
Web App Security in an Agile World


Draft

Nick Galbreath

June 02, 2016


Transcript

  1. Macro Trends Stacked Against Defenders
     Rate of internal change is increasing, general shift from fixed assets to dynamic.
     Security talent is in short supply and oversubscribed.
     Attack economics are getting better… for attackers. Or are they?
  2. From $250 Million to $6.5 Billion: The Bay Bridge Cost Overrun
     http://www.citylab.com/politics/2015/10/from-250-million-to-65-billion-the-bay-bridge-cost-overrun/410254/
  3. Every engineering organization in the world is trying to go faster by using cloud, devops, continuous integration, agile.
     Or planning to do so, with some projects.
  4. Even the State of California
     "A New Approach to Procuring Government Technology in California", November 30, 2015
     https://www.codeforamerica.org/blog/2015/11/30/a-new-approach-to-procuring-government-technology-in-california/
     "What was going to be a business-as-usual procurement (a long, thousand-plus page contract for a complete solution, driven by requirements and a likely waterfall delivery) of a new Child Welfare System will now be a series of procurements for long-term services, not solutions, driven by understanding and meeting user needs, delivered iteratively. Child welfare services personnel in California investigate nearly half a million reports of severe maltreatment and life-threatening neglect to children a year. Of those half a million, around 80,000 reports are confirmed annually, 30,000 children must be removed from their homes, and at any time almost 100,000 children are living in foster care for their protection or live with their parents under close county protective supervision. The Child Welfare System was the perfect choice for a new approach because it’s too important to fail."
  5. • Change is increasing
     • Hiring is challenging
     • Attack economics do not look good
     • A bunch of stuff doesn't work
  6. ???

  7. Continuous Deployment: Moving Code from Dev to Production
     Characterized by small changes, done more frequently, in a semi-automated way.
  8. Does not preclude
     • Code reviews
     • Architecture reviews
     • Testing
     • Two-man rules
     • Auditability
     • Compliance
  9. ✓ Formatting Checks
     ✓ Linting
     ✓ Static Analysis
     ✓ Security Checks
     ✓ Unit Tests
     ✓ Integration Tests
     ✓ Spelling Checks
     ✓ Login / Auth
  10. Average time to fix a vulnerability is 150 days after being reported…
      Do you think that is due to technical reasons?
  11. “If you are on the Internet, you are already getting a free pen test.
      You just aren’t getting the report.”
      (Zane Lackey)
  12. Get The Report
      • Who are your attackers
      • What is their goal
      • Are they successful
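One way to start "getting the report" from the traffic you already receive, as an added example that is not part of the deck: a small Python script that reads access-log lines and answers the three questions above per source address. The log lines, the example IP addresses and the indicator patterns are constructed for illustration and are assumptions, not a complete detection ruleset.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access log (common log format) for this example; not real
# traffic. 203.0.113.7 behaves like a normal user, 198.51.100.9 is probing.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2016:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [02/Jun/2016:10:00:05 +0000] "GET /login HTTP/1.1" 200 1024
198.51.100.9 - - [02/Jun/2016:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 404 210
198.51.100.9 - - [02/Jun/2016:10:01:02 +0000] "GET /search?q=1%27%20OR%201%3D1 HTTP/1.1" 500 0
198.51.100.9 - - [02/Jun/2016:10:01:03 +0000] "GET /static/../../app/config.yml HTTP/1.1" 403 0
198.51.100.9 - - [02/Jun/2016:10:01:04 +0000] "GET /admin/config.php HTTP/1.1" 200 880
"""

# One common-log-format line: client, identity, user, timestamp, request, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Coarse "what is their goal" buckets, matched against the URL-decoded path.
# Illustrative indicators only (an assumption of this example), not a real ruleset.
INDICATORS = {
    "sql_injection": re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./"),
    "admin_probe": re.compile(r"/(wp-login\.php|admin/)", re.IGNORECASE),
}

def classify(path):
    """Return the indicator names that match a request path (empty list if none)."""
    decoded = unquote(path)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]

def build_report(log_text):
    """Per source IP: who (the IP), what goal (indicators), successful (2xx to a flagged request)."""
    report = defaultdict(lambda: {"requests": 0, "goals": set(), "successful": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        entry = report[m["ip"]]
        entry["requests"] += 1
        goals = classify(m["path"])
        entry["goals"].update(goals)
        if goals and 200 <= int(m["status"]) < 300:
            entry["successful"] = True  # the server answered a flagged request normally
    return {ip: {**v, "goals": sorted(v["goals"])} for ip, v in report.items()}
```

Running `build_report(SAMPLE_LOG)` flags the probing address with three goals and marks it successful because the server returned 200 for the admin path, while the normal user has no goals flagged.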