Currently, in the fast changing world we do not release once a year but twice a day. With a traditional security team that needs to check each release this will be a problem. We all know that security is important, since we don't want our application to be in the news because of a hack. A security department which acts as a tollgate can help in keeping applications secure, but conflicts with the flexibility we would like to have. This talk will provide you with some key takeaways on how you as a Developer can both release fast and often and be secure at the same time.

1. @coduinix
PRACTICAL
SECURITY
- Hinse ter Schuur

2. @coduinix
WHO DOESN'T LIKE COOKIES

3. @coduinix
A BIT OVERKILL?

4. @coduinix
WHO AM I?
{
"name": "Hinse ter Schuur",
"role": "Software Engineer",
"company": "SDB Java",
"expertise": ["Java", "Scala", "Security"]
}

5. @coduinix
DISCLAIMER
This presentation represent my
personal opinion based on things I've
seen in different companies and on
blogs & videos on the web...

6. @coduinix
DISCLAIMER (1)
... It's not a complete approach, just key
elements for a practical approach on
security.

7. @coduinix
DEVOPS

8. @coduinix
DEPLOYMENTS
From:
Couple of times per year
To:
Multiple times per day

9. @coduinix
SECURITY
Is important
Is a challenge
Failure destroys trust

10. @coduinix
DEVOPS & SECURITY == PROBLEM

11. @coduinix
DEVOPS & SECURITY != PROBLEM

12. @coduinix
DEVOPS & SECURITY == SOLUTION

13. @coduinix
DEVSECOPS / SECDEVOPS
Embed security in DevOps
Security first?

14. @coduinix
BizArchSecDevTestOps?

15. @coduinix
NO SILVER BULLET
People
Processes
Tools

16. @coduinix
PEOPLE

17. @coduinix
AWARENESS
Whole organization
Organize awareness events about
impact of breaches
type of breaches

18. @coduinix
ENGINEERS

19. @coduinix
EMBED SECURITY IN TEAMS
Security-minded engineer(s) in team
Keep them trained
Spread knowledge
Look at security angle of features

20. @coduinix
SECURITY ENGINEERS
Highly trained specialists
Raise awareness
Empower DevOps teams
Focus on the interesting things

21. @coduinix
PROCESSES

22. @coduinix
THREAT MODEL

23. @coduinix
THREAT AGENTS
Who could it be?
What are they looking for?
Money
Data
Stepping stone

24. @coduinix
ATTACK VECTORS
Type of vulnerabilities that would give access
Rank them by impact and likelihood (risk)

25. @coduinix
COUNTERMEASURES
Risk order
Input for design

26. @coduinix
DOCUMENT
Keep it for future reference
Adjust with new insights

27. @coduinix
COLLABORATIVE EFFORT
Stakeholders
DevOps team
Security specialist

28. @coduinix
METHODOLOGIES
A lot on the web
Can start lightweight: Threat Modelling Express

29. @coduinix
DESIGN REVIEWS

30. @coduinix
AUTHENTICATION AND AUTHORIZATION
Mechanisms
Username password
Tokens
MFA
Role-based access

31. @coduinix
DATA
Which data needs to be stored
Where is it stored
Encryption

32. @coduinix
Most secure way to store data is to NOT
store the data

33. @coduinix
COMMUNICATION
Which systems
Transport-level security

34. @coduinix
MONITOR

35. @coduinix
IDENTITY & MONITOR
Identify critical parts of codebase
Monitor
Notify

36. @coduinix
NOTIFY VS BLOCK
No manual security approval for every change
Notify if interesting things happen
Trigger for discussion

37. @coduinix
TOOLS

38. @coduinix
STATIC SCANNING

39. @coduinix
CODE SCANNING
Scan application code
Could range from:
Simple regex to
Advanced code path analysis

40. @coduinix
WHEN TO SCAN
Developers machine
Build pipeline
At least regular

41. @coduinix
ALERTING/BLOCKING
Start simple
Few false positives
Priorities from threat model

42. @coduinix
FOR EXAMPLE
Find Security Bugs

43. @coduinix
DEPENDENCY SCANNING

44. @coduinix
DEPENDENCIES

45. @coduinix
SCAN
Known vulnerabilities
Build time
Keep scanning a er deployment

46. @coduinix
FOR EXAMPLE
OWASP dependency checker

47. @coduinix
TRUSTWORTHINESS
Check central repos on:
Usage/downloads
Update frequency

48. @coduinix
DYNAMIC SCANNING

49. @coduinix
AUTOMATED
TLS
Security HTTP headers

50. @coduinix
MANUAL
PEN-test
Bug bounty

51. @coduinix
SELECT / PROVIDE LIBRARIES
Make it easy to do things secure
Select hardened frameworks
Provide secure libraries

52. @coduinix
WRAPPING UP

53. @coduinix
EMBRACE DEVOPS
Reduce time-to-repair for vulnerabilities
More ways to detect attackers

54. @coduinix
BE AWARE
Awareness is key
You will be a target

55. @coduinix
DON'T OVER DO
Threat model
Prevent alert fatigue

56. @coduinix
QUESTIONS
Which questions do you have?
Just ask:
In person
Via Twitter - @coduinix

57. @coduinix
REFERENCES
Threat Modelling Express:
Find Security Bugs:
Dependency Check:
https://www.infoq.com/articles/threat-modeling-
express/
https://find-sec-bugs.github.io/
https://jeremylong.github.io/DependencyCheck/