SDLC - Software Development Lifecycle
• Design: analyze requirements and identify solutions
• Build: develop the product as per the requirements
• Test: combine automated and manual testing to check the software for bugs
• Deploy: move the latest build to the production environment (packaging, environment configuration, and installation)
• Maintain: continuous monitoring, maintenance, feedback
threats, such as structural vulnerabilities or the absence of appropriate safeguards, using systematic analysis. (OWASP10)
• Assess scope - What are we working on?
• Identify what can go wrong - What can go wrong?
• Manage risk - What are we going to do about it?
• Assess your work - Did we do a good job?
• test application source code for a range of known security vulnerabilities
• scan the codebase for security vulnerabilities
Software Composition Analysis (SCA)
• an application security methodology
• tracks and analyzes any open source component brought into a project
• SCA is used to scan dependencies for security vulnerabilities
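As an added illustration of the SCA bullets above (not the page's own code and not Revolut's tooling): a small Python script that parses a pinned `requirements.txt`, matches each dependency against an advisory list, and flags unpinned dependencies as findings in their own right. The manifest, the package versions and the `EXAMPLE-ADV-*` advisory records are constructed sample data; a real SCA tool would pull advisories from a feed such as OSV or GHSA.

```python
"""Minimal software-composition-analysis (SCA) check over a pinned manifest.

Added example, not Security Drone's code. Advisory data below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed manifest, as a PR might add it. Package names and versions are
# sample data, not any real project's dependency set.
SAMPLE_REQUIREMENTS = """\
# web stack
flask==2.0.1
requests==2.31.0   # pinned after upgrade
pyyaml==5.3.1
itsdangerous==2.1.2
jinja2>=3.0
"""


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)
    advisory_id: str  # placeholder id, not a real CVE/GHSA number


# Constructed advisory database for illustration only.
ADVISORIES = [
    Advisory("flask", "0.0", "2.2.5", "EXAMPLE-ADV-001"),
    Advisory("pyyaml", "0.0", "5.4", "EXAMPLE-ADV-002"),
    Advisory("requests", "0.0", "2.31.0", "EXAMPLE-ADV-003"),
]

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.]*)$")


def parse_version(v):
    """Turn '2.31.0' into (2, 31, 0); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def parse_requirements(text):
    """Return {package: version}; version is None for lines that are not pinned with ==."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
        else:
            # Range or unpinned specifier: the installed version cannot be
            # reasoned about from the manifest, so record it as unknown.
            name = re.split(r"[<>=!~]", line)[0].strip().lower()
            pins[name] = None
    return pins


def is_affected(version, adv):
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def scan_dependencies(requirements_text, advisories=ADVISORIES):
    """Return sorted (package, version, advisory_id, remediation) findings."""
    findings = []
    for pkg, version in parse_requirements(requirements_text).items():
        if version is None:
            findings.append((pkg, "unpinned", "UNPINNED", "pin an exact version"))
            continue
        for adv in advisories:
            if adv.package == pkg and is_affected(version, adv):
                findings.append((pkg, version, adv.advisory_id, adv.fixed))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, version, adv_id, fix in scan_dependencies(SAMPLE_REQUIREMENTS):
        print(f"{pkg}=={version}: {adv_id} -> upgrade to {fix}")
```

The check deliberately treats an unpinned dependency as a finding: without an exact pin the manifest does not tell you which version will be installed, so the scan cannot vouch for it.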
penetration tests to find vulnerabilities
• simulates real-world attacks for critical threats (XSS, SQL injection, CSRF)
Penetration Testing (Pen Tests)
• identify vulnerabilities in systems and applications before they can be exploited
• provides insight into the security posture of a system
• provides visibility into potential risks
security scans are conducted on source code written for cloud infrastructure
• the code is secure before it is deployed
Secure Release Management
• the process of controlling and managing system and application releases
• ensuring that the release meets the organization's security standards
should be performed with some regularity
• allows for swift identification and remediation of security vulnerabilities
Continuous monitoring
• tracks new vulnerabilities
• monitors your code for changes
Application Security Team (AppSec)
• responsible for the security assurance of every new feature developed
• there were nearly 39,000 commits created by over 900 authors (Jul 2022)
Key challenges:
• software changes are constantly increasing
• new changes are integrated and deployed every day
• engineers tend to prioritise development of functionality over security
• the internal application security team is not big enough
• automation of security processes is required
• more pipeline-integrated tools increase job execution time
• this negatively affects the development experience
• triaging all of the security findings
every 24h of a working day there were about 950 new pull requests
• nearly 1.85 commits per PR
• automated scans executed with a frequency of 3–4 times per minute
• 81% of the commits had the main branch as their final destination
• security static analysis tools can easily be shifted left to an earlier phase in the SDLC
• communicating security issues to developers as early as possible
• scan code changes during the pull request phase (trigger a scan on PR creation)
• place Security Drone in a Kubernetes cluster (scan the code independently from CI/CD pipelines)
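The two scanning ideas on this page, infrastructure-as-code scanning of cloud/Kubernetes definitions and scanning code changes at the pull-request phase, can be shown together. The following Python is an added example, not Security Drone's implementation and not code from the page: it parses a unified diff, keeps only the lines the PR adds (tracking new-file line numbers from the hunk headers), and runs a few custom SAST rules for Python and IaC rules for Kubernetes manifests over those lines, so each finding points at the developer's own change. The diff, file paths and rule ids are constructed.

```python
"""Diff-scoped SAST + IaC scan for the pull-request phase.

Added example, not Security Drone's code. The diff and rules are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    kind: str            # "sast" (application code) or "iac" (infrastructure)
    suffix: str          # file suffix the rule applies to
    pattern: re.Pattern
    message: str


# Constructed custom rules; ids are illustrative, not from any rule set.
RULES = [
    Rule("py-subprocess-shell", "sast", ".py",
         re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True"),
         "shell=True runs a string through the shell; pass an argv list instead"),
    Rule("py-yaml-unsafe-load", "sast", ".py",
         re.compile(r"yaml\.load\((?![^)]*Loader=)"),
         "yaml.load without an explicit Loader; use yaml.safe_load"),
    Rule("k8s-privileged", "iac", ".yaml",
         re.compile(r"privileged:\s*true"),
         "privileged container has host-level access; drop the flag"),
    Rule("k8s-run-as-root", "iac", ".yaml",
         re.compile(r"runAsUser:\s*0\b"),
         "container runs as root; set runAsNonRoot: true and a non-zero runAsUser"),
]

# Constructed pull-request diff touching application code and a manifest.
SAMPLE_DIFF = """\
diff --git a/app/export.py b/app/export.py
--- a/app/export.py
+++ b/app/export.py
@@ -10,5 +10,9 @@ import yaml
 def load_config(path):
-    return yaml.safe_load(open(path))
+    with open(path) as fh:
+        return yaml.load(fh)
+
+def run_report(name):
+    return subprocess.run("report " + name, shell=True)
 
 def old_helper():
     pass
diff --git a/deploy/worker.yaml b/deploy/worker.yaml
--- a/deploy/worker.yaml
+++ b/deploy/worker.yaml
@@ -20,4 +20,5 @@ spec:
       image: worker:1.2
       securityContext:
-        runAsNonRoot: true
+        privileged: true
+        runAsUser: 0
       resources: {}
"""

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def added_lines(diff_text):
    """Yield (path, new_line_number, content) for every line the diff adds."""
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):                 # new-file header
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith(("--- ", "diff ", "index ", "\\")):
            continue                               # headers / "no newline" marker
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))             # first new-file line of the hunk
            continue
        if path is None:
            continue
        if raw.startswith("+"):
            yield path, new_line, raw[1:]
            new_line += 1
        elif raw.startswith("-"):
            continue                               # removed lines have no new position
        else:
            new_line += 1                          # context line (empty lines included)


def scan_diff(diff_text, rules=RULES):
    """Run the rules over added lines only; return sorted (path, line, rule_id, kind)."""
    findings = []
    for path, lineno, content in added_lines(diff_text):
        for rule in rules:
            if path.endswith(rule.suffix) and rule.pattern.search(content):
                findings.append((path, lineno, rule.rule_id, rule.kind))
    return sorted(findings)


def format_findings(findings, rules=RULES):
    """Render findings as 'path:line: [rule] message', suitable for a PR annotation."""
    by_id = {r.rule_id: r for r in rules}
    return [f"{p}:{n}: [{rid}] {by_id[rid].message}" for p, n, rid, _ in findings]


if __name__ == "__main__":
    print("\n".join(format_findings(scan_diff(SAMPLE_DIFF))))
```

Because only added lines are scanned, the removed `yaml.safe_load` call and the untouched context lines produce nothing, and each finding carries the line number in the new file, which is what a PR comment or check annotation needs. Scanning the full repository in the same job would surface pre-existing issues the developer did not write, which is exactly the noise the pull-request phase is meant to avoid.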
Security Drone performed over 39,000 scans (Jul 2022)
• median scanning time is below 112 seconds
• 19 SAST and 63 IaC custom rules used
• productionized Security Drone for the next eight months without issues
• lowered the false positive rate to ~3.8%
• scans 100% of the code in Revolut
• 1700 pull requests scanned / 24h
• 3900 associated scans performed / 24h
Key achievements
• adopted a shift-left approach to security
• fix security issues before going into production
• only merged security issues are reported to the AppSec Team (easy triage)
• saves hundreds of hours of manual reviews
• Parallel scans = Happy developers
• Median scanning time: ~11s SAST, ~22s IaC & ~101s SCA