Magnus Klaaborg Stubman,
Improsec A/S
Irina Kostina,
Microsoft
Security Development Lifecycle methodology & DevSecOps
Equifax breach 2017
Equifax's CEO and other executives resigned following a backlash over the hack at the company that compromised the data of 143 million people.
The thieves spent 76 days within Equifax's network before they were detected.
$700 million to settle federal and state investigations
$425 million to directly help consumers affected by the breach
$1.4 billion: amount Equifax has spent on upgrading its security in the wake of the incident
In contrast with:
SQL Injection: Extracts Starbucks Enterprise Accounting, Financial, Payroll Database
Bounty: $4000
https://hackerone.com/reports/531051
Development Methodologies
SDLC
[Slide diagram, built up over several slides: a waterfall pipeline, Dev → Test → Deploy to Production, contrasted with an iterative pipeline, Dev → Test → Dev → Test → Dev → Test → Deploy to Production; later builds add further Test stages and a Training stage before Dev.]
How easy/hard is it to get rid of the solution?
How easy/hard is it to move the solution?
Development Methodologies - summarized
SDLC
• Your mileage may vary – one size does not fit all
• Waterfall approach may increase reliability, but reduce predictability
• Agile approach may increase predictability, but reduce reliability
• Training is a one-time cost, and gives value over time
• Ask yourself:
  • What do you need?
  • What works in your organization?
Internal Quality Assurance (QA)
SDLC
• Definition of Done:
  • Implemented according to standards
  • Unit test cases have been written for all functionality
  • Documented
  • Code reviewed by a colleague
  • Documentation reviewed by a colleague
  • dependency-check reports 0 vulnerabilities
https://www.exploit-db.com/exploits/18329
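The last item of the Definition of Done, "dependency-check reports 0 vulnerabilities", only means something if the build enforces it. The following is an added example, not code from the slides and not part of dependency-check itself: a small gate that reads a dependency-check style JSON report (the report shape is my assumption, see the comments), fails on any finding by default, and offers a CVSS threshold plus an accepted-risk list for teams that are still ratcheting down toward zero.

```python
import json
import sys

# Constructed report (not a real scan). Its shape, a top-level "dependencies"
# list whose entries carry an optional "vulnerabilities" list with "name",
# "severity" and a "cvssv3"/"cvssv2" score block, is my assumption about the
# layout of OWASP dependency-check's JSON output; adjust the accessors if yours differs.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "example-parser-1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0001", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 9.8}},
             {"name": "CVE-EXAMPLE-0002", "severity": "MEDIUM",
              "cvssv3": {"baseScore": 5.9}},
         ]},
        {"fileName": "example-utils-2.1.jar"},
        {"fileName": "example-logging-0.9.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0003", "severity": "HIGH",
              "cvssv2": {"score": 7.5}},
         ]},
    ]
})


def _score(vuln):
    """Prefer the CVSS v3 base score, fall back to v2, None if neither is present."""
    for block, field in (("cvssv3", "baseScore"), ("cvssv2", "score")):
        data = vuln.get(block) or {}
        if field in data:
            return float(data[field])
    return None


def load_findings(report_text):
    """Flatten a report into (dependency, vulnerability id, severity, score) tuples."""
    report = json.loads(report_text)
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            findings.append((dep.get("fileName", "?"), vuln["name"],
                             str(vuln.get("severity", "UNKNOWN")).upper(), _score(vuln)))
    return findings


def definition_of_done(report_text, fail_on_cvss=0.0, suppressed=()):
    """Gate from the slide: with fail_on_cvss=0.0 every reported vulnerability
    blocks, i.e. "dependency-check reports 0 vulnerabilities". A team that is
    not yet at zero can start with a higher threshold and ratchet it down;
    suppressed holds ids whose risk was explicitly accepted (keep the written
    justification next to the id). A finding with no score is treated as
    blocking rather than silently passing."""
    blocking = [f for f in load_findings(report_text)
                if f[1] not in suppressed and (f[3] is None or f[3] >= fail_on_cvss)]
    return len(blocking) == 0, blocking


def main(argv):
    """Usage: gate.py <dependency-check-report.json> [fail_on_cvss]
    Without arguments the constructed sample report is used."""
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    threshold = float(argv[2]) if len(argv) > 2 else 0.0
    done, blocking = definition_of_done(text, threshold)
    for dep, cve, severity, score in blocking:
        print("BLOCKING %-9s %-5s %-20s %s" % (severity, score, cve, dep))
    print("Definition of Done:", "met" if done else "NOT met")
    return 0 if done else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit code is what the CI job should key on, so the gate fails the pipeline rather than just printing a warning.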
Security – all or nothing?
• Cost
• Productivity hit
• Security hit
• Horror stories?
• Start over?
• The most important step is the first!
  • Get started
  • Incremental improvements
  • Try, try and try again
Segmentation
Segmentation / Isolation / Separation
Simplicity
Silver Bullets
• Complex code
  • Hard to read
  • Hard to review
  • Hard to maintain
  • Hard to add new features
  • Hard to replace/deprecate
  • Lower developer satisfaction
  • Harder to pentest
Expensive!
Security as a Cultural Phenomenon
• Policies, guidelines from management → top-down approach
• Security awareness, security training → bottom-up approach
• Code review after pentest → team meeting, walk through vulnerabilities, talk about mitigation pros/cons. No finger pointing, only learning.
• "What are we doing to prevent this from being abused/exploited?"
Security as a Cultural Phenomenon
• OWASP
  • "Top 10": https://owasp.org/www-project-top-ten/
  • Present one topic once a week, during a lunch meeting
  • Copenhagen: https://owasp.org/www-chapter-copenhagen/
  • Aarhus: https://owasp.org/www-chapter-aarhus/
Silver Bullets - summarized
SDLC
• Segmentation
• Simplicity
• Culture
Microsoft SDL
Provide Training: Ensure everyone understands security best practices.
Define Security Requirements: Continually update security requirements to reflect changes in functionality and to the regulatory and threat landscape.
Define Metrics and Compliance Reporting: Identify the minimum acceptable levels of security quality and how engineering teams will be held accountable.
Perform Threat Modeling: Use threat modeling to identify security vulnerabilities, determine risk, and identify mitigations.
Establish Design Requirements: Define standard security features that all engineers should use.
Define and Use Cryptography Standards: Ensure the right cryptographic solutions are used to protect data.
Manage the Security Risk of Using Third-Party Components: Keep an inventory of third-party components and create a plan to evaluate reported vulnerabilities.
Use Approved Tools: Define and publish a list of approved tools and their associated security checks.
Perform Static Analysis Security Testing: Analyze source code before compiling to validate the use of secure coding policies.
Perform Dynamic Analysis Security Testing: Perform run-time verification of fully compiled software to test security of fully integrated and running code.
Perform Penetration Testing: Uncover potential vulnerabilities resulting from coding errors, system configuration faults, or other operational deployment weaknesses.
Establish a Standard Incident Response Process: Prepare an Incident Response Plan to address new threats that can emerge over time.
Microsoft SDL
#5 : Threat Modeling
DevSecOps
[Slide diagram, built up over several slides: a feedback loop running Business requirements → Development → Operations → Users and back, with the goal "Identify defects as early as possible". Annotations on the loop: Monitor; Incremental Threat Modeling; SAST (fast feedback loop); DAST; Validation; Vulnerability Scanning; Monitoring; Dedicated Pentesting; Periodic pentesting.]
Secure Deployment
https://azsk.azurewebsites.net/
Static Application Security Testing
https://owasp.org/www-community/Source_Code_Analysis_Tools
https://github.com/features/security
+
• Scales well (only needs the code)
• Finds vulnerabilities earlier in the process
• Highlights the precise source files, line numbers, subsections of lines
-
• Many types of security vulnerabilities are difficult to find automatically
• High numbers of false positives
• Frequently can’t find configuration issues, since they are not represented in the code
• Difficult to ‘prove’ that an identified security issue is an actual vulnerability
https://sonarcloud.io/
#10: Dynamic Application Security Testing
+
• Technology independent
• Low false positives
• Identifies configuration issues
-
• Not highly scalable
• No code visibility
• Slow scans
https://docs.microsoft.com/en-us/previous-versions/software-testing/cc162782(v=msdn.10)
https://www.g2.com/categories/dynamic-application-security-testing-dast
https://marketplace.visualstudio.com/search?term=security&target=AzureDevOps&category=All%20categories&sortBy=Relevance
SAST vs DAST
SAST: White box security testing. The tester has access to the underlying framework, design, and implementation. The application is tested from the inside out. This type of testing represents the developer approach.
DAST: Black box security testing. The tester has no knowledge of the technologies or frameworks that the application is built on. The application is tested from the outside in. This type of testing represents the hacker approach.
SAST: Requires source code. SAST doesn’t require a deployed application; it analyzes the source code or binary without executing the application.
DAST: Requires a running application. DAST doesn’t require source code or binaries; it analyzes the application by executing it.
SAST: Finds vulnerabilities earlier in the SDLC. The scan can be executed as soon as code is deemed feature-complete.
DAST: Finds vulnerabilities toward the end of the SDLC. Vulnerabilities can be discovered after the development cycle is complete.
SAST: Less expensive to fix vulnerabilities. Since vulnerabilities are found earlier in the SDLC, it’s easier and faster to remediate them. Findings can often be fixed before the code enters the QA cycle.
DAST: More expensive to fix vulnerabilities. Since vulnerabilities are found toward the end of the SDLC, remediation often gets pushed into the next cycle. Critical vulnerabilities may be fixed as an emergency release.
SAST: Can’t discover run-time and environment-related issues. Since the tool scans static code, it can’t discover run-time vulnerabilities.
DAST: Can discover run-time and environment-related issues. Since the tool uses dynamic analysis on an application, it is able to find run-time vulnerabilities.
SAST: Supports all kinds of software. Examples include web applications, web services, and thick clients.
DAST: Typically scans only apps like web applications and web services. DAST is not useful for other types of software.
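The SAST and DAST trade-offs above can be seen side by side on one small constructed Python module. The following is an added example, not code from the slides: a toy static rule that flags dynamically built SQL and reports exact lines (including one hit that only interpolates a module constant, which the rule cannot "prove" exploitable from the code alone), and a black-box runtime probe that calls the same functions with a legitimate input containing an apostrophe and observes that the concatenated query fails at run time without ever reading the source. The module, the function names and the probe input are all constructed for this example.

```python
import ast
import sqlite3

# Constructed sample module (not from the slides): one query built with an
# f-string from a caller-supplied value, one parameterized query, and one
# f-string that only interpolates a module constant.
SAMPLE_SOURCE = '''\
import sqlite3
TABLE = "users"

def find_user_unsafe(conn, name):
    return conn.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()

def find_user_safe(conn, name):
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()

def count_rows(conn):
    return conn.execute(f"SELECT COUNT(*) FROM {TABLE}").fetchall()
'''


def _is_dynamic_string(node):
    """True if the expression assembles a string at run time."""
    if isinstance(node, ast.JoinedStr):                          # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                               # "..." + x, "..." % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                         # "...".format(x)
    return False


def scan_source(source, filename="sample.py"):
    """SAST-style rule: flag every .execute() call whose SQL text is built
    dynamically. Returns (file, line, function) per hit: the precise location
    static analysis gives you, whether or not the hit is really exploitable.
    count_rows() is reported too although only a constant is interpolated;
    that is the false positive the slides warn about."""
    findings = []
    for func in ast.walk(ast.parse(source, filename)):
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute"
                    and node.args
                    and _is_dynamic_string(node.args[0])):
                findings.append((filename, node.lineno, func.name))
    return findings


def runtime_probe(source):
    """DAST-style check: run the sample's functions as a black box against an
    in-memory database with a legitimate input that contains a quote, and
    record whether each query succeeds or errors. No source is inspected here,
    so this side cannot say which line is at fault, only that behaviour differs."""
    namespace = {}
    exec(compile(source, "sample.py", "exec"), namespace)  # our own constructed module
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES (?)", ("O'Brien",))
    results = {}
    for fname in ("find_user_unsafe", "find_user_safe"):
        try:
            rows = namespace[fname](conn, "O'Brien")
            results[fname] = ("ok", len(rows))
        except sqlite3.Error as exc:
            results[fname] = ("error", type(exc).__name__)
    conn.close()
    return results


if __name__ == "__main__":
    for hit in scan_source(SAMPLE_SOURCE):
        print("SAST finding: %s:%d in %s()" % hit)
    for name, outcome in runtime_probe(SAMPLE_SOURCE).items():
        print("DAST probe:", name, outcome)
```

The concatenated query breaks on an ordinary name with an apostrophe, which is the kind of run-time error a DAST scan sees as a server error and a SAST scan can only suspect.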
Where do I start?
aka.ms/sdlc
Implement: Use the implementers’ resources guides to create an implementation plan that advances your SDL maturity.
Self-assess: Review the self-assessment guide to assess your organization’s current SDL maturity level.
Identify: Identify where your organization falls on the SDL Optimization Maturity Model.
Thank you!
Any questions?

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

SDLC & DevSecOps

  • 1. Magnus Klaaborg Stubman, Improsec A/S; Irina Kostina, Microsoft. Security Development Lifecycle methodology & DevSecOps
  • 2. Equifax breach 2017
    • Equifax's CEO and other executives resigned following a backlash over the hack at the company that compromised the data of 143 million people.
    • The thieves spent 76 days within Equifax's network before they were detected.
    • $700 million to settle federal and state investigations
    • $425 million to directly help consumers affected by the breach
    • $1.4 billion: amount Equifax has spent on upgrading its security in the wake of the incident
  • 3. In contrast with: SQL Injection: Extracts Starbucks Enterprise Accounting, Financial, Payroll Database. Bounty: $4000. https://hackerone.com/reports/531051
  • 4–11. Development Methodologies (SDLC): diagram slides. Box labels recoverable from the text: Dev, Test, Deploy to Production, first as one linear pipeline and then as an iterative pipeline with repeated Dev/Test stages; later builds add question marks (slides 6–7), a pipeline with three Test stages (slides 9–10) and Training boxes (slides 10–11).
  • 20–21. Development Methodologies (SDLC)
    • How easy/hard is it to get rid of the solution?
    • How easy/hard is it to move the solution?
  • 22–26. Development Methodologies - summarized (SDLC)
    • Your mileage may vary – one size does not fit all
    • Waterfall approach may increase reliability, but reduce predictability
    • Agile approach may increase predictability, but reduce reliability
    • Training is a one-time cost, and gives value over time
    • Ask yourself:
      • What do you need?
      • What works in your organization?
  • 27. Internal Quality Assurance (QA) (SDLC)
    • Definition of Done:
      • Implemented according to standards
      • Unit test cases have been written for all functionality
      • Documented
      • Code reviewed by a colleague
      • Documentation reviewed by a colleague
      • dependency-check reports 0 vulnerabilities
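The last Definition of Done item above, a dependency scan that must report zero vulnerabilities, is the kind of criterion a build gate can enforce mechanically instead of by checklist. The following Python script is an added example for this page, not code from the deck or from Improsec or Microsoft. It reads a JSON report in the shape that OWASP dependency-check writes (the field names dependencies[].fileName, vulnerabilities[].name, severity and cvssv3.baseScore are assumed from that tool's report format and should be verified against the version in use) and fails the build while any finding remains; the report contents are constructed for the example.

```python
"""Definition-of-Done gate: fail the build unless the dependency scan report
is clean. Added example for this page, not code from the deck."""
import json
import sys

# Constructed sample report (not real scan output). Field names follow the
# shape of an OWASP dependency-check JSON report as assumed by this example:
# dependencies[].fileName, dependencies[].vulnerabilities[].name / severity /
# cvssv3.baseScore; verify them against the report your tool version writes.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "example-lib-1.2.3.jar",
            "vulnerabilities": [
                {"name": "CVE-PLACEHOLDER-1", "severity": "HIGH",
                 "cvssv3": {"baseScore": 8.1}},
                {"name": "CVE-PLACEHOLDER-2", "severity": "LOW",
                 "cvssv3": {"baseScore": 3.1}},
            ],
        },
        {"fileName": "example-util-4.5.6.jar"},  # no findings for this one
    ]
})

# A second constructed report with no findings, i.e. what the DoD requires.
CLEAN_REPORT = json.dumps({"dependencies": [{"fileName": "example-util-4.5.6.jar"}]})


def load_findings(report_json: str) -> list[dict]:
    """Flatten the per-dependency vulnerability lists into one list of
    {dependency, id, severity, score} records."""
    report = json.loads(report_json)
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = (vuln.get("cvssv3") or {}).get("baseScore")
            if score is None:  # older entries may only carry a CVSSv2 score
                score = (vuln.get("cvssv2") or {}).get("score", 0.0)
            findings.append({
                "dependency": dep.get("fileName", "?"),
                "id": vuln.get("name", "?"),
                "severity": vuln.get("severity", "UNKNOWN"),
                "score": float(score),
            })
    return findings


def gate(report_json: str, fail_on_cvss: float = 0.0) -> tuple[bool, list[dict]]:
    """Return (passed, blocking_findings). With the default threshold of 0.0
    every finding blocks, which is the slide's '0 vulnerabilities' rule; a
    higher threshold only blocks findings scored at or above it."""
    blocking = [f for f in load_findings(report_json) if f["score"] >= fail_on_cvss]
    return (not blocking, blocking)


if __name__ == "__main__":
    # Read a real report from argv if given, else use the constructed sample.
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, blocking = gate(report)
    for f in blocking:
        print(f"BLOCK {f['dependency']}: {f['id']} ({f['severity']}, CVSS {f['score']})")
    print("Definition of Done, dependency check:", "PASSED" if passed else "FAILED")
    sys.exit(0 if passed else 1)
```

The default threshold implements the slide's criterion literally: any finding blocks the story. Raising fail_on_cvss mirrors dependency-check's own --failOnCVSS option and is the usual compromise while a team works down an existing backlog; the gate then still forces every high-scoring finding to be fixed or explicitly suppressed before the work counts as done, and the exit code is what the CI job keys on.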
  • 33–36. Security – all or nothing?
    • Cost
    • Productivity hit
    • Security hit
    • Horror stories?
    • Start over?
    • The most important step is the first!
      • Get started
      • Incremental improvements
      • Try, try and try again
  • 39. Segmentation / Isolation / Separation
  • 44–51. Silver Bullets: Simplicity
    • Complex code
      • Hard to read
      • Hard to review
      • Hard to maintain
      • Hard to add new features
      • Hard to replace/deprecate
      • Lower developer satisfaction
      • Harder to pentest
    • Expensive!
  • 53–56. Security as a Cultural Phenomenon
    • Policies, guidelines from management → top-down approach
    • Security awareness, security trainings → bottom-up approach
    • Code review after pentest → team meeting, walk through vulnerabilities, talk about mitigations pros/cons. No finger pointing, only learning.
    • "What are we doing to prevent this from being abused/exploited?"
  • 57–59. Security as a Cultural Phenomenon
    • OWASP
      • "Top 10": https://owasp.org/www-project-top-ten/
      • Present one topic each week, during a lunch meeting
      • Copenhagen: https://owasp.org/www-chapter-copenhagen/
      • Aarhus: https://owasp.org/www-chapter-aarhus/
  • 60. Silver Bullets - summarized SDLC • Segmentation • Simplicity • Culture
  • 61–62. Microsoft SDL
    • Provide Training: Ensure everyone understands security best practices.
    • Define Security Requirements: Continually update security requirements to reflect changes in functionality and to the regulatory and threat landscape.
    • Define Metrics and Compliance Reporting: Identify the minimum acceptable levels of security quality and how engineering teams will be held accountable.
    • Perform Threat Modeling: Use threat modeling to identify security vulnerabilities, determine risk, and identify mitigations.
    • Establish Design Requirements: Define standard security features that all engineers should use.
    • Define and Use Cryptography Standards: Ensure the right cryptographic solutions are used to protect data.
    • Manage the Security Risk of Using Third-Party Components: Keep an inventory of third-party components and create a plan to evaluate reported vulnerabilities.
    • Use Approved Tools: Define and publish a list of approved tools and their associated security checks.
    • Perform Static Analysis Security Testing: Analyze source code before compiling to validate the use of secure coding policies.
    • Perform Dynamic Analysis Security Testing: Perform run-time verification of fully compiled software to test security of fully integrated and running code.
    • Perform Penetration Testing: Uncover potential vulnerabilities resulting from coding errors, system configuration faults, or other operational deployment weaknesses.
    • Establish a Standard Incident Response Process: Prepare an Incident Response Plan to address new threats that can emerge over time.
  • 63. #5: Threat Modeling
  • 65. Identify defects as early as possible (diagram slide; recoverable labels: Business requirements, Development, Operations, Users, Monitor, Feedback loop)
  • 67. Static Application Security Testing
    • Pros:
      • Scales well (only needs the code)
      • Finds vulnerabilities earlier in the process
      • Highlights the precise source files, line numbers, subsections of lines
    • Cons:
      • Many types of security vulnerabilities are difficult to find automatically
      • High numbers of false positives
      • Frequently can't find configuration issues, since they are not represented in the code
      • Difficult to 'prove' that an identified security issue is an actual vulnerability
    • Links: https://owasp.org/www-community/Source_Code_Analysis_Tools, https://github.com/features/security, https://sonarcloud.io/
  • 68. #10: Dynamic Application Security Testing
    • Pros:
      • Technology independent
      • Low false positives
      • Identifies configuration issues
    • Cons:
      • Not highly scalable
      • No code visibility
      • Slow scans
    • Links: https://docs.microsoft.com/en-us/previous-versions/software-testing/cc162782(v=msdn.10), https://www.g2.com/categories/dynamic-application-security-testing-dast, https://marketplace.visualstudio.com/search?term=security&target=AzureDevOps&category=All%20categories&sortBy=Relevance
  • 69. SAST vs DAST
    • Approach
      • SAST: White box security testing. The tester has access to the underlying framework, design, and implementation. The application is tested from the inside out. This type of testing represents the developer approach.
      • DAST: Black box security testing. The tester has no knowledge of the technologies or frameworks that the application is built on. The application is tested from the outside in. This type of testing represents the hacker approach.
    • Prerequisites
      • SAST: Requires source code. SAST doesn't require a deployed application. It analyzes the source code or binary without executing the application.
      • DAST: Requires a running application. DAST doesn't require source code or binaries. It analyzes by executing the application.
    • When vulnerabilities are found
      • SAST: Finds vulnerabilities earlier in the SDLC. The scan can be executed as soon as code is deemed feature-complete.
      • DAST: Finds vulnerabilities toward the end of the SDLC. Vulnerabilities can be discovered after the development cycle is complete.
    • Cost of fixing
      • SAST: Less expensive to fix vulnerabilities. Since vulnerabilities are found earlier in the SDLC, it's easier and faster to remediate them. Findings can often be fixed before the code enters the QA cycle.
      • DAST: More expensive to fix vulnerabilities. Since vulnerabilities are found toward the end of the SDLC, remediation often gets pushed into the next cycle. Critical vulnerabilities may be fixed as an emergency release.
    • Run-time and environment issues
      • SAST: Can't discover run-time and environment-related issues. Since the tool scans static code, it can't discover run-time vulnerabilities.
      • DAST: Can discover run-time and environment-related issues. Since the tool uses dynamic analysis on an application, it is able to find run-time vulnerabilities.
    • Software coverage
      • SAST: Supports all kinds of software. Examples include web applications, web services, and thick clients.
      • DAST: Typically scans only apps like web applications and web services. DAST is not useful for other types of software.
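Slides 67 and 69 describe what a source-code analyzer does: it inspects code without running it and points at exact files and lines, at the price of false positives and no view of configuration. The following Python module is an added example written for this page, not a tool from the deck or from its authors. It implements one SAST rule on top of Python's own ast module: it flags database execute() calls whose SQL text is assembled by concatenation, %-formatting, str.format() or an f-string (the SQL-injection pattern that the Starbucks report on slide 3 is an instance of) and reports file, line and column for each. The scanned source is a constructed sample, and the names SINK_NAMES, Finding and scan_source are the example's own.

```python
"""Minimal SAST rule (added example, not from the deck): flag database
execute() calls whose first argument is built dynamically, and report the
file, line and column the way a source-code analyzer would."""
import ast
from dataclasses import dataclass

# Constructed sample source to scan. Line numbers are as ast.parse counts them.
SAMPLE_SOURCE = '''\
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")  # concat
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")       # f-string
    cur.execute("SELECT * FROM users WHERE name = %s" % name)       # %-format
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))     # safe
    cur.execute("SELECT 1 " + "FROM dual")                          # constant concat
'''

# Method names treated as SQL sinks (assumed for this example; DB-API style).
SINK_NAMES = {"execute", "executemany", "executescript"}


@dataclass
class Finding:
    path: str
    line: int
    col: int
    reason: str


def _is_dynamic_string(node: ast.AST) -> tuple[bool, str]:
    """Classify how the SQL argument is built. A plain constant is safe; any
    form that splices values into the text at run time is reported."""
    if isinstance(node, ast.JoinedStr):  # f-string; only dynamic if it has {...}
        dynamic = any(isinstance(v, ast.FormattedValue) for v in node.values)
        return dynamic, "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return True, "string concatenation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return True, "%-formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True, "str.format()"
    return False, ""


def scan_source(source: str, path: str = "<string>") -> list[Finding]:
    """Parse the source (never executing it) and return findings sorted by
    position, each pointing at the exact call expression."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=path)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SINK_NAMES and node.args):
            dynamic, reason = _is_dynamic_string(node.args[0])
            if dynamic:
                findings.append(Finding(path, node.lineno, node.col_offset, reason))
    return sorted(findings, key=lambda f: (f.line, f.col))


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE, "sample.py"):
        print(f"{f.path}:{f.line}:{f.col}: SQL built via {f.reason}")
```

The sample shows both sides of the slide's trade-off. The three injectable calls on lines 2 to 4 are found precisely, line by line, without a deployed application, and the parameterized call on line 5 is correctly ignored. Line 6 is a false positive: two constant strings joined with +, no user data involved. Telling line 6 apart from line 2, or following a query that arrives through a variable rather than being built at the call site, needs data-flow analysis rather than a syntactic rule, which is why slide 67 warns that a static finding is hard to 'prove' without a reviewer looking at it.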
  • 71. Where do I start? aka.ms/sdlc
    • Identify: Identify where your organization falls on the SDL Optimization Maturity Model.
    • Self-assess: Review the self-assessment guide to assess your organization's current SDL maturity level.
    • Implement: Use the implementers' resource guides to create an implementation plan that advances your SDL maturity.