Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Continuous Security
Search
Laura Bell
September 01, 2015
Technology
3
1k
Continuous Security
Presented at AgileNZ by Laura Bell
Laura Bell
September 01, 2015
Tweet
Share
More Decks by Laura Bell
See All by Laura Bell
DIY security for the amateur superhero
ladynerd
0
200
Hackcon 11 - Protecting our people
ladynerd
0
210
Security in a container based world
ladynerd
0
130
Securing Microservice Architectures
ladynerd
2
330
Better Connected
ladynerd
0
49
Automated Human Vulnerability Scanning with AVA
ladynerd
3
2.6k
Blindsided by security
ladynerd
0
77
Practical tools for privacy audit
ladynerd
0
160
For the greater good? Open sourcing weaponisable code
ladynerd
1
290
Other Decks in Technology
See All in Technology
JBUG岡山 #6 WordCamp男木島の チームビルディング
takeshifurusato
0
150
開発生産性をむしろ向上させる セキュリティパートナーの作り方 / Dev Productivity Con 2024
flatt_security
0
360
テストケースの自動生成に生成AIの導入を試みた話と生成AIによる今後の期待
shift_evolve
0
180
Git 研修 Advanced【MIXI 24新卒技術研修】
mixi_engineers
PRO
0
200
頼られるのが大好きな 皆さんへ - 支援相手との期待の合わせ方、突き放し方 -/For_people_who_like_to_be_relied_on
naitosatoshi
1
290
セキュリティ研修 Day1【MIXI 24新卒技術研修】
mixi_engineers
PRO
0
160
CTOから見た事業開発とプロダクト開発 / My Perspective on Business and Product Development as CTO
keisuke69
4
960
推薦システムを本番導入する上で一番優先すべきだったこと~NewsPicks記事推薦機能の改善事例を元に~
morinota
0
120
年間一億円削減した時系列データベースのアーキテクチャ改善~不確実性の高いプロジェクトへの挑戦~
lycorptech_jp
PRO
3
2.9k
【基調講演】変える、今ここから ― IoTとAIで紡ぐ未来
soracom
PRO
0
320
What is DRE? - Road to SRE NEXT@広島
chanyou0311
3
630
可視化プラットフォームGrafanaの基本と活用方法の全て
hamadakoji
0
230
Featured
See All Featured
Principles of Awesome APIs and How to Build Them.
keavy
124
16k
Become a Pro
speakerdeck
PRO
15
4.8k
How To Stay Up To Date on Web Technology
chriscoyier
784
250k
Being A Developer After 40
akosma
72
580k
Art, The Web, and Tiny UX
lynnandtonic
291
20k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
29
2.5k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
26
1.8k
Agile that works and the tools we love
rasmusluckow
325
20k
A Philosophy of Restraint
colly
200
16k
Fontdeck: Realign not Redesign
paulrobertlloyd
79
5.1k
Learning to Love Humans: Emotional Interface Design
aarron
269
39k
Building a Scalable Design System with Sketch
lauravandoore
458
32k
Transcript
Continuous Security Laura Bell SafeStack
Con$nuous Security Laura Bell F O U N D
E R & L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o
once upon a $me*… * Some'me in the last week
for some of you
and the whole world went to hell
common misconcep$ons
it’s not my job (that’s why we have a
security team)
it’s impossible so why try
we’ve always done this… nobody’s hacked us yet
we’re too li@le to fail (at security)
agility increases risk
what is con$nuous security?
design code stuff idea test deploy
design code stuff idea test deploy
Ini'al Risk Assessment Design Review Code and Implementa'on Review Penetra'on Tes'ng
None
con$nuous
principles of con$nuous security
automated autonomous integrated repeatable scalable
automated “the best technical people I know work really
hard to make themselves redundant”
Deployment Provisioning Tes$ng Sta$c analysis Vulnerability mgmt
autonomous “no boMlenecks, breakdowns or ripples”
None
Skills Authority Accountability every team
integrated “bite-‐sized security that works with every step of
your lifecycle”
None
Woven in to keep you going Respected enough to stop
you
repeatable “security fails when it’s a special event”
Every story Every sprint Every developer Every $me
Standard Security Stories h@p:/ /www.safecode.org
scalable “more than just a single team experiment”
Business as usual Managed Measured Controlled Universal Special Proof of
concept Blue sky Experiment Innova$on
Case Study
Fast growing 110 developers Compliance environment New
code Legacy code Mul$ple languages
Requirements Standard Security Stories Architecture Inclusion Reusable
requirements
Code review IDE based free tools Peer Review Security guild
Tes$ng Automated ZAP tes$ng Selenium Standard security tests
Deployment Vulnerability checks Infrastructure as code On demand deployments
Collabora$on Security guild Chat ops Hack events
Good stuff speed of change skill level increase increased
awareness priority of legacy use of security resource
Lessons learned security guilds tool cost tool quality approaches training
at scale
achieving con$nuous security
choose tools wisely integra$ons with workflows, API, speed
easy to digest resources keep your examples, templates and
reusable stuff as close to your developers as possible
educate everyone skills are the number one bo@leneck
give testers some love test environments, clean test data
and tools
no special treatment legacy code needs security too
dev == test == prod remove the differences to
remove deployment complexity
Ques$ons? Laura Bell F O U N D E R
& L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o
@lady_nerd Laura Bell SafeStack Thanks for listening…