keep the devs happy 5. Keep the auditors happy 6. Keep the security team happy!* *Self Assigned Goal…
BOSTON 10-11 SEPT 2018 5. Keep the auditors happy Documenting the process • Approval of code for prod • Jira ticket created for every build • Add web-hook to CI server to query Contrast API after functional testing, record output in ticket • Use version-commit numbers in your testing • Remember – no findings is not the same as proof it ran
BOSTON 10-11 SEPT 2018 OK, Catching Our Breath, New Security Requirements 1. Must be able to match deployment speeds 2. Must be able to work in multiple environments (containers, ugh) 3. Provide certainty that production code is clean 4. Keep the devs happy 5. Keep the auditors happy 6. Keep the security team happy!* *Self-Assigned Goal…
BOSTON 10-11 SEPT 2018 6. Keep the security team happy! • Automate wherever possible • Security doesn’t mean “No” • Share experiences with other infosec peers
BOSTON 10-11 SEPT 2018 OK, Catching Our Breath, New Security Requirements 1. Must be able to match deployment speeds 2. Must be able to work in multiple environments (containers, ugh) 3. Provide certainty that production code is clean 4. Keep the devs happy 5. Keep the auditors happy 6. Keep the security team happy!* *Self-Assigned Goal…
BOSTON 10-11 SEPT 2018 CI Deployment Cycle – Now with Security! 1. Code Development 2. Branch merged into QA 3. QA branch deployed - containers spun up, code deployed, services started, interactive security testing in place 4. Functional and Security Testing Executed 5. Successful testing, branch is tagged 6. Production Deployment – only tagged commits allowed …
BOSTON 10-11 SEPT 2018 Skillz for Infosec peeps in the DevOps Age • Learn to read (and write a little) code • Understand containers • Learn about continuous integration • Infrastructure as code is your friend • Infosec is the natural bridge between dev and infra teams
BOSTON 10-11 SEPT 2018 Thank You! Questions?

Recomendados

DevSecCon Boston 2018: Secure by Design by Chris Wysopal
DevSecCon Boston 2018: Secure by Design by Chris WysopalDevSecCon Boston 2018: Secure by Design by Chris Wysopal
DevSecCon Boston 2018: Secure by Design by Chris WysopalDevSecCon
 
DevSecCon Boston 2018: My rage quit journey: configuring Netflix tools by Sar...
DevSecCon Boston 2018: My rage quit journey: configuring Netflix tools by Sar...DevSecCon Boston 2018: My rage quit journey: configuring Netflix tools by Sar...
DevSecCon Boston 2018: My rage quit journey: configuring Netflix tools by Sar...DevSecCon
 
DevSecCon Boston 2018: How come appsec is still not in the curriculum by Gabo...
DevSecCon Boston 2018: How come appsec is still not in the curriculum by Gabo...DevSecCon Boston 2018: How come appsec is still not in the curriculum by Gabo...
DevSecCon Boston 2018: How come appsec is still not in the curriculum by Gabo...DevSecCon
 
DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...
DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...
DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...DevSecCon
 
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...DevSecCon
 
Security in serverless world
Security in serverless worldSecurity in serverless world
Security in serverless worldYan Cui
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineJames Wickett
 
360° Kubernetes Security: From Source Code to K8s Configuration Security
360° Kubernetes Security: From Source Code to K8s Configuration Security360° Kubernetes Security: From Source Code to K8s Configuration Security
360° Kubernetes Security: From Source Code to K8s Configuration SecurityDevOps.com
 

Recomendados

DevSecCon Boston 2018: Secure by Design by Chris Wysopal
DevSecCon Boston 2018: Secure by Design by Chris WysopalDevSecCon Boston 2018: Secure by Design by Chris Wysopal
DevSecCon Boston 2018: Secure by Design by Chris WysopalDevSecCon
 
DevSecCon Boston 2018: My rage quit journey: configuring Netflix tools by Sar...
DevSecCon Boston 2018: My rage quit journey: configuring Netflix tools by Sar...DevSecCon Boston 2018: My rage quit journey: configuring Netflix tools by Sar...
DevSecCon Boston 2018: My rage quit journey: configuring Netflix tools by Sar...DevSecCon
 
DevSecCon Boston 2018: How come appsec is still not in the curriculum by Gabo...
DevSecCon Boston 2018: How come appsec is still not in the curriculum by Gabo...DevSecCon Boston 2018: How come appsec is still not in the curriculum by Gabo...
DevSecCon Boston 2018: How come appsec is still not in the curriculum by Gabo...DevSecCon
 
DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...
DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...
DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...DevSecCon
 
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...DevSecCon
 
Security in serverless world
Security in serverless worldSecurity in serverless world
Security in serverless worldYan Cui
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineJames Wickett
 
360° Kubernetes Security: From Source Code to K8s Configuration Security
360° Kubernetes Security: From Source Code to K8s Configuration Security360° Kubernetes Security: From Source Code to K8s Configuration Security
360° Kubernetes Security: From Source Code to K8s Configuration SecurityDevOps.com
 
Build reliable Svelte applications using Cypress
Build reliable Svelte applications using CypressBuild reliable Svelte applications using Cypress
Build reliable Svelte applications using CypressMaurice De Beijer [MVP]
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSEric Smalling
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & NowCheckmarx
 
Hacker Games & DevSecOps
Hacker Games & DevSecOpsHacker Games & DevSecOps
Hacker Games & DevSecOpslokori
 
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...DevSecCon
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
 
Building a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot ApplicationBuilding a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot ApplicationVMware Tanzu
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSSonatype
 
DevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon
 
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps ApproachSecurity as Code: A DevSecOps Approach
Security as Code: A DevSecOps ApproachVMware Tanzu
 
Static Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin CollinsStatic Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin CollinsSonatype
 
i18n tech talk
i18n tech talki18n tech talk
i18n tech talkHitesh Sharma
 
Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020Matt Raible
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
 
30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOpsSonatype
 
DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon
 
How to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspectiveHow to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspectiveColin Domoney
 
Scale security for a dollar or less
Scale security for a dollar or lessScale security for a dollar or less
Scale security for a dollar or lessMohammed A. Imran
 
Experiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD ProjectExperiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD ProjectGene Gotimer
 
Tests your pipeline might be missing
Tests your pipeline might be missingTests your pipeline might be missing
Tests your pipeline might be missingGene Gotimer
 
DevSecCon Boston2018 - advanced mobile security automation with bdd
DevSecCon Boston2018 - advanced mobile security automation with bddDevSecCon Boston2018 - advanced mobile security automation with bdd
DevSecCon Boston2018 - advanced mobile security automation with bddDavide Cioccia
 
Exercising and Scaling Up Mobile DevOps in the Enterprise
Exercising and Scaling Up Mobile DevOps in the EnterpriseExercising and Scaling Up Mobile DevOps in the Enterprise
Exercising and Scaling Up Mobile DevOps in the EnterpriseBitbar
 

Más contenido relacionado

La actualidad más candente

Build reliable Svelte applications using Cypress
Build reliable Svelte applications using CypressBuild reliable Svelte applications using Cypress
Build reliable Svelte applications using CypressMaurice De Beijer [MVP]
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSEric Smalling
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & NowCheckmarx
 
Hacker Games & DevSecOps
Hacker Games & DevSecOpsHacker Games & DevSecOps
Hacker Games & DevSecOpslokori
 
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...DevSecCon
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
 
Building a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot ApplicationBuilding a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot ApplicationVMware Tanzu
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSSonatype
 
DevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon
 
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps ApproachSecurity as Code: A DevSecOps Approach
Security as Code: A DevSecOps ApproachVMware Tanzu
 
Static Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin CollinsStatic Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin CollinsSonatype
 
Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020Matt Raible
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
 
30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOpsSonatype
 
DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon
 
How to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspectiveHow to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspectiveColin Domoney
 
Scale security for a dollar or less
Scale security for a dollar or lessScale security for a dollar or less
Scale security for a dollar or lessMohammed A. Imran
 
Experiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD ProjectExperiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD ProjectGene Gotimer
 
Tests your pipeline might be missing
Tests your pipeline might be missingTests your pipeline might be missing
Tests your pipeline might be missingGene Gotimer
 

La actualidad más candente (20)

Build reliable Svelte applications using Cypress
Build reliable Svelte applications using CypressBuild reliable Svelte applications using Cypress
Build reliable Svelte applications using Cypress
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWS
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & Now
 
Hacker Games & DevSecOps
Hacker Games & DevSecOpsHacker Games & DevSecOps
Hacker Games & DevSecOps
 
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
Building a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot ApplicationBuilding a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot Application
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSS
 
DevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOps
 
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps ApproachSecurity as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
 
Static Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin CollinsStatic Analysis For Security and DevOps Happiness w/ Justin Collins
Static Analysis For Security and DevOps Happiness w/ Justin Collins
 
i18n tech talk
i18n tech talki18n tech talk
i18n tech talk
 
Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
 
30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps30+ Nexus Integrations to Accelerate DevOps
30+ Nexus Integrations to Accelerate DevOps
 
DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...
 
How to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspectiveHow to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspective
 
Scale security for a dollar or less
Scale security for a dollar or lessScale security for a dollar or less
Scale security for a dollar or less
 
Experiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD ProjectExperiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD Project
 
Tests your pipeline might be missing
Tests your pipeline might be missingTests your pipeline might be missing
Tests your pipeline might be missing
 

Similar a DevSecCon Boston 2018: Securing the Automated Pipeline: A Tale of Navigating the Microservices Culture by Julie Chickillo, Brandon Grady and Jason Looney

DevSecCon Boston2018 - advanced mobile security automation with bdd
DevSecCon Boston2018 - advanced mobile security automation with bddDevSecCon Boston2018 - advanced mobile security automation with bdd
DevSecCon Boston2018 - advanced mobile security automation with bddDavide Cioccia
 
Exercising and Scaling Up Mobile DevOps in the Enterprise
Exercising and Scaling Up Mobile DevOps in the EnterpriseExercising and Scaling Up Mobile DevOps in the Enterprise
Exercising and Scaling Up Mobile DevOps in the EnterpriseBitbar
 
Scalable full-stack development at the edge - Pascal Wolkotte - Codemotion Am...
Scalable full-stack development at the edge - Pascal Wolkotte - Codemotion Am...Scalable full-stack development at the edge - Pascal Wolkotte - Codemotion Am...
Scalable full-stack development at the edge - Pascal Wolkotte - Codemotion Am...Codemotion
 
Agile+DevOps - do we understand it?
Agile+DevOps - do we understand it?Agile+DevOps - do we understand it?
Agile+DevOps - do we understand it?toamitkumar
 
Harman deepak v - agile on steriod - dev ops led transformation
Harman deepak v - agile on steriod - dev ops led transformationHarman deepak v - agile on steriod - dev ops led transformation
Harman deepak v - agile on steriod - dev ops led transformationXebia India
 
Probo.ci Drupal 4 Gov Devops 1/2 day Presentation
Probo.ci Drupal 4 Gov Devops 1/2 day Presentation Probo.ci Drupal 4 Gov Devops 1/2 day Presentation
Probo.ci Drupal 4 Gov Devops 1/2 day Presentation Zivtech, LLC
 
Adopting agile in an embedded platform Suryakiran Kasturi & Akhil Kumar
Adopting agile in an embedded platform Suryakiran Kasturi & Akhil KumarAdopting agile in an embedded platform Suryakiran Kasturi & Akhil Kumar
Adopting agile in an embedded platform Suryakiran Kasturi & Akhil KumarXP Conference India
 
Modern Web-site Development Pipeline
Modern Web-site Development PipelineModern Web-site Development Pipeline
Modern Web-site Development PipelineGlobalLogic Ukraine
 
Resume_Thoota_Phani (2)
Resume_Thoota_Phani (2)Resume_Thoota_Phani (2)
Resume_Thoota_Phani (2)Phani Thoota
 
SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)Priyanka Aash
 
Zephyr-Overview-20230124.pdf
Zephyr-Overview-20230124.pdfZephyr-Overview-20230124.pdf
Zephyr-Overview-20230124.pdfibramax
 
Advanced Strategies for Testing Responsive Web
Advanced Strategies for Testing Responsive WebAdvanced Strategies for Testing Responsive Web
Advanced Strategies for Testing Responsive WebPerfecto by Perforce
 
Open DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
Open DevSecOps 2019 - Securing the Software Supply Chain - SonatypeOpen DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
Open DevSecOps 2019 - Securing the Software Supply Chain - SonatypeEmerasoft, solutions to collaborate
 
INF104 - HCL Domino AppDev Pack – The Future of Domino App Dev Nobody Knows A...
INF104 - HCL Domino AppDev Pack – The Future of Domino App Dev Nobody Knows A...INF104 - HCL Domino AppDev Pack – The Future of Domino App Dev Nobody Knows A...
INF104 - HCL Domino AppDev Pack – The Future of Domino App Dev Nobody Knows A...Heiko Voigt
 
Software update for IoT Embedded World 2017
Software update for IoT Embedded World 2017Software update for IoT Embedded World 2017
Software update for IoT Embedded World 2017Chris Simmonds
 
Optimizing The Cost Of Open Source Software Management
Optimizing The Cost Of Open Source Software ManagementOptimizing The Cost Of Open Source Software Management
Optimizing The Cost Of Open Source Software ManagementProtecode
 

Similar a DevSecCon Boston 2018: Securing the Automated Pipeline: A Tale of Navigating the Microservices Culture by Julie Chickillo, Brandon Grady and Jason Looney (20)

DevSecCon Boston2018 - advanced mobile security automation with bdd
DevSecCon Boston2018 - advanced mobile security automation with bddDevSecCon Boston2018 - advanced mobile security automation with bdd
DevSecCon Boston2018 - advanced mobile security automation with bdd
 
Exercising and Scaling Up Mobile DevOps in the Enterprise
Exercising and Scaling Up Mobile DevOps in the EnterpriseExercising and Scaling Up Mobile DevOps in the Enterprise
Exercising and Scaling Up Mobile DevOps in the Enterprise
 
Scalable full-stack development at the edge - Pascal Wolkotte - Codemotion Am...
Scalable full-stack development at the edge - Pascal Wolkotte - Codemotion Am...Scalable full-stack development at the edge - Pascal Wolkotte - Codemotion Am...
Scalable full-stack development at the edge - Pascal Wolkotte - Codemotion Am...
 
Agile+DevOps - do we understand it?
Agile+DevOps - do we understand it?Agile+DevOps - do we understand it?
Agile+DevOps - do we understand it?
 
Continuous Everything v2.0
Continuous Everything v2.0Continuous Everything v2.0
Continuous Everything v2.0
 
Harman deepak v - agile on steriod - dev ops led transformation
Harman deepak v - agile on steriod - dev ops led transformationHarman deepak v - agile on steriod - dev ops led transformation
Harman deepak v - agile on steriod - dev ops led transformation
 
Continuous Everything
Continuous EverythingContinuous Everything
Continuous Everything
 
Arif_Shaik_CV
Arif_Shaik_CVArif_Shaik_CV
Arif_Shaik_CV
 
Probo.ci Drupal 4 Gov Devops 1/2 day Presentation
Probo.ci Drupal 4 Gov Devops 1/2 day Presentation Probo.ci Drupal 4 Gov Devops 1/2 day Presentation
Probo.ci Drupal 4 Gov Devops 1/2 day Presentation
 
Adopting agile in an embedded platform Suryakiran Kasturi & Akhil Kumar
Adopting agile in an embedded platform Suryakiran Kasturi & Akhil KumarAdopting agile in an embedded platform Suryakiran Kasturi & Akhil Kumar
Adopting agile in an embedded platform Suryakiran Kasturi & Akhil Kumar
 
Modern Web-site Development Pipeline
Modern Web-site Development PipelineModern Web-site Development Pipeline
Modern Web-site Development Pipeline
 
Resume_Thoota_Phani (2)
Resume_Thoota_Phani (2)Resume_Thoota_Phani (2)
Resume_Thoota_Phani (2)
 
SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)
 
Zephyr-Overview-20230124.pdf
Zephyr-Overview-20230124.pdfZephyr-Overview-20230124.pdf
Zephyr-Overview-20230124.pdf
 
Advanced Strategies for Testing Responsive Web
Advanced Strategies for Testing Responsive WebAdvanced Strategies for Testing Responsive Web
Advanced Strategies for Testing Responsive Web
 
Open DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
Open DevSecOps 2019 - Securing the Software Supply Chain - SonatypeOpen DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
Open DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
 
INF104 - HCL Domino AppDev Pack – The Future of Domino App Dev Nobody Knows A...
INF104 - HCL Domino AppDev Pack – The Future of Domino App Dev Nobody Knows A...INF104 - HCL Domino AppDev Pack – The Future of Domino App Dev Nobody Knows A...
INF104 - HCL Domino AppDev Pack – The Future of Domino App Dev Nobody Knows A...
 
Software update for IoT Embedded World 2017
Software update for IoT Embedded World 2017Software update for IoT Embedded World 2017
Software update for IoT Embedded World 2017
 
Multi-OS Engine Technology Overview
Multi-OS Engine Technology OverviewMulti-OS Engine Technology Overview
Multi-OS Engine Technology Overview
 
Optimizing The Cost Of Open Source Software Management
Optimizing The Cost Of Open Source Software ManagementOptimizing The Cost Of Open Source Software Management
Optimizing The Cost Of Open Source Software Management
 

Más de DevSecCon

DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon
 
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon
 
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon
 
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security KnowledgeDevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security KnowledgeDevSecCon
 
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon
 
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon
 
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon
 
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon
 
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon
 
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon
 
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon
 
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon
 
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon
 
DevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon
 
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...DevSecCon
 

Más de DevSecCon (20)

DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
 
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
 
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
 
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security KnowledgeDevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
 
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
 
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
 
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
 
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
 
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
 
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
 
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
 
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
 
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for Kubernetes
 
DevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heel
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificates
 
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
 

Último

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 

Último (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 

DevSecCon Boston 2018: Securing the Automated Pipeline: A Tale of Navigating the Microservices Culture by Julie Chickillo, Brandon Grady and Jason Looney

  • 1. BOSTON 10-11 SEPT 2018 Securing the Automated Pipeline: A Tale of Navigating the Microservices Culture • Julie Chickillo – VP, Information Security • Brandon Grady – SVP, Software Engineer • Jason Looney – Enterprise Architect
  • 2. BOSTON 10-11 SEPT 2018 Back in My Day . . . . . We rented a place in a colo, bought a server, installed an OS on it, brought up a web server, and once a quarter we deployed code on it.
  • 3. BOSTON 10-11 SEPT 2018 Deploying Software - uphill both ways! 1. Code is developed 2. Code is placed in UAT 3. Dynamic and Static Scanning 4. Tickets entered for vulns 5. Devs fix and redeploy 6. Code retested 7. Functional Testing 8. Manual App Pentesting 9. Code Push to Prod scheduled 10. Whole weekend wasted as production push fails and dev and infrastructure teams blame each other, finally get the stupid thing working in time for the Monday morning standup.
  • 4. BOSTON 10-11 SEPT 2018 Standard Security Tools for the Good Ole Days… • Static Source Code Analysis = 8 hours • Dynamic Scan Analysis = 2 hours • Vulnerability Scans = 1 hour • Configuration Management – Agent Software or Network Scanner • Attack Detection – Agent software and Network Device • Web App Firewall – 1-2 weeks of tuning in UAT
  • 5. BOSTON 10-11 SEPT 2018 Then This Happened Otherwise known as the time security said “You built What!!!!”
  • 6. BOSTON 10-11 SEPT 2018 The Speed of DevOps • Continuous Integration and Infrastructure as Code means an environment can be fully deployed in 15 minutes. • Containers spin up and down automatically • Able to deploy small, durable changes multiple times per day.
  • 7. BOSTON 10-11 SEPT 2018 Paradigm Shift
  • 8. BOSTON 10-11 SEPT 2018 Continuous Integration Deployment Cycle 1. Code and QA Development 2. Branch merged into MASTER, and repo is tagged 3. Versioned Artifact built and deployed to ALL Dev Envs- Containers spun up, code deployed, services started 4. Functional Testing Executed 5. Artifact deployed to QA 6. Successful testing 7. Artifact deployed to PROD
  • 9. BOSTON 10-11 SEPT 2018 Change of Mindset
  • 10. BOSTON 10-11 SEPT 2018 Standard Security Tools for the Good Ole Days… • Static Source Code Analysis = 8 hours • Dynamic Scan Analysis = 2 hours • Vulnerability Scans = 1 hour • Configuration Management – Endpoint Agent Based • Attack Detection – Agent software and Network Device • Web App Firewall – 1-2 weeks of tuning in UAT
  • 11. BOSTON 10-11 SEPT 2018 Building trust
  • 12. BOSTON 10-11 SEPT 2018 Starting the conversation
  • 13. BOSTON 10-11 SEPT 2018 Giving Devs the power to say no!
  • 14. BOSTON 10-11 SEPT 2018 A little thing I like to call . . Wait for it . . . . . Talking with the Dev Teams! *GASP* Say it isn’t so! Continuing the conversation – yes you do have to keep talking with the developers.
  • 15. BOSTON 10-11 SEPT 2018 OK, Catching Our Breath, New Security Requirements 1. Must be able to match deployment speeds 2. Must be able to work in multiple environments (containers, ugh) 3. Provide certainty that production code is clean 4. Keep the devs happy 5. Keep the auditors happy 6. Keep the security team happy!* *Self Assigned Goal…
  • 16. BOSTON 10-11 SEPT 2018 1. Match the Speed • Static Source Code Analysis = 8 hours • Dynamic Scan Analysis = 2 hours • Vulnerability Scans = 1 hour • Configuration Management – Endpoint Agent Based • Attack Detection – Agent software and Network Device • Web App Firewall – 1-2 weeks of tuning in UAT
  • 17. BOSTON 10-11 SEPT 2018 Automated Reviews at Speed • Standard Static and Dynamic tools too slow • Interactive Testing – lets us piggyback the functional testing gates • Needed a tool that could run in both old school and DevOps worlds • Can handle Windows and Linux, Containers and Servers, .NET/Java/Node.js • Runs in minutes What Beeline is using today
  • 18. BOSTON 10-11 SEPT 2018 OK, Catching Our Breath, New Security Requirements 1. Must be able to match deployment speeds 2. Must be able to work in multiple environments (containers, ugh) 3. Provide certainty that production code is clean 4. Keep the devs happy 5. Keep the auditors happy 6. Keep the security team happy!* *Self-Assigned Goal…
  • 19. BOSTON 10-11 SEPT 2018 1. Match the Speed • Static Source Code Analysis = 8 hours • Dynamic Scan Analysis = 2 hours • Vulnerability Scans = 1 hour • Configuration Management – Endpoint Agent Based • Attack Detection – Agent software and Network Device • Web App Firewall – 1-2 weeks of tuning in UAT
  • 20. BOSTON 10-11 SEPT 2018 2. Runs wherever the code is • IAST tool runs as a component of the app, deployed as part of the underlying app server • Containers • Virtual Servers • PaaS Platforms • Build into the build and deployment process • Deploy software and configurations consistently • Include security concerns into health check functions
  • 22. BOSTON 10-11 SEPT 2018 2. Runs wherever the code is Verifying the integrity of the underlying server/container 1. Established a trusted registry for images 2. Only allow deployments of accepted containers/software 3. Script up checks for changes to registries (easier than it sounds!) 4. Supply Chain concerns go here… 5. Configuration checking happens here too 6. Complete software component inventory!!!!!! (IMPORTANT)
  • 23. BOSTON 10-11 SEPT 2018 OK, Catching Our Breath, New Security Requirements 1. Must be able to match deployment speeds 2. Must be able to work in multiple environments (containers, ugh) 3. Provide certainty that production code is clean 4. Keep the devs happy 5. Keep the auditors happy 6. Keep the security team happy!* *Self Assigned Goal…
  • 24. Phase 1 - Gatekeeper Approach Dev QA Sandbox UAT Prod
  • 25. BOSTON 10-11 SEPT 2018 Phase 2 - Pushing Testing to the Left Dev QA Sandbox UAT Prod Still doing the Gatekeeper process
  • 26. BOSTON 10-11 SEPT 2018 Phase 3 – Individual Dev Testing Dev QA Sandbox UAT ProdDevDevDevDevDevDevDevDevDev Still doing the Gatekeeper and QA/DEV Testing processes
  • 27. BOSTON 10-11 SEPT 2018 OK, Catching Our Breath, New Security Requirements 1. Must be able to match deployment speeds 2. Must be able to work in multiple environments (containers, ugh) 3. Provide certainty that production code is clean 4. Keep the devs happy 5. Keep the auditors happy 6. Keep the security team happy!* *Self Assigned Goal…
  • 28. BOSTON 10-11 SEPT 2018 4. Keeps the devs happy App Security is just another part of QA. • Puts any findings into the exact same workflow as any bug ticket • Provide full context and details in the same ticket • Provide priority and significance of issues • Fail the build if severity is high enough • Give them an opportunity to help build the process Unhappy devs will find always find ways around your security process
  • 29. BOSTON 10-11 SEPT 2018 OK, Catching Our Breath, New Security Requirements 1. Must be able to match deployment speeds 2. Must be able to work in multiple environments (containers, ugh) 3. Provide certainty that production code is clean 4. Keep the devs happy 5. Keep the auditors happy 6. Keep the security team happy!* *Self Assigned Goal…
  • 30. BOSTON 10-11 SEPT 2018 5. Keep the auditors happy Documenting the process • Approval of code for prod • Jira ticket created for every build • Add web-hook to CI server to query Contrast API after functional testing, record output in ticket • Use version-commit numbers in your testing • Remember – no findings is not the same as proof it ran
  • 31. BOSTON 10-11 SEPT 2018 OK, Catching Our Breath, New Security Requirements 1. Must be able to match deployment speeds 2. Must be able to work in multiple environments (containers, ugh) 3. Provide certainty that production code is clean 4. Keep the devs happy 5. Keep the auditors happy 6. Keep the security team happy!* *Self-Assigned Goal…
  • 32. BOSTON 10-11 SEPT 2018 6. Keep the security team happy! • Automate wherever possible • Security doesn’t mean “No” • Share experiences with other infosec peers
  • 33. BOSTON 10-11 SEPT 2018 OK, Catching Our Breath, New Security Requirements 1. Must be able to match deployment speeds 2. Must be able to work in multiple environments (containers, ugh) 3. Provide certainty that production code is clean 4. Keep the devs happy 5. Keep the auditors happy 6. Keep the security team happy!* *Self-Assigned Goal…
  • 34. BOSTON 10-11 SEPT 2018 CI Deployment Cycle – Now with Security! 1. Code Development 2. Branch merged into QA 3. QA branch deployed - containers spun up, code deployed, services started, interactive security testing in place 4. Functional and Security Testing Executed 5. Successful testing, branch is tagged 6. Production Deployment – only tagged commits allowed …
  • 35. BOSTON 10-11 SEPT 2018 Skillz for Infosec peeps in the DevOps Age • Learn to read (and write a little) code • Understand containers • Learn about continuous integration • Infrastructure as code is your friend • Infosec is the natural bridge between dev and infra teams
  • 36. BOSTON 10-11 SEPT 2018 Thank You! Questions?

Notas del editor

  1. Brandon Grady
  2. Brandon Grady
  3. Julie
  4. Jason
  5. Jason
  6. Jason
  7. Jason
  8. Julie Chickillo
  9. Julie Chickillo
  10. Julie Chickillo
  11. Julie Chickillo
  12. Julie Chickillo
  13. Julie Chickillo
  14. Brandon
  15. Brandon
  16. Julie
  17. Julie
  18. Julie
  19. Julie
  20. Julie
  21. Brandon Grady
  22. Jason
  23. Jason
  24. Jason
  25. Jason
  26. Brandon
  27. Brandon
  28. Julie Chickillo
  29. Julie Chickillo
  30. Julie Chickillo
  31. Julie Chickillo
  32. Julie Chickillo
  33. Brandon Grady and Jason
  34. Brandon Grady and Jason