
Software Security: In the World of Cloud & CI-CD

OWASP Delhi November Meet - Software Security: In the World of Cloud & CI-CD by Aniket Kulkarni



  1. 26 Nov 2015, Venue: Akamai, Singapore (OWASP Singapore). 28 Nov 2015, Venue: Airtel, Delhi, India (OWASP Delhi, India), remote via WebEx from Singapore. Software Security: "In The World Of Cloud & CI-CD" - Aniket Kulkarni, Software Security Architect (Bigdata/Cloud/Mobile/Web)
  2. Agenda
      • Cloud & Its Snapshots
      • Definition Of Today's Clients
      • Users' Angle To Cloud
      • Changing Landscape Of Customer Requirements
      • CI, CD
      • An Era Of Dashboards
      • Secure SDLC: CI-CD Way
  3. Cloud Computing? Cloud computing, also known as on-demand computing, is a kind of internet-based computing where shared resources and information are provided to computers and other devices on demand.
  4. Cloud Snapshots (image slide)
  5. Clients Today? CLOUD (image slide)
  6. Continuous Integration (CI)
      • Continuous Integration (CI) is a development practice that requires developers to integrate code into a shared repository several times a day.
      • Each check-in is then verified by an automated build, allowing teams to detect problems early.
  7. Continuous Delivery (CD)
      • Continuous Delivery (CD) is a software engineering approach in which teams keep producing valuable software in short cycles and ensure that the software can be reliably released at any time.
      • It aims at building, testing and releasing software faster and more frequently.
  8. Continuous Deployment (CD)
      • Continuous Deployment (CD) is the next phase after continuous delivery.
      • Every change that passes the automated tests is deployed to production automatically.
  9. Users' Angle To Cloud (diagram): on the client side, subscribed users (USER1, USER2) and a free user (USER3) talk to an Application Server backed by a Storage Service, I&AM (identity and access management) and a Notification Service.
  10. An Era Of Dashboards (image slide)
  11. Changing Landscape Of Requirements
      • Ongoing customer demands
      • Associated market competition
      • Product research outcomes
      "Constant rotating eyeball on product in production, hosted on cloud, with constant changes"
  12. Challenges For Business Stakeholders
      • How to manage the security posture of 150+ cloud products?
      • Shall we invest in security (Yes/No)?
      • If yes, how much? Confused about the decision?
      • Invested $X million. How secure are we?
      • We are 100% compliance done! Are we secure now?
      • Are we satisfying customer demands?
  13. S-SDLC (CI-CD): Component Repository (diagram): external repositories and internal components feed the organization repository (e.g. Nexus, Artifactory).
  14. S-SDLC (CI-CD): 3rd Party / External Component Security (diagram): external repositories and internal components flow into the organization repository (e.g. Nexus, Artifactory) through a 3rd party component security tool (e.g. Sonatype CLM), with continuous dashboard update.
  15. S-SDLC (CI-CD): Development (diagram): external repositories, internal components and the organization repository (e.g. Nexus, Artifactory) feed development, which is checked by a static source code analysis tool (e.g. Fortify), with continuous dashboard update.
  16. S-SDLC (CI-CD): QA (diagram): internal automation frameworks (mostly Python scripts) exercise the actual web product hosted on staging; a dynamic analysis tool run and internal/external penetration tests feed a manual dashboard update; Interactive Application Security Testing (e.g. Contrast) feeds a continuous dashboard update.
  17. S-SDLC (CI-CD): SAST / DAST / IAST
      • SAST: uses source code to find vulnerabilities without running the application; misses run-time vulnerabilities; many false positives.
      • DAST: analyzes the application in its running state by fuzzing it with malicious payloads from outside; misses business logic vulnerabilities; many false positives.
      • IAST: analyzes the application in its running state by deploying sensors inside the app; finds most of the things that SAST and DAST miss; almost no (or fewer) false positives.
  18. S-SDLC (CI-CD): Typical IAST Deployment (diagram): the web application stack (custom code, frameworks, libraries, application server, Java runtime) with the IAST engine collecting data from passive sensors and sending security information to the dashboard.
  19. S-SDLC (CI-CD): Compact View (diagram): Component Selection → Development → QA → IAST / Staging → All set for product release?
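The S-SDLC flow in slides 13 to 19 ends in a release decision fed by a continuously updated dashboard. The script below is an added example, not code from the deck, from Autodesk or from any of the tools the slides name: it aggregates constructed findings from the component, SAST, DAST and IAST gates into one dashboard, correlates static findings with run-time confirmation (the deck's argument for IAST cutting false positives), and answers "All set for product release?" under a constructed policy. The stage names, the Finding record, REQUIRED_STAGES, BLOCKING_SEVERITIES and the sample findings are all assumptions of this example; no real Fortify, Sonatype CLM or Contrast API is used.

```python
"""Release gate and dashboard aggregation for an S-SDLC (CI-CD) pipeline.

Added example. The finding format is a constructed, tool-neutral one; it is
not the output format of any scanner named in the deck.
"""
from collections import Counter
from dataclasses import dataclass

# Gates of the pipeline (names are this example's assumption).
RUNTIME_STAGES = {"dast", "iast", "pentest"}          # stages with run-time evidence
REQUIRED_STAGES = {"component", "sast", "dast", "iast"}  # constructed policy: all must run
BLOCKING_SEVERITIES = {"critical", "high"}            # constructed policy: none may stay open
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    stage: str            # gate that produced it: component | sast | dast | iast | pentest
    severity: str         # critical | high | medium | low
    category: str         # CWE-style label, e.g. "sql-injection"
    location: str         # file:line, request path, or component coordinate
    status: str = "open"  # open | fixed | accepted (risk accepted by the product owner)


# Constructed findings for one build; not real scan output.
SAMPLE_FINDINGS = [
    Finding("component", "high", "known-vulnerable-dependency", "org.example:parser:1.2.0"),
    Finding("component", "medium", "outdated-dependency", "org.example:util:0.9", "accepted"),
    Finding("sast", "critical", "sql-injection", "src/orders/dao.py:88"),
    Finding("sast", "high", "path-traversal", "src/files/serve.py:41", "fixed"),
    Finding("sast", "low", "hardcoded-log-level", "src/app.py:12"),
    Finding("dast", "medium", "missing-security-header", "/login"),
    Finding("iast", "critical", "sql-injection", "src/orders/dao.py:88"),
    Finding("iast", "high", "path-traversal", "src/files/serve.py:41", "fixed"),
]


def correlate(findings):
    """Collapse findings into one dashboard row per (category, location).

    A row records every stage that reported the issue, the highest severity
    seen, whether any report is still open, and whether a run-time stage
    confirmed it. Static-only rows are the ones most likely to be false
    positives and go to triage rather than straight to the release blocker list.
    """
    rows = {}
    for f in findings:
        key = (f.category, f.location)
        row = rows.setdefault(key, {
            "category": f.category, "location": f.location, "severity": f.severity,
            "stages": set(), "confirmed": False, "open": False,
        })
        row["stages"].add(f.stage)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[row["severity"]]:
            row["severity"] = f.severity
        if f.stage in RUNTIME_STAGES:
            row["confirmed"] = True
        if f.status == "open":
            row["open"] = True
    return list(rows.values())


def per_stage_counts(findings):
    """Open findings per stage by severity: the 'continuous dashboard update' view."""
    counts = {}
    for f in findings:
        if f.status == "open":
            counts.setdefault(f.stage, Counter())[f.severity] += 1
    return counts


def release_gate(findings, stages_run):
    """Answer 'All set for product release?' for one build.

    Blocks when a required gate did not run or when any open critical/high
    row remains, confirmed or not; static-only open rows are also listed
    separately so the dashboard shows what still needs human triage.
    """
    rows = correlate(findings)
    blockers = [r for r in rows if r["open"] and r["severity"] in BLOCKING_SEVERITIES]
    needs_triage = [r for r in rows if r["open"] and not r["confirmed"]]
    missing = sorted(REQUIRED_STAGES - set(stages_run))
    return {
        "release_ok": not blockers and not missing,
        "missing_stages": missing,
        "blockers": sorted((r["severity"], r["category"], r["location"]) for r in blockers),
        "needs_triage": sorted((r["category"], r["location"]) for r in needs_triage),
        "rows": rows,
        "per_stage": per_stage_counts(findings),
    }


if __name__ == "__main__":
    gate = release_gate(SAMPLE_FINDINGS, REQUIRED_STAGES)
    print("release_ok:", gate["release_ok"])
    for stage, counts in sorted(gate["per_stage"].items()):
        print(f"  {stage:10s} open: {dict(counts)}")
    for blocker in gate["blockers"]:
        print("  BLOCKER:", blocker)
    for item in gate["needs_triage"]:
        print("  triage :", item)
```

With the sample build the gate stays closed: the SQL injection reported by SAST is confirmed by IAST at the same location and is open, and the vulnerable component from the component gate is open. The path traversal that both SAST and IAST report as fixed drops out of the blocker list, and the accepted outdated dependency is not counted as open. The same release_gate call with a stage set that omits "iast" blocks on the missing gate alone, which is the point of making every gate a required input to the dashboard rather than an optional report.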
  20. Rethinking challenges! How do the challenges look now?
      • How to manage the security posture of 150+ cloud products?
      • Shall we invest in security (Yes/No)?
      • If yes, how much? Confused about the decision?
      • Invested $X million. How secure are we?
      • We are 100% compliance done! Are we secure now?
      • Are we satisfying customer demands?
  21. Key Points / Take Away
      • Cloud & CI, CD
      • Software product business challenges
      • Pitching security in a fast-paced environment: 3rd party component security; security at development; security at QA; security at staging/production
      • Solutions that we have for this fast-paced environment
      • Security as an input for business decisions
      • Deciding factor for security investment & ROI
  22. Q & A
  23. Thank you, Aniket Kulkarni - Software Security Architect (Bigdata/Cloud/Mobile/Web), Autodesk Singapore Research & Development Center, Singapore.
