
DevSecOps in Applications, Cloud, Artifacts

Carol
April 14, 2021


Secure development within the software development process, and applying security also to infrastructure as code and the other artifacts of the technologies we use.


Transcript

  1. "Static program analysis is the analysis of computer software that is performed without actually executing programs, in contrast with dynamic analysis, which is analysis performed on programs while they are executing." (Wikipedia; slide 19, deck by @krol_valencia)
  2. Cloud Security Top threats (slide 30):
     1. Data Breaches
     2. Misconfiguration
     3. DDoS Attacks
     4. Insufficient identity, credential, access and key management
     5. Account hijacking
     6. Man in the middle (MITM)
     7. Insecure interfaces and APIs
     8. Weak control plane
     9. Limited cloud usage visibility
     10. Abuse and nefarious use of cloud services
  3. CIS Benchmark (slide 34):
     - OS: configuration, updates, filesystem integrity, boot settings
     - Docker: docker/docker-bench-security
     - Kubernetes: aquasecurity/kube-bench, aquasecurity/kube-hunter
  4. "There is synergy in combining CWPP and CSPM capabilities … that scans workloads and configurations in development and protects workloads and configurations at runtime." (2020 Market Guide for CWPP, Apr. 2020, by Neil MacDonald and Tom Croll). Slide 35 shows CSPM and CWPP overlapping in DevSecOps.
  5. Resources (slide 36):
     - Gitlab:
       - https://docs.gitlab.com/ee/user/application_security/sast/
       - https://docs.gitlab.com/ee/user/application_security/dast/
       - https://about.gitlab.com/blog/2019/08/12/developer-intro-sast-dast/
     - Github:
       - https://github.com/features/security
       - https://help.github.com/en/github/managing-security-vulnerabilities
     - Node: https://owasp.org/www-project-node.js-goat/
     - Go: https://github.com/OWASP/Go-SCP
     - Free for Open Source Application Security Tools: https://owasp.org/www-community/Free_for_Open_Source_Application_Security_Tools
     - DevSecOps list: https://github.com/krol3/devsecops-resources
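Slide 1 defines static analysis as analysis performed without executing the program. The following is an added example (not from the deck or from any of the tools it lists) of what the smallest possible SAST rule set looks like: it parses Python source into an AST and flags calls that are risky by construction. The rule table, the helper names and the sample module are assumptions made for this illustration; the sample is parsed, never imported or run.

```python
"""Toy SAST: walk a Python AST and flag risky calls without running the code.

Added example for illustration; the rules below are an assumption, not a
complete or authoritative list.
"""
import ast

# (qualified call name, reason). Hypothetical rule set for this example.
DANGEROUS_CALLS = {
    "eval": "arbitrary code execution",
    "exec": "arbitrary code execution",
    "pickle.loads": "deserialization of untrusted data",
    "yaml.load": "unsafe YAML loader unless Loader is set",
}
SUBPROCESS_CALLS = {
    "subprocess.run", "subprocess.Popen", "subprocess.call", "subprocess.check_output",
}


def _qualified_name(node):
    """Return 'pkg.func' for Name/Attribute call targets, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualified_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _keyword(call, name):
    """Return the AST node passed as keyword `name`, or None if absent."""
    for kw in call.keywords:
        if kw.arg == name:
            return kw.value
    return None


def find_dangerous_calls(source: str):
    """Return sorted (line, finding) pairs for the given Python source text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _qualified_name(node.func)
        if name is None:
            continue
        if name in DANGEROUS_CALLS:
            # yaml.load with an explicit safe loader is acceptable.
            if name == "yaml.load":
                loader = _keyword(node, "Loader")
                if isinstance(loader, ast.Attribute) and loader.attr in ("SafeLoader", "CSafeLoader"):
                    continue
            findings.append((node.lineno, f"{name}: {DANGEROUS_CALLS[name]}"))
        elif name in SUBPROCESS_CALLS:
            shell = _keyword(node, "shell")
            if isinstance(shell, ast.Constant) and shell.value is True:
                findings.append((node.lineno, f"{name}: shell=True enables command injection"))
    return sorted(findings)


# Constructed sample input: a module that is only parsed, never executed.
SAMPLE = '''import subprocess, yaml, pickle

def handler(req):
    cfg = yaml.load(req["cfg"])                           # line 4: unsafe loader
    safe = yaml.load(req["cfg"], Loader=yaml.SafeLoader)  # line 5: fine
    subprocess.run("ls " + req["path"], shell=True)       # line 6: injection
    subprocess.run(["ls", req["path"]])                   # line 7: fine
    return eval(req["expr"])                              # line 8: eval
'''

if __name__ == "__main__":
    for line, finding in find_dangerous_calls(SAMPLE):
        print(f"{line}: {finding}")
```

Because nothing is executed, the analyser cannot know whether `req["expr"]` ever carries attacker input; that is exactly the trade-off the slide's definition draws between static and dynamic analysis, and why real SAST tools pair such rules with data-flow tracking to cut false positives.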
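Slide 3 lists the CIS benchmark scanners (docker-bench-security, kube-bench, kube-hunter); in a DevSecOps pipeline their output is only useful if something consumes it and decides whether the build may proceed. The following is an added example (not from the deck or from the kube-bench project) of such a gate over a kube-bench-style JSON report. The report structure (Controls, tests, results with test_number/status/scored/remediation) follows the `kube-bench --json` output as the author of this example understands it; treat the exact field names as an assumption and check them against the version you run. The report itself is constructed inline.

```python
"""CI gate over a CIS benchmark report in kube-bench JSON style.

Added example; field names are an assumption about kube-bench's --json output.
"""
import json

# Constructed sample report (not real scanner output).
SAMPLE_REPORT = json.dumps({
    "Controls": [{
        "id": "4", "text": "Worker Node Security Configuration", "node_type": "node",
        "tests": [{
            "section": "4.1", "desc": "Worker Node Configuration Files",
            "results": [
                {"test_number": "4.1.1", "test_desc": "kubelet service file permissions 644 or more restrictive",
                 "status": "PASS", "scored": True},
                {"test_number": "4.1.2", "test_desc": "kubelet service file ownership root:root",
                 "status": "FAIL", "scored": True, "remediation": "chown root:root <kubelet service file>"},
            ]}, {
            "section": "4.2", "desc": "Kubelet",
            "results": [
                {"test_number": "4.2.1", "test_desc": "--anonymous-auth argument is set to false",
                 "status": "FAIL", "scored": True, "remediation": "set --anonymous-auth=false"},
                {"test_number": "4.2.9", "test_desc": "--event-qps set to 0 or an appropriate level",
                 "status": "WARN", "scored": False},
            ]}]
    }]
})


def failed_checks(report_json: str, include_unscored: bool = False):
    """Return [(test_number, description, remediation)] for every FAIL result.

    Unscored checks are informational in the CIS benchmark and are skipped
    unless include_unscored is set.
    """
    report = json.loads(report_json)
    failures = []
    for control in report.get("Controls", []):
        for test in control.get("tests", []):
            for r in test.get("results", []):
                if r.get("status") != "FAIL":
                    continue
                if not r.get("scored", False) and not include_unscored:
                    continue
                failures.append((r["test_number"], r.get("test_desc", ""), r.get("remediation", "")))
    return failures


def gate(report_json: str, accepted_risks=frozenset(), max_failures: int = 0):
    """Decide whether the pipeline may continue.

    accepted_risks: test numbers with a documented, time-boxed exception.
    max_failures: how many other failures are tolerated (0 is the sane default).
    Returns (ok, blocking_failures).
    """
    blocking = [f for f in failed_checks(report_json) if f[0] not in accepted_risks]
    return len(blocking) <= max_failures, blocking


if __name__ == "__main__":
    import sys
    ok, blocking = gate(SAMPLE_REPORT, accepted_risks={"4.1.2"})
    for number, desc, fix in blocking:
        print(f"FAIL {number}: {desc} -> {fix}")
    sys.exit(0 if ok else 1)
```

The exception list is the part that matters operationally: without it, teams either disable the gate or let failures accumulate; with it, every skipped check is named, so the list can be reviewed and shrunk over time. The same shape works for docker-bench-security output once the field names are adjusted.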