
Continuous Security

Laura Bell
September 01, 2015

Presented at AgileNZ by Laura Bell

Transcript

  1. Continuous Security Laura Bell SafeStack

  2. Continuous Security Laura Bell, Founder & Lead Consultant, SafeStack @lady_nerd laura@safestack.io

  3. once upon a time*… * Sometime in the last week for some of you

  4. and the whole world went to hell

  5. common misconceptions

  6. it’s not my job (that’s why we have a security team)

  7. it’s impossible so why try

  8. we’ve always done this… nobody’s hacked us yet

  9. we’re too little to fail (at security)

  10. agility increases risk

  11. what is continuous security?

  12. design code stuff idea test deploy

  13. design code stuff idea test deploy: Initial Risk Assessment, Design Review, Code and Implementation Review, Penetration Testing
  15. continuous

  16. principles of continuous security

  17. automated, autonomous, integrated, repeatable, scalable

  18. automated “the best technical people I know work really hard to make themselves redundant”

  19. Deployment, Provisioning, Testing, Static analysis, Vulnerability mgmt

  20. autonomous “no bottlenecks, breakdowns or ripples”
  22. Skills, Authority, Accountability: every team

  23. integrated “bite-sized security that works with every step of your lifecycle”
  25. Woven in to keep you going. Respected enough to stop you.

  26. repeatable “security fails when it’s a special event”

  27. Every story. Every sprint. Every developer. Every time.

  28. Standard Security Stories http://www.safecode.org
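What a standard security story looks like once it is made repeatable (every story, every sprint, every time), as an added example that is not part of the deck or of SafeStack's or SAFECode's material: the story assumed here for illustration is "the session cookie is never exposed to script or to plain HTTP, and every page ships a baseline set of hardening headers", written as a check that runs against any HTTP response a test environment returns. The header set, the cookie name `session`, the small response parser and the two sample responses are all constructed for this example, not taken from any real system.

```python
from dataclasses import dataclass

# Baseline headers the story expects on every HTML page (an assumed set for this example).
REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
)


@dataclass
class Cookie:
    name: str
    attrs: dict  # attribute name (lower-cased) -> value; flags such as Secure map to ""


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status code, [(header, value)], body).

    Headers are kept as a list, not a dict, so repeated Set-Cookie lines all survive.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def parse_set_cookie(value: str) -> Cookie:
    """Parse one Set-Cookie value into its cookie name and attribute map."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name=name, attrs=attrs)


def check_session_story(raw: bytes, session_cookie: str = "session") -> list:
    """Return the story's violations for one response; an empty list means the story passes."""
    _, headers, _ = parse_response(raw)
    findings = []
    present = {name for name, _ in headers}
    for required in REQUIRED_HEADERS:
        if required not in present:
            findings.append(f"missing header: {required}")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if cookie.name != session_cookie:
            continue  # only the session cookie carries the story's requirements
        if "secure" not in cookie.attrs:
            findings.append("session cookie sent without Secure")
        if "httponly" not in cookie.attrs:
            findings.append("session cookie readable by script (no HttpOnly)")
        if cookie.attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append("session cookie has no SameSite=Lax or SameSite=Strict")
    return findings


# Constructed sample responses; neither was captured from a real system.
INSECURE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: session=abc123; Path=/\r\n"
    b"Set-Cookie: theme=dark; Path=/\r\n"
    b"\r\n<html>...</html>"
)
HARDENED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    b"Set-Cookie: theme=dark; Path=/\r\n"
    b"\r\n<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("insecure", INSECURE), ("hardened", HARDENED)):
        findings = check_session_story(raw)
        print(f"{label}: {'FAIL' if findings else 'PASS'}")
        for finding in findings:
            print("  -", finding)
```

The point of the shape is that the story is a function of one response, so the same check can be wired into a Selenium run, a ZAP scripted scan or a plain HTTP client in CI without rewriting it, and a new page gets the story for free rather than as a special event.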

  29. scalable “more than just a single team experiment”

  30. Business as usual: Managed, Measured, Controlled, Universal. Special: Proof of concept, Blue sky, Experiment, Innovation.

  31. Case Study

  32. Fast growing, 110 developers, Compliance environment, New code, Legacy code, Multiple languages

  33. Requirements: Standard Security Stories, Architecture Inclusion, Reusable requirements

  34. Code review: IDE based free tools, Peer Review, Security guild

  35. Testing: Automated ZAP testing, Selenium, Standard security tests

  36. Deployment: Vulnerability checks, Infrastructure as code, On demand deployments
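One way to make the automated ZAP testing of slide 35 and the deployment vulnerability checks of slide 36 "respected enough to stop you", as an added example that is not from the deck or from the case-study team: a gate that reads the JSON report OWASP ZAP writes, fails the deploy on High findings, reports Medium ones, and lets a finding through only when it is listed as accepted against a tracking ticket, so legacy code goes through the same gate instead of around it. The field names used (`site`, `alerts`, `pluginid`, `alert`, `riskcode`, `confidence`, `instances`) follow ZAP's traditional JSON report but should be treated as an assumption and checked against a report from your own ZAP version; the embedded report, the thresholds and the `{"pluginid": "ticket"}` acceptance file format are constructed for this example.

```python
import json
import sys
from dataclasses import dataclass, field

# ZAP writes risk codes as strings: 0 Informational, 1 Low, 2 Medium, 3 High.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed report in the shape of ZAP's traditional JSON output (assumed field names; not a real scan).
SAMPLE_REPORT = json.dumps({
    "@version": "2.14.0",
    "site": [{
        "@name": "https://app.test.internal",
        "alerts": [
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "https://app.test.internal/search?q=x", "method": "GET", "param": "q"}]},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2", "confidence": "3",
             "instances": [{"uri": "https://app.test.internal/", "method": "GET", "param": ""},
                           {"uri": "https://app.test.internal/login", "method": "GET", "param": ""}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://app.test.internal/static/app.js", "method": "GET", "param": ""}]},
            {"pluginid": "10096", "alert": "Timestamp Disclosure - Unix", "riskcode": "0", "confidence": "1",
             "instances": [{"uri": "https://app.test.internal/", "method": "GET", "param": ""}]},
            # confidence 0 is what ZAP records for a finding marked as a false positive
            {"pluginid": "90022", "alert": "Application Error Disclosure", "riskcode": "2", "confidence": "0",
             "instances": [{"uri": "https://app.test.internal/api/items", "method": "GET", "param": ""}]},
        ],
    }],
})


@dataclass
class Alert:
    pluginid: str
    name: str
    risk: int
    confidence: int
    uris: list


@dataclass
class Policy:
    block_at: int = 3  # fail the deploy at this risk or above (High)
    warn_at: int = 2   # report but do not fail at this risk (Medium)
    # Accepted findings keyed by ZAP plugin id, each pointing at the ticket that tracks the fix.
    # This is how legacy code goes through the same gate without a permanent bypass.
    accepted: dict = field(default_factory=dict)


@dataclass
class GateResult:
    blocking: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    accepted: list = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not self.blocking


def load_alerts(report_json: str) -> list:
    """Flatten the alerts of every scanned site in a ZAP JSON report into Alert objects."""
    report = json.loads(report_json)
    alerts = []
    for site in report.get("site", []):
        for a in site.get("alerts", []):
            alerts.append(Alert(
                pluginid=str(a["pluginid"]),
                name=a.get("alert") or a.get("name", "?"),
                risk=int(a["riskcode"]),
                confidence=int(a.get("confidence", 2)),
                uris=[i.get("uri", "") for i in a.get("instances", [])],
            ))
    return alerts


def evaluate(report_json: str, policy: Policy) -> GateResult:
    """Apply the policy to a report: accepted first, then block, then warn; the rest is dropped."""
    result = GateResult()
    for alert in load_alerts(report_json):
        if alert.confidence == 0:
            continue  # marked false positive in ZAP; never blocks
        if alert.pluginid in policy.accepted:
            result.accepted.append(alert)
        elif alert.risk >= policy.block_at:
            result.blocking.append(alert)
        elif alert.risk >= policy.warn_at:
            result.warnings.append(alert)
    return result


def format_result(result: GateResult, policy: Policy) -> str:
    """One line per finding the gate cares about, then the verdict."""
    lines = []
    for label, group in (("BLOCK", result.blocking), ("WARN", result.warnings), ("ACCEPTED", result.accepted)):
        for a in group:
            ticket = f" [{policy.accepted[a.pluginid]}]" if label == "ACCEPTED" else ""
            lines.append(f"{label:8} {RISK_NAMES[a.risk]:13} {a.pluginid} {a.name} ({len(a.uris)} instance(s)){ticket}")
    lines.append("gate: " + ("PASS" if result.passed else "FAIL"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python zap_gate.py [report.json [accepted.json]]; accepted.json is a {"pluginid": "ticket"} map.
    report_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    policy = Policy(accepted=json.load(open(sys.argv[2])) if len(sys.argv) > 2 else {})
    outcome = evaluate(report_text, policy)
    print(format_result(outcome, policy))
    sys.exit(0 if outcome.passed else 1)
```

Run it as the last step of the deploy stage after the scan has written its report; a non-zero exit is what turns "vulnerability checks" from a report nobody reads into a gate. Two caveats a practitioner will hit: ZAP's baseline script can already fail a run per rule through its own config file, so the value of a separate gate is the ticket-backed acceptance list and a policy you can apply uniformly across scanners, and an acceptance entry without an owner and a date becomes exactly the permanent special treatment for legacy code that slide 45 warns against.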

  37. Collaboration: Security guild, Chat ops, Hack events

  38. Good stuff: speed of change, skill level increase, increased awareness, priority of legacy, use of security resource

  39. Lessons learned: security guilds, tool cost, tool quality, approaches, training at scale

  40. achieving continuous security

  41. choose tools wisely: integrations with workflows, API, speed

  42. easy to digest resources: keep your examples, templates and reusable stuff as close to your developers as possible

  43. educate everyone: skills are the number one bottleneck

  44. give testers some love: test environments, clean test data and tools

  45. no special treatment: legacy code needs security too

  46. dev == test == prod: remove the differences to remove deployment complexity

  47. Questions? Laura Bell, Founder & Lead Consultant, SafeStack @lady_nerd laura@safestack.io

  48. @lady_nerd Laura Bell SafeStack Thanks for listening…