Presented at AgileNZ by Laura Bell
Continuous SecurityLaura BellSafeStack
View Slide
Con$nuous Security Laura Bell F O U N D E R & L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o
once upon a $me*… * Some'me in the last week for some of you
and the whole world went to hell
common misconcep$ons
it’s not my job (that’s why we have a security team)
it’s impossible so why try
we’ve always done this… nobody’s hacked us yet
we’re too li@le to fail (at security)
agility increases risk
what is con$nuous security?
design code stuff idea test deploy
design code stuff idea test deploy Ini'al Risk Assessment Design Review Code and Implementa'on Review Penetra'on Tes'ng
con$nuous
principles of con$nuous security
automated autonomous integrated repeatable scalable
automated “the best technical people I know work really hard to make themselves redundant”
Deployment Provisioning Tes$ng Sta$c analysis Vulnerability mgmt
autonomous “no boMlenecks, breakdowns or ripples”
Skills Authority Accountability every team
integrated “bite-‐sized security that works with every step of your lifecycle”
Woven in to keep you going Respected enough to stop you
repeatable “security fails when it’s a special event”
Every story Every sprint Every developer Every $me
Standard Security Stories h@p://www.safecode.org
scalable “more than just a single team experiment”
Business as usual Managed Measured Controlled Universal Special Proof of concept Blue sky Experiment Innova$on
Case Study
Fast growing 110 developers Compliance environment New code Legacy code Mul$ple languages
Requirements Standard Security Stories Architecture Inclusion Reusable requirements
Code review IDE based free tools Peer Review Security guild
Tes$ng Automated ZAP tes$ng Selenium Standard security tests
Deployment Vulnerability checks Infrastructure as code On demand deployments
Collabora$on Security guild Chat ops Hack events
Good stuff speed of change skill level increase increased awareness priority of legacy use of security resource
Lessons learned security guilds tool cost tool quality approaches training at scale
achieving con$nuous security
choose tools wisely integra$ons with workflows, API, speed
easy to digest resources keep your examples, templates and reusable stuff as close to your developers as possible
educate everyone skills are the number one bo@leneck
give testers some love test environments, clean test data and tools
no special treatment legacy code needs security too
dev == test == prod remove the differences to remove deployment complexity
Ques$ons? Laura Bell F O U N D E R & L E A D C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o
@lady_nerdLaura BellSafeStackThanks for listening…
ladynerd
sansantech
oracle4engineer
yoshidashingo
upura
dahatake
wakamsha
shibuiwilliam
mtx2s
poteboy
kei_s
mosa_siru
line_developers_tw
eileencodes
afnizarnur
searls
deanohume
addyosmani
erikaheidi
dougneiner
destraynor
quramy
zakiyama
sugarenia
sachag