—— GARTNER SECURITY & RISK MANAGEMENT SUMMIT 2018
REALIZING NEAR-ZERO SECURITY FLAWS IN YOUR SOFTWARE
Nick Percoco
SECTION 01
My Journey
Copyright © 2018 Uptake – Gartner Security & Risk Management Summit 2018
WHAT BROUGHT ME HERE?
• Wrote first computer program in 1981
• Chicagoland BBS rat in 80s and early 90s
• Internet Security Systems in late 90s
• Founder of SpiderLabs, Creator of THOTCON
• Co-Founder of “I am The Cavalry” movement
• Global Services lead at Rapid7
• Advisor to industry / non-industry startups
• Chief Security Officer at Uptake
• Launched Secure SDLC at hyper-growth startup
WHAT’S THIS TALK ABOUT?
• Setting a vision
• Starting small
• Making mistakes
• Learning
• Failing
• Evolving
• Transparency
SCOPE
TEAM SIZE
Security at Uptake
Program Structure
UPTAKE SECURITY PROGRAM
CSO oversight & program management
Security Advisory Council · Uptake stakeholders · Customer stakeholders
Functions (the slide arranges them on an axis from more compliance-focused to more technical):
• Risk & Compliance
• Security Cloud & Networking
• Application Security
• Threat Exposure Management
• Hackers & Hunters
• Security Audit
• Physical Security
• Cryptography
NEAR-ZERO SECURITY FLAWS
SECTION 02
Start: A Complete Program Assessment
FOUR AREAS OF FOCUS – DIFFICULT QUESTIONS
Inventory + Visibility
— What applications do we have?
— Who owns what?
— How are we discovering/documenting?
Discovery
— How are we discovering security vulnerabilities?
— Includes scans, pentests, bug bounty, internal reporting, etc.
Management
— How are we documenting vulnerabilities discovered?
— How are we managing known vulnerabilities and remediations?
Culture
— How are we promoting security throughout our culture?
— How are we gaining “buy-in” from engineering and product teams?
SECTION 03
Our Journey: Phase 1
PHASE 1: ESTABLISH TENT POLES
Inventory + Visibility
Discovery
Management
Culture
Initial Team & Product Definitions (Inventory + Visibility)
— High level
— Tried to align to agile teams
Problem
— Teams and products were continually changing
— Non-standardized “owners” - mixing of business and engineering teams
— Unclear definitions - mixing “products” with “services”
3rd Party Pentest (Discovery)
— Customer requirement driven
— Brought in 3rd party for pentest
— First time in-depth security testing was performed
— Performed on just one product (the most mature)
Security Code Scanning: Veracode / Blackduck (Discovery)
— Mentality was to just scan everything
Problem
— Organized on initial definitions
— Did not map static scan profiles to our definitions
— Did not have foresight for organization or easily visible metrics
— Did not have clear ownership for vulnerability fixes
Onboarding New Hires: Onboarding Slides (Culture)
— Overview of what security means and how to work with the team
— Goal was to show value from security and break down barriers
Problem
— Overcoming problem of siloization
Internal Pentesting (Discovery)
— Thoughtfully choosing new applications, products, and acquisitions
— Created a schedule to pentest everything at least once a year
Problem
— Ownership of issues found
Bug Bounty (Discovery)
— Recognized that we had more surface area for testing than could be handled by a single team
Problem
— Were not able to use production client data
— Heavy engineering investment for new environment
— Needed more buy-in from engineering and support for remediation
— Underestimated the effort required to stand this up
— Overestimated our maturity
Tracking: Excel Sheet (Inventory + Visibility, Management)
— Tracked source of finding (e.g. pentest, static scan), severity, and exploitability
— A central location to see vulnerabilities and risk
Problem
— Little monitoring of assignee or ownership
— Little monitoring of validation of fixes
Assigning Issues: Engineering Jiras (Management)
— Added vulnerability tickets directly to engineering teams’ queues
— Tickets ended up in backlogs
Problem
— Hard to see overview of risks per product
— Tickets ended up being ignored/not updated
Team Meetings / Office Hours (Culture)
— Met with teams to walk through vulnerabilities
— Created office hours for teams to come to us with questions and act as working sessions
Problem
— Teams looked at the office hours as a chore as opposed to useful
Security Champions (Culture)
— Cross-organizational group to help bring security into all facets
— Break down silos and disseminate best practices
Problem
— Keeping the interest of all involved
— Teams changed quickly, so the champions needed to change often
Training: Developer Training (Codebashing) (Culture)
— Engineering training: required on at least a yearly basis
— Company training: more in-depth onboarding slides
Problem
— Not hands-on enough
Individual Team Sign-Off (Inventory + Visibility)
— Decided we don’t know the engineering organization as well as the individual teams
— Gave engineers tools to run their own scans and view their own results
— Required engineering teams to “sign-off” that scans were clean before deploying
Problem
— Lost a lot of visibility into the pipeline
— If something was released out of cycle, we were not informed
PHASE 1: ESTABLISH TENT POLES – roadmap at the end of Phase 1
Inventory + Visibility: Initial Team and Prod. Definitions → Excel Sheet → Team Signoff
Discovery: 3rd Party Pentest → Veracode / Blackduck → Pentesting → Bug Bounty
Management: Excel Sheet → Engr. Jiras
Culture: Onboarding Slides → Team Mtgs. / Office Hours → Security Champions → Developer Training (Codebashing)
SECTION 04
Our Journey: Phase 2
PHASE 2: MATURE THE PROCESSES
Re-Evaluate Definitions and Ownership (Inventory + Visibility)
— Refined definitions of application vs. product vs. microservice
— Distinguished between “Risk” and “Bug”
— Defined ownership – risk is owned by product team, bug is owned by engineering team
Problem
— Still lacked cross-team acceptance and buy-in
— Changing team perspectives was hard because they were used to operating on old inventory and definitions
APPSEC Jira (Inventory + Visibility, Management)
— Migrated all tracking to a dedicated Jira project with custom workflows
— Centralized “source of truth” for all owners, risks, findings, and engagements
— Built in metrics and reporting (e.g. time to close, average risk, assignees, etc.)
Problem
— Product and Business side don’t check Jira regularly
APPSEC Dashboard (Management)
— Using Uptake Design System, created centralized dashboard that pulled data from Jira and correlated with other tools
— Single pane of glass for all security findings and statuses
— Custom KPIs and familiar interface
Problem
— Helped with visibility and accountability, but still lacked clear ownership
Leadership and Cross-Team Buy-In (Management, Culture)
— Increased visibility and well-documented Jira workflows led to leadership buy-in on ownership
— Established SLAs on finding remediations using dashboard metrics
— Product, Security and Engineering Leadership sent out communication
Problem
— New paradigm of ownership meant adoption was slow across all engineering teams
— New workflows had to be adopted for certain teams
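As an added example (not Uptake's code), the metrics the dedicated Jira project and dashboard slides describe, time to close, SLA status per severity, average risk of open findings per product and open load per assignee, computed over a constructed set of findings. The SLA targets, risk weights, field names and sample tickets are all assumptions made for the example.

```python
"""Finding-tracker metrics of the kind the APPSEC Jira / dashboard slides
describe: time to close, SLA status per severity, average open risk per
product and open load per assignee.

Added example, not Uptake's code. SLA targets, risk weights, field names and
the sample findings below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed remediation SLA in calendar days per severity (constructed).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Numeric risk weight per severity for the "average risk" metric (constructed).
RISK_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}


@dataclass(frozen=True)
class Finding:
    key: str                 # ticket id in the dedicated AppSec project
    product: str             # product team owns the risk
    assignee: str            # engineering owns the bug (the fix)
    source: str              # pentest, static scan, bug bounty, ...
    severity: str
    opened: date
    closed: Optional[date] = None

    def age_days(self, today: date) -> int:
        """Days open so far, or days it took to close if resolved."""
        end = self.closed or today
        return (end - self.opened).days

    def sla_status(self, today: date) -> str:
        """'met' / 'breached' once closed, 'open' / 'overdue' while still open."""
        limit = SLA_DAYS[self.severity]
        if self.closed is not None:
            return "met" if self.age_days(today) <= limit else "breached"
        return "overdue" if self.age_days(today) > limit else "open"


def time_to_close(findings, today):
    """Mean days-to-close over resolved findings, per severity."""
    buckets = defaultdict(list)
    for f in findings:
        if f.closed is not None:
            buckets[f.severity].append(f.age_days(today))
    return {sev: sum(v) / len(v) for sev, v in buckets.items()}


def sla_report(findings, today):
    """Number of findings per severity and SLA status."""
    report = defaultdict(lambda: defaultdict(int))
    for f in findings:
        report[f.severity][f.sla_status(today)] += 1
    return {sev: dict(statuses) for sev, statuses in report.items()}


def average_open_risk(findings):
    """Mean risk weight of still-open findings, per product."""
    weights = defaultdict(list)
    for f in findings:
        if f.closed is None:
            weights[f.product].append(RISK_WEIGHT[f.severity])
    return {p: sum(w) / len(w) for p, w in weights.items()}


def open_by_assignee(findings):
    """How many open findings each assignee is carrying."""
    counts = defaultdict(int)
    for f in findings:
        if f.closed is None:
            counts[f.assignee] += 1
    return dict(counts)


# Constructed sample findings (not real tickets, products or people).
TODAY = date(2018, 6, 1)
SAMPLE = [
    Finding("APPSEC-1", "asset-health", "alice", "pentest", "critical", date(2018, 5, 1), date(2018, 5, 5)),
    Finding("APPSEC-2", "asset-health", "bob", "static scan", "high", date(2018, 4, 1), date(2018, 5, 20)),
    Finding("APPSEC-3", "fleet-api", "carol", "bug bounty", "high", date(2018, 5, 10)),
    Finding("APPSEC-4", "fleet-api", "carol", "static scan", "low", date(2018, 3, 1)),
    Finding("APPSEC-5", "asset-health", "alice", "pentest", "critical", date(2018, 5, 20)),
]

if __name__ == "__main__":
    print("time to close:", time_to_close(SAMPLE, TODAY))
    print("SLA:", sla_report(SAMPLE, TODAY))
    print("average open risk:", average_open_risk(SAMPLE))
    print("open by assignee:", open_by_assignee(SAMPLE))
```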
Bug Bounty 2.0 (Discovery)
— With leadership and cross-team buy-in, revisited and re-launched Bug Bounty
— Jira integration with Bug Bounty submissions fed directly into dashboard
— Same SLAs applied to Bug Bounty findings
Problem
— Engineering buy-in for remediating findings, but still lacked buy-in for maintaining and updating Bug Bounty environment
Container Metrics (Inventory + Visibility)
— With microservice ownership definitions, started pulling metrics on all running containers
— Using container orchestration as “source of truth” for all applications running in production
— Each container is tied to a product and has an owner
Problem
— Had visibility into what is running, but not direct 1:1 correlation to what is being scanned
Scanning Containers (Discovery)
— Reorganized scanning pipeline to correlate directly to container metrics
— Standard naming convention let us query scan results for every image and container in production
Problem
— 100% visibility, but data is “after-the-fact”
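Added example, not Uptake's code, of the correlation the Container Metrics and Scanning Containers slides describe: the orchestrator's list of running containers is joined to scan results through an image naming convention, and the gaps are reported (images never scanned, images scanned at a different tag than the one running, containers with no owner, images that do not follow the convention and so cannot be tied to a product). The convention registry/<product>/<service>:<tag>, the 'owner' label and all sample containers and scan results are assumptions constructed for the example.

```python
"""Join the orchestrator's running-container inventory to scan results via an
image naming convention and report the gaps (Container Metrics / Scanning
Containers slides). Added example, not Uptake's code: the convention
registry/<product>/<service>:<tag>, the 'owner' label and all sample data
below are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def parse_image(ref: str) -> Optional[Tuple[str, str]]:
    """Return (name, tag) for 'registry/product/service:tag'; None if off-convention."""
    ref = ref.split("@", 1)[0]                  # drop a digest suffix if present
    name, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:                   # untagged, or the colon was a registry port
        name, tag = ref, "latest"
    parts = name.split("/")
    if len(parts) != 3 or not all(parts):       # convention requires registry/product/service
        return None
    return name, tag


@dataclass
class Container:
    name: str                                   # pod / container instance name
    image: str                                  # image reference as the orchestrator reports it
    labels: Dict[str, str] = field(default_factory=dict)


def correlate(running: List[Container], scans: Dict[str, Dict[str, int]]) -> dict:
    """Classify every distinct running image against scan results (image ref -> severity counts)."""
    scanned: Dict[str, Dict[str, Dict[str, int]]] = defaultdict(dict)
    for image, findings in scans.items():
        parsed = parse_image(image)
        if parsed is not None:
            scanned[parsed[0]][parsed[1]] = findings

    by_owner: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    report = {
        "unparseable": [],                      # off-convention: cannot be tied to a product
        "unowned": [],                          # running without an owner label
        "unscanned": [],                        # no scan of any tag of this image
        "stale_scan": {},                       # scanned, but not the tag that is running
        "coverage": 0.0,                        # share of distinct running images with a matching scan
    }
    seen, matched = set(), 0
    for c in running:
        parsed = parse_image(c.image)
        if parsed is None:
            report["unparseable"].append(c.name)
            continue
        owner = c.labels.get("owner")
        if not owner:
            report["unowned"].append(c.name)
        if c.image in seen:                     # replicas of one image are counted once
            continue
        seen.add(c.image)
        name, tag = parsed
        tags = scanned.get(name)
        if not tags:
            report["unscanned"].append(c.image)
        elif tag not in tags:
            report["stale_scan"][c.image] = sorted(tags)
        else:
            matched += 1
            for sev, n in tags[tag].items():
                by_owner[owner or "unassigned"][sev] += n
    report["coverage"] = matched / len(seen) if seen else 0.0
    report["by_owner"] = {o: dict(v) for o, v in by_owner.items()}
    return report


# Constructed sample inventory and scan results (not real systems or images).
RUNNING = [
    Container("ingest-7f9c", "registry.example/asset-health/ingest:1.4.2", {"owner": "alice"}),
    Container("gateway-2b11", "registry.example/fleet-api/gateway:3.0.1", {"owner": "carol"}),
    Container("gateway-2b12", "registry.example/fleet-api/gateway:3.0.1", {"owner": "carol"}),
    Container("worker-c3d4", "registry.example/fleet-api/worker:2.2.0", {"owner": "carol"}),
    Container("legacy-0001", "registry.example/legacy/batch:0.9"),
    Container("sidecar-9a8b", "envoy:1.7.0", {"owner": "platform"}),
]
SCANS = {
    "registry.example/asset-health/ingest:1.4.2": {"high": 1, "medium": 3},
    "registry.example/asset-health/ingest:1.4.1": {"high": 2, "medium": 5},
    "registry.example/fleet-api/gateway:3.0.1": {"critical": 1},
    "registry.example/fleet-api/worker:2.1.9": {"medium": 2},
}

if __name__ == "__main__":
    for key, value in correlate(RUNNING, SCANS).items():
        print(f"{key}: {value}")
```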
Outreach and Training (Culture)
— AppSec has higher visibility and transparency within the organization
— Started running trainings and tech-talks on scanning and penetration testing
— Empowering engineering teams to do their own security testing
PHASE 2: MATURE THE PROCESSES – roadmap at the end of Phase 2 (Phase 1 items carried forward)
Inventory + Visibility: Re-evaluate Definitions and Ownership → APPSEC Jira → Container Metrics
Discovery: Bug Bounty 2.0 → Scanning Containers
Management: APPSEC Jira → APPSEC Dashboard → Cross Team Buy-In
Culture: Cross Team Buy-in → Outreach and Training
SECTION 05
Our Journey: Phase 3
PHASE 3: FUTURE STATE
Dashboard 2.0 (Inventory + Visibility, Management)
— The AppSec Dashboard has proved successful
— Want to implement more security metrics from other tools
— Implement news and security communications/alerts
Full CI/CD Integration (Discovery)
— Engineering is re-working their CI/CD pipeline
— Tightly integrate with all security tools and scanning
— Aim for 100% code coverage in CI/CD before container is deployed
— Feedback loop from discovered findings into unit tests
Security Events: Technical Trainings, CTFs, Events (Culture)
— Continue trainings and tech talks
— Host internal CTFs to promote security testing
— Increase developer involvement in penetration testing and validation testing
PHASE 3: FUTURE STATE – roadmap (Phase 1 and 2 items carried forward)
Inventory + Visibility: Dashboard 2.0
Discovery: Full CI/CD
Management: Dashboard 2.0
Culture: Technical Trainings, CTFs, Events
SECTION 06
Lessons Learned
LESSONS LEARNED
Need to keep all four areas “in sync”
— We jumped too far ahead in the Discovery lane too soon – had to play catch up with Inventory and Management
— Culture cannot lag behind. Buy-in and cross-team culture allow quicker progress in the other areas
Honest self-assessments of maturity
— Having tools in place does not equal maturity
— Culture drives maturity
Avoid silo-ing Security
— Openness and cross-team communication lead to buy-in
— Don’t just “chuck findings over the fence”
Have clear definitions and ownership
— Risk vs. Bug
— Application vs. product vs. microservice
Copyright © 2018 by Uptake Technologies Inc. All rights reserved. No parts of this document may be distributed, reproduced, transmitted, or stored electronically without Uptake’s prior written permission. This document contains Uptake's confidential and proprietary information. If a pre-existing contract containing disclosure and use restrictions exists between your company and Uptake, you and your company will use the information in this document subject to the terms of the pre-existing contract. If no such pre-existing contract exists, you and your company agree to protect the information in this document and agree not to reproduce or disclose the information in any way. Uptake makes no warranties, express or implied, in this document. Uptake shall not be liable for damages of any kind arising out of use of this document. Any discussion of potential features is not a promise of future functionality.
Product Talks Meetup (16 April 2019) Sponsored by BCG DV
 
Use our Threat Modeling Playbook to Improve your Product Security
Use our Threat Modeling Playbookto Improve your Product Security Use our Threat Modeling Playbookto Improve your Product Security
Use our Threat Modeling Playbook to Improve your Product Security
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money down
 
Rethinking Risk-Based Project Management in the Emerging IT initiatives.pptx
Rethinking Risk-Based Project Management in the Emerging IT initiatives.pptxRethinking Risk-Based Project Management in the Emerging IT initiatives.pptx
Rethinking Risk-Based Project Management in the Emerging IT initiatives.pptx
 
neXt Curve reThink: What Meltdown & Spectre Mean for IoT Past, Present & Future?
neXt Curve reThink: What Meltdown & Spectre Mean for IoT Past, Present & Future?neXt Curve reThink: What Meltdown & Spectre Mean for IoT Past, Present & Future?
neXt Curve reThink: What Meltdown & Spectre Mean for IoT Past, Present & Future?
 
Agile Hardware Product Development (NextGen NPD plus - MRO shop example) inc...
Agile Hardware Product Development  (NextGen NPD plus - MRO shop example) inc...Agile Hardware Product Development  (NextGen NPD plus - MRO shop example) inc...
Agile Hardware Product Development (NextGen NPD plus - MRO shop example) inc...
 
Improve the Security of Your Application Portfolio in a Few Days with On-Dema...
Improve the Security of Your Application Portfolio in a Few Days with On-Dema...Improve the Security of Your Application Portfolio in a Few Days with On-Dema...
Improve the Security of Your Application Portfolio in a Few Days with On-Dema...
 
Risk-Based Testing for Agile Projects
Risk-Based Testing for Agile ProjectsRisk-Based Testing for Agile Projects
Risk-Based Testing for Agile Projects
 
Travis Perkins: Building a 'Lean SOC' over 'Legacy SOC'
Travis Perkins: Building a 'Lean SOC' over 'Legacy SOC'Travis Perkins: Building a 'Lean SOC' over 'Legacy SOC'
Travis Perkins: Building a 'Lean SOC' over 'Legacy SOC'
 
Let's Make Pentesting Fun Again! Report writing in 5 minutes.
Let's Make Pentesting Fun Again! Report writing in 5 minutes.Let's Make Pentesting Fun Again! Report writing in 5 minutes.
Let's Make Pentesting Fun Again! Report writing in 5 minutes.
 
Dual-Track Agile at Scale
Dual-Track Agile at ScaleDual-Track Agile at Scale
Dual-Track Agile at Scale
 
IANS Forum Seattle Technology Spotlight: Looking for and Finding the Inside...
IANS Forum Seattle Technology Spotlight: Looking for and Finding the Inside...IANS Forum Seattle Technology Spotlight: Looking for and Finding the Inside...
IANS Forum Seattle Technology Spotlight: Looking for and Finding the Inside...
 
Selling Infosec to the CSuite
Selling Infosec to the CSuiteSelling Infosec to the CSuite
Selling Infosec to the CSuite
 
DevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together LogDevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together Log
 
What We Learned as the First and Best Customer of Symantec ATP
What We Learned as the First and Best Customer of Symantec ATPWhat We Learned as the First and Best Customer of Symantec ATP
What We Learned as the First and Best Customer of Symantec ATP
 
SOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
 
VR Training: Tech Disruptor or Pet Rock?
VR Training: Tech Disruptor or Pet Rock?VR Training: Tech Disruptor or Pet Rock?
VR Training: Tech Disruptor or Pet Rock?
 
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftHow Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
 

Dernier

Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Intelisync
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 

Dernier (20)

Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number Systems
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 

Realizing Near-Zero Security Flaws Through Continuous Improvement

• 10. FOUR AREAS OF FOCUS – DIFFICULT QUESTIONS
Inventory + Visibility
— What applications do we have?
— Who owns what?
— How are we discovering/documenting?
Discovery
— How are we discovering security vulnerabilities?
— Includes scans, pentests, bug bounty, internal reporting, etc.
Management
— How are we documenting vulnerabilities discovered?
— How are we managing known vulnerabilities and remediations?
Culture
— How are we promoting security throughout our culture?
— How are we gaining “buy-in” from engineering and product teams?

• 12. PHASE 1: ESTABLISH TENT POLES
Tent poles: Inventory + Visibility | Discovery | Management | Culture

• 13. PHASE 1: ESTABLISH TENT POLES
Initial Team & Product Definitions [tent pole: Inventory + Visibility]
— High level
— Tried to align to agile teams
Problem
— Teams and products were continually changing
— Non-standardized “owners”: mixing of business and engineering teams
— Unclear definitions: mixing “products” with “services”

• 14. PHASE 1: ESTABLISH TENT POLES
3rd Party Pentest [tent pole: Discovery]
— Customer requirement driven
— Brought in 3rd party for pentest
— First time in-depth security testing was performed
— Performed on just one product (the most mature)

• 15. PHASE 1: ESTABLISH TENT POLES
Security Code Scanning: Veracode / Blackduck [tent pole: Discovery]
— Mentality was to just scan everything
Problem
— Organized on initial definitions
— Did not map static scan profiles to our definitions
— Did not have foresight for organization or easily visible metrics
— Did not have clear ownership for vulnerability fixes

• 16. PHASE 1: ESTABLISH TENT POLES
Onboarding New Hires: Onboarding Slides [tent pole: Culture]
— Overview of what security means and how to work with the team
— Goal was to show value from security and break down barriers
Problem
— Overcoming the problem of siloization

• 17. PHASE 1: ESTABLISH TENT POLES
Internal Pentesting [tent pole: Discovery]
— Thoughtfully choosing new applications, products, and acquisitions
— Created a schedule to pentest everything at least once a year
Problem
— Ownership of issues found

• 18. PHASE 1: ESTABLISH TENT POLES
Bug Bounty [tent pole: Discovery]
— Recognized that we had more surface area for testing than could be handled by a single team
Problem
— Were not able to use production client data
— Heavy engineering investment for new environment
— Needed more buy-in from engineering and support for remediation
— Underestimated the effort required to stand this up
— Overestimated our maturity

• 19. PHASE 1: ESTABLISH TENT POLES
Tracking: Excel Sheet [tent poles: Inventory + Visibility, Management]
— Tracked source of finding (e.g. pentest, static scan), severity, and exploitability
— A central location to see vulnerabilities and risk
Problem
— Little monitoring of assignee or ownership
— Little monitoring of validation of fixes

• 20. PHASE 1: ESTABLISH TENT POLES
Assigning Issues: Engineering Jiras [tent pole: Management]
— Added vulnerability tickets directly to engineering teams’ queues
— Tickets ended up in backlogs
Problem
— Hard to see an overview of risks per product
— Tickets ended up being ignored/not updated

• 21. PHASE 1: ESTABLISH TENT POLES
Team Meetings / Office Hours [tent pole: Culture]
— Meet with teams to walk through vulnerabilities
— Created office hours for teams to come to us with questions and act as working sessions
Problem
— Teams looked at the office hours as a chore as opposed to useful

• 22. PHASE 1: ESTABLISH TENT POLES
Security Champions [tent pole: Culture]
— Cross-organizational group to help bring security into all facets
— Break down silos and disseminate best practices
Problem
— Keeping the interest of all involved
— Teams changed quickly, so the champions needed to change often

• 23. PHASE 1: ESTABLISH TENT POLES
Training: Developer Training (Codebashing) [tent pole: Culture]
— Engineering training: required on a minimum of a yearly basis
— Company training: more in-depth onboarding slides
Problem
— Not hands-on enough

• 24. PHASE 1: ESTABLISH TENT POLES
Individual Team Sign-Off [tent pole: Inventory + Visibility]
— Decided we don’t know the engineering organization as well as the individual teams do
— Gave engineers tools to run their own scans and view their own results
— Required engineering teams to “sign off” that scans were clean before deploying
Problem
— Lost a lot of visibility into the pipeline
— If something was released out of cycle, we were not informed

• 25. PHASE 1: ESTABLISH TENT POLES (board at the end of Phase 1)
Inventory + Visibility: Initial Team and Prod. Definitions, Excel Sheet, Team Signoff
Discovery: 3rd Party Pentest, Veracode / Blackduck, Pentesting, Bug Bounty
Management: Excel Sheet, Engr. Jiras
Culture: Onboarding Slides, Team Mtgs. / Office Hours, Security Champions, Developer Training (Codebashing)

• 27. PHASE 2: MATURE THE PROCESSES
Re-Evaluate Definitions and Ownership [tent pole: Inventory + Visibility]
— Refined definitions of application vs. product vs. microservice
— Distinguished between “Risk” and “Bug”
— Defined ownership: risk is owned by the product team, bug is owned by the engineering team
Problem
— Still lacked cross-team acceptance and buy-in
— Changing team perspectives was hard because they were used to operating on the old inventory and definitions

• 28. PHASE 2: MATURE THE PROCESSES
APPSEC Jira [tent poles: Inventory + Visibility, Management]
— Migrated all tracking to a dedicated Jira project with custom workflows
— Centralized “source of truth” for all owners, risks, findings, and engagements
— Built-in metrics and reporting (e.g. time to close, average risk, assignees, etc.)
Problem
— Product and Business side don’t check Jira regularly

• 29. PHASE 2: MATURE THE PROCESSES
APPSEC Dashboard [tent pole: Management]
— Using Uptake Design System, created a centralized dashboard that pulled data from Jira and correlated it with other tools
— Single pane of glass for all security findings and statuses
— Custom KPIs and familiar interface
Problem
— Helped with visibility and accountability, but still lacked clear ownership

• 30. PHASE 2: MATURE THE PROCESSES
Leadership and Cross-Team Buy-In [tent poles: Management, Culture]
— Increased visibility and well-documented Jira workflows led to leadership buy-in on ownership
— Established SLAs on finding remediation using dashboard metrics
— Product, Security and Engineering Leadership sent out communication
Problem
— New paradigm of ownership meant slow adoption across all engineering teams
— New workflows had to be adopted for certain teams

• 31. PHASE 2: MATURE THE PROCESSES
Bug Bounty 2.0 [tent pole: Discovery]
— With leadership and cross-team buy-in, revisited and re-launched Bug Bounty
— Jira integration with Bug Bounty submissions fed directly into the dashboard
— Same SLAs applied to Bug Bounty findings
Problem
— Engineering buy-in for remediating findings, but still lacked buy-in for maintaining and updating the Bug Bounty environment

• 32. PHASE 2: MATURE THE PROCESSES
Container Metrics [tent pole: Inventory + Visibility]
— With microservice ownership definitions, started pulling metrics on all running containers
— Using container orchestration as “source of truth” for all applications running in production
— Each container is tied to a product and has an owner
Problem
— Had visibility into what is running, but no direct 1:1 correlation to what is being scanned

• 33. PHASE 2: MATURE THE PROCESSES
Scanning Containers [tent pole: Discovery]
— Reorganized the scanning pipeline to correlate directly to container metrics
— A standard naming convention let us query scan results for every image and container in production
Problem
— 100% visibility, but the data is “after-the-fact”
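Slides 30, 32 and 33 describe three mechanics: SLAs measured from dashboard metrics, the orchestrator as the source of truth for what runs, and a naming convention that ties scan results to each running image. The Python below is an added example, not Uptake's code: it reconciles a constructed orchestration listing against constructed scanner output, flags images that break an assumed registry/product/service:tag convention, reports unscanned running images per product, and lists open findings on running images that are past an assumed per-severity SLA.

```python
"""Added example (not Uptake's code): reconcile what the orchestrator says is running
with what the scanner has seen, and measure open findings against a remediation SLA."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed remediation SLA in days per severity (hypothetical policy, not the talk's).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    finding_id: str
    severity: str
    opened: date
    closed: Optional[date] = None


def parse_image_ref(ref):
    """Split an image ref into (product, service, tag) under the assumed convention
    registry[:port]/<product>/<service>[:<tag>]; a missing tag means 'latest'."""
    path, _, tag = ref.rpartition(":")
    if not tag or "/" in tag:  # no tag, or the ':' belonged to a registry port
        path, tag = ref, "latest"
    parts = path.split("/")
    if len(parts) < 3:
        raise ValueError(f"{ref} does not follow registry/product/service:tag")
    return parts[-2], parts[-1], tag


def running_images(containers):
    """Unique image refs seen by the orchestrator, with the labels of the first replica."""
    by_image = {}
    for c in containers:
        by_image.setdefault(c["image"], {"owner": c["owner"], "product": c["product"]})
    return by_image


def naming_violations(containers):
    """Refs that break the convention, or whose orchestrator product label disagrees
    with the product in the image path; either breaks the 1:1 scan correlation."""
    problems = []
    for ref, meta in running_images(containers).items():
        try:
            product, _service, _tag = parse_image_ref(ref)
        except ValueError as exc:
            problems.append((ref, str(exc)))
            continue
        if product != meta["product"]:
            problems.append((ref, f"label product={meta['product']} but path says {product}"))
    return problems


def coverage(containers, scans):
    """Return (running refs with no scan record, {product: (scanned, running)}).
    Only an exact image:tag match counts: a scan of 2.0.0 says nothing about 2.0.1."""
    images = running_images(containers)
    unscanned = sorted(ref for ref in images if ref not in scans)
    per_product = defaultdict(lambda: [0, 0])
    for ref, meta in images.items():
        per_product[meta["product"]][1] += 1
        per_product[meta["product"]][0] += ref in scans
    return unscanned, {p: tuple(v) for p, v in per_product.items()}


def sla_breaches(containers, scans, today):
    """Open findings on images still running that are past SLA, grouped by owner as
    (finding id, severity, days overdue). Findings on retired images are skipped."""
    images = running_images(containers)
    overdue = defaultdict(list)
    for ref, findings in scans.items():
        if ref not in images:
            continue
        for f in findings:
            if f.closed is not None:
                continue
            late_by = (today - f.opened).days - SLA_DAYS[f.severity]
            if late_by > 0:
                overdue[images[ref]["owner"]].append((f.finding_id, f.severity, late_by))
    return dict(overdue)


# Constructed orchestration listing (shape only); two replicas of billing/api are running.
CONTAINERS = [
    {"image": "registry.example.internal/billing/api:1.4.2", "product": "billing", "owner": "team-payments"},
    {"image": "registry.example.internal/billing/api:1.4.2", "product": "billing", "owner": "team-payments"},
    {"image": "registry.example.internal/billing/worker:0.9.0", "product": "billing", "owner": "team-payments"},
    {"image": "registry.example.internal/fleet/ingest:2.0.1", "product": "fleet", "owner": "team-telemetry"},
    {"image": "registry.example.internal/fleet/ingest:2.0.0", "product": "ops", "owner": "team-telemetry"},
    {"image": "legacy-dashboard:latest", "product": "fleet", "owner": "team-telemetry"},
]
# Constructed scanner output keyed by the exact image ref that was scanned.
SCANS = {
    "registry.example.internal/billing/api:1.4.2": [Finding("F-101", "high", date(2018, 5, 1)),
                                                    Finding("F-102", "low", date(2018, 5, 20))],
    "registry.example.internal/billing/worker:0.9.0": [],
    "registry.example.internal/fleet/ingest:2.0.1": [Finding("F-201", "critical", date(2018, 6, 1),
                                                             closed=date(2018, 6, 4))],
    "registry.example.internal/fleet/ingest:1.9.0": [Finding("F-150", "critical", date(2018, 1, 1))],
}
TODAY = date(2018, 6, 15)

if __name__ == "__main__":
    print("naming violations:", naming_violations(CONTAINERS))
    print("coverage:", coverage(CONTAINERS, SCANS))
    print("SLA breaches:", sla_breaches(CONTAINERS, SCANS, TODAY))
```

The scan of ingest:1.9.0 is ignored because that image no longer runs, while ingest:2.0.0 shows up as unscanned even though a neighbouring tag was scanned; that is the "running but not scanned" gap slide 32 calls out.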
Outreach and Training
— AppSec has higher visibility and transparency within the organization
— Started running trainings and tech-talks on scanning and penetration testing
— Empowering engineering teams to do their own security testing

[Roadmap diagram only, with all Phase 2 milestones in place.]

PHASE 3: FUTURE STATE

[Roadmap diagram as in Phase 2, with the Phase 3 milestones Dashboard 2.0, Full CI/CD, and Technical Trainings, CTFs, Events added.]

Dashboard 2.0
— The AppSec Dashboard has proved successful
— Want to implement more security metrics from other tools
— Implement news and security communications/alerts

Full CI/CD Integration
— Engineering is re-working their CI/CD pipeline
— Tightly integrate with all security tools and scanning
— Aim for 100% code coverage in CI/CD before a container is deployed
— Feedback loop from discovered findings into unit tests

Security Events
— Continue trainings and tech talks
— Host internal CTFs to promote security testing
— Increase developer involvement in penetration testing and validation testing
LESSONS LEARNED

Need to keep all four areas “in sync”
— We jumped too far ahead in the Discovery lane too soon and had to play catch-up with Inventory and Management
— Culture cannot lag behind: buy-in and a cross-team culture allow quicker progress in the other areas

Honest self-assessments of maturity
— Having tools in place does not equal maturity
— Culture drives maturity

Avoid silo-ing Security
— Openness and cross-team communication lead to buy-in
— Don’t just “chuck findings over the fence”

Have clear definitions and ownership
— Risk vs Bug
— Application vs product vs microservice
Copyright © 2018 by Uptake Technologies Inc. All rights reserved. No parts of this document may be distributed, reproduced, transmitted, or stored electronically without Uptake’s prior written permission. This document contains Uptake's confidential and proprietary information. If a pre-existing contract containing disclosure and use restrictions exists between your company and Uptake, you and your company will use the information in this document subject to the terms of the pre-existing contract. If no such pre-existing contract exists, you and your company agree to protect the information in this document and agree not to reproduce or disclose the information in any way. Uptake makes no warranties, express or implied, in this document. Uptake shall not be liable for damages of any kind arising out of use of this document. Any discussion of potential features is not a promise of future functionality.