How To Move Mountains - ToorCon 2017

•

1 j'aime•414 vues

Presenting a framework for building an AppSec program in a DevOps environment; specifically one that is moving towards CI/CD. Abstract: Pentesters are tired of breaking things, writing a report, and walking away. Security teams are caught in a backlog that prevents them from ever staying ahead. Developers curse security for slowing them down. How can we address these seemingly incompatible and insurmountable issues in an organization, especially at scale? The answer to this may be found in a practice called "DevSecOps" that has been gaining momentum in large organizations that need to move fast and ensure a high level of security across their applications and operations. It is a practice that attempts to address all of these issues through two core principles- automation and education. Using experience gained from working with several large fortune 500 companies, this talk will cover the basics of DevSecOps, and dive into specific tools and processes that organizations of any size can implement to immediately improve their speed of delivery while maintaining a strong and measurable security baseline.

Logiciels

How To Move Mountains
Aaron Hnatiw
aaron@securitycompass.com
Twitter: @insp3ctre
www.securitycompass.com

Senior Security Researcher, Security Compass
Aaron Hnatiw
• College professor of application security
• Developer
• System administrator
• Security consultant
• Network security engineer
Twitter: @insp3ctre

DevOps: the solution is the
problem (for security)

Continuous Learning
1.Threat modelling
2.Regular check-ins
3.Open ofﬁce
4.Maintain interest

WHERE TO START
▸ SD Elements
▸ OWASP Top 10 Cheat Sheet
▸ CWE/SANS Top 25 Most Dangerous Software Errors
▸ Again- old ﬁndings and mistakes

WHERE TO START (OTHER TOOLS)
▸ Lemur (Netﬂix): https://github.com/Netﬂix/lemur
▸ Repokid (Netﬂix): https://github.com/Netﬂix/repokid
▸ Simian Army (Netﬂix): https://github.com/Netﬂix/SimianArmy
▸ Phan (Etsy): https://github.com/etsy/phan
▸ Elastalert (Yelp): https://github.com/Yelp/elastalert
▸ Brakeman: http://brakemanscanner.org/
▸ Twitter uses this and hired the developer

WHERE TO START (AWS)
▸ AWS CodePipeline
▸ AWS Inspector
▸ CloudFormation
▸ AWS Conﬁg
▸ AWS CloudWatch Events
▸ Action with Lambda

▸ Education
▸ Developers are being asked to write code securely. Enable this through
Continuous Learning (CI/CD... CL!)
▸ Automation
▸ Build an integrated system that ﬁnds security issues easily and
automatically, with actionable results
▸ Remediation
▸ CI/CD allows us to push out security ﬁxes faster than ever before
Education + Automation = Remediation
Aaron Hnatiw
aaron@securitycompass.com
Twitter: @insp3ctre
www.securitycompass.com

Contenu connexe

Tendances

Building Security Controls around Attack Models

SeniorStoryteller

The Joy of Proactive Security

Andy Hoernecke

Application Security at DevOps Speed - DevOpsDays Singapore 2016

Stefan Streichsbier

Why does security matter for devops by Caroline Wong

DevSecCon

Bruce Lee once said “Don’t get set into one form, adapt it and build your own, and let it grow, be like water“. AppSec needs to look beyond itself for answers to solving problems since we live in a world of every increasing numbers of apps. Technology and apps have invaded our lives, so how to you lead a security counter-insurgency? One way is to look at the key tenants of DevOps and apply those that make sense to your approach to AppSec. Something has to change as the application landscape is already changing around us.

Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...

Matt Tesauro

How to adapt the SDLC to the era of DevSecOps

Zane Lackey

Secure Software Development Lifecycle - Devoxx MA 2018

Imola Informatica

we45’s SecDevOps and Security Automation Framework (2SAF) aims at decreasing mean time to product deployment with reduced operational resources – with the inclusion of relevant custom product security controls. The 2SAF enables engineering teams to implement a customized automated and threat modeled penetration testing model for every release of the produce lifecycle. Our powerful Review – Train – Study model has enabled engineering and DevOps teams to implement 2SAF within weeks to a fully operational and measurable working framework.

we45 - SecDevOps Concept Presentation

Abhay Bhargav

DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases

DevSecCon

Shifting left – embedding security into the devops pipeline by Mike d. Kail

DevSecCon

IPNEC - Security Services

Abdus Saboor

Proactive Security AppSec Case Study

Andy Hoernecke

Security often isn’t the top priority for many developers, who already are juggling multiple projects and deadlines. In fact, security seems to get in the way of keeping up with the pace of business. However, developers control a critical piece of the security puzzle and need to be engaged in the security cause—no longer can they stand by and say the responsibility for security lies in the hands of the security team. Rather, security must be built-in from the start. In this webinar, Secure Code Warrior CTO Matias Madou will look at what we as security professionals have been doing wrong and how agile, DevSecOps and DevOps are changing the role of the developer. Madou will discuss current best practices and ways in which they often fall short of the goal of building in security from the start, and will share new methodologies being deployed at multiple global organizations that make developers want to be part of the solution. Madou will be joined by Alexandre Pluvinage, head of Cybersecurity and Fraud Awareness at ING Belgium and ING BD Netherlands, who will discuss how his team engaged developers to think with a security mindset and how they rolled out a security program for developers, and share the results of the program to date.

Improving Software Security in an Agile Environment: A Case Study

DevOps.com

Event logs provide valuable information to troubleshoot operational errors, and investigate potential security exposures. They are literally the bread crumbs of the IT world. As a result, a commonly-used approach is to collect logs from everything connected to the network "just in case" without thinking about what data is actually useful. But, as you're likely aware, the "collect everything" approach can actually make threat detection and incident response more difficult as you wade through massive amounts of irrelevant data. Join us for this session to learn practical strategies for defining what you actually need to collect (and why) to help you improve threat detection and incident response, and satisfy compliance requirements. In this session, you'll learn : *What log data you always need to collect and why *Best practices for network, perimeter and host monitoring *Key capabilities to ensure easy, reliable access to logs for incident response efforts *How to use event correlation to detect threats and add valuable context to your logs

How to Leverage Log Data for Effective Threat Detection

AlienVault

Ethical hacking course task 8

GURUPRASANTH33

O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?

Izar Tarandach

It is well known among security professionals that the weakest link in any organization's security is the employee- the so-called "human element". While endpoint security controls may mitigate this risk, they are nowhere close to removing it completely. This is where security training becomes essential. This talk will cover how to introduce and improve security training in any organization, along with industry best practices, and methods to keep knowledge retention high. The speaker will provide specific examples from his own experience of cases where a properly trained employee could have easily thwarted a devastating attack immediately. Will your employees be your weakest link, or your strongest asset?

Security Training: Making your weakest link the strongest - CircleCityCon 2017

Aaron Hnatiw

Endpoint threats have entered a new era, and the security industry has been rushing to catch up. The result is a highly fragmented and confusing market that has doubled in size to over 70 vendors in the last four years. We're in the midst of the second great endpoint security consolidation and will discuss precisely what that means. We'll discuss six progressive stages endpoint security will work through as this market continues to mature over the next five years or so.

2016 virus bulletin

Adrian Sanabria

DevSecOps - It can change your life (cycle)

Qualitest

HouSecCon 2019 Offensive Security - Starting from Scratch. Learn from Spencer Koch and Altaz Valani about how to build an offensive security program from scratch, incorporating application security, infrastructure vulnerability management, hardening, devsecops, security champions, and red teaming. Be able to organize these capabilities to tell a story and build maturity to help your organization be more secure. Includes gotchas and lessons learned from industry experience.

HouSecCon 2019: Offensive Security - Starting from Scratch

Spencer Koch

Tendances (20)

Building Security Controls around Attack Models

The Joy of Proactive Security

Application Security at DevOps Speed - DevOpsDays Singapore 2016

Why does security matter for devops by Caroline Wong

Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...

How to adapt the SDLC to the era of DevSecOps

Secure Software Development Lifecycle - Devoxx MA 2018

we45 - SecDevOps Concept Presentation

DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases

Shifting left – embedding security into the devops pipeline by Mike d. Kail

IPNEC - Security Services

Proactive Security AppSec Case Study

Improving Software Security in an Agile Environment: A Case Study

How to Leverage Log Data for Effective Threat Detection

Ethical hacking course task 8

O'Reilly SACon 2019 - (Continuous) Threat Modeling - What works?

Security Training: Making your weakest link the strongest - CircleCityCon 2017

2016 virus bulletin

DevSecOps - It can change your life (cycle)

HouSecCon 2019: Offensive Security - Starting from Scratch

Similaire à How To Move Mountains - ToorCon 2017

Building an Open Source AppSec Pipeline

Matt Tesauro

CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...

PROIDEA

Lessons from DevOps: Taking DevOps practices into your AppSec Life

Matt Tesauro

This talk will argue that DevOps methodologies can be applied to traditional application security practices. Only when developers and operations team members are enabled to make security a part of their everyday work will an organization's security culture change. We must meet security at the sweet spot between running a marathon and sprinting towards a software deployment. So put on your running shoes; it’s time for Dev{Sec}Ops!

Product Security

Steven Carlson

Owasp tds

snyff

Succeeding-Marriage-Cybersecurity-DevOps final

rkadayam

Presentation by Shannon Lietz Software needs to be awesome, resilient, available and “secure”, but Security has long been a big roadblock to fast deployments and software improvement. What if it wasn’t? Continuous delivery requires operational functions to shift left and for an iterative approach to be taken. Security has not been easy to shift left and taking an iterative approach requires everyone to take responsibility. With a continuos security approach and everyone in the Software Supply Chain taking on the tasks of including security, its possible to achieve Rugged Software. This talk aims to provide a journey towards this approach and provide the path. Software needs to be awesome, resilient, available and “secure”, but Security has long been a big roadblock to fast deployments and software improvement. What if it wasn’t? Continuous delivery requires operational functions to shift left and for an iterative approach to be taken. Security has not been easy to shift left and taking an iterative approach requires everyone to take responsibility. With a continuos security approach and everyone in the Software Supply Chain taking on the tasks of including security, its possible to achieve Rugged Software. This talk aims to provide a journey towards this approach and provide the path.

2016 - Safely Removing the Last Roadblock to Continuous Delivery

devopsdaysaustin

ISACA Ireland Keynote 2015

Shannon Lietz

Respresenting Cyber Defense Community (cdef.id) to present and share my view on Secure DevOps / DevSecOps. Through this presentation, I shared several insights about: 1. How to balance the risk and controls in the "great shift left" paradigm (agile) 2. DevOps activities 3. How to seamlessly integrate security into DevOps 4. How to "shift left" the security" 5. Get started with Secure DevOps / DevSecOps 6. Case Study about DevSecOps implementation For further discussion, especially how to secure digital and agile transformation in your organization, don't hesitate to contact me :)

Protecting Agile Transformation through Secure DevOps (DevSecOps)

Eryk Budi Pratama

Safely Removing the Last Roadblock to Continuous Delivery

SeniorStoryteller

Security as Code

Ed Bellis

DevSecCon KeyNote London 2015

Shannon Lietz

DevSecCon Keynote

Shannon Lietz

Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin

Matt Tesauro

A journey into Application Security

Christian Martorella

BSides Vienna 2015

Daniel Liber

Application Security in an Agile World - Agile Singapore 2016

Stefan Streichsbier

DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx

DevSecCon

Testing and DevOps Culture: Lessons Learned

LB Denker

DevOps and AWS

Shiva Narayanaswamy

Similaire à How To Move Mountains - ToorCon 2017 (20)

Building an Open Source AppSec Pipeline

CONFidence 2015: Lessons from DevOps: Taking DevOps practices into your AppSe...

Lessons from DevOps: Taking DevOps practices into your AppSec Life

Product Security

Owasp tds

Succeeding-Marriage-Cybersecurity-DevOps final

2016 - Safely Removing the Last Roadblock to Continuous Delivery

ISACA Ireland Keynote 2015

Protecting Agile Transformation through Secure DevOps (DevSecOps)

Safely Removing the Last Roadblock to Continuous Delivery

Security as Code

DevSecCon KeyNote London 2015

DevSecCon Keynote

Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin

A journey into Application Security

BSides Vienna 2015

Application Security in an Agile World - Agile Singapore 2016

DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx

Testing and DevOps Culture: Lessons Learned

DevOps and AWS

Dernier

%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein

masabamasaba

(Vivek)Call Us, 8448380779,Call girls in Delhi NCr – We Offer best in class call girls. escort Service At Affordable Price At low Rate with Space Night 8000 We Are One Of The Oldest Escort and Call girls Agencies in Delhi. You Will Find That Our Female Escorts Are Full Of Fun, Sexy And They Would Love Enjoy Your Company. We Have A Fantastic Selection Of Escort Ladies Available For In-Calls As Well As Out-Calls. Our Escorts Are Not Only Beautiful But All Have Great Personalities Making Them The Perfect Companion For Any Occasion. In-Call:- You Can Come At Our Place in Delhi Our place Which Is Very Clean Hygienic 100% safe Accommodation. Out-Call:- You have To Come Pick The Girl From My Place We Are Also Provide Door Step Services (Delhi Ncr, Noida, Gurgaon, Faridabad, Ghaziabad Note:- Pic Collectors Time Passers Bargainers Stay Away As We Respect The Value For Your Money Time And Expect The Same From You Hygienic:- Full Ac room And Clean Rooms Available In Hotel 24 * 7 Hourly In Delhi NCR More Details, With WhatsApp Number, +91-8448380779

Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified

Delhi Call girls

Investing in AI transformation today The modern business advantage: Uncovering deep insights with AI Organizations around the world have come to recognize AI as the transformative technology that enables them to gain real business advantage. AI’s ability to organize vast quantities of data allows those who implement it to uncover deep business insights, augment human expertise, drive operational efficiency, transform their products, and better serve their customers

Microsoft AI Transformation Partner Playbook.pdf

Willy Marroquin (WillyDevNET)

%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein

masabamasaba

In the past six months, the AI landscape has undergone a massive transformation, ushering in a new era of productivity with the latest in Large Language Models (LLMs) and AI technology. This deep dive unlocks how to: Create CustomGPT Models: No coding needed to tailor AI for your unique projects. Integrate your own data, including PDFs and Excel sheets, making information handling a breeze. Plus, discover how to call your own actions/integrations for even more personalized utility. Navigate Advanced Prompting: Overcome AI's memory limits and utilize Retrieval-Augmented Generation for accessing your personalized data, streamlining how you interact with AI. Stay Ahead with AI Trends: Peek into the evolving world of LLMs, featuring newcomers like Google Gemini, Anthropic Claude, Open Sora, and Twitter Grok, and understand what their advancements mean for your productivity. Witness Real-Life Transformations: Through examples and prompt demonstrations, see firsthand how these AI strategies revolutionize routine tasks, from data analysis to content creation. Learn to leverage image output and input for advanced practical use cases, adding a new dimension to your productivity toolkit. No previous coding or AI experience is needed for this talk. Stay ahead in the fast-evolving world of work. Embrace the AI revolution and transform your workflow with advanced LLM techniques. Join us to ensure you're not left behind in the productivity race.

AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques

VictorSzoltysek

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

SelfMade bd

Direct Style Effect Systems -The Print[A] Example- A Comprehension Aid

Philip Schwarz

A Secure and Reliable Document Management System is Essential.docx

ComplianceQuest1

+971565801893 Mtp-Kit (500MG) Prices » Dubai [(+971565801893**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Leen Whatsapp +971565801893 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971565801893''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971565801893' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Clinic in Abu Dhabi, United Arab Emirates.+971565801893

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...

Health

Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf

kalichargn70th171

In today's dynamic e-commerce landscape, the payment gateway emerges as a linchpin, ensuring smooth and secure transactions between buyers and sellers. In this discourse, we delve into the meticulous process of devising test cases tailored for scrutinizing payment gateways. Crafting precise test cases for payment gateways is a quintessential responsibility for testers operating within the service industry. This article meticulously explores pivotal scenarios integral to how to test payment gateways, coupled with essential guidelines for drafting effective test cases.

Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf

kalichargn70th171

Conference: Engage2024 in Antwerp Type: Workshop Speakers: Florian Vogler, Henning Kunz, Christoph Adler Title: Navigating the Future with The Hitchhiker's Guide to Notes and Domino 14 Abstract: Embark on an exhilarating journey with industry trailblazers Florian Vogler, Henning Kunz, and Christoph Adler in this not-to-be-missed workshop at the forefront of the tech universe. Get ready for a thrilling kick-off as we navigate the current state of the HCL universe, setting the stage for an exploration of the groundbreaking Notes and Domino 14. Discover the latest enhancements and revolutionary features that will redefine your experience. In this interactive session, unlock a treasure trove of tips and tricks to elevate your utilization of version 14, both with and without the game-changing panagenda MarvelClient. Brace yourself for also diving into Nomad, Nomad Web, and VoltMX, expanding your horizons in the expansive HCL landscape. Be a part of this exclusive opportunity to stay ahead in the ever-evolving world of HCL technologies. Your journey to mastering Notes and Domino 14 begins here. And remember, in the spirit of intergalactic exploration, don't forget to bring your towel!

W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...

panagenda

A great deal of attention in medical devices has shifted towards cybersecurity with the ratification of section 524B of the FD&C act. This new law enables the FDA to enforce cybersecurity controls in any medical device that is capable of networked communications or that has software. In this webinar we will recap the process for managing vulnerabilities, identify categories of vulnerabilities and solutions and more.

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...

ICS

Pharm-D Biostatistics and Research methodology

Anusha Are

In an era where security concerns are paramount, the integration of artificial intelligence (AI) into CCTV cameras has revolutionized surveillance capabilities. One of the most significant advancements is the ability to achieve real-time threat detection, enabling immediate responses to potential security breaches. This blog explores how AI is reshaping surveillance through real-time threat detection and the implications of this technology.

Optimizing AI for immediate response in Smart CCTV

shikhaohhpro

10 Trends Likely to Shape Enterprise Technology in 2024

Mind IT Systems

%in ivory park+277-882-255-28 abortion pills for sale in ivory park

masabamasaba

Looking for an efficient way to manage your finances? Look no further than our money management app. With easy-to-use features, you can track your expenses, create budgets, and monitor your savings goals all in one place. Our app provides real-time updates on your spending habits and helps you make smarter financial decisions. Take control of your finances today with our user-friendly money management app.

Right Money Management App For Your Financial Goals

Jhone kinadey

Test automation is a cornerstone of software development and quality assurance in today's rapidly evolving digital landscape. Its significance cannot be overstated. Businesses can enhance efficiency, productivity, and accelerate software delivery to market through automation, streamlining testing processes effectively. This comprehensive guide addresses the best practices for test automation in 2024. It offers a detailed checklist to empower you to optimize your automation efforts and maintain a competitive edge.

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf

kalichargn70th171

MakeMyPass" Online Bus Pass Management System illustrates the flow of activities and actions that occur within the system to accomplish specific tasks or use cases. This type of diagram focuses on representing the sequence of activities and decision points involved in a particular process. Below is an example outline and description of key elements that could be included in an Activity Diagram for the system:

BUS PASS MANGEMENT SYSTEM USING PHP.pptx

alwaysnagaraju26

Dernier (20)