We all love DevOps and Continuous Deployment because it allows us to deploy more reliable software faster. But are we willing to sacrifice the security of our and our customer's data for those benefits? Fortunately we don't need to… but we do need to think about application security differently than we have in the past. Our traditional application security methodologies present a host of challenges in the fast moving world of DevOps, including: - How do we ensure that the code we deploy is secure when it was only written just this morning? - How can we provide the security our customers expect without impacting our speed and agility? - How can we insert security into an SDLC when there is no formal SDLC? - How do you deal with auditors that don't understand DevOps and Continuous Deployment? At New Relic, we deploy on a daily basis and face all of these challenges. We'll talk about how we are addressing them as well as our vision for the evolution of application security.

1. AppSec in a DevOps World
SHAUN GORDON
NEW RELIC DIRECTOR OF INFORMATION SECURITY & COMPLIANCE
OCTOBER 23, 2013
Wednesday, November 6, 13

2. Wednesday, November 6, 13

3. Speed
Wednesday, November 6, 13

4. Speed
Security
Wednesday, November 6, 13

5. Speed
vs.
Security
Wednesday, November 6, 13

6. Wednesday, November 6, 13

7. Accelerating Development Cycles
Wednesday, November 6, 13

8. Accelerating Development Cycles
Boxed Software
Waterfall
1 Year
Wednesday, November 6, 13

9. Accelerating Development Cycles
Web 1.0
3 months Waterfall
Wednesday, November 6, 13

10. Accelerating Development Cycles
4 week
Wednesday, November 6, 13
Web 2.0
Agile

11. Accelerating Development Cycles
2x week
DevOps
Wednesday, November 6, 13

12. Accelerating Development Cycles
daily
Continuous
Deployment
DevOps
Wednesday, November 6, 13

13. Accelerating Development Cycles
hourly
Wednesday, November 6, 13
Continuous
Deployment
DevOps

14. Accelerating Development Cycles
hourly
Wednesday, November 6, 13
Continuous
Deployment
DevOps

15. Accelerating Development Cycles
3 months Waterfall
Agile
4 week
Wednesday, November 6, 13

16. Accelerating Development Cycles
3 months Waterfall
Agile
4 week
Wednesday, November 6, 13

17. Accelerating Development Cycles
daily
hourly
Wednesday, November 6, 13
Continuous
Deployment
DevOps

18. Traditional (Waterfall) SDLC
Requirements
Wednesday, November 6, 13
Design
Development
Tes2ng
Release
Produc2on

19. Traditional (Waterfall) SDLC
Requirements
Design
Development
Tes2ng
Release
Define functional (features) and nonfunctional requirements (capabilities)
Wednesday, November 6, 13
Produc2on

20. Traditional (Waterfall) SDLC
Requirements
Design
Development
Tes2ng
Release
Translate requirements into
architecture and detailed design
Wednesday, November 6, 13
Produc2on

21. Traditional (Waterfall) SDLC
Requirements
Design
Development
Tes2ng
Build it!
Wednesday, November 6, 13
Release
Produc2on

22. Traditional (Waterfall) SDLC
Requirements
Design
Development
Tes2ng
Release
Produc2on
Ensure functional and non-functional
requirements
Wednesday, November 6, 13

23. Traditional (Waterfall) SDLC
Requirements
Design
Development
Tes2ng
Ship or push live
Wednesday, November 6, 13
Release
Produc2on

24. Traditional (Waterfall) SDLC
Requirements
Design
Development
Tes2ng
Release
Maintain and patch as needed
Wednesday, November 6, 13
Produc2on

25. Traditional (Waterfall) SDLC Security
Wednesday, November 6, 13

26. Checkpoints
Controls
Formal Processes
Traditional (Waterfall) SDLC Security
Wednesday, November 6, 13

27. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing

28. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing

29. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing

30. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing

31. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing

32. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing

33. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing

34. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing

35. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing

36. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing

37. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing

38. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing

39. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing

40. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing

41. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing

42. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
•
•
Vulnerability
Scanning
Penetration
Testing

43. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
•
•
Vulnerability
Scanning
Penetration
Testing

44. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
•
•
Vulnerability
Scanning
Penetration
Testing

45. Continuous Deployment Security
Wednesday, November 6, 13

46. Continuous Deployment Security
Requirements
Low to No friction (can’t slow us down)
Transparent
No significant changes to development processes
Make us More Secure
Wednesday, November 6, 13

47. Continuous Deployment Security
Requirements
Strategies & Tactics
Low to No friction (can’t slow us down)
Automation
Transparent
Training & Empowerment
No significant changes to development processes
Lightweight Processes
Make us More Secure
Triage
Quickly Detect & Respond
Wednesday, November 6, 13

48. Traditional (Waterfall) SDLC Security
Requirements
• Functional &
Non-Functional
security
requirement
Design
• Architectural
•
Review
Threat Modeling
Development
• Secure Coding
•
•
Practices
Static Analysis
White Box
Testing
Testing
• Dynamic
•
• Separation
Analysis
Requirements
Testing
Release
• Penetration
•
•
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
• Vulnerability
•
Scanning
Penetration
Testing

49. Continuous Deployment Security
Requirements
• Functional &
Non-Functional
security
requirement
Design
• Architectural
•
Review
Threat Modeling
Development
• Secure Coding
•
•
Practices
Static Analysis
White Box
Testing
Testing
• Dynamic
•
• Separation
Analysis
Requirements
Testing
Release
• Penetration
•
•
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
• Vulnerability
•
Scanning
Penetration
Testing

50. Continuous Deployment Security
Requirements
• Functional &
Non-Functional
security
requirement
Design
• Architectural
•
Review
Threat Modeling
Development
• Secure Coding
•
•
Practices
Static Analysis
White Box
Testing
Testing
• Dynamic
•
• Separation
Analysis
Requirements
Testing
Release
• Penetration
•
•
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
• Vulnerability
•
Scanning
Penetration
Testing

51. Continuous Deployment Security
Requirements
Design
Requirements & Design
• Functional &
Non-Functional
security
requirement
• Architectural
•
Review
Threat Modeling
Development
Development, Testing & Release Release
Testing,
• Secure Coding
•
•
Practices
Static Analysis
White Box
Testing
• Dynamic
•
• Separation
Analysis
Requirements
Testing
• Penetration
•
•
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
• Vulnerability
•
Scanning
Penetration
Testing

52. Continuous Deployment Security
Requirements & Design
•
Functional &
Non-Functional
security
requirement
•
•
Architectural
Review
Threat Modeling
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing

53. Continuous Deployment Security
Requirements & Design
•
Functional &
Non-Functional
security
requirement
•
•
Architectural
Review
Threat Modeling
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing

54. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Threat Modeling
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing

55. Required Security Evaluation
< 25 Minute Meeting
1.Technical Overview
2.Business Context
3.Developer Concerns
Wednesday, November 6, 13

56. Security Evaluation Outcomes
Wednesday, November 6, 13

57. Security Evaluation Outcomes
• Low Risk
• Simple
Guidance
Wednesday, November 6, 13

58. Security Evaluation Outcomes
• Higher Risk
• Deep Dive
• Whiteboarding
• Threat Model
Wednesday, November 6, 13

59. Security Evaluation Follow-Up
Wednesday, November 6, 13

60. Security Evaluation Follow-Up
• Document
• Follow Up
Wednesday, November 6, 13

61. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Threat Modeling
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing

62. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing

63. Threat Modeling
Wednesday, November 6, 13

64. Threat Modeling
Identify your assets and the
threats against them
Wednesday, November 6, 13

65. Threat Modeling
Identify your assets and the
threats against them
Focus your resources on the
greatest risks
Wednesday, November 6, 13

66. Threat Modeling @ New Relic
Wednesday, November 6, 13

67. Threat Modeling @ New Relic
Decompose your Application
Wednesday, November 6, 13

68. Threat Modeling @ New Relic
Decompose your Application
Identify your Assets
Wednesday, November 6, 13

69. Threat Modeling @ New Relic
Decompose your Application
Identify your Assets
Enumerate your Threats
Wednesday, November 6, 13

70. Threat Modeling @ New Relic
Decompose your Application
Identify your Assets
Enumerate your Threats
Rate & Rank your Threats
Wednesday, November 6, 13

71. Threat Modeling @ New Relic
Decompose your Application
Identify your Assets
Enumerate your Threats
Rate & Rank your Threats
Address or Accept
Wednesday, November 6, 13

72. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing

73. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Static Analysis
White Box
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing

74. Secure Libraries & Services
Authentication Service
Security Event Logging Service
Input Validation Regex Patterns
Encryption Libraries
Wednesday, November 6, 13

75. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Static Analysis
White Box
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing

76. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
White Box
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing

77. Brakeman
+
Jenkins
brakemanscanner.org
Wednesday, November 6, 13

78. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
White Box
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing

79. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing

80. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing

81. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing

82. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
•
• Separation
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
Penetration
Testing

83. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
•
• Separation
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
Penetration
Testing

84. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
• Separation
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
Penetration
Testing

85. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
• Separation
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
Penetration
Testing

86. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
• Separation
•
•
•
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
Penetration
Testing

87. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
• Separation
•
•
•
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
Penetration
Testing

88. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
• Separation
•
•
•
Automated
Commit Triage
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
Penetration
Testing

89. Triage Process
Dangerous Methods
Sensitive Modules
Security Keywords
Wednesday, November 6, 13

90. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
• Separation
•
•
•
Automated
Commit Triage
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
Penetration
Testing

91. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
• Separation
•
•
•
Automated
Commit Triage
Quick Detection
& Recovery
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
Penetration
Testing

92. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
• Separation
•
•
•
Automated
Commit Triage
Quick Detection
& Recovery
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
Penetration
Testing

93. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
•
•
•
Automated
Commit Triage
Quick Detection
& Recovery
• Accountability
• Management
Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
Penetration
Testing

94. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
•
•
•
Automated
Commit Triage
Quick Detection
& Recovery
• Accountability
• Management
Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
Penetration
Testing

95. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
•
•
•
Automated
Commit Triage
Quick Detection
& Recovery
• Accountability
• Sidekick
Process
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
Penetration
Testing

96. Wednesday, November 6, 13

97. Wednesday, November 6, 13

98. Wednesday, November 6, 13

99. Two Sets of (masked) eyes on every change
Wednesday, November 6, 13

100. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
•
•
•
Automated
Commit Triage
Quick Detection
& Recovery
• Accountability
• Sidekick
Process
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
Penetration
Testing

101. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
• Accountability
• Sidekick
Process
• Enabling Tools
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
•
Automated
Commit Triage
Quick Detection
& Recovery
Penetration
Testing

102. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
• Accountability
• Sidekick
Process
• Enabling Tools
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
•
Automated
Commit Triage
Quick Detection
& Recovery
Penetration
Testing

103. Continuous Deployment Security
Requirements & Design
•
•
Required Security Evaluation
Lightweight
Targeted
Threat Modeling
Development, Testing, & Release
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
• Automated
• Penetration
Commit Triage
Testing
Quick Detection
•
& Recovery
• Accountability
• Sidekick
Process
• Enabling Tools
Wednesday, November 6, 13
Production

104. Powered By...
Wednesday, November 6, 13

105. Powered By...
Automation
Training & Empowerment
Lightweight Processes
Triage
Quick Detection & Response
Wednesday, November 6, 13

106. Auditors
Wednesday, November 6, 13

107. Auditors
Compensating Controls
Wednesday, November 6, 13

108. Auditors
Compensating Controls
Tell the Story
Wednesday, November 6, 13

109. Thank You!
Wednesday, November 6, 13

110. Thank You!
shaun@newrelic.com
security@newrelic.com
Wednesday, November 6, 13

111. Image Attribution
Slide
14
Checkpoint
Rheinpark
by
h1p://www.flickr.com/photos/kecko/3179561892/
Wednesday, November 6, 13