T8 Session, 10/27/2016 11:30AM
Add Security Testing Tools to Your Delivery Pipeline
Presented by:
Gene Gotimer
Coveros, Inc.
Brought to you by:
350 Corporate Way, Suite 400, Orange Park, FL 32073
888-268-8770 · 904-278-0524 - info@techwell.com - http://www.starcanada.techwell.com/
Gene Gotimer
Coveros, Inc.
Gene Gotimer is a senior architect at Coveros, Inc., a software company that uses agile methods to accelerate the delivery of secure, reliable software. As a consultant, Gene works with his customers to build software better, faster, and more securely by introducing agile development and DevOps practices. He has many years of experience in web-based enterprise application design, and extensive experience establishing and using development ecosystems such as continuous integration, continuous delivery, DevOps, secure software development, source code control, build management, release management, issue tracking, project planning and tracking, and a variety of software assurance tools and supporting processes. Gene feels strongly that repeatability, quality, and security are all strongly intertwined; each of them is dependent on the other two, which just makes DevOps that much more crucial to software development.
© COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. @CoverosGene
Add Security Testing Tools to Your Delivery Pipeline
Gene Gotimer
Senior Architect
About Coveros
• Coveros builds security-critical applications using agile methods.
• Coveros Services
  • Agile transformations
  • Agile development and testing
  • DevOps and continuous integration
  • Application security analysis
  • Agile & Security training
• Government qualifications
  • DCAA approved rates and accounting
  • TS facility clearance
(Graphic: Areas of Expertise)
Select Clients
Security Testing
Information Security
• Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
• The key concepts of information security include:
  • Confidentiality
  • Integrity
  • Availability
  • + Authenticity
  • + Non-Repudiation
Security Testing
• Often put off until late or ignored completely
(Diagram: "Fix security issues and delay release?" versus "Release on time and accept security risks?")
Return on Investment
“Security is not an investment that provides a return, like
a new factory or a financial instrument. It's an expense
that, hopefully, pays for itself in cost savings.
Security is about loss prevention, not about earnings.
The term just doesn't make sense in this context.”
-- Bruce Schneier, Schneier on Security
https://www.schneier.com/blog/archives/2008/09/security_roi_1.html
Security in the Delivery Pipeline
Security Tools
“If you think technology can solve
your security problems,
then you don't understand the problems and
you don't understand the technology.”
-- Bruce Schneier, Secrets & Lies
Security Testing Process
1. Use tools to help detect the obvious security problems
2. Remediate
3. Search for less obvious security problems
4. Repeat
(Cycle diagram labels: Better security process; Fewer obvious security issues; Time to find less obvious security issues; Better security)
Incorporate Security Testing
Do just enough of each type of testing early in the pipeline to determine if further testing is justified.
Tools to Consider Adding to the Process
It is easier to protect less
mvn dependency:tree
mvn dependency:analyze
mvn com.ning.maven.plugins:maven-dependency-versions-check-plugin
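The slide's point is that every dependency you ship is something you must track and patch, so the pipeline should notice when the dependency list drifts. The following is an added example (not from the deck and not Coveros' code) of a build gate that reads the output of `mvn dependency:analyze` and fails on dependencies the code uses without declaring and on declared dependencies it never uses. The `[WARNING] ... dependencies found:` headings follow the real maven-dependency-plugin output; the sample artifacts and the `demo-app` module are constructed.

```python
"""Build gate for `mvn dependency:analyze` output (added example, not from the deck).

Fewer shipped dependencies means fewer libraries to track and patch, so the
gate fails the build on dependencies the code uses without declaring them and
on declared dependencies the code never uses (outside allowed scopes).
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample. The "[WARNING] ... dependencies found:" headings follow
# the real maven-dependency-plugin format; the artifacts themselves are made up.
SAMPLE_ANALYZE_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.1.2:analyze (default-cli) @ demo-app ---
[WARNING] Used undeclared dependencies found:
[WARNING]    org.apache.commons:commons-lang3:jar:3.9:compile
[WARNING] Unused declared dependencies found:
[WARNING]    com.example:legacy-xml-parser:jar:1.4.2:compile
[WARNING]    junit:junit:jar:4.12:test
[INFO] ------------------------------------------------------------------------
"""

SECTION_RE = re.compile(r"^\[WARNING\] (Used undeclared|Unused declared) dependencies found:")
# groupId:artifactId:type:version:scope, exactly five colon-separated fields
ARTIFACT_RE = re.compile(r"^\[WARNING\]\s+([^\s:]+(?::[^\s:]+){4})\s*$")


def parse_analyze_output(text: str) -> Dict[str, List[str]]:
    """Collect the artifacts listed under each analyze warning section."""
    result: Dict[str, List[str]] = {"used_undeclared": [], "unused_declared": []}
    current = None
    for line in text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            current = ("used_undeclared" if section.group(1) == "Used undeclared"
                       else "unused_declared")
            continue
        artifact = ARTIFACT_RE.match(line)
        if artifact and current:
            result[current].append(artifact.group(1))
        elif not line.startswith("[WARNING]"):
            current = None  # any non-warning line ends the current section
    return result


def dependency_gate(text: str, allow_unused_scopes: Tuple[str, ...] = ("test",)
                    ) -> Tuple[bool, List[str]]:
    """Return (passed, findings). Unused dependencies in the allowed scopes
    (test by default) are tolerated. The plugin works from bytecode, so it
    misses reflective and runtime-only usage: review findings rather than
    widening the allow-list blindly."""
    parsed = parse_analyze_output(text)
    findings = [f"used but undeclared: {a}" for a in parsed["used_undeclared"]]
    for artifact in parsed["unused_declared"]:
        scope = artifact.rsplit(":", 1)[1]
        if scope not in allow_unused_scopes:
            findings.append(f"declared but unused: {artifact}")
    return (not findings, findings)


if __name__ == "__main__":
    # Pipeline usage: mvn dependency:analyze | python dependency_gate.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ANALYZE_OUTPUT
    passed, findings = dependency_gate(text)
    for finding in findings:
        print(finding)
    sys.exit(0 if passed else 1)
```

A used-but-undeclared dependency is the more dangerous finding: the build only works because some other library happens to drag it in, so its version is controlled by someone else's POM and can change silently on the next upgrade.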
Poor quality code is harder to maintain
… and harder to secure
Make sure your tests actually test
Keep libraries up-to-date
Negative testing
User role testing
… what should users not be able to do?
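Functional tests prove what a role can do; the slide asks for the opposite list. As an added example (not from the deck and not Coveros' code), the block below keeps a deny-by-default allow-list policy next to a negative matrix of what each role must not be able to do, runs every pair through the policy, and reports anything wrongly allowed. The roles, actions and policy are constructed; the second policy function is a deliberately flawed variant included to show what the negative tests catch.

```python
"""Role-based negative tests (added example, not from the deck).

The policy is an explicit allow-list per role; the negative matrix lists what
each role must NOT be able to do, and the harness reports every pair the
policy wrongly allows. Roles, actions and the policy are constructed samples.
"""
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

POLICY: Dict[str, FrozenSet[str]] = {
    "viewer": frozenset({"order:read"}),
    "clerk": frozenset({"order:read", "order:create"}),
    "admin": frozenset({"order:read", "order:create", "order:delete", "user:manage"}),
}
ALL_ACTIONS: FrozenSet[str] = frozenset().union(*POLICY.values())


def is_allowed(role: str, action: str) -> bool:
    """Deny by default: unknown roles and unlisted actions are refused."""
    return action in POLICY.get(role, frozenset())


def is_allowed_resource_only(role: str, action: str) -> bool:
    """A realistic mistake, kept here only to exercise the negative tests:
    authorizes on the resource ("order") and ignores the verb, so anyone who
    may read orders may also delete them."""
    resources = {a.split(":", 1)[0] for a in POLICY.get(role, frozenset())}
    return action.split(":", 1)[0] in resources


# What each role must not be able to do. "anonymous" is absent from the
# policy on purpose: every action must be refused for it.
NEGATIVE_MATRIX: Dict[str, Set[str]] = {
    "viewer": {"order:create", "order:delete", "user:manage"},
    "clerk": {"order:delete", "user:manage"},
    "anonymous": set(ALL_ACTIONS),
}


def run_negative_tests(policy: Callable[[str, str], bool],
                       matrix: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return every (role, action) pair the policy allowed but should have denied."""
    failures = []
    for role, forbidden in matrix.items():
        for action in sorted(forbidden):
            if policy(role, action):
                failures.append((role, action))
    return failures


def coverage_gaps(matrix: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Actions a role is neither granted nor explicitly tested against. The
    matrix should be complete, otherwise a grant added later goes untested."""
    return {role: set(ALL_ACTIONS) - POLICY.get(role, frozenset()) - forbidden
            for role, forbidden in matrix.items()}
```

Run the negative matrix as an ordinary test suite in the pipeline, and make the coverage check part of it: when a new action is added to the system, it must appear either in a role's grants or in that role's forbidden set, so the question "what should this user not be able to do?" gets answered at the same time the feature lands.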
Use a proxy
OWASP ZAP
… and piggy-back on functional tests
passive proxy
active scanner
fuzzer
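The cheapest way onto this slide is the passive proxy: route the functional suite's traffic through ZAP and the passive scanner raises alerts on what it observes without sending a single extra request; the active scanner and fuzzer come later, once that early signal says further testing is justified. The block below is an added example (not ZAP's code and not from the deck): `proxy_settings()` produces the environment that points an HTTP client or a WebDriver-launched browser at ZAP, and `summarize_alerts()` turns the alert list ZAP exports into a pass/fail decision. The alert records are a constructed sample whose fields approximate ZAP's alerts view; the plugin IDs, URLs and findings are illustrative, and the ZAP listen address is an assumption (8080 is ZAP's default proxy port).

```python
"""Piggy-backing security checks on functional tests with OWASP ZAP (added
example, not ZAP's own code or the deck's).

proxy_settings() gives the environment that sends the functional suite's
traffic through ZAP's passive proxy; summarize_alerts() gates the build on the
alerts ZAP exports afterwards. The alert records below are a constructed
sample whose fields approximate ZAP's alerts view; the findings are made up.
"""
import json
from collections import Counter
from typing import Dict, Iterable

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

SAMPLE_ALERTS_JSON = json.dumps([
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "confidence": "Medium", "url": "http://app.test/login"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "confidence": "Medium", "url": "http://app.test/orders"},
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)",
     "risk": "High", "confidence": "Medium", "url": "http://app.test/search?q=x"},
    {"pluginId": "10202", "alert": "Absence of Anti-CSRF Tokens",
     "risk": "Medium", "confidence": "Low", "url": "http://app.test/orders/new"},
])


def proxy_settings(zap_host: str = "127.0.0.1", zap_port: int = 8080) -> Dict[str, str]:
    """HTTP(S)_PROXY values for the test runner's environment. The listen
    address is an assumption; 8080 is ZAP's default proxy port."""
    url = f"http://{zap_host}:{zap_port}"
    return {"HTTP_PROXY": url, "HTTPS_PROXY": url}


def summarize_alerts(alerts_json: str, fail_at: str = "High",
                     ignore_plugin_ids: Iterable[str] = ()) -> Dict[str, object]:
    """Deduplicate alerts per (pluginId, name), count by risk and list the
    findings at or above the failure threshold."""
    ignored = set(ignore_plugin_ids)
    unique: Dict[tuple, Dict[str, object]] = {}
    for alert in json.loads(alerts_json):
        if alert["pluginId"] in ignored:  # accepted findings, tracked elsewhere
            continue
        key = (alert["pluginId"], alert["alert"])
        entry = unique.setdefault(key, {"risk": alert["risk"], "urls": []})
        entry["urls"].append(alert["url"])  # same finding on several URLs = one item
    by_risk = Counter(entry["risk"] for entry in unique.values())
    blocking = sorted(name for (_, name), entry in unique.items()
                      if RISK_ORDER[entry["risk"]] >= RISK_ORDER[fail_at])
    return {"unique": len(unique), "by_risk": dict(by_risk), "blocking": blocking}


def should_fail_build(alerts_json: str, fail_at: str = "High",
                      ignore_plugin_ids: Iterable[str] = ()) -> bool:
    """Pipeline decision: any unignored alert at or above fail_at fails the stage."""
    return bool(summarize_alerts(alerts_json, fail_at, ignore_plugin_ids)["blocking"])
```

Two practical caveats: HTTPS traffic only passes through ZAP if the test client or browser trusts ZAP's generated root CA, and the threshold should start high (failing only on High) so the gate is trusted, then be tightened as the passive findings are cleaned up; the `ignore_plugin_ids` list is where accepted risks go, so that acceptance is visible in version control rather than hidden in a lower threshold.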
Repeatable, reliable deployments
… and test that through practice
Audit yourself
Scan the web application
Scan the web server configuration
Scan the system
… before and after installing software
Scan all the systems
… don’t forget the infrastructure
Keep packages up-to-date
Test performance
… even if you just watch the trends
Test the database
… for security and performance
Protect against hackers
… even on development and test systems
Continuously improve
A little better is still better. Keep improving.
… and don’t expect perfectly secure
Find more tools
Questions?
Gene Gotimer
gene.gotimer@coveros.com
@CoverosGene