DevSec - build security in and dance like a pro!
How to build security in? How to perform the DevSec dance? Presentation from Tampere Goes Agile 2017.
DEVsec OPsec
Tampere Goes Agile 2017
Antti.virtanen@solita.fi --//-- @Anakondantti

“THEY” ARE AFTER YOU
WHO? WHY?

BECAUSE LULZ
BECAUSE MONEY

HOW DO “THEY” GET IN?

CYBER CRIME 2010-2020

.. FUNNY LIKE NPM INSTALL

http://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry
WAT?
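The crossenv package linked above was a look-alike of the legitimate cross-env package, and its code ran from an npm install-time lifecycle script rather than from anything the application called. The following is an added example, not code from the talk or from the linked demo repository: a Node.js pre-install check that flags dependency names sitting within two edits of a hand-picked list of well-known packages, and lists the install-time scripts declared in a dependency's own manifest. The popular-package list, the sample package.json and the sample dependency manifest are constructed for the example, and the edit-distance threshold is a heuristic, not an npm rule.

```javascript
// Added example (not from the talk): pre-install checks against npm typosquats
// and install-time lifecycle scripts. All sample data below is constructed.

// Assumption: a hand-picked list of well-known package names to compare against.
// In practice this would be generated from download statistics or an allow-list.
const POPULAR_PACKAGES = ['cross-env', 'express', 'lodash', 'babel-cli', 'mongoose', 'react'];

// Lifecycle scripts npm runs automatically when a registry dependency is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Constructed package.json for a demo app. "crossenv" mirrors the 2017 look-alike
// of cross-env referenced in the talk; the version strings are illustrative.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'demo-app',
  dependencies: { express: '^4.15.0', crossenv: '^6.1.1', lodash: '^4.17.4' },
  devDependencies: { 'babel-cli': '^6.26.0' },
});

// Constructed manifest of one installed dependency that declares a postinstall hook.
const SAMPLE_DEP_MANIFEST = {
  name: 'crossenv',
  version: '6.1.1',
  scripts: { postinstall: 'node package-setup.js' },
};

// Levenshtein distance computed with a single rolling row.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];          // dp[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];     // dp[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Strip an npm scope ("@org/name" -> "name") so scoped packages are compared by bare name.
function bareName(name) {
  return name.replace(/^@[^/]+\//, '');
}

// Flag a name that is not itself a known package but sits within two edits of one.
function nameRisk(name, popular = POPULAR_PACKAGES) {
  const bare = bareName(name);
  if (popular.includes(bare)) return null;
  for (const known of popular) {
    const distance = editDistance(bare, known);
    if (distance <= 2) return { name, lookalikeOf: known, distance };
  }
  return null;
}

// Audit every runtime and dev dependency declared in a package.json string.
function auditManifest(packageJson, popular = POPULAR_PACKAGES) {
  const pkg = JSON.parse(packageJson);
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.keys(declared)
    .map((name) => nameRisk(name, popular))
    .filter((finding) => finding !== null);
}

// List the install-time scripts a dependency's own manifest would make npm run.
function installHooks(depManifest) {
  const scripts = depManifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => hook in scripts)
    .map((hook) => ({ hook, command: scripts[hook] }));
}

console.log('look-alike names:', auditManifest(SAMPLE_PACKAGE_JSON));
console.log('install hooks in crossenv:', installHooks(SAMPLE_DEP_MANIFEST));
```

Run a check like this in the pipeline before `npm install`, or install with `npm install --ignore-scripts` and review the flagged hooks by hand. The edit-distance heuristic will produce false positives for legitimately similar names, so treat its output as a review queue rather than a block list.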
CLOUD! AWESOME! AGILE!

A FIX IS IMMINENT, I PRESUME

RED TEAMING
IDS & SIEM
WAF

JUST #DEVSEC + #OPSEC = #DEVSECOPS ?

DEVSEC MATURITY – SOLITA SCALE (1-5)

LEVEL 1, INTRO 👣
› Clear responsibility for security.
› Controlled process for access.
› Define policy and process.
› Make sure people follow it.
› Motivate. Explain the reasons.

LEVEL 2, BEGINNER 👣
› Tackle OWASP Top 10.
› Perform threat analysis.
› Invest in learning and education.
› Practice.
› Involve customers.

LEVEL 3, DANCING 👣
› Audit logs.
› Process & environment audit.
› Secure programming
  • Especially system integrations.
› Define processes. Improve.
› Create templates.
› Involve customers.

PRO TIP: ATTACK YOURSELF TODAY!

LEVEL 4, TOOLS 👣 👞 👢
› Penetration testing.
› Automated vulnerability scans.
› Automated test cases for security.
› Get hackers.
› Get tools.
› Practice.

PRO TIP: GROW HACKERS! HIRING IS DIFFICULT

LEVEL 5, LIKE A PRO 🐾
› Practice incident response.
› Hardened environments.
› Start a bug bounty.
  • (if appropriate)
› Form an incident response team.
› Go easy with the bug bounty at first.

DEVSEC – BUILD SECURITY IN!
Let’s get technical!

DEVSEC IS A TEAM EFFORT

https://github.com/lokori/docker-devsec-demo

Dev / Sec / Ops / Client / Manager
› Fix your processes!
› Find developers with a hacker mind.
› Invest in people, not tools.
› Leverage DevOps & automate.

FURTHER MATERIAL
› Security Pipeline PoC: https://github.com/lokori/docker-devsec-demo
› OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
› Cyber security testing, reference: https://github.com/solita/kyberoppi
› Why and how web app security fails: https://www.slideshare.net/Solita_Oy/webapp-securitytut2017
› MOOC course on hacking and security: https://cybersecuritybase.github.io/
› Microsoft SDL: https://www.microsoft.com/en-us/sdl/

TOOLS AND PLATFORMS
› HackerOne (Bug Bounty platform): https://www.hackerone.com/
› BugCrowd (Bug Bounty platform): https://www.bugcrowd.com/
› OSCP (proof of skills): https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/
› Kali Linux: https://www.kali.org/
› ZAP Proxy: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
› Burp Proxy: https://portswigger.net/burp
› Metasploit: https://www.metasploit.com/