2. Agenda
● Agile and Security
● Vulnerability management
● Application security testing methodologies
● CI/CD pipeline phases with integrated security checks
● Demo
● Limitations of tools
● Final thoughts
3. Agile and Security
● Agile development and Security
● Manual testing and compliance checking cannot keep up with the speed of delivery
● Security teams that try to reduce risk by minimizing change are irrelevant in an Agile world
● Instead of doing security, enable security (DevSecOps)
○ Document techniques
○ Build capability to develop and deploy secure services
○ Build tools and automation
4. Vulnerability management
● Vulnerability scanning and patching
● Some ways of getting vulnerability information:
○ Automated Security Testing (AST) tools
○ Software Component Analysis (SCA) tools
○ Scanning container images
○ Scanning cloud instances (AWS Inspector)
○ Bug reports from partners, users, …
○ ...
● Automate and streamline scanning and run it often - as part of build pipelines
● The information should be consolidated, tracked and reported
● Handle vulnerabilities as any other software defects - “Shift Left” to reduce the cost of defects
8. Limitations of tools
● Automated web vulnerability scans run through a set of well-known attacks and look for well-known vulnerabilities and common mistakes
● Can't find holes in business logic
● Some types of vulnerabilities are difficult to detect, such as authentication problems and access control issues
● Understand what you are getting out of the tools and how much you can rely on them
9. Final thoughts
● Tools that require significant effort from developers will end up not being used
○ Long output with irrelevant information
● Handle false positives
● Do not introduce a new scan to pipelines without setting a baseline first
● Avoid disruption
● Roll out incrementally (one aspect at a time, get feedback while iterating)
● Do not stop with the automated security testing
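The vulnerability management slide asks for scan results to be consolidated and run inside the build pipeline, and the final thoughts ask for a baseline before a new scan is introduced, for false positives to be handled, and for rollout without disruption. The script below is an added example written for these notes, not code from the presentation or from any scanner: it normalizes the output of two hypothetical tools (one SAST, one SCA; the report shapes and all findings are constructed), fingerprints each finding, separates findings into new / baselined / suppressed, and fails the build only on new findings at or above a chosen severity. Tool names, rule ids, file paths and the `PLACEHOLDER-CVE-*` identifiers are all made up for the illustration.

```python
"""Consolidate scanner findings, apply a baseline plus a suppression list,
and gate the pipeline only on NEW findings above a severity threshold.
All scanner output and identifiers in this file are constructed samples."""
import hashlib
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    tool: str       # which scanner reported it (normalized name)
    rule: str       # tool-specific rule id or vulnerability id
    location: str   # file:line, or package@version for dependencies
    severity: str   # normalized to low / medium / high / critical
    title: str

    @property
    def fingerprint(self) -> str:
        # Stable identity across runs: the line number is dropped so a
        # finding is not reported as "new" just because code moved.
        path = self.location.split(":")[0]
        key = f"{self.tool}|{self.rule}|{path}"
        return hashlib.sha256(key.encode()).hexdigest()[:16]


def normalize_sast(report: dict) -> list[Finding]:
    # Hypothetical SAST JSON shape: {"results": [{rule_id, file, line, level, message}]}
    return [Finding("sast", r["rule_id"], f"{r['file']}:{r['line']}",
                    r["level"].lower(), r["message"]) for r in report["results"]]


def normalize_sca(report: dict) -> list[Finding]:
    # Hypothetical SCA JSON shape; CVSS score mapped onto the common buckets.
    out = []
    for v in report["vulnerabilities"]:
        s = v["cvss"]
        sev = "critical" if s >= 9 else "high" if s >= 7 else "medium" if s >= 4 else "low"
        out.append(Finding("sca", v["id"], f"{v['package']}@{v['version']}", sev, v["summary"]))
    return out


def build_baseline(findings: list[Finding]) -> set[str]:
    """First run of a new scan: record everything, fail nothing (the slide's 'baseline')."""
    return {f.fingerprint for f in findings}


def triage(findings: list[Finding], baseline: set[str], suppressions: dict[str, str]) -> dict:
    """Split consolidated findings into new / known (in baseline) / suppressed (accepted FP or risk)."""
    result = {"new": [], "known": [], "suppressed": []}
    seen: set[str] = set()
    for f in findings:
        fp = f.fingerprint
        if fp in seen:              # the same issue reported twice counts once
            continue
        seen.add(fp)
        if fp in suppressions:      # suppression carries a written justification
            result["suppressed"].append(f)
        elif fp in baseline:
            result["known"].append(f)
        else:
            result["new"].append(f)
    return result


def gate(triaged: dict, fail_on: str = "high") -> bool:
    """True if the build should fail: some NEW finding is at or above `fail_on`."""
    threshold = SEVERITY_RANK[fail_on]
    return any(SEVERITY_RANK[f.severity] >= threshold for f in triaged["new"])


# --- constructed sample reports (not real scanner output) ---
SAST_REPORT = {"results": [
    {"rule_id": "py.sql-string-format", "file": "app/db.py", "line": 42,
     "level": "HIGH", "message": "SQL query built with string formatting"},
    {"rule_id": "py.weak-hash", "file": "app/auth.py", "line": 10,
     "level": "MEDIUM", "message": "MD5 used for password hashing"},
    {"rule_id": "py.weak-hash", "file": "app/auth.py", "line": 10,
     "level": "MEDIUM", "message": "MD5 used for password hashing"},  # duplicate entry
]}
SCA_REPORT = {"vulnerabilities": [
    {"id": "PLACEHOLDER-CVE-1", "package": "examplelib", "version": "1.2.3",
     "cvss": 9.8, "summary": "constructed critical dependency issue"},
    {"id": "PLACEHOLDER-CVE-2", "package": "otherlib", "version": "0.9",
     "cvss": 5.0, "summary": "constructed medium dependency issue"},
]}


def run_pipeline_check() -> tuple[dict, bool]:
    """Consolidate both tools, apply a previous baseline and one suppression, gate the build."""
    findings = normalize_sast(SAST_REPORT) + normalize_sca(SCA_REPORT)
    # Baseline from an earlier run: the weak-hash finding was already tracked as a defect.
    baseline = {Finding("sast", "py.weak-hash", "app/auth.py", "medium", "").fingerprint}
    # Suppression reviewed by a human; the reason is stored next to the fingerprint.
    suppressions = {Finding("sca", "PLACEHOLDER-CVE-2", "otherlib@0.9", "medium", "").fingerprint:
                    "false positive: affected function is not reachable from our code"}
    triaged = triage(findings, baseline, suppressions)
    return triaged, gate(triaged, fail_on="high")


if __name__ == "__main__":
    t, fail = run_pipeline_check()
    for bucket, items in t.items():
        print(bucket, [(f.tool, f.rule, f.severity) for f in items])
    print("FAIL BUILD" if fail else "PASS")
```

Two behaviours worth noting: the first run of a new scanner should call `build_baseline()` and pass everything, so existing debt is tracked rather than blocking the next deploy, and suppressions are keyed by fingerprint with a recorded reason, so a false positive is handled once instead of being re-read on every run.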