Slide 1

@zupinnovation zup.com.br

Preventing you from being responsible for your company's next security disaster
Otavio Santana, @otaviojava

Slide 2

Who am I?
Otavio Santana, Distinguished Engineer, @otaviojava
● Pas Jean Valjean
● Java Champion
● JCP-EC-EG-EGL
● Apache Committer
● Eclipse Committer
● Eclipse Project Leader
● Book and blog writer who

Slide 3

Who am I?
Wilian Gabriel da Silva, Tech Lead, @wiliangds
● Golang Developer
● JS/TS Developer
● Python Developer
● Compilers Developer
● Blog writer
● YouTube recorder
● Zup Open Source Committer

Slide 4

Who needs security?
A brief context

Slide 5

The biggest data breaches of the 21st century
Ref: https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html

Company     | Size    | What was exposed
Yahoo       | 3 bi    | Accounts
Alibaba     | 1.1 bi  | Pieces of user data
LinkedIn    | 700 mi  | Users
Sina Weibo  | 538 mi  | Accounts
Facebook    | 533 mi  | Accounts

Slide 6

Can a data breach really bankrupt your business?
800 and 1,500 businesses around the world have been affected
IBM's Data Breach Study
$300 million
$7 million
Target paid this amount for breach remediation

Slide 7

Security in a nutshell
● Confidentiality
● Integrity
● Availability

Slide 8

"Small" mistake > Big consequences
1. Code Vulnerability
2. Operations Vulnerability

Slide 9

Code Vulnerability
Every 3 out of 4 applications
● Injection
● Cross-Site Scripting (XSS)
● Buffer Overflow
● Broken Authentication
● Sensitive Data Exposure
● Broken Access Control

Slide 10

Operations Vulnerability
"New research shows 75% of 'open' Redis servers infected"
● Default, blank, and weak username/password
● Extensive user and group privileges

Slide 11

The top code vulnerability issues

Slide 12

SQL Injection

Slide 13

Sanitize all input
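As an added example (not from the slides), the two slides above, "SQL Injection" and "Sanitize all input", in working Python: a string-built query beside its parameterized form, plus an allow-list check on the input itself. The table, rows and inputs are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample data (not from the talk).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Allow-list for usernames: sanitizing means rejecting anything outside
# the expected shape, not trying to strip "bad" characters after the fact.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def is_valid_username(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """String-built query: the input becomes part of the SQL text."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the input is bound as data, never parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Row counts for a benign name and for a name carrying SQL syntax."""
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # constructed; fails the allow-list check
    return {
        "vuln_benign": len(find_user_vulnerable(conn, benign)),
        "vuln_hostile": len(find_user_vulnerable(conn, hostile)),  # every row
        "safe_benign": len(find_user_safe(conn, benign)),
        "safe_hostile": len(find_user_safe(conn, hostile)),  # no such user
    }


if __name__ == "__main__":
    print(demo())
```

The string-built version returns every row for the hostile input because the quote closes the literal and the rest is parsed as SQL; the parameterized version looks for a user literally named that string and finds none.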

Slide 14

Scan dependencies for vulnerabilities

Slide 15

"Avengers assemble!"
What can we do to avoid these mistakes?

Slide 16

Breaking down the silos
● Avoid delay
● Integration
● Prevent

Slide 17

We evolved until...
● Agile, 2001
● DevOps, 2010
● DevSecOps, 2015

Slide 18

DevSecOps

Slide 19

Definition through bibliography
"DevSecOps is DevOps done securely"
"DevOps has provided speed and quality benefits with continuous development and deployment methods, but it does not guarantee the security of an entire organization."
"Whether you call it 'DevOps' or 'DevSecOps,' it has always been ideal to include security as an integral part of the entire app life cycle."

Slide 20

Layered security

Slide 21

The 12 Factor App
1. Codebase
2. Dependencies
3. Config
4. Backing services
5. Build, release, run
6. Processes
7. Port binding
8. Concurrency
9. Disposability
10. Dev/prod parity
11. Logs
12. Admin processes

Slide 22

Tools
What can help you with this challenge?

Slide 23

Tools
● Avoid security issues
● Identify vulnerabilities
● Monitoring bugs
700 mi

Slide 24

Horusec is an open-source framework that enhances the identification of vulnerabilities in your project with just one command.


Slide 26

Demo

Slide 27

And more...
● Language Analysis
● Integrate with CI/CD
● Fancy Dashboard
● Extensible

Slide 28

Zup at TDC

Slide 29

Thank you!
Otávio Santana, Distinguished Engineer, @otaviojava, @zupInnovation
Wilian Gabriel da Silva, Tech Lead, @wiliangds
Q&A

Slide 30

Thank you!
Otávio Santana, Distinguished Engineer, @otaviojava, @zupInnovation
Q&A