Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ToorCon 2017 - How To Move Mountains

Aaron Hnatiw
September 02, 2017
Technology
0
88

ToorCon 2017 - How To Move Mountains

Presenting a framework for building an AppSec program in a DevOps environment; specifically one that is moving towards CI/CD.

Abstract:
Pentesters are tired of breaking things, writing a report, and walking away. Security teams are caught in a backlog that prevents them from ever staying ahead. Developers curse security for slowing them down. How can we address these seemingly incompatible and insurmountable issues in an organization, especially at scale? The answer to this may be found in a practice called "DevSecOps" that has been gaining momentum in large organizations that need to move fast and ensure a high level of security across their applications and operations. It is a practice that attempts to address all of these issues through two core principles- automation and education. Using experience gained from working with several large fortune 500 companies, this talk will cover the basics of DevSecOps, and dive into specific tools and processes that organizations of any size can implement to immediately improve their speed of delivery while maintaining a strong and measurable security baseline.

Aaron Hnatiw

September 02, 2017
Tweet

More Decks by Aaron Hnatiw

See All by Aaron Hnatiw
DerbyCon 2017 - Hacking Blockchains
insp3ctre
0
1.2k
CircleCityCon 2017 - Security Training: Making your weakest link the strongest
insp3ctre
0
41
Racing the Web - Hackfest 2016
insp3ctre
1
200

Other Decks in Technology

See All in Technology
データベース03: 関係データモデル
trycycle
0
100
ワールドカフェI /チューターを改良する / World Café I and Improving the Tutors
ks91
PRO
0
150
開発パフォーマンスを最大化するための開発体制
ham0215
7
1.1k
20分で完全に理解するGrafanaダッシュボード
hamadakoji
5
900
いいたいことちゃんという
tkengo
0
240
【NW X Security JAWS#3】L3-4:AWS環境のIPv6移行に向けて知っておきたいこと
shotashiratori
1
670
リテール金融(キャッシュレス・ネット銀行・ネット証券)の競争環境と経済圏
8maki
0
1.6k
Tellus の衛星データを見てみよう #mf_fukuoka
kongmingstrap
0
280
Building a RAG-powered AI chat app with Python and VS Code
pamelafox
0
160
KubeConにproposalを送りたい人へのアドバイス
sat
PRO
3
270
Microsoft for Startups Founders Hub_20240429 update
daikikanemitsu
1
2.4k
Amplify 🩷 Bedrock 〜生成AI入門〜
minorun365
PRO
8
890

Featured

See All Featured
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
13
8.3k
The Art of Programming - Codeland 2020
erikaheidi
43
12k
Web Components: a chance to create the future
zenorocha
306
41k
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.7k
Fashionably flexible responsive web design (full day workshop)
malarkey
398
65k
Build The Right Thing And Hit Your Dates
maggiecrowley
25
2k
The Brand Is Dead. Long Live the Brand.
mthomps
49
29k
StorybookのUI Testing Handbookを読んだ
zakiyama
13
4.6k
What the flash - Photography Introduction
edds
64
11k
Designing for humans not robots
tammielis
247
25k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
Adopting Sorbet at Scale
ufuk
69
8.6k

Transcript

  1. How To Move Mountains Aaron Hnatiw [email protected] Twitter: @insp3ctre www.securitycompass.com

  2. Senior Security Researcher, Security Compass Aaron Hnatiw • College professor

    of application security • Developer • System administrator • Security consultant • Network security engineer Twitter: @insp3ctre

  3. What is this talk about?

  4. DevOps: the solution is the problem (for security)

  5. DevOps: The solution

  6. Speed of business

  7. Developers == QA, operations, security

  8. Waterfall SDLC > agile > CI/CD

  9. None
  10. None

  11. DevOps: The problem

  12. Security as gatekeepers

  13. 100:10:1

  14. None
  15. None

  16. DevOps && Security

  17. Gatekeepers

  18. Implementation

  19. Education

  20. Belt Program

  21. Security Champions

  22. Centre of Excellence

  23. Continuous Learning

  24. 1. Threat modelling

  25. 2. Regular check-ins

  26. 3. Open office

  27. 4. Maintain interest

  28. Continuous Learning 1.Threat modelling 2.Regular check-ins 3.Open office 4.Maintain interest

  29. Automation

  30. Build custom tooling

  31. None

  32. + Application Security Engineer

  33. Start small

  34. Modular tools

  35. Fool me twice...

  36. Unit tests

  37. Infrastructure as code

  38. Pentests++

  39. None

  40. Tuning

  41. API

  42. WHERE DO I START?

  43. WHERE TO START ▸ SD Elements ▸ OWASP Top 10

    Cheat Sheet ▸ CWE/SANS Top 25 Most Dangerous Software Errors ▸ Again- old findings and mistakes

  44. WHERE TO START (OTHER TOOLS) ▸ Lemur (Netflix): https://github.com/Netflix/lemur ▸

    Repokid (Netflix): https://github.com/Netflix/repokid ▸ Simian Army (Netflix): https://github.com/Netflix/SimianArmy ▸ Phan (Etsy): https://github.com/etsy/phan ▸ Elastalert (Yelp): https://github.com/Yelp/elastalert ▸ Brakeman: http://brakemanscanner.org/ ▸ Twitter uses this and hired the developer

  45. WHERE TO START (AWS) ▸ AWS CodePipeline ▸ AWS Inspector

    ▸ CloudFormation ▸ AWS Config ▸ AWS CloudWatch Events ▸ Action with Lambda

  46. ▸ Education ▸ Developers are being asked to write code

    securely. Enable this through Continuous Learning (CI/CD... CL!) ▸ Automation ▸ Build an integrated system that finds security issues easily and automatically, with actionable results ▸ Remediation ▸ CI/CD allows us to push out security fixes faster than ever before Education + Automation = Remediation Aaron Hnatiw [email protected] Twitter: @insp3ctre www.securitycompass.com