SlideShare una empresa de Scribd logo

Making security-agile matt-tesauro

Descargar como ODP, PDF
M
Matt Tesauro

Software development is happening faster then ever. Can your AppSec program keep up? This talk shows how an AppSec pipeline can help speed things up.

Internet
1 de 54
Making Security as Agile as Dev: Adding DevOps and TDD to your security program Matt Tesauro OWASP San Antonio March 2015
Who am I? 4 months with Pearson Application Security Lead Engineer Prior to Pearson ● Rackspace - Lead Engineer, Product Security ● AppSec consulting o VP Services, Praetorian o Consultant Trustwave’s Spiderlabs ● TEA - Senior Security Engineer ● DIR - Penetration Tester ● Texas A&M University o Systems Analyst, Sys Admin, Developer, DBA o Lecturer in MIS department ● Viatel - Internet App Developer
Who am I? Other professional experience ● OWASP Live CD / OWASP WTE o Project lead 2008 to present o Over 300K downloads o http://appseclive.org ● OWASP Foundation Board of Directors o International charity focused on improving the security of software ● Multiple speaking engagements internationally at AppSec, DHS, ISC2, … conferences ● Application Security Training internationally
Making Security Agile
CI, CD, CD, TDD and API CI == Continuous Integration CD == Continuous Deployment CD == Continuous Delivery TDD == Test Driven Development API == Application Programming Interface
• Cycle time for software is getting shorter • Continuous delivery is a goal • Scanning windows are not viable • First mover / first to market advantage The Problem
The Problem – or at least more problems • Traditional software development left little time to test • DevOps, Agile and Continuous Delivery squeeze those windows even more • New languages and programming methods aren’t making this better • Growth of interpreted languages with loose typing hurts static analysis efforts • Few automated tools to test APIs especially RESTful APIs • Little time for any testing, manual testing is doomed
• Automated software testing • Automated operational infrastructure • Automated security testing THE SOLUTION
Think like a developer Sprints break software into little pieces… • Break your testing into little pieces • Use your threat model to know the crucial bits to test Long and short running tests • Testing time drives testing frequency • Code for tests needs to be optimized Smoke test versus full regression test • Smoke test early and often • Full regression tests on regular intervals
Maximize what you’ve got Make the most of your frameworks •Embrace, understand and fill gaps where necessary Make the best use of your time… • Make tests easily repeatable • Make tests easy to understand • Make tests abstract and combine-able • Ala carte tests for mixing and matching • Think about the Unix pipe | and its power
Under the constraints of DevOps, Continuous Deployment Your testing has to be nimble Dare I say…Agile In TDD, you know your code works when the tests pass In TD(S), you know your app has met the baseline when the tests pass Test Driven Development Security
A time to morn...
• Securing Infrastructure • Securing Apps and APIs • Securing Code Automate yourself into an agile state by...
Securing Infrastructure
Automating Infrastructure • Declarative configuration language • Plain-text configuration in source control • Fully programmatic, no manual interactions
Most of these work like... 1. Ad Hoc 2. Local runs 3. Hosted/SaaS 4. Private Hosted Node Node Node Node Node Node Node Node Node Node Node Node Node Node Node Sys Admin The Mother Ship
Cookbooks, Stacks, Playbooks, ... • Most have methods to bundle / share automation routines • You will have to write your own / customize • Good place to spend security cycles -Merge patches upstream for extra points.
Grouping & Tagging • Tagging your servers applies the required set of automation • A base set of for all servers • Each server can have multiple tags • Map tags to security requirements Node Node Node Node DB Node Node Node Node Cache Node Node Node Node Web Apache Monitoring MySql Memcache Works for Clouds Too!
Inspector – you need one • For each group and/or tag • Review the recipe, do a PR • Hook provisioning for post deploy review • Focus on checking for code compliance -Not perfection, bare minimums • Can include multiple facets -Security, Scalability, Compliance • Vuln scanners – manual or auto • Jenkins Job + Lynis (open source)
Agent – one mole to rule them all • Add an agent to the standard deploy • Read-only helps sell to SysAdmin • Looks at the state of the system • Reports the state to the “mothership” • Add a dashboard to visualize state of infrastructure • Change policy, servers go red • Watch the board go green as patches roll-out • Roll your own or find a vendor Mozilla MIG
Turn Vuln scanning on its head • Add value for your ops teams • Subscribe and parse vuln emails for key software • Get this info during threat models or config mgmt • Provide an early warning and remove panic from software updates • Roll your own or find a vendor • Gmail + filters can work surprisingly well • Secunia VIM covers 40K+ products • Reverse the scan then report standard
Securing Apps and APIs
Findings directly to bug trackers • PDFs are great, bugs are better • Work with developer teams to submit bugs • Security category needs to exist • Bonus points if the bug tracker has an API • Security issues are now part of the normal work flow • Beware of death by backlog • Occasional security sprints • Learn how the team treats issues • ThreadFix is nice for metrics and pumping issues into issue trackers - http://code.google.com/p/threadfix/
For the reticent: nag, nag, nag • Attach a SLA to each severity level for findings • Remediation plan vs Fixed • “Age” all findings against these SLAs • Politely warn when SLA dates are close • Walk up the Org chart as things get older • Bonus points for dashboards and bug tracker APIs • Get management sold first
Reports = Findings + Automation • Consider markup for findings • Markdown, Wiki Text, asciidoc • Pandoc to convert to whatever • HTML, PDF, .doc, .odt, ... • Keep testers writing the least possible • Template and re-use boiler plate items • New finding == new template for next time • Web app to keep things consistent • Push or Pull from Threadfix via API
Leverage existing consistencies • Requires consistent (generally automated) input • Find these and write some scripts • Automate the drudgery • Examples: • Automate finding/bug submission • Automate report PDF generation • API documentation to basic testing harness • Sec tool output – combine and convert
Securing Code
Start with the developers • Finding details have to be detailed enough to: • Reproduce the issue after 6 months • Allow QA/QE to test the issue • Allow developers to find/fix the issue • Consider quick and dirty scripts to reproduce issue • Script to abuse an API • Web page of reflective XSS findings • Gauntlt - http://gauntlt.org/ • Once findings start flowing, look for training requests
Cherry pick what you look at • Threat Models are your friends • Focus on weak, unclear or suspicious areas • Focus on connections with external systems • Focus on format translations (XML to JSON) • When code changes in those areas, • Red flag it for review • Change +2 to +3 to before accepting pull request • Use search features in source code management • Start a list of problematic methods, calls, etc
No False Positive, period. • If you can automate code review, you still must triage • 1 false positive == 100 valid bugs • If results aren't actionable, fail • Stick to diff analysis • Threat Modeling + “Scary Parts” + Code diffs == Quick triage of code changes • Automate where you can, iterate until you're happy • Need to build cred points with the dev teams
Quiet is better then wrong • Hire or befriend developers • Need to speak their language, not security's • Suggest requirements not implementation • Mitigation suggestions either generic or in the language the app is written in • Remember: Fast deploys also means fast fixes • Trying to shrink any vuln window not eliminate • Be prepared to retest / verify fix quickly
What is happening at Pearson?
Say hello to my little friend...
The AppSec Pipeline
Key Features of AppSec Pipelines • Designed for iterative improvement • Provides a reusable path for AppSec activities to follow • Provides a consistent process for both the team and our constituency • One way flow with well-defined states • Relies heavily on automation • Has the ability to grow in functionality organically over time • Gracefully interconnects with the development process
Spending time optimizing anything other than the critical resource is an illusion.
Key Goals of AppSec Pipelines • Optimize the critical resource - AppSec personnel • Automate all the things that don’t require a human brain • Drive up consistency • Increase tracking of work status • Increase flow through the system • Increase visibility and metrics • Reduce any dev team impedance with application security
Pipeline - Intake • “First Impression” • Major categories of Intake • Existing App • New App • Previously tested App • App to re-test findings • Key Concepts • Ask for data about Apps only once • Have data reviewed when an App returns • Adapt data collected based on broad categories of Apps
Pipeline – the Middle • Inbound request triage • Ala Carte App Sec • Dynamic Testing • Static Testing • Re-Testing mitigated findings • Mix and match based on risk • Key Concepts • Activities can be run in parallel • Automation on setup, configuration, data export • Focus on customization rather than setup
Pipeline – the End • Source of truth for all AppSec activities • ThreadFix is used to • Dedup / Consolidate findings • Normalize scanner data • Generate Metrics • Push issues to bug trackers • Report and metrics automation • REST + tfclient • Source of many touch points with external teams
Why we like AppSec Pipelines • Allow us to have visibility into WIP • Better understand/track/optimize flow of engagements • Average static test takes ... • Great increase in consistency • Easier re-allocation of engagements between staff • Each step has a well defined interface • Knowing who has what allows for more informed “cost of switching” conversations • Flexible enough for a range of skills and app maturity
Key Take Aways...
• Automate, automate, automate • Look for “paper cuts” and fix those first • Finding workflow • Figure this out and standardize / optimize • Create systems which can grow organically • App is never done, its just created to easily be added to over time • Finding blocks become templates for next time • Learn to talk “dev”
The AppSec Pipeline
Change is here and more is coming... "Whosoever desires constant success must change his conduct with the times." — Niccolo Machiavelli
Questions? Thank You
5 Stages of Grief This agile thing is a fad... Waterfall is the only way to produce quality software...
5 Stages of Grief There's no way I can test in that time frame... If I see another freaking sticky note...
5 Stages of Grief Well, I think I can test some of it in two days... I guess I can test it after its deployed to prod...
5 Stages of Grief After that launch, I updated my LinkedIn profile... Game over man, GAME OVER... (Thanks Aliens)
5 Stages of Grief So when can you add a story to work on that auth regression... After reviewing your deployment recipe, we filed a pull request to fix...

Recomendados

AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015Matt Tesauro
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt Tesauro
 
DevOps, CLI, APIs, Oh My! Security Gone Agile
DevOps, CLI, APIs, Oh My! Security Gone AgileDevOps, CLI, APIs, Oh My! Security Gone Agile
DevOps, CLI, APIs, Oh My! Security Gone AgileMatt Tesauro
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramAppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramMatt Tesauro
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterMatt Tesauro
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestMatt Tesauro
 
AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityMatt Tesauro
 
Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Matt Tesauro
 

Recomendados

AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015Matt Tesauro
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt Tesauro
 
DevOps, CLI, APIs, Oh My! Security Gone Agile
DevOps, CLI, APIs, Oh My! Security Gone AgileDevOps, CLI, APIs, Oh My! Security Gone Agile
DevOps, CLI, APIs, Oh My! Security Gone AgileMatt Tesauro
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramAppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramMatt Tesauro
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterMatt Tesauro
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestMatt Tesauro
 
AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityMatt Tesauro
 
Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Taking AppSec to 11 - BSides Austin 2016
Taking AppSec to 11 - BSides Austin 2016Matt Tesauro
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineMatt Tesauro
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
DevOps AppSec Pipeline Velcocity NY 2015
DevOps AppSec Pipeline Velcocity NY 2015DevOps AppSec Pipeline Velcocity NY 2015
DevOps AppSec Pipeline Velcocity NY 2015Aaron Weaver
 
SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6Dinis Cruz
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Matt Tesauro
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityMatt Tesauro
 
Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Matt Tesauro
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of ITCloudPassage
 
Continuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachMatt Tesauro
 
Automating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDAutomating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDrkadayam
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandMatt Tesauro
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam
 
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)Dinis Cruz
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with PythonAbhay Bhargav
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating SecurityAlex Stamos
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinMatt Tesauro
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityMatt Tesauro
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!Matt Tesauro
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneweaveraaaron
 
Merging Security with DevOps - An AppSec Perspective
Merging Security with DevOps - An AppSec PerspectiveMerging Security with DevOps - An AppSec Perspective
Merging Security with DevOps - An AppSec PerspectiveAbhay Bhargav
 
Desarrollando el Acceso a la Sociedad de la Información en América Latina: ...
Desarrollando el Acceso a la Sociedad de la Información en América Latina: ...Desarrollando el Acceso a la Sociedad de la Información en América Latina: ...
Desarrollando el Acceso a la Sociedad de la Información en América Latina: ...LEYAUTOEMPLEO
 
Mrst m4 portafolio actividad integradora
Mrst m4 portafolio actividad integradoraMrst m4 portafolio actividad integradora
Mrst m4 portafolio actividad integradoraMirii Serrano Torres
 

Más contenido relacionado

La actualidad más candente

Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineMatt Tesauro
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
DevOps AppSec Pipeline Velcocity NY 2015
DevOps AppSec Pipeline Velcocity NY 2015DevOps AppSec Pipeline Velcocity NY 2015
DevOps AppSec Pipeline Velcocity NY 2015Aaron Weaver
 
SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6Dinis Cruz
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Matt Tesauro
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityMatt Tesauro
 
Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Matt Tesauro
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of ITCloudPassage
 
Continuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachMatt Tesauro
 
Automating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDAutomating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDrkadayam
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandMatt Tesauro
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam
 
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)Dinis Cruz
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with PythonAbhay Bhargav
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating SecurityAlex Stamos
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinMatt Tesauro
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityMatt Tesauro
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!Matt Tesauro
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneweaveraaaron
 
Merging Security with DevOps - An AppSec Perspective
Merging Security with DevOps - An AppSec PerspectiveMerging Security with DevOps - An AppSec Perspective
Merging Security with DevOps - An AppSec PerspectiveAbhay Bhargav
 

La actualidad más candente (20)

Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec Pipeline
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
 
DevOps AppSec Pipeline Velcocity NY 2015
DevOps AppSec Pipeline Velcocity NY 2015DevOps AppSec Pipeline Velcocity NY 2015
DevOps AppSec Pipeline Velcocity NY 2015
 
SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security Sanity
 
Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of IT
 
Continuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's Reach
 
Automating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDAutomating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CD
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP Switzerland
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating Security
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into security
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
 
Merging Security with DevOps - An AppSec Perspective
Merging Security with DevOps - An AppSec PerspectiveMerging Security with DevOps - An AppSec Perspective
Merging Security with DevOps - An AppSec Perspective
 

Destacado

Desarrollando el Acceso a la Sociedad de la Información en América Latina: ...
Desarrollando el Acceso a la Sociedad de la Información en América Latina: ...Desarrollando el Acceso a la Sociedad de la Información en América Latina: ...
Desarrollando el Acceso a la Sociedad de la Información en América Latina: ...LEYAUTOEMPLEO
 
Mrst m4 portafolio actividad integradora
Mrst m4 portafolio actividad integradoraMrst m4 portafolio actividad integradora
Mrst m4 portafolio actividad integradoraMirii Serrano Torres
 
Resumen el quijote 3 capitulo
Resumen el quijote 3 capituloResumen el quijote 3 capitulo
Resumen el quijote 3 capituloyoquetu
 
Las redes sociales Facebook, Twitter y Youtube en el sector comercial
Las redes sociales Facebook, Twitter y Youtube en el sector comercialLas redes sociales Facebook, Twitter y Youtube en el sector comercial
Las redes sociales Facebook, Twitter y Youtube en el sector comercialAna López Marín
 
Emprendimiento tecno hospital mejorada
Emprendimiento tecno hospital mejoradaEmprendimiento tecno hospital mejorada
Emprendimiento tecno hospital mejoradaLiilo Zq
 
Adliner_adinch_eng
Adliner_adinch_engAdliner_adinch_eng
Adliner_adinch_engadliner
 
Trabajo de halloween mariel
Trabajo de halloween marielTrabajo de halloween mariel
Trabajo de halloween mariel6cdigital
 
Guia CIC v1.0
Guia CIC v1.0Guia CIC v1.0
Guia CIC v1.0Itx
 
Tips for Defining Your Brand Voice
Tips for Defining Your Brand VoiceTips for Defining Your Brand Voice
Tips for Defining Your Brand VoiceSharyn Sheldon
 
Seguridad Informacion Laura
Seguridad Informacion LauraSeguridad Informacion Laura
Seguridad Informacion Lauramlaumolina
 
Herramientas 'low cost' y técnicas sencillas para comunicar en Internet
Herramientas 'low cost' y técnicas sencillas para comunicar en InternetHerramientas 'low cost' y técnicas sencillas para comunicar en Internet
Herramientas 'low cost' y técnicas sencillas para comunicar en InternetAlvaro Pareja
 
HawkinsFoundHalfPageFlyer
HawkinsFoundHalfPageFlyerHawkinsFoundHalfPageFlyer
HawkinsFoundHalfPageFlyerDonald Hawkins
 
El halcón común o peregrinos
El halcón común o peregrinosEl halcón común o peregrinos
El halcón común o peregrinosNela Torres
 
S'cool Agenda 2007/2008
S'cool Agenda 2007/2008S'cool Agenda 2007/2008
S'cool Agenda 2007/2008Thomas Müller
 
Hauseinfuehrung deutsch
Hauseinfuehrung deutschHauseinfuehrung deutsch
Hauseinfuehrung deutschEUROPAGES
 
El arte de ser vago: Clean Code
El arte de ser vago: Clean CodeEl arte de ser vago: Clean Code
El arte de ser vago: Clean CodeCamilo Galiana
 

Destacado (20)

Desarrollando el Acceso a la Sociedad de la Información en América Latina: ...
Desarrollando el Acceso a la Sociedad de la Información en América Latina: ...Desarrollando el Acceso a la Sociedad de la Información en América Latina: ...
Desarrollando el Acceso a la Sociedad de la Información en América Latina: ...
 
Mrst m4 portafolio actividad integradora
Mrst m4 portafolio actividad integradoraMrst m4 portafolio actividad integradora
Mrst m4 portafolio actividad integradora
 
Internet
InternetInternet
Internet
 
Resumen el quijote 3 capitulo
Resumen el quijote 3 capituloResumen el quijote 3 capitulo
Resumen el quijote 3 capitulo
 
Las redes sociales Facebook, Twitter y Youtube en el sector comercial
Las redes sociales Facebook, Twitter y Youtube en el sector comercialLas redes sociales Facebook, Twitter y Youtube en el sector comercial
Las redes sociales Facebook, Twitter y Youtube en el sector comercial
 
Emprendimiento tecno hospital mejorada
Emprendimiento tecno hospital mejoradaEmprendimiento tecno hospital mejorada
Emprendimiento tecno hospital mejorada
 
58808744 ferreteria-tesis
58808744 ferreteria-tesis58808744 ferreteria-tesis
58808744 ferreteria-tesis
 
Adliner_adinch_eng
Adliner_adinch_engAdliner_adinch_eng
Adliner_adinch_eng
 
edna uses Moodle
edna uses Moodleedna uses Moodle
edna uses Moodle
 
Trabajo de halloween mariel
Trabajo de halloween marielTrabajo de halloween mariel
Trabajo de halloween mariel
 
Guia CIC v1.0
Guia CIC v1.0Guia CIC v1.0
Guia CIC v1.0
 
Tips for Defining Your Brand Voice
Tips for Defining Your Brand VoiceTips for Defining Your Brand Voice
Tips for Defining Your Brand Voice
 
Células nk2
Células nk2Células nk2
Células nk2
 
Seguridad Informacion Laura
Seguridad Informacion LauraSeguridad Informacion Laura
Seguridad Informacion Laura
 
Herramientas 'low cost' y técnicas sencillas para comunicar en Internet
Herramientas 'low cost' y técnicas sencillas para comunicar en InternetHerramientas 'low cost' y técnicas sencillas para comunicar en Internet
Herramientas 'low cost' y técnicas sencillas para comunicar en Internet
 
HawkinsFoundHalfPageFlyer
HawkinsFoundHalfPageFlyerHawkinsFoundHalfPageFlyer
HawkinsFoundHalfPageFlyer
 
El halcón común o peregrinos
El halcón común o peregrinosEl halcón común o peregrinos
El halcón común o peregrinos
 
S'cool Agenda 2007/2008
S'cool Agenda 2007/2008S'cool Agenda 2007/2008
S'cool Agenda 2007/2008
 
Hauseinfuehrung deutsch
Hauseinfuehrung deutschHauseinfuehrung deutsch
Hauseinfuehrung deutsch
 
El arte de ser vago: Clean Code
El arte de ser vago: Clean CodeEl arte de ser vago: Clean Code
El arte de ser vago: Clean Code
 

Similar a Making security-agile matt-tesauro

AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
Preparing for DevOps
Preparing for DevOpsPreparing for DevOps
Preparing for DevOpsEklove Mohan
 
ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical ApproachJeremy Brown
 
5 Steps to Jump Start Your Test Automation
5 Steps to Jump Start Your Test Automation5 Steps to Jump Start Your Test Automation
5 Steps to Jump Start Your Test AutomationSauce Labs
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchSpencer Koch
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeLessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeMatt Tesauro
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Toolscentralohioissa
 
The Continuous delivery value - Funaro
The Continuous delivery value - FunaroThe Continuous delivery value - Funaro
The Continuous delivery value - FunaroCodemotion
 
The Continuous delivery Value @ codemotion 2014
The Continuous delivery Value @ codemotion 2014The Continuous delivery Value @ codemotion 2014
The Continuous delivery Value @ codemotion 2014David Funaro
 
The QA/Testing Process
The QA/Testing ProcessThe QA/Testing Process
The QA/Testing ProcessSynerzip
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldRogue Wave Software
 
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald BelchamGetting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham.NET Conf UY
 
CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...
CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...
CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...PROIDEA
 
Supply Chain Security for Developers.pdf
Supply Chain Security for Developers.pdfSupply Chain Security for Developers.pdf
Supply Chain Security for Developers.pdfssuserc5b30e
 
Agile & DevOps - It's all about project success
Agile & DevOps - It's all about project successAgile & DevOps - It's all about project success
Agile & DevOps - It's all about project successAdam Stephensen
 
A journey into Application Security
A journey into Application SecurityA journey into Application Security
A journey into Application SecurityChristian Martorella
 

Similar a Making security-agile matt-tesauro (20)

AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Preparing for DevOps
Preparing for DevOpsPreparing for DevOps
Preparing for DevOps
 
Enterprise PHP
Enterprise PHPEnterprise PHP
Enterprise PHP
 
ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical Approach
 
5 Steps to Jump Start Your Test Automation
5 Steps to Jump Start Your Test Automation5 Steps to Jump Start Your Test Automation
5 Steps to Jump Start Your Test Automation
 
Keeping up with PHP
Keeping up with PHPKeeping up with PHP
Keeping up with PHP
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeLessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec Life
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
 
The Continuous delivery value - Funaro
The Continuous delivery value - FunaroThe Continuous delivery value - Funaro
The Continuous delivery value - Funaro
 
The Continuous delivery Value @ codemotion 2014
The Continuous delivery Value @ codemotion 2014The Continuous delivery Value @ codemotion 2014
The Continuous delivery Value @ codemotion 2014
 
The QA/Testing Process
The QA/Testing ProcessThe QA/Testing Process
The QA/Testing Process
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Outpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOpsOutpost24 webinar: Turning DevOps and security into DevSecOps
Outpost24 webinar: Turning DevOps and security into DevSecOps
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald BelchamGetting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
 
CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...
CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...
CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...
 
Supply Chain Security for Developers.pdf
Supply Chain Security for Developers.pdfSupply Chain Security for Developers.pdf
Supply Chain Security for Developers.pdf
 
Agile & DevOps - It's all about project success
Agile & DevOps - It's all about project successAgile & DevOps - It's all about project success
Agile & DevOps - It's all about project success
 
A journey into Application Security
A journey into Application SecurityA journey into Application Security
A journey into Application Security
 

Más de Matt Tesauro

Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Matt Tesauro
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
 
Practical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsPractical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsMatt Tesauro
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesMatt Tesauro
 
Landmines in the API Landscape
Landmines in the API LandscapeLandmines in the API Landscape
Landmines in the API LandscapeMatt Tesauro
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingMatt Tesauro
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.Matt Tesauro
 
Running FaaS with Scissors
Running FaaS with ScissorsRunning FaaS with Scissors
Running FaaS with ScissorsMatt Tesauro
 
Dev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroDev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroMatt Tesauro
 
Testing at-cloud-speed sans-app-sec-austin-2013
Testing at-cloud-speed sans-app-sec-austin-2013Testing at-cloud-speed sans-app-sec-austin-2013
Testing at-cloud-speed sans-app-sec-austin-2013Matt Tesauro
 
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012Matt Tesauro
 

Más de Matt Tesauro (11)

Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
 
Practical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsPractical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful Programs
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
 
Landmines in the API Landscape
Landmines in the API LandscapeLandmines in the API Landscape
Landmines in the API Landscape
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security Testing
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.
 
Running FaaS with Scissors
Running FaaS with ScissorsRunning FaaS with Scissors
Running FaaS with Scissors
 
Dev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroDev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauro
 
Testing at-cloud-speed sans-app-sec-austin-2013
Testing at-cloud-speed sans-app-sec-austin-2013Testing at-cloud-speed sans-app-sec-austin-2013
Testing at-cloud-speed sans-app-sec-austin-2013
 
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
 

Último

Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...tanu pandey
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663Call Girls Mumbai
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...Escorts Call Girls
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.soniya singh
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableSeo
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Call Girls in Nagpur High Profile
 

Último (20)

Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
 
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in DubaiRussian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
 
@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 

Making security-agile matt-tesauro

  • 1. Making Security as Agile as Dev: Adding DevOps and TDD to your security program Matt Tesauro OWASP San Antonio March 2015
  • 2. Who am I? 4 months with Pearson Application Security Lead Engineer Prior to Pearson ● Rackspace - Lead Engineer, Product Security ● AppSec consulting o VP Services, Praetorian o Consultant Trustwave’s Spiderlabs ● TEA - Senior Security Engineer ● DIR - Penetration Tester ● Texas A&M University o Systems Analyst, Sys Admin, Developer, DBA o Lecturer in MIS department ● Viatel - Internet App Developer
  • 3. Who am I? Other professional experience ● OWASP Live CD / OWASP WTE o Project lead 2008 to present o Over 300K downloads o http://appseclive.org ● OWASP Foundation Board of Directors o International charity focused on improving the security of software ● Multiple speaking engagements internationally at AppSec, DHS, ISC2, … conferences ● Application Security Training internationally
  • 5. CI, CD, CD, TDD and API CI == Continuous Integration CD == Continuous Deployment CD == Continuous Delivery TDD == Test Driven Development API == Application Programming Interface
  • 6. • Cycle time for software is getting shorter • Continuous delivery is a goal • Scanning windows are not viable • First mover / first to market advantage The Problem
  • 7. The Problem – or at least more problems • Traditional software development left little time to test • DevOps, Agile and Continuous Delivery squeeze those windows even more • New languages and programming methods aren’t making this better • Growth of interpreted languages with loose typing hurts static analysis efforts • Few automated tools to test APIs especially RESTful APIs • Little time for any testing, manual testing is doomed
  • 8. • Automated software testing • Automated operational infrastructure • Automated security testing THE SOLUTION
  • 9. Think like a developer Sprints break software into little pieces… • Break your testing into little pieces • Use your threat model to know the crucial bits to test Long and short running tests • Testing time drives testing frequency • Code for tests needs to be optimized Smoke test versus full regression test • Smoke test early and often • Full regression tests on regular intervals
  • 10. Maximize what you’ve got Make the most of your frameworks •Embrace, understand and fill gaps where necessary Make the best use of your time… • Make tests easily repeatable • Make tests easy to understand • Make tests abstract and combine-able • Ala carte tests for mixing and matching • Think about the Unix pipe | and its power
  • 11. Under the constraints of DevOps, Continuous Deployment Your testing has to be nimble Dare I say…Agile In TDD, you know your code works when the tests pass In TD(S), you know your app has met the baseline when the tests pass Test Driven Development Security
  • 12. A time to morn...
  • 13. • Securing Infrastructure • Securing Apps and APIs • Securing Code Automate yourself into an agile state by...
  • 15. Automating Infrastructure • Declarative configuration language • Plain-text configuration in source control • Fully programmatic, no manual interactions
  • 16. Most of these work like... 1. Ad Hoc 2. Local runs 3. Hosted/SaaS 4. Private Hosted Node Node Node Node Node Node Node Node Node Node Node Node Node Node Node Sys Admin The Mother Ship
  • 17. Cookbooks, Stacks, Playbooks, ... • Most have methods to bundle / share automation routines • You will have to write your own / customize • Good place to spend security cycles -Merge patches upstream for extra points.
  • 18. Grouping & Tagging • Tagging your servers applies the required set of automation • A base set of for all servers • Each server can have multiple tags • Map tags to security requirements Node Node Node Node DB Node Node Node Node Cache Node Node Node Node Web Apache Monitoring MySql Memcache Works for Clouds Too!
  • 19. Inspector – you need one • For each group and/or tag • Review the recipe, do a PR • Hook provisioning for post deploy review • Focus on checking for code compliance -Not perfection, bare minimums • Can include multiple facets -Security, Scalability, Compliance • Vuln scanners – manual or auto • Jenkins Job + Lynis (open source)
  • 20. Agent – one mole to rule them all • Add an agent to the standard deploy • Read-only helps sell to SysAdmin • Looks at the state of the system • Reports the state to the “mothership” • Add a dashboard to visualize state of infrastructure • Change policy, servers go red • Watch the board go green as patches roll-out • Roll your own or find a vendor Mozilla MIG
  • 21. Turn Vuln scanning on its head • Add value for your ops teams • Subscribe and parse vuln emails for key software • Get this info during threat models or config mgmt • Provide an early warning and remove panic from software updates • Roll your own or find a vendor • Gmail + filters can work surprisingly well • Secunia VIM covers 40K+ products • Reverse the scan then report standard
  • 23. Findings directly to bug trackers • PDFs are great, bugs are better • Work with developer teams to submit bugs • Security category needs to exist • Bonus points if the bug tracker has an API • Security issues are now part of the normal work flow • Beware of death by backlog • Occasional security sprints • Learn how the team treats issues • ThreadFix is nice for metrics and pumping issues into issue trackers - http://code.google.com/p/threadfix/
  • 24. For the reticent: nag, nag, nag • Attach a SLA to each severity level for findings • Remediation plan vs Fixed • “Age” all findings against these SLAs • Politely warn when SLA dates are close • Walk up the Org chart as things get older • Bonus points for dashboards and bug tracker APIs • Get management sold first
  • 25. Reports = Findings + Automation • Consider markup for findings • Markdown, Wiki Text, asciidoc • Pandoc to convert to whatever • HTML, PDF, .doc, .odt, ... • Keep testers writing the least possible • Template and re-use boiler plate items • New finding == new template for next time • Web app to keep things consistent • Push or Pull from Threadfix via API
  • 26. Leverage existing consistencies • Requires consistent (generally automated) input • Find these and write some scripts • Automate the drudgery • Examples: • Automate finding/bug submission • Automate report PDF generation • API documentation to basic testing harness • Sec tool output – combine and convert
  • 28. Start with the developers • Finding details have to be detailed enough to: • Reproduce the issue after 6 months • Allow QA/QE to test the issue • Allow developers to find/fix the issue • Consider quick and dirty scripts to reproduce issue • Script to abuse an API • Web page of reflective XSS findings • Gauntlt - http://gauntlt.org/ • Once findings start flowing, look for training requests
  • 29. Cherry pick what you look at • Threat Models are your friends • Focus on weak, unclear or suspicious areas • Focus on connections with external systems • Focus on format translations (XML to JSON) • When code changes in those areas, • Red flag it for review • Change +2 to +3 to before accepting pull request • Use search features in source code management • Start a list of problematic methods, calls, etc
  • 30. No False Positive, period. • If you can automate code review, you still must triage • 1 false positive == 100 valid bugs • If results aren't actionable, fail • Stick to diff analysis • Threat Modeling + “Scary Parts” + Code diffs == Quick triage of code changes • Automate where you can, iterate until you're happy • Need to build cred points with the dev teams
  • 31. Quiet is better then wrong • Hire or befriend developers • Need to speak their language, not security's • Suggest requirements not implementation • Mitigation suggestions either generic or in the language the app is written in • Remember: Fast deploys also means fast fixes • Trying to shrink any vuln window not eliminate • Be prepared to retest / verify fix quickly
  • 33. Say hello to my little friend...
  • 35. Key Features of AppSec Pipelines • Designed for iterative improvement • Provides a reusable path for AppSec activities to follow • Provides a consistent process for both the team and our constituency • One way flow with well-defined states • Relies heavily on automation • Has the ability to grow in functionality organically over time • Gracefully interconnects with the development process
  • 36. Spending time optimizing anything other than the critical resource is an illusion.
  • 37. Key Goals of AppSec Pipelines • Optimize the critical resource - AppSec personnel • Automate all the things that don’t require a human brain • Drive up consistency • Increase tracking of work status • Increase flow through the system • Increase visibility and metrics • Reduce any dev team impedance with application security
  • 38. Pipeline - Intake • “First Impression” • Major categories of Intake • Existing App • New App • Previously tested App • App to re-test findings • Key Concepts • Ask for data about Apps only once • Have data reviewed when an App returns • Adapt data collected based on broad categories of Apps
  • 39. Pipeline – the Middle • Inbound request triage • Ala Carte App Sec • Dynamic Testing • Static Testing • Re-Testing mitigated findings • Mix and match based on risk • Key Concepts • Activities can be run in parallel • Automation on setup, configuration, data export • Focus on customization rather than setup
  • 40. Pipeline – the End • Source of truth for all AppSec activities • ThreadFix is used to • Dedup / Consolidate findings • Normalize scanner data • Generate Metrics • Push issues to bug trackers • Report and metrics automation • REST + tfclient • Source of many touch points with external teams
  • 41. Why we like AppSec Pipelines • Allow us to have visibility into WIP • Better understand/track/optimize flow of engagements • Average static test takes ... • Great increase in consistency • Easier re-allocation of engagements between staff • Each step has a well defined interface • Knowing who has what allows for more informed “cost of switching” conversations • Flexible enough for a range of skills and app maturity
  • 43. • Automate, automate, automate • Look for “paper cuts” and fix those first • Finding workflow • Figure this out and standardize / optimize • Create systems which can grow organically • App is never done, its just created to easily be added to over time • Finding blocks become templates for next time • Learn to talk “dev”
  • 44.
  • 45.
  • 46.
  • 48. Change is here and more is coming... "Whosoever desires constant success must change his conduct with the times." — Niccolo Machiavelli
  • 50. 5 Stages of Grief This agile thing is a fad... Waterfall is the only way to produce quality software...
  • 51. 5 Stages of Grief There's no way I can test in that time frame... If I see another freaking sticky note...
  • 52. 5 Stages of Grief Well, I think I can test some of it in two days... I guess I can test it after its deployed to prod...
  • 53. 5 Stages of Grief After that launch, I updated my LinkedIn profile... Game over man, GAME OVER... (Thanks Aliens)
  • 54. 5 Stages of Grief So when can you add a story to work on that auth regression... After reviewing your deployment recipe, we filed a pull request to fix...