
Preventing you from being responsible for your company's next security disaster[Xgeeks]

Today we see many security breaches that cost millions, whether in lost credibility or in fines, and new data protection laws emerge in response.
Investing in information security guarantees quality and helps prevent these headaches, as well as the scandals that could make a software project unviable.
For the company and its team to be aware of the importance of security and prevention, it is necessary to develop a DevSecOps culture. In this talk, you will learn more about this working model and how to keep you or someone on your team from being responsible for the next security disaster.


Otavio Santana

September 16, 2021


  1. Preventing you from being responsible for your company's next security disaster. Otavio Santana @otaviojava. @zupinnovation zup.com.br
  2. Who am I? Otavio Santana, Distinguished Engineer @otaviojava • Pas Jean Valjean • Java Champion • JCP-EC-EG-EGL • Apache Committer • Eclipse Committer • Eclipse Project Leader • Book and blog writer who
  3. Who am I? Wilian Gabriel da Silva, Tech Lead @wiliangds • Golang Developer • JS/TS Developer • Python Developer • Compilers Developer • Blog writer • YouTube recorder • Zup Open Source Committer
  4. Who needs security? A brief context
  5. The biggest data breaches of the 21st century (Ref: https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html): Yahoo, 3 billion accounts • Alibaba, 1.1 billion pieces of user data • LinkedIn, 700 million users • Sina Weibo, 538 million accounts • Facebook, 533 million accounts
  6. 800 and 1,500 businesses around the world have been affected; IBM's Data Breach Study: $300 million; $7 million: Target paid this amount for breach remediation. Can a data breach really bankrupt your business?
  7. Security in a nutshell: Confidentiality, Integrity, Availability
  8. "Small" mistake > Big consequences: 1. Code Vulnerability 2. Operations Vulnerability
  9. Code Vulnerability. Every 3 out of 4 applications: • Injection • Cross-Site Scripting (XSS) • Buffer Overflow • Broken Authentication • Sensitive Data Exposure • Broken Access Control
  10. Operations Vulnerability. "New research shows 75% of 'open' Redis servers infected" • Default, blank, and weak username/password • Extensive user and group privileges
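The two bullets on the operations slide (blank or weak passwords, over-broad privileges) are exactly the settings an audit of a Redis configuration can catch before the server is exposed. The following Python is an added example, not code from the talk or from any Zup project: it parses `redis.conf` text and reports those weaknesses. The two configurations are constructed for the example; the directive names (`bind`, `protected-mode`, `requirepass`, `user`, `rename-command`) are real redis.conf directives, and the password value is a placeholder to be replaced.

```python
"""Audit a redis.conf for the operations mistakes named on the slide."""

# Constructed sample: a redis.conf left close to its defaults (not from any real deployment).
WEAK_REDIS_CONF = """
# listens on every interface, no password, default user may run anything
bind 0.0.0.0
protected-mode no
port 6379
user default on nopass ~* +@all
"""

# Constructed sample of the same server hardened. The password is a placeholder.
HARDENED_REDIS_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass PLACEHOLDER_REPLACE_WITH_32_PLUS_RANDOM_CHARS
# least privilege: the application user may only GET/SET keys under its own prefix
user app on >PLACEHOLDER_REPLACE_WITH_32_PLUS_RANDOM_CHARS ~app:* -@all +get +set
rename-command FLUSHALL ""
"""

MIN_PASSWORD_LEN = 16
EXPOSED_BIND_ADDRESSES = {"0.0.0.0", "::", "*"}


def parse_redis_conf(text):
    """Return {directive: [args, ...]}; directives such as bind and user may repeat."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        directives.setdefault(name.lower(), []).append(args)
    return directives


def audit_redis_conf(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    conf = parse_redis_conf(text)
    findings = []

    # Exposure: no bind line means every interface; protected-mode only guards an unbound,
    # passwordless server, so disabling it while listening everywhere is flagged.
    binds = [addr for args in conf.get("bind", []) for addr in args]
    exposed = not binds or any(addr in EXPOSED_BIND_ADDRESSES for addr in binds)
    protected_args = conf.get("protected-mode", [["yes"]])[-1]
    protected = bool(protected_args) and protected_args[0].lower() == "yes"
    if exposed and not protected:
        findings.append("reachable from any interface with protected-mode disabled")

    # Blank or weak password (the slide's first bullet).
    passwords = [args[0] for args in conf.get("requirepass", []) if args]
    if not passwords:
        findings.append("no requirepass: blank password, anyone reaching the port is authenticated")
    elif len(passwords[-1]) < MIN_PASSWORD_LEN:
        findings.append(f"requirepass shorter than {MIN_PASSWORD_LEN} characters: weak password")

    # Extensive privileges (the slide's second bullet) expressed as Redis 6+ ACL rules.
    for args in conf.get("user", []):
        if not args:
            continue
        name, rules = args[0], set(args[1:])
        if "on" in rules and "nopass" in rules:
            findings.append(f"ACL user '{name}' is enabled with nopass")
        if "+@all" in rules or "allcommands" in rules:
            findings.append(f"ACL user '{name}' may run every command (+@all)")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_REDIS_CONF), ("hardened", HARDENED_REDIS_CONF)):
        print(label, "->", audit_redis_conf(conf) or "no findings")
```

The checks are deliberately conservative: a `bind` to a non-loopback address is only reported when `protected-mode` is also off, because an exposed but properly authenticated server is a deployment choice, not a misconfiguration.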
  11. The top code vulnerability issues
  12. SQL Injection
  13. Sanitize all input

  14. Scan dependencies for vulnerabilities
  15. "Avengers assemble!" What can we do to avoid these mistakes?
  16. Breaking down the silos: avoid delay, integration
  17. Agile 2001, DevOps 2010, DevSecOps 2015. We evolved until...
  18. DevSecOps
  19. Definition through bibliography: "DevSecOps is DevOps done securely." "DevOps has provided speed and quality benefits with continuous development and deployment methods, but it does not guarantee the security of an entire organization." "Whether you call it 'DevOps' or 'DevSecOps,' it has always been ideal to include security as an integral part of the entire app life cycle."
  20. Layered security
  21. The 12-Factor App: 1. Codebase 2. Dependencies 3. Config 4. Backing services 5. Build, release, run 6. Process 7. Port binding 8. Concurrency 9. Disposability 10. Dev/prod parity 11. Logs 12. Admin processes
  22. Tools: what can help you with this
  23. Tools: Avoid security issues • 700 mi • Identify vulnerabilities • Monitoring bugs
  24. Horusec is an open-source framework that enhances the identification of vulnerabilities in your project with just one command.
  26. Demo
  27. And more... • Language Analysis • Integrate with CI/CD • Fancy Dashboard • Extensible
  28. Zup at TDC
  29. Thank you! Otávio Santana @otaviojava, Distinguished Engineer @zupInnovation • Wilian Gabriel da Silva @wiliangds, Tech Lead • Q&A
  30. Thank you! Otávio Santana @otaviojava, Distinguished Engineer @zupInnovation • Q&A