Slide 1
Continuous Security Laura Bell SafeStack
Slide 2
Continuous Security. Laura Bell, Founder & Lead Consultant, SafeStack. @lady_nerd, laura@safestack.io
Slide 3
once upon a time*… * Sometime in the last week for some of you
Slide 4
and the whole world went to hell
Slide 5
common misconceptions
Slide 6
it’s not my job (that’s why we have a security team)
Slide 7
it’s impossible so why try
Slide 8
we’ve always done this… nobody’s hacked us yet
Slide 9
we’re too little to fail (at security)
Slide 10
agility increases risk
Slide 11
what is continuous security?
Slide 12
design code stuff idea test deploy
Slide 13
design code stuff idea test deploy; Initial Risk Assessment, Design Review, Code and Implementation Review, Penetration Testing
Slide 14
Slide 15
continuous
Slide 16
principles of continuous security
Slide 17
automated autonomous integrated repeatable scalable
Slide 18
automated “the best technical people I know work really hard to make themselves redundant”
Slide 19
Deployment, Provisioning, Testing, Static analysis, Vulnerability mgmt
Slide 20
autonomous “no bottlenecks, breakdowns or ripples”
Slide 21
Slide 22
Skills Authority Accountability every team
Slide 23
integrated “bite-sized security that works with every step of your lifecycle”
Slide 24
Slide 25
Woven in to keep you going Respected enough to stop you
Slide 26
repeatable “security fails when it’s a special event”
Slide 27
Every story, Every sprint, Every developer, Every time
Slide 28
Standard Security Stories http://www.safecode.org
Slide 29
scalable “more than just a single team experiment”
Slide 30
Business as usual: Managed, Measured, Controlled, Universal. Special: Proof of concept, Blue sky, Experiment, Innovation
Slide 31
Case Study
Slide 32
Fast growing, 110 developers, Compliance environment, New code, Legacy code, Multiple languages
Slide 33
Requirements: Standard Security Stories, Architecture Inclusion, Reusable requirements
Slide 34
Code review: IDE based free tools, Peer Review, Security guild
Slide 35
Testing: Automated ZAP testing, Selenium, Standard security tests
Slide 36
Deployment: Vulnerability checks, Infrastructure as code, On demand deployments
Slide 37
Collaboration: Security guild, Chat ops, Hack events
Slide 38
Good stuff: speed of change, skill level increase, increased awareness, priority of legacy, use of security resource
Slide 39
Lessons learned security guilds tool cost tool quality approaches training at scale
Slide 40
achieving continuous security
Slide 41
choose tools wisely: integrations with workflows, API, speed
Slide 42
easy to digest resources keep your examples, templates and reusable stuff as close to your developers as possible
Slide 43
educate everyone: skills are the number one bottleneck
Slide 44
give testers some love test environments, clean test data and tools
Slide 45
no special treatment legacy code needs security too
Slide 46
dev == test == prod remove the differences to remove deployment complexity
Slide 47
Questions? Laura Bell, Founder & Lead Consultant, SafeStack. @lady_nerd, laura@safestack.io
Slide 48
@lady_nerd Laura Bell SafeStack Thanks for listening…