
Preventing you from being responsible for your company's next security disaster[Xgeeks]

Otavio Santana
September 16, 2021

Today we see case after case of security breaches that cost millions, whether in lost credibility or in new fines, and new data protection laws emerge in response.
Investing in information security guarantees quality and prevents these headaches, in addition to avoiding scandals that could make a software project unfeasible.
The company and its team must be aware of the importance of security and prevention, and that requires developing a DevSecOps culture. In this talk, you will learn more about this working model and how to prevent you or someone on your team from becoming responsible for the next security disaster.

Transcript

  1. >_<
    @zupinnovation zup.com.br
    Preventing you from being responsible for your company's next security disaster
    Otavio Santana
    @otaviojava

  2. Who am I?
    Otavio Santana
    Distinguished Engineer
    @otaviojava
    ● Pas Jean Valjean
    ● Java Champion
    ● JCP-EC-EG-EGL
    ● Apache Committer
    ● Eclipse Committer
    ● Eclipse Project Leader
    ● Book and blog writer

  3. Who am I?
    Wilian Gabriel da Silva
    Tech Lead
    @wiliangds
    ● Golang Developer
    ● JS/TS Developer
    ● Python Developer
    ● Compilers Developer
    ● Blog writer
    ● YouTube recorder
    ● Zup Open Source Committer

  4. Who needs security?
    A brief context

  5. The biggest data breaches of the 21st century
    Ref: https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
    ● Yahoo: 3 billion accounts
    ● Alibaba: 1.1 billion pieces of user data
    ● LinkedIn: 700 million users
    ● Sina Weibo: 538 million accounts
    ● Facebook: 533 million accounts

  6. Can a data breach really bankrupt your business?
    800 and 1,500 businesses around the world have been affected
    IBM's Data Breach Study
    $300 million / $7 million
    Target paid this amount for breach remediation

  7. Security in a nutshell
    Confidentiality
    Integrity
    Availability

  8. "Small" mistake > Big consequences
    1. Code Vulnerability
    2. Operations Vulnerability

  9. Code Vulnerability
    Three out of every four applications
    ● Injection
    ● Cross-Site Scripting (XSS)
    ● Buffer Overflow
    ● Broken Authentication
    ● Sensitive Data Exposure
    ● Broken Access Control

  10. Operations Vulnerability
    "New research shows 75% of 'open' Redis servers infected"
    ● Default, blank, and weak username/password
    ● Extensive user and group privileges

  11. The top code vulnerability issues

  12. SQL Injection

  13. Sanitize all input
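The two slides above, SQL injection and "sanitize all input", put side by side as an added example; this code is not from the deck or from the Zup projects it mentions. It uses an in-memory SQLite database with constructed sample rows, and the `users` table, the usernames and the allowlist pattern are all assumptions made for the illustration. It shows the string-concatenated query that the slide warns about, the parameterized query that fixes it, and an allowlist check applied before the value ever reaches the database layer.

```python
"""Added example (not from the slides): SQL injection and input validation
demonstrated on an in-memory SQLite database with constructed sample data."""
import re
import sqlite3

# Constructed sample data; nothing here comes from the deck.
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db() -> sqlite3.Connection:
    # Build a throwaway database so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Deliberately vulnerable: untrusted input is spliced into the SQL text,
    # so a quote in the input changes the structure of the query.
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # The fix: the value travels as a bound parameter and is never parsed
    # as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Assumed allowlist for usernames: short, lowercase, alphanumeric/underscore.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(name: str) -> str:
    # "Sanitize all input": reject anything outside the allowlist before it
    # reaches any backend, rather than trying to strip dangerous characters.
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    # Defence in depth: validate first, then query with parameters.
    return lookup_parameterized(conn, validate_username(name))


def demo() -> dict:
    conn = make_db()
    # Constructed hostile input: a tautology that turns the WHERE clause
    # into "name = '' OR '1'='1'" when concatenated into the query.
    hostile = "' OR '1'='1"
    result = {
        "vulnerable_rows": len(lookup_vulnerable(conn, hostile)),
        "parameterized_rows": len(lookup_parameterized(conn, hostile)),
    }
    try:
        lookup_hardened(conn, hostile)
        result["hardened_rejected"] = False
    except ValueError:
        result["hardened_rejected"] = True
    result["hardened_alice"] = len(lookup_hardened(conn, "alice"))
    return result


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the vulnerable lookup returning every row for the hostile input, the parameterized lookup returning none, the hardened lookup rejecting the input outright, and a legitimate username still resolving normally. The allowlist pattern is the part most likely to need adjusting for a real schema; the parameterized query is the part that should never be optional.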

  14. Scan dependencies for vulnerabilities

  15. "Avengers assemble!"
    What can we do to avoid these mistakes?

  16. Breaking down the silos
    Avoid delay
    Integration
    Prevent

  17. We evolved until...
    ● Agile: 2001
    ● DevOps: 2010
    ● DevSecOps: 2015

  18. DevSecOps

  19. Definition through bibliography
    "DevSecOps is DevOps done securely"
    "DevOps has provided speed and quality benefits with continuous development and deployment methods, but it does not guarantee the security of an entire organization."
    "Whether you call it 'DevOps' or 'DevSecOps,' it has always been ideal to include security as an integral part of the entire app life cycle."

  20. Layered security

  21. The Twelve-Factor App
    1. Codebase
    2. Dependencies
    3. Config
    4. Backing services
    5. Build, release, run
    6. Processes
    7. Port binding
    8. Concurrency
    9. Disposability
    10. Dev/prod parity
    11. Logs
    12. Admin processes

  22. Tools
    What can help you with this challenge?

  23. Tools
    Avoid security issues
    Identify vulnerabilities
    Monitoring bugs

  24. Horusec is an open-source framework that enhances the identification of vulnerabilities in your project with just one command.

  26. Demo

  27. And more...
    ● Language Analysis
    ● Integrate with CI/CD
    ● Fancy Dashboard
    ● Extensible

  28. Zup at TDC

  29. Thank you!
    Otávio Santana
    @otaviojava
    Distinguished Engineer
    @zupInnovation
    Wilian Gabriel da Silva
    @wiliangds
    Tech Lead
    Q&A

  30. Thank you!
    Otávio Santana
    @otaviojava
    Distinguished Engineer
    @zupInnovation
    Q&A