
Continuous Security

Laura Bell
September 01, 2015

Presented at AgileNZ by Laura Bell


Transcript

  1. Continuous Security
    Laura Bell
    SafeStack


  2. Continuous Security
    Laura Bell
    Founder & Lead Consultant
    SafeStack
    @lady_nerd
    laura@safestack.io

  3. once upon a time*…
    * Sometime in the last week for some of you

  4. and the whole world
    went to hell

  5. common misconceptions

  6. it’s not my job
    (that’s why we have a security team)

  7. it’s impossible so why try

  8. we’ve always done this…
    nobody’s hacked us yet

  9. we’re too little to fail
    (at security)

  10. agility increases risk

  11. what is continuous security?

  12. idea → design → code stuff → test → deploy

  13. idea → design → code stuff → test → deploy
    (the traditional security activities placed against the stages:)
    Initial Risk Assessment
    Design Review
    Code and Implementation Review
    Penetration Testing

  14. (image-only slide)

  15. continuous

  16. principles of continuous security

  17. automated
    autonomous
    integrated
    repeatable
    scalable

  18. automated

    “the best technical people I know work
    really hard to make themselves redundant”

  19. Deployment
    Provisioning
    Testing
    Static analysis
    Vulnerability mgmt

  20. autonomous

    “no bottlenecks, breakdowns or ripples”

  21. (image-only slide)

  22. Skills
    Authority
    Accountability

    every team

  23. integrated

    “bite-sized security that works with every step
    of your lifecycle”

  24. (image-only slide)

  25. Woven in to keep you going

    Respected enough to stop you

  26. repeatable

    “security fails when it’s a special event”

  27. Every story
    Every sprint
    Every developer
    Every time

  28. Standard Security Stories
    http://www.safecode.org

  29. scalable

    “more than just
    a single team
    experiment”

  30. Business as usual          Special
    Managed                     Proof of concept
    Measured                    Blue sky
    Controlled                  Experiment
    Universal                   Innovation

  31. Case Study

  32. Fast growing
    110 developers
    Compliance environment
    New code
    Legacy code
    Multiple languages

  33. Requirements
    Standard Security Stories
    Architecture Inclusion
    Reusable requirements

  34. Code review
    IDE based free tools
    Peer Review
    Security guild
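The slide names "IDE based free tools" without saying what they check. The following is an added example for this transcript, not a tool the deck names and not SafeStack's code: a minimal edit-time static check built on Python's `ast` module that flags a handful of well-known dangerous patterns (`eval`/`exec`, `subprocess` with `shell=True`, `pickle` deserialisation, string literals assigned to credential-looking names) so the finding is raised while the developer is still typing rather than at a pre-release review. The rule names and the sample input are constructed for the example.

```python
"""Minimal edit-time static check of the kind the slide's "IDE based free
tools" perform.  Added example for the transcript, not a tool the deck
names and not SafeStack code: it encodes a handful of well-known dangerous
Python patterns so the finding is raised while the developer is still
typing, rather than at a pre-release review."""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    rule: str
    message: str


SHELL_FUNCS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
               "subprocess.check_output", "subprocess.check_call"}
SECRET_WORDS = ("PASSWORD", "SECRET", "TOKEN", "API_KEY")


def call_name(node: ast.Call) -> str:
    """Resolve eval(...) -> 'eval' and subprocess.run(...) -> 'subprocess.run'."""
    func, parts = node.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


class DangerousPatternVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def report(self, node: ast.AST, rule: str, message: str) -> None:
        self.findings.append(Finding(node.lineno, rule, message))

    def visit_Call(self, node: ast.Call) -> None:
        name = call_name(node)
        if name in ("eval", "exec"):
            self.report(node, "EVAL", f"{name}() runs arbitrary code")
        elif name in SHELL_FUNCS:
            # shell=True hands the command string to /bin/sh: command injection
            # if any part of it is attacker-influenced.  An argv list is fine.
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.report(node, "SHELL", f"{name}(shell=True) allows command injection")
        elif name in ("pickle.load", "pickle.loads"):
            self.report(node, "DESER", f"{name}() executes code embedded in the input")
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # A string literal assigned to a name that looks like a credential.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(w in target.id.upper() for w in SECRET_WORDS):
                    self.report(node, "SECRET", f"{target.id} looks like a hard-coded secret")
        self.generic_visit(node)


def scan_source(source: str) -> list[Finding]:
    """Parse source text and return findings ordered by line number."""
    visitor = DangerousPatternVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample input for the example; not code from any real project.
SAMPLE = """\
import subprocess, pickle
API_TOKEN = "hunter2"
def run(cmd):
    return subprocess.run(cmd, shell=True)
def load(blob):
    return pickle.loads(blob)
def safe(path):
    return subprocess.run(["ls", "-l", path])
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.rule}: {f.message}")
```

Run it from a pre-commit hook or an editor save action; the `safe()` function in the sample shows the argv-list form that does not trigger the rule, which is the form the check should steer developers towards. The rule set is deliberately tiny; a real tool such as a linter plugin carries far more rules, but the point of the slide is that the check runs on every edit, not how many rules it has.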

  35. Testing
    Automated ZAP testing
    Selenium
    Standard security tests
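"Automated ZAP testing" only helps the team if the pipeline turns the scan result into a pass/fail decision. The following is an added example for this transcript, not part of the deck, SafeStack or the ZAP project: a gate that reads a ZAP JSON report, breaks the build on Medium and above, and lets a team record accepted findings per plugin id without ever accepting a High. The report layout (`site` → `alerts` → `riskcode`/`pluginid`/`instances`) follows the JSON report ZAP's scan scripts write with `-J`; treat the field names as an assumption to verify against your ZAP version. The report content, plugin ids as used here and the accepted-findings list are constructed for the example.

```python
"""Pipeline gate over an OWASP ZAP JSON report.  Added example for this
transcript, not part of the deck, SafeStack or the ZAP project.  The
report layout below (site -> alerts -> riskcode/pluginid/instances)
follows the JSON report that ZAP's scan scripts write with -J; the exact
field names are an assumption to verify against your ZAP version."""
import json
import sys

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

# Findings the team has accepted, keyed by ZAP plugin id.  Constructed for
# the example; a real list lives in the repo next to the tests so review
# sees changes to it.
ACCEPTED = {
    "10202": "stateless JSON API, bearer token auth, no cookie session (ticket SEC-12)",
}


def iter_alerts(report: dict):
    """Yield (site_name, alert) pairs for every alert in the report."""
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            yield site.get("@name", "?"), alert


def evaluate(report: dict, fail_at: int = 2, accepted: dict = ACCEPTED) -> dict:
    """Classify every alert as 'fail', 'accepted' or 'info'.

    fail_at is the lowest ZAP riskcode that breaks the build; 2 means
    Medium and above.  An alert is 'accepted' only if its plugin id is in
    the accepted list AND it is below High, so a new High at an accepted
    plugin id still fails.
    """
    result = {"fail": [], "accepted": [], "info": []}
    for site, alert in iter_alerts(report):
        risk = int(alert.get("riskcode", "0"))
        entry = {
            "site": site,
            "plugin": alert.get("pluginid"),
            "name": alert.get("alert"),
            "risk": RISK_NAMES.get(str(risk), str(risk)),
            "urls": [i.get("uri") for i in alert.get("instances", [])],
        }
        if risk < fail_at:
            result["info"].append(entry)
        elif entry["plugin"] in accepted and risk < 3:
            entry["reason"] = accepted[entry["plugin"]]
            result["accepted"].append(entry)
        else:
            result["fail"].append(entry)
    return result


def exit_code(result: dict) -> int:
    """Non-zero exit breaks the build; the pipeline only needs this bit."""
    return 1 if result["fail"] else 0


# Constructed report in the shape of a ZAP JSON report; not real scan output.
SAMPLE_REPORT = {
    "site": [{
        "@name": "https://app.test.internal",
        "alerts": [
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "https://app.test.internal/search?q=x", "method": "GET"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://app.test.internal/static/app.js", "method": "GET"}]},
            {"pluginid": "10016", "alert": "Web Browser XSS Protection Not Enabled",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://app.test.internal/", "method": "GET"}]},
            {"pluginid": "10202", "alert": "Absence of Anti-CSRF Tokens",
             "riskcode": "2", "confidence": "2",
             "instances": [{"uri": "https://app.test.internal/profile", "method": "GET"}]},
        ],
    }]
}


def main(argv: list) -> int:
    # Usage: zap_gate.py report.json   (no argument runs the constructed sample)
    report = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_REPORT
    result = evaluate(report)
    for bucket in ("fail", "accepted", "info"):
        for e in result[bucket]:
            print(f"{bucket.upper():8} {e['risk']:13} {e['plugin']} {e['name']} ({len(e['urls'])} url)")
    return exit_code(result)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The accepted list is the part that makes this repeatable rather than a one-off: without it teams either disable the scan or learn to ignore a permanently red build. Keeping the list in the repository, with a reason per entry, puts the decision under code review and stops it from silently covering a new High.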

  36. Deployment
    Vulnerability checks
    Infrastructure as code
    On demand deployments
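One concrete form of the "Vulnerability checks" this slide places at deployment is a check of the build's pinned dependencies against an advisory feed, so a release cannot go out carrying a known-vulnerable library. The following is an added example for this transcript; it is not SafeStack's tooling and not any specific scanner. The lock file and the advisory feed are constructed, with fictional package names and advisory ids; the version comparison is a simplified one for pinned release versions, not a full PEP 440 implementation (an assumption of the example).

```python
"""Deploy-time dependency vulnerability check.  Added example for this
transcript; not SafeStack's tooling and not any specific scanner.  The
advisory feed and the pinned lock file are constructed for the example; in
a real pipeline the feed comes from a vulnerability database and the lock
file from the build artefact being deployed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    id: str
    package: str
    introduced: str   # first vulnerable version (inclusive)
    fixed: str        # first fixed version (exclusive); "" if no fix yet
    severity: str


def parse_version(v: str) -> tuple:
    """'1.10.2' -> (1, 10, 2).  Non-numeric suffixes are dropped, so
    '2.0rc1' compares as (2, 0).  Good enough for pinned release versions;
    not a full PEP 440 implementation (assumption of this example)."""
    parts = []
    for p in v.split("."):
        digits = ""
        for ch in p:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def parse_lock(text: str) -> dict:
    """Parse 'name==version' lines; comments and blank lines are ignored.
    Anything not pinned with == is rejected: an unpinned dependency means
    the deployed version is not the tested version."""
    pinned = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency in lock file: {line!r}")
        name, version = line.split("==", 1)
        pinned[name.strip().lower()] = version.strip()
    return pinned


def is_affected(version: str, adv: Advisory) -> bool:
    """True if version is in [introduced, fixed), or >= introduced with no fix."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return not adv.fixed or v < parse_version(adv.fixed)


def check(pinned: dict, advisories: list, block_on=("high", "critical")) -> dict:
    """Return {'block': [...], 'warn': [...]} of (package, version, advisory id)."""
    result = {"block": [], "warn": []}
    for adv in advisories:
        version = pinned.get(adv.package.lower())
        if version is None or not is_affected(version, adv):
            continue
        bucket = "block" if adv.severity in block_on else "warn"
        result[bucket].append((adv.package, version, adv.id))
    return result


# Constructed lock file and advisory feed; package names and ids are fictional.
LOCK = """\
# generated by the build
webframework==2.1.3
imagelib==8.4.0
jsonlib==1.0.2
"""
ADVISORIES = [
    Advisory("EX-2015-001", "webframework", "2.0.0", "2.1.4", "high"),
    Advisory("EX-2015-002", "imagelib", "8.0.0", "8.3.5", "critical"),
    Advisory("EX-2015-003", "jsonlib", "1.0.0", "", "low"),
]

if __name__ == "__main__":
    result = check(parse_lock(LOCK), ADVISORIES)
    for bucket in ("block", "warn"):
        for package, version, adv_id in result[bucket]:
            print(f"{bucket.upper():5} {package}=={version} affected by {adv_id}")
    raise SystemExit(1 if result["block"] else 0)
```

Running this against the deployable artefact, rather than the source tree, is what ties it to the "dev == test == prod" point later in the deck: the check covers exactly the versions that will run. Low-severity advisories with no fix are reported but do not block, so the list stays visible without freezing deployments.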

  37. Collaboration
    Security guild
    Chat ops
    Hack events

  38. Good stuff
    speed of change
    skill level increase
    increased awareness
    priority of legacy
    use of security resource

  39. Lessons learned
    security guilds
    tool cost
    tool quality
    approaches
    training at scale

  40. achieving continuous security

  41. choose tools wisely
    integrations with workflows, API, speed

  42. easy to digest resources
    keep your examples, templates and reusable stuff
    as close to your developers as possible

  43. educate everyone
    skills are the number one bottleneck

  44. give testers some love
    test environments, clean test data and tools

  45. no special treatment
    legacy code needs security too

  46. dev == test == prod
    remove the differences to remove
    deployment complexity

  47. Questions?
    Laura Bell
    Founder & Lead Consultant
    SafeStack
    @lady_nerd
    laura@safestack.io

  48. @lady_nerd
    Laura Bell
    SafeStack
    Thanks for listening…