Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Continuous Security
Search
Laura Bell
September 01, 2015
Technology
3
1.1k
Continuous Security
Presented at AgileNZ by Laura Bell
Laura Bell
September 01, 2015
Tweet
Share
More Decks by Laura Bell
See All by Laura Bell
DIY security for the amateur superhero
ladynerd
0
240
Hackcon 11 - Protecting our people
ladynerd
0
220
Security in a container based world
ladynerd
0
140
Securing Microservice Architectures
ladynerd
2
340
Better Connected
ladynerd
0
58
Automated Human Vulnerability Scanning with AVA
ladynerd
3
2.7k
Blindsided by security
ladynerd
0
82
Practical tools for privacy audit
ladynerd
0
180
For the greater good? Open sourcing weaponisable code
ladynerd
1
310
Other Decks in Technology
See All in Technology
マルチデータプロダクト開発・運用に耐えるためのデータ組織・アーキテクチャの遷移
mtpooh
1
400
スタートアップ1人目QAエンジニアが QAチームを立ち上げ、“個”からチーム、 そして“組織”に成長するまで / How to set up QA team at reiwatravel
mii3king
1
330
FastConnect の冗長性
ocise
1
9.5k
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
6
57k
開発者が自律的に AWS Security Hub findings に 対応する仕組みと AWS re:Invent 2024 登壇体験談 / Developers autonomously report AWS Security Hub findings Corresponding mechanism and AWS re:Invent 2024 presentation experience
kaminashi
0
170
テストアーキテクチャ設計で実現する高品質で高スピードな開発の実践 / Test Architecture Design in Practice
ropqa
3
470
飲食店予約台帳を支えるインタラクティブ UI 設計と実装
siropaca
5
950
これからSREになる人と、これからもSREをやっていく人へ
masayoshi
6
4k
ゆもつよがこの30年間自ら経験してきたQA、テストの歴史と未来
ymty
4
670
バックエンドエンジニアのためのフロントエンド入門 #devsumiC
panda_program
14
4.4k
さいきょうのアーキテクチャを生み出すセンスメイキング
jgeem
0
410
リーダブルテストコード 〜メンテナンスしやすい テストコードを作成する方法を考える〜 #DevSumi #DevSumiB / Readable test code
nihonbuson
5
2.1k
Featured
See All Featured
How to Ace a Technical Interview
jacobian
276
23k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
20
2.4k
Automating Front-end Workflow
addyosmani
1367
200k
YesSQL, Process and Tooling at Scale
rocio
171
14k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
How STYLIGHT went responsive
nonsquared
98
5.3k
Product Roadmaps are Hard
iamctodd
PRO
50
11k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
29
2.2k
VelocityConf: Rendering Performance Case Studies
addyosmani
328
24k
Keith and Marios Guide to Fast Websites
keithpitt
410
22k
Testing 201, or: Great Expectations
jmmastey
41
7.2k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.3k
Transcript
Continuous Security Laura Bell SafeStack
Con$nuous Security Laura Bell F O U N D
E R & L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o
once upon a $me*… * Some'me in the last week
for some of you
and the whole world went to hell
common misconcep$ons
it’s not my job (that’s why we have a
security team)
it’s impossible so why try
we’ve always done this… nobody’s hacked us yet
we’re too li@le to fail (at security)
agility increases risk
what is con$nuous security?
design code stuff idea test deploy
design code stuff idea test deploy
Ini'al Risk Assessment Design Review Code and Implementa'on Review Penetra'on Tes'ng
None
con$nuous
principles of con$nuous security
automated autonomous integrated repeatable scalable
automated “the best technical people I know work really
hard to make themselves redundant”
Deployment Provisioning Tes$ng Sta$c analysis Vulnerability mgmt
autonomous “no boMlenecks, breakdowns or ripples”
None
Skills Authority Accountability every team
integrated “bite-‐sized security that works with every step of
your lifecycle”
None
Woven in to keep you going Respected enough to stop
you
repeatable “security fails when it’s a special event”
Every story Every sprint Every developer Every $me
Standard Security Stories h@p:/ /www.safecode.org
scalable “more than just a single team experiment”
Business as usual Managed Measured Controlled Universal Special Proof of
concept Blue sky Experiment Innova$on
Case Study
Fast growing 110 developers Compliance environment New
code Legacy code Mul$ple languages
Requirements Standard Security Stories Architecture Inclusion Reusable
requirements
Code review IDE based free tools Peer Review Security guild
Tes$ng Automated ZAP tes$ng Selenium Standard security tests
Deployment Vulnerability checks Infrastructure as code On demand deployments
Collabora$on Security guild Chat ops Hack events
Good stuff speed of change skill level increase increased
awareness priority of legacy use of security resource
Lessons learned security guilds tool cost tool quality approaches training
at scale
achieving con$nuous security
choose tools wisely integra$ons with workflows, API, speed
easy to digest resources keep your examples, templates and
reusable stuff as close to your developers as possible
educate everyone skills are the number one bo@leneck
give testers some love test environments, clean test data
and tools
no special treatment legacy code needs security too
dev == test == prod remove the differences to
remove deployment complexity
Ques$ons? Laura Bell F O U N D E R
& L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o
@lady_nerd Laura Bell SafeStack Thanks for listening…