SlideShare a Scribd company logo

The security phoenix - from the ashes of DEV-OPS Appsec California 2020

NSC42 Ltd
NSC42 Ltd

Title: The Security Phoenix Subtitle: From the ashes of DEVOPS Synopsis: The talk will take the audience on a path to integrate security in development covering aspect like SDLC, People and Technology, Metrix, and maturity matrix. The Talk will focus on several aspect like: • Visibility of vulnerabilities in production • Traceability of software built and source of the component • Visualization of vulnerabilities and target (Divide in quarter, Build vs Fix) • Maturity matrix and path to evolution with KCI • Advanced concepts like breaking the build, license to operate If time is available, the talk will explore some additional lesson learned rough length: Compressed 25+5 min long version 30 min Audience Take Away: ● How to build a cybersecurity programme with people and technology at the heart ● How and why to trace component and how they are built ● Why visibility in production and traceability is important ● How to set targets for product teams and what to measure in various phases ● How to involve risk assessment and where to apply governance ● Use cases to visualize vulnerabilities

Education
1 of 44
Download to read offline
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) The Security Phoenix raises from DEV-OPS ashes APPSEC California 2020 @FrankSEC42 From DEV-OPS Security raises in DEV-SEC-OPS-BIZ-RISK-GOV https://uk.linkedin.com/in/fracipo PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) Agenda About the author Conclusions Q&A Security Phoenix – Scanners Triage and Visualizers Security Phoenix – People & Trust + Verify Evolution of DEVOPS in Security Phoenix Context @FrankSEC42 Security Phoenix – Maturity Matrix & Education PUBLIC Security Phoenix – Visibility Problem Security Phoenix – The cake and traceability problem
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo About the Francesco 3 Francesco Cipollone Founder – NSC42 LTD I’m a CISO and a CISO Advisor, Cybersecurity Cloud Expert. Speaker, Researcher and Chair of Cloud security Alliance UK, Researcher and associate to ISC2. I’ve been helping organizations define and implement cybersecurity strategies and protect their organizations against cybersecurity attacks Website Articles NSC42 LinkedIn Security is everybody’s job We need to make security cool and frictionless Copyright © NSC42 Ltd 2019 Email@FrankSec42 Fracipo Linkein PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo What the hek is DEV-SEC-OPS? 4 What kind of animal is the DEV-SEC-OPS? Integrate security into the OPS team (and add a spark of BIZ) PUBLIC DEV-OPS+ SEC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Anatomy of a phoenix 5 What Are the core pillars of Security Pheonix Secure Operate Secure Design Build & Test People & Education Governance & Risk mng PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 6 PUBLIC Why do we worry about security? The Problem Landscape
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Major Breaches 7 PUBLIC 2009/ 2010 2012 Microsoft Heartland US Military Aol TJMax 2013 2016 2017 2014 2015 2018 Sony PSN NHS Betfair Steam Deep Root IRS Anthem Dropbox Lastfm Blizzard Marriot Twitter MyHeritage Uber Quora.. Why fixing Security Vulnerabilities is everybody’s job? Equifax Myspace Twitter Yahoo Linkedin Friend Finder Dailymotion Mossack Fonseca JP Morgan Home Depo Ebay Yahoo(orignal) US Retailers Adobe UbiSoft Court Ventures 2012 2019 … …because we all get affected by it
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Major Breaches 8 PUBLIC Image Credit Information is Beautiful
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 9 PUBLIC From Dev to prod and cakes The Visibility Problem
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Understanding the room you walk in – Asset Register 10
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo To understand shine a light 11
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Better to have full visibility 12
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 13 PUBLIC The software security cake The Problem Traceability Problem
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo So how we do it? Easy as baking a cake 14
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Road to Production: the cake analogy 15 The Objective of the various areas are • Ingredients • Recipe • Stock List (asset Register) Design Operate The Objective of the various areas are • Sell The cake • Restock the cake on the shelf Build/Test The Objective of the various areas are • Combine ingredients (libraries+Code) • Bake the cake • Test the cake Security Design Act as Health Inspector • Verify Ingredients are not mouldy • Verify Recipe does not contain poison • Stock List (asset Register) – verify the component used in the cake are genuine Act as Health Inspector • That the cake is made up of genuine ingredients (from asset register) • Test the cake for mould Security Build & Test Act as Health Inspector • Verify Cake on the shop are made of genuine ingredients (from asset register) • Verify expiry data of Cake • Test the cake for mould Secure Operate PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Fixing Vulnerability the ABC…D 16 D – Respond/recover (Fix Vulnerability) 7 – Schedule Vuln Fixes (Jira) 7 – Fix Vuln & measure (quarterly) C – Visualize Vulnerabilities (Display) Reporting Dashboards (based on the maturity & KPI) Link the trending to Build vs FIX, Vuln trending, B – Detect (Scan Code) Select Team Leads and identify security champions Get security Scanners (SAST/DAST) Onboard and teach how to triage Create a Vulnerability Data lake (results of the vulnerabilities) A - IDentify (Software Asset Register) Software you build (repositories) Software You buy Trace Completeness across all the application you have Asset Register for Vulnerability Data Lake KPI Reporting & Dashboard Prioritizing & Vulnerability Reduction Outcome PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Vulnerability management Lifecycle Discover 01 02 03 04 05 06 Vuln Mngmn Lifecycle Software Asset Register Scan Code/Infra/network Triage/ Assess Triage & identify False Positives Tweak Scan Profiles Prioritize Visualize Prioritize vuln (Start Easy) Network Location Exploitability … Graph – Up/down trending of prj Build vs FIX Time to Fix Remediate/ Risk Verify Fix Code and redeploy in test Test implemented Fix
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 18 PUBLIC The Software Asset Register The Appsec Lifecycle & Shift Left
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Asset Register Part A 19 DEV Security Production Security Scanning Vuln SAST Library IAST MAST Visualizing Vuln Prod DEV BuildvsFix VulnTrending Risk Remediation P CodeFix LibUpgrade Patching DAST Resolution NEWCode NEWLib Applied Patches Triaging Vuln FalsePositives Impact Exploitability NetLocation AggregationLayer API/AutomationLayer Refine/Enrich Risk Assess/Prioritize API/AutomationLayer Assets Code YOU Own Approved 3rd party Black Box Open Source Approved Approved Libraries/Repo Pipeline of ‘new’ Open Source Approved New Code being Considered New Repo/ Libraries Eval of 3rd Party PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Git to People: Who does what where Visualizer 20 DEV Security Production Security git ls-tree -r -z --name-only HEAD -- update- tools-mac.sh | xargs -0 -n1 git blame --line- porcelain HEAD |grep "^author "|sort|uniq - c|sort -nr For Every Repo List of committers E-Mail/HR DB Build vs FIX & Tickets App scan? PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 21 PUBLIC How to Embed DEV-SEC-OPS The People & Technology part
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo What do you get out of Security Phoenix? 22 1. Visualize and Fix Vulnerability at scale and pace (DEV & Ops) 2. Trust the Product team but keep them accountable: Trust & Verify & License to Operate 3. Maturity & Recap PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects – Part B 23 DEV Security Production Security Scanning Vuln SAST Library IAST MAST Visualizing Vuln Prod DEV BuildvsFix VulnTrending Risk Remediation P CodeFix LibUpgrade Patching DAST Resolution NEWCode NEWLib Applied Patches Triaging Vuln FalsePositives Impact Exploitability NetLocation AggregationLayer API/AutomationLayer Refine/Enrich Risk Assess/Prioritize API/AutomationLayer Assets Code YOU Own Approved 3rd party Black Box Open Source Approved Approved Libraries/Repo Pipeline of ‘new’ Open Source Approved New Code being Considered New Repo/ Libraries Eval of 3rd Party PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects -> Under the hood 24 PUBLIC Repositories Build/Staging/UAT/ Test Environments Scanner for Code Scanner for Build Dashboards For SAST DEV Dashboard Scanner for Test Dashboard Build/ Test Production Prod Scnner Dashboards PROD Dashboards Development-Testing Production Scanner for prod Triage the vulnerabilities Scan At various Stages Scanners to Tickets or aggregators DEV Security Production Security SET Targets For Prod & DEV Vuln
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects – Part C 25 DEV Security Production Security Scanning Vuln SAST Library IAST MAST Visualizing Vuln Prod DEV BuildvsFix VulnTrending Risk Remediation P CodeFix LibUpgrade Patching DAST Resolution NEWCode NEWLib Applied Patches Triaging Vuln FalsePositives Impact Exploitability NetLocation AggregationLayer API/AutomationLayer Refine/Enrich Risk Assess/Prioritize API/AutomationLayer Assets Code YOU Own Approved 3rd party Black Box Open Source Approved Approved Libraries/Repo Pipeline of ‘new’ Open Source Approved New Code being Considered New Repo/ Libraries Eval of 3rd Party PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects 26 DEV Security Production Security PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects 27 PUBLIC Example of a dashboard for Vulnerability Visualization DEV Security Production Security
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects - Part D fix 28 DEV Security Production Security Scanning Vuln SAST Library IAST MAST Visualizing Vuln Prod DEV BuildvsFix VulnTrending Risk Remediation P CodeFix LibUpgrade Patching DAST Resolution NEWCode NEWLib Applied Patches Triaging Vuln FalsePositives Impact Exploitability NetLocation AggregationLayer API/AutomationLayer Refine/Enrich Risk Assess/Prioritize API/AutomationLayer Assets Code YOU Own Approved 3rd party Black Box Open Source Approved Approved Libraries/Repo Pipeline of ‘new’ Open Source Approved New Code being Considered New Repo/ Libraries Eval of 3rd Party PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Triaging Vulnerabilities 29 DEV Security Production Security Security Scanners Potential Defects Triage Real Defects Vuln Scoring Is it a false positive? PODs DEV Sec Champion Risk Person Lead Appsec Sec Arch SupportFunctions PODs DEV Sec Champion Risk Person Lead Appsec Sec Arch Support Functions OS Framework Library Code 3rd Party DefectTypes Prioritized Vulnerabilities Can they be fixed? RiskWork Ticket Yes No Threat Modelling Prioritized Vulnerability (with Context) Compensating Control Increased Impact/ Probability NoYesMitigation BIA - Impact Exploitability - Likelyhood PODs DEV Sec Champion Risk person Lead Appsec Sec Arch SupportFunctions How exploitable? Maturity Level Maturity level PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo What do you get out of Security Phoenix? 30 1. Visualize and Fix Vulnerability at scale and pace (DEV & Ops) 2. Trust the Product team but keep them accountable: Trust & Verify & License to Operate 3. Maturity & Recap PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Trust & Verify Core – Fast & Confident – Core Concepts 31 Going fast but with confidence (SEC) 1. Trust & Verify 2. License to operate/code >> Set Thresholds: Bild vs Fix, Vulnerability trending People & Education PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Trust & Verify – Under the hood 32 Learning & Education Build vs FIX Target Application Security Scanners Production Dashboard Development Dashboard Job Queue Defects Bugs New Features Am I compliant with Code Defects Target ? Triage & Vulnerability Per applicationDay to day fix or build Code 3rd parties Components (FOSS + Libraries) Engeneers & Developers DEV-SEC-OPS Application Group (unit that works on one or more application) DEV Test Prod nt to prod he License erate Engeneers & Developers Application/ Product Owner Security Champion Security Architect Security Vulnerabilities Bugs& Errors NEWFeatures Thresholds Vulnerability Targets (Quarter) Phoenix Aggregator DB License to operate PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Trust & Verify Key concepts - Summary 33 Developer can operate fast and deploy if they have a license 1. Trust your developers and apply a ‘license to operate’ 2. Apply governance (light and heavy weight) 3. Visualize and keep everyone accountable 4. Make security resource available to the developers and document the fixes PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Security Education in DEV-SEC-OPS 34 1. Awareness Training For your users 2. Craft Training based on the scanner (faults) data 3. Education on the job – What good looks like 4. Make the training entertaining (CTF and Rewards) Security Education Education: PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 35 PUBLIC Bringing all together Maturity Model & Recap
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo What do you get out of Security Phoenix? 36 1. Visualize and Fix Vulnerability at scale and pace (DEV & Ops) 2. Trust the Product team but keep them accountable: Trust & Verify & License to Operate 3. Maturity & Recap PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo To Achieve High Maturity what do you do 37 PUBLIC DEV Security Production Security Mat urity Task How much 1 No Peer Review 1 No Code Scanning 1 No library update 1 No risk management 1 No visibility on vulnerabilities 1 No knowledge of pods 1 No team to pod mapping 1 No Documentation of Fixes 2 Peer Revew 2 Team to Pod to Stash recorded 2 Onboarded application on code scanners 2 Libray scanning 2 triage of vulnerabilities (base) - Consider only high medium and low 2 Manual Evaluation of team and Allocation of Licence to Operate 2 No SLA 2 No Documentaiton 2 Adoption Dashboard 3 Peer Review with Toolset 3 Updated Teams and asset register 3 Basic Triage of vulnerabilities 3 Code Scan with Pipeline Break & Basic SLA 3 Adoption Dashboard (advanced) Per A.C. and Per Region 3 Risk Assessment from code scanning with record in Risk management Register 3 Automated Licence to operate: Code Scanning, Libraries, Internal Training 4 Fix time of vulnerabilities recorded 4 T-Shirt Sizing of fixes and Adaptation of SLA based on fixes 4 Visualization of pod to fix 4 segmentation dev and prod 4 Fix ticket in Jira & Build vs Fix Concept 4 Fuzzing (basic with generic per app) 5 Automated Licence to operate: Code Scanning, Libraries, Internal Training, Build Vs Fix 5 Automated Fuzzing & Library of tests Level 1 Level 2 Level 3 Level 4 Level 5 Intial Manage d Defined Quantitatively Managed Optimized Security Design AS-IS->TO- BE Security Design Governance AS-IS TO-BE Security Build & Test AS-IS TO-BE Security Operate AS-IS-> TO-BE Appsec Security Education AS-IS TO-BE Application Security Risk Management AS-IS TO-BE Reporting Frequency KCI Mat rutiy Build/Test Prereq -> 0 Who is working on which repository Monthly 1 Team On-boarded on scanners (per pod) Monthly 1 Code Scanning Frequency per project (min 1 per week) Monthly 1 Dashboard for Scanners created Monthly 2 Number of vulnerabilities ticket recorded Weekly 2 Dashboard for vulnerabilities - Onboarded Projects Weekly 2 Vulnerability Fixed (quarter) Monthly/ Quarterly Checks 3 Project imported in Kennar and Enriched Vulnerabilities (kennar) Monthly 3 Projects breaching the Build vs Fix target Monthly/ Quarter Checks 4 Fixes per thematic in SLA Monthly 4 SLA for Fixes (breached/achieved) Monthly 4 Team Achieving Licence to operate and Out of the licence Monthly 5 Build vs fix Monthly 5 Licence to operate Monthly Overall Maturity Maturity Steps KCI
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Fixing Vulnerability the ABC…D 38 D – Respond/recover (Fix Vulnerability) 7 – Schedule Vuln Fixes (Jira) 7 – Fix Vuln & measure (quarterly) C – Visualize Vulnerabilities (Display) Reporting Dashboards (based on the maturity & KPI) Link the trending to Build vs FIX, Vuln trending, B – Detect (Scan Code) Select Team Leads and identify security champions Get security Scanners (SAST/DAST) Onboard and teach how to triage Create a Vulnerability Data lake (results of the vulnerabilities) A - IDentify (Software Asset Register) Software you build (repositories) Software You buy Trace Completeness across all the application you have Asset Register for Vulnerability Data Lake KPI Reporting & Dashboard Prioritizing & Vulnerability Reduction Outcome PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Application Security Scanners Production Dashboard Development Dashboard Job Queue Defects Bugs New Features Am I compliant with Code Defects Target ? Am i still compliant with Overall Build vs FIX Targets ? Triage & Vulnerability Per applicationDay to day fix or build Code 3rd parties Components (FOSS + Libraries) Engeneers & Developers DEV-SEC-OPS Application Group (unit that works on one or more application) DEV Test Prod Deployment to prod Relies on the License to Operate Engeneers & Developers Application/ Product Owner Security Champion Security Architect Security Vulnerabilities Bugs& Errors NEWFeatures Thresholds Trust & Verify Framework 39 Learning & Education PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Conclusion 40 - Trust And Verify - Vulnerability Management every day life - Automation vs people aspect – is a transformation - Data Driven Education - Governance at scale Does develops have a single solution? Security is everybody’s job PUBLIC
Every 2 weeks 1.30 PM UK Time Cyber #MentoringMonday Podcast @FrankSEC42 PUBLIC
Cyber Security Awards 2020 Cloud Security Influencer of the Year Submission – 10 of May 2020 (TBD) Ceremony 4 July 2020 #CYSECAWARDS20 https://cybersecurityawards.com/ https://cloudsecurityalliance.org.uk Submit: info@cybersecurityawards.com Info: Francesco.Cipollone@cloudsecurityalliance.org.ukPUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Q&A 43 PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Contacts 44 Get in touch: https://uk.linkedin.com/in/fracipo Francesco.cipollone (at) nsc42.co.uk www.nsc42.co.uk Thank you WHEN YOU ARE CYBERSAFE WE ARE CYBERHAPPY @FrankSEC42 PUBLIC

Recommended

Nsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_shareNsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_shareNSC42 Ltd
 
Your Code Isn’t Static. Your Processes Shouldn’t be Either.
Your Code Isn’t Static. Your Processes Shouldn’t be Either.Your Code Isn’t Static. Your Processes Shouldn’t be Either.
Your Code Isn’t Static. Your Processes Shouldn’t be Either.DevOps.com
 
Upskilling: Adapting Humans At The Speed of DevOps
Upskilling: Adapting Humans At The Speed of DevOpsUpskilling: Adapting Humans At The Speed of DevOps
Upskilling: Adapting Humans At The Speed of DevOpsDevOps.com
 
Linux Foundation Live Webinar: Applying Governance to CI/CD
Linux Foundation Live Webinar: Applying Governance to CI/CDLinux Foundation Live Webinar: Applying Governance to CI/CD
Linux Foundation Live Webinar: Applying Governance to CI/CDTiffany Jachja
 
About StarForce Technologies
About StarForce TechnologiesAbout StarForce Technologies
About StarForce TechnologiesStarForce Technologies
 
Cisco canada education @ advancing learning conference 2014
Cisco canada education @ advancing learning conference 2014Cisco canada education @ advancing learning conference 2014
Cisco canada education @ advancing learning conference 2014Marc Lijour, OCT, BSc, MBA
 
DEF CON 27 - workshop - POLOTO - hacking the android apk
DEF CON 27 - workshop - POLOTO - hacking the android apkDEF CON 27 - workshop - POLOTO - hacking the android apk
DEF CON 27 - workshop - POLOTO - hacking the android apkFelipe Prado
 
Safety Assurance and Certification: Current Practices, Challenges, and Brains...
Safety Assurance and Certification: Current Practices, Challenges, and Brains...Safety Assurance and Certification: Current Practices, Challenges, and Brains...
Safety Assurance and Certification: Current Practices, Challenges, and Brains...Roberto Natella
 

Recommended

Nsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_shareNsc42 security knights slayer of dragons 0-5_very_short_15m_share
Nsc42 security knights slayer of dragons 0-5_very_short_15m_shareNSC42 Ltd
 
Your Code Isn’t Static. Your Processes Shouldn’t be Either.
Your Code Isn’t Static. Your Processes Shouldn’t be Either.Your Code Isn’t Static. Your Processes Shouldn’t be Either.
Your Code Isn’t Static. Your Processes Shouldn’t be Either.DevOps.com
 
Upskilling: Adapting Humans At The Speed of DevOps
Upskilling: Adapting Humans At The Speed of DevOpsUpskilling: Adapting Humans At The Speed of DevOps
Upskilling: Adapting Humans At The Speed of DevOpsDevOps.com
 
Linux Foundation Live Webinar: Applying Governance to CI/CD
Linux Foundation Live Webinar: Applying Governance to CI/CDLinux Foundation Live Webinar: Applying Governance to CI/CD
Linux Foundation Live Webinar: Applying Governance to CI/CDTiffany Jachja
 
About StarForce Technologies
About StarForce TechnologiesAbout StarForce Technologies
About StarForce TechnologiesStarForce Technologies
 
Cisco canada education @ advancing learning conference 2014
Cisco canada education @ advancing learning conference 2014Cisco canada education @ advancing learning conference 2014
Cisco canada education @ advancing learning conference 2014Marc Lijour, OCT, BSc, MBA
 
DEF CON 27 - workshop - POLOTO - hacking the android apk
DEF CON 27 - workshop - POLOTO - hacking the android apkDEF CON 27 - workshop - POLOTO - hacking the android apk
DEF CON 27 - workshop - POLOTO - hacking the android apkFelipe Prado
 
Safety Assurance and Certification: Current Practices, Challenges, and Brains...
Safety Assurance and Certification: Current Practices, Challenges, and Brains...Safety Assurance and Certification: Current Practices, Challenges, and Brains...
Safety Assurance and Certification: Current Practices, Challenges, and Brains...Roberto Natella
 
Continuous Security: Zap security bugs now Codemotion-2015
Continuous Security: Zap security bugs now Codemotion-2015Continuous Security: Zap security bugs now Codemotion-2015
Continuous Security: Zap security bugs now Codemotion-2015Carlo Bonamico
 
Is my Web Application secure? OWASP Top Ten Security Risks and Beyond...
Is my Web Application secure? OWASP Top Ten Security Risks and Beyond...Is my Web Application secure? OWASP Top Ten Security Risks and Beyond...
Is my Web Application secure? OWASP Top Ten Security Risks and Beyond...Carlo Bonamico
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLudovic Petit
 
T3DD12 Security Workshop
T3DD12 Security WorkshopT3DD12 Security Workshop
T3DD12 Security WorkshopHelmut Hummel
 
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...NowSecure
 
Charting a Career in Information Security - August 2020
Charting a Career in Information Security - August 2020Charting a Career in Information Security - August 2020
Charting a Career in Information Security - August 2020JayTymchuk
 
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...Security Innovation
 
Culture of Security
Culture of SecurityCulture of Security
Culture of SecurityFlevy.com Best Practices
 
ipvm-certification-ip-networking-nigel-varney
ipvm-certification-ip-networking-nigel-varneyipvm-certification-ip-networking-nigel-varney
ipvm-certification-ip-networking-nigel-varneyreggievarn
 
ipvm-certification-ip-cameras-gert-molkens
ipvm-certification-ip-cameras-gert-molkensipvm-certification-ip-cameras-gert-molkens
ipvm-certification-ip-cameras-gert-molkensGert Molkens
 
Nsc42 the security phoenix
Nsc42 the security phoenixNsc42 the security phoenix
Nsc42 the security phoenixNSC42 Ltd
 
Nsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 shareNsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 shareNSC42 Ltd
 
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNSC42 Ltd
 
Csa UK agm 2019 - Nsc42 - is the cloud secure - is easy if you do it smart Fr...
Csa UK agm 2019 - Nsc42 - is the cloud secure - is easy if you do it smart Fr...Csa UK agm 2019 - Nsc42 - is the cloud secure - is easy if you do it smart Fr...
Csa UK agm 2019 - Nsc42 - is the cloud secure - is easy if you do it smart Fr...Cloud Security Alliance, UK chapter
 
Nsc42-CSA AGM is the cloud secure - is easy if you do it smart
Nsc42-CSA AGM is the cloud secure - is easy if you do it smartNsc42-CSA AGM is the cloud secure - is easy if you do it smart
Nsc42-CSA AGM is the cloud secure - is easy if you do it smartNSC42 Ltd
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeNowSecure
 
Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...
Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...
Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...NSC42 Ltd
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest Haydn Johnson
 
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...lior mazor
 
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...Cristian Garcia G.
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetuppbink
 

More Related Content

What's hot

Continuous Security: Zap security bugs now Codemotion-2015
Continuous Security: Zap security bugs now Codemotion-2015Continuous Security: Zap security bugs now Codemotion-2015
Continuous Security: Zap security bugs now Codemotion-2015Carlo Bonamico
 
Is my Web Application secure? OWASP Top Ten Security Risks and Beyond...
Is my Web Application secure? OWASP Top Ten Security Risks and Beyond...Is my Web Application secure? OWASP Top Ten Security Risks and Beyond...
Is my Web Application secure? OWASP Top Ten Security Risks and Beyond...Carlo Bonamico
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLudovic Petit
 
T3DD12 Security Workshop
T3DD12 Security WorkshopT3DD12 Security Workshop
T3DD12 Security WorkshopHelmut Hummel
 
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...NowSecure
 
Charting a Career in Information Security - August 2020
Charting a Career in Information Security - August 2020Charting a Career in Information Security - August 2020
Charting a Career in Information Security - August 2020JayTymchuk
 
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...Security Innovation
 
ipvm-certification-ip-networking-nigel-varney
ipvm-certification-ip-networking-nigel-varneyipvm-certification-ip-networking-nigel-varney
ipvm-certification-ip-networking-nigel-varneyreggievarn
 
ipvm-certification-ip-cameras-gert-molkens
ipvm-certification-ip-cameras-gert-molkensipvm-certification-ip-cameras-gert-molkens
ipvm-certification-ip-cameras-gert-molkensGert Molkens
 

What's hot (10)

Continuous Security: Zap security bugs now Codemotion-2015
Continuous Security: Zap security bugs now Codemotion-2015Continuous Security: Zap security bugs now Codemotion-2015
Continuous Security: Zap security bugs now Codemotion-2015
 
Is my Web Application secure? OWASP Top Ten Security Risks and Beyond...
Is my Web Application secure? OWASP Top Ten Security Risks and Beyond...Is my Web Application secure? OWASP Top Ten Security Risks and Beyond...
Is my Web Application secure? OWASP Top Ten Security Risks and Beyond...
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
 
T3DD12 Security Workshop
T3DD12 Security WorkshopT3DD12 Security Workshop
T3DD12 Security Workshop
 
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
 
Charting a Career in Information Security - August 2020
Charting a Career in Information Security - August 2020Charting a Career in Information Security - August 2020
Charting a Career in Information Security - August 2020
 
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
 
Culture of Security
Culture of SecurityCulture of Security
Culture of Security
 
ipvm-certification-ip-networking-nigel-varney
ipvm-certification-ip-networking-nigel-varneyipvm-certification-ip-networking-nigel-varney
ipvm-certification-ip-networking-nigel-varney
 
ipvm-certification-ip-cameras-gert-molkens
ipvm-certification-ip-cameras-gert-molkensipvm-certification-ip-cameras-gert-molkens
ipvm-certification-ip-cameras-gert-molkens
 

Similar to The security phoenix - from the ashes of DEV-OPS Appsec California 2020

Nsc42 the security phoenix
Nsc42 the security phoenixNsc42 the security phoenix
Nsc42 the security phoenixNSC42 Ltd
 
Nsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 shareNsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 shareNSC42 Ltd
 
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNSC42 Ltd
 
Csa UK agm 2019 - Nsc42 - is the cloud secure - is easy if you do it smart Fr...
Csa UK agm 2019 - Nsc42 - is the cloud secure - is easy if you do it smart Fr...Csa UK agm 2019 - Nsc42 - is the cloud secure - is easy if you do it smart Fr...
Csa UK agm 2019 - Nsc42 - is the cloud secure - is easy if you do it smart Fr...Cloud Security Alliance, UK chapter
 
Nsc42-CSA AGM is the cloud secure - is easy if you do it smart
Nsc42-CSA AGM is the cloud secure - is easy if you do it smartNsc42-CSA AGM is the cloud secure - is easy if you do it smart
Nsc42-CSA AGM is the cloud secure - is easy if you do it smartNSC42 Ltd
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeNowSecure
 
Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...
Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...
Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...NSC42 Ltd
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest Haydn Johnson
 
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...lior mazor
 
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...Cristian Garcia G.
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetuppbink
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxlior mazor
 
Alfresco Virtual DevCon 2020 - Security First!
Alfresco Virtual DevCon 2020 - Security First!Alfresco Virtual DevCon 2020 - Security First!
Alfresco Virtual DevCon 2020 - Security First!Jason Jolley
 
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...Amazon Web Services
 
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...Black Duck by Synopsys
 
27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploit27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploitFreddy Buenaño
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Nilesh Sapariya
 
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...Erkang Zheng
 
App sec owasp from developers prospective
App sec owasp from developers prospectiveApp sec owasp from developers prospective
App sec owasp from developers prospectiveSecurity Innovation
 

Similar to The security phoenix - from the ashes of DEV-OPS Appsec California 2020 (20)

Nsc42 the security phoenix
Nsc42 the security phoenixNsc42 the security phoenix
Nsc42 the security phoenix
 
Nsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 shareNsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 share
 
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
 
Csa UK agm 2019 - Nsc42 - is the cloud secure - is easy if you do it smart Fr...
Csa UK agm 2019 - Nsc42 - is the cloud secure - is easy if you do it smart Fr...Csa UK agm 2019 - Nsc42 - is the cloud secure - is easy if you do it smart Fr...
Csa UK agm 2019 - Nsc42 - is the cloud secure - is easy if you do it smart Fr...
 
Nsc42-CSA AGM is the cloud secure - is easy if you do it smart
Nsc42-CSA AGM is the cloud secure - is easy if you do it smartNsc42-CSA AGM is the cloud secure - is easy if you do it smart
Nsc42-CSA AGM is the cloud secure - is easy if you do it smart
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the Code
 
Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...
Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...
Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest
 
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
 
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetup
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
 
Alfresco Virtual DevCon 2020 - Security First!
Alfresco Virtual DevCon 2020 - Security First!Alfresco Virtual DevCon 2020 - Security First!
Alfresco Virtual DevCon 2020 - Security First!
 
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
 
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
 
27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploit27.2.15 lab investigating a malware exploit
27.2.15 lab investigating a malware exploit
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015
 
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
 
App sec owasp from developers prospective
App sec owasp from developers prospectiveApp sec owasp from developers prospective
App sec owasp from developers prospective
 

Recently uploaded

Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomPooky Knightsmith
 
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdfVishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdfssuserdda66b
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxJisc
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701bronxfugly43
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsMebane Rash
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfSherif Taha
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxheathfieldcps1
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesCeline George
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17Celine George
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...pradhanghanshyam7136
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptxMaritesTamaniVerdade
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - Englishneillewis46
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxEsquimalt MFRC
 

Recently uploaded (20)

Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdfVishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
Vishram Singh - Textbook of Anatomy Upper Limb and Thorax.. Volume 1 (1).pdf
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 

The security phoenix - from the ashes of DEV-OPS Appsec California 2020

  • 1. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) The Security Phoenix raises from DEV-OPS ashes APPSEC California 2020 @FrankSEC42 From DEV-OPS Security raises in DEV-SEC-OPS-BIZ-RISK-GOV https://uk.linkedin.com/in/fracipo PUBLIC
  • 2. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) Agenda About the author Conclusions Q&A Security Phoenix – Scanners Triage and Visualizers Security Phoenix – People & Trust + Verify Evolution of DEVOPS in Security Phoenix Context @FrankSEC42 Security Phoenix – Maturity Matrix & Education PUBLIC Security Phoenix – Visibility Problem Security Phoenix – The cake and traceability problem
  • 3. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo About the Francesco 3 Francesco Cipollone Founder – NSC42 LTD I’m a CISO and a CISO Advisor, Cybersecurity Cloud Expert. Speaker, Researcher and Chair of Cloud security Alliance UK, Researcher and associate to ISC2. I’ve been helping organizations define and implement cybersecurity strategies and protect their organizations against cybersecurity attacks Website Articles NSC42 LinkedIn Security is everybody’s job We need to make security cool and frictionless Copyright © NSC42 Ltd 2019 Email@FrankSec42 Fracipo Linkein PUBLIC
  • 4. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo What the hek is DEV-SEC-OPS? 4 What kind of animal is the DEV-SEC-OPS? Integrate security into the OPS team (and add a spark of BIZ) PUBLIC DEV-OPS+ SEC
  • 5. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Anatomy of a phoenix 5 What Are the core pillars of Security Pheonix Secure Operate Secure Design Build & Test People & Education Governance & Risk mng PUBLIC
  • 6. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 6 PUBLIC Why do we worry about security? The Problem Landscape
  • 7. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Major Breaches 7 PUBLIC 2009/ 2010 2012 Microsoft Heartland US Military Aol TJMax 2013 2016 2017 2014 2015 2018 Sony PSN NHS Betfair Steam Deep Root IRS Anthem Dropbox Lastfm Blizzard Marriot Twitter MyHeritage Uber Quora.. Why fixing Security Vulnerabilities is everybody’s job? Equifax Myspace Twitter Yahoo Linkedin Friend Finder Dailymotion Mossack Fonseca JP Morgan Home Depo Ebay Yahoo(orignal) US Retailers Adobe UbiSoft Court Ventures 2012 2019 … …because we all get affected by it
  • 8. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Major Breaches 8 PUBLIC Image Credit Information is Beautiful
  • 9. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 9 PUBLIC From Dev to prod and cakes The Visibility Problem
  • 10. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Understanding the room you walk in – Asset Register 10
  • 11. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo To understand shine a light 11
  • 12. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Better to have full visibility 12
  • 13. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 13 PUBLIC The software security cake The Problem Traceability Problem
  • 14. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo So how we do it? Easy as baking a cake 14
  • 15. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Road to Production: the cake analogy 15 The Objective of the various areas are • Ingredients • Recipe • Stock List (asset Register) Design Operate The Objective of the various areas are • Sell The cake • Restock the cake on the shelf Build/Test The Objective of the various areas are • Combine ingredients (libraries+Code) • Bake the cake • Test the cake Security Design Act as Health Inspector • Verify Ingredients are not mouldy • Verify Recipe does not contain poison • Stock List (asset Register) – verify the component used in the cake are genuine Act as Health Inspector • That the cake is made up of genuine ingredients (from asset register) • Test the cake for mould Security Build & Test Act as Health Inspector • Verify Cake on the shop are made of genuine ingredients (from asset register) • Verify expiry data of Cake • Test the cake for mould Secure Operate PUBLIC
  • 16. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Fixing Vulnerability the ABC…D 16 D – Respond/recover (Fix Vulnerability) 7 – Schedule Vuln Fixes (Jira) 7 – Fix Vuln & measure (quarterly) C – Visualize Vulnerabilities (Display) Reporting Dashboards (based on the maturity & KPI) Link the trending to Build vs FIX, Vuln trending, B – Detect (Scan Code) Select Team Leads and identify security champions Get security Scanners (SAST/DAST) Onboard and teach how to triage Create a Vulnerability Data lake (results of the vulnerabilities) A - IDentify (Software Asset Register) Software you build (repositories) Software You buy Trace Completeness across all the application you have Asset Register for Vulnerability Data Lake KPI Reporting & Dashboard Prioritizing & Vulnerability Reduction Outcome PUBLIC
  • 17. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Vulnerability management Lifecycle Discover 01 02 03 04 05 06 Vuln Mngmn Lifecycle Software Asset Register Scan Code/Infra/network Triage/ Assess Triage & identify False Positives Tweak Scan Profiles Prioritize Visualize Prioritize vuln (Start Easy) Network Location Exploitability … Graph – Up/down trending of prj Build vs FIX Time to Fix Remediate/ Risk Verify Fix Code and redeploy in test Test implemented Fix
  • 18. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 18 PUBLIC The Software Asset Register The Appsec Lifecycle & Shift Left
  • 19. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Asset Register Part A 19 DEV Security Production Security Scanning Vuln SAST Library IAST MAST Visualizing Vuln Prod DEV BuildvsFix VulnTrending Risk Remediation P CodeFix LibUpgrade Patching DAST Resolution NEWCode NEWLib Applied Patches Triaging Vuln FalsePositives Impact Exploitability NetLocation AggregationLayer API/AutomationLayer Refine/Enrich Risk Assess/Prioritize API/AutomationLayer Assets Code YOU Own Approved 3rd party Black Box Open Source Approved Approved Libraries/Repo Pipeline of ‘new’ Open Source Approved New Code being Considered New Repo/ Libraries Eval of 3rd Party PUBLIC
  • 20. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Git to People: Who does what where Visualizer 20 DEV Security Production Security git ls-tree -r -z --name-only HEAD -- update- tools-mac.sh | xargs -0 -n1 git blame --line- porcelain HEAD |grep "^author "|sort|uniq - c|sort -nr For Every Repo List of committers E-Mail/HR DB Build vs FIX & Tickets App scan? PUBLIC
  • 21. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 21 PUBLIC How to Embed DEV-SEC-OPS The People & Technology part
  • 22. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo What do you get out of Security Phoenix? 22 1. Visualize and Fix Vulnerability at scale and pace (DEV & Ops) 2. Trust the Product team but keep them accountable: Trust & Verify & License to Operate 3. Maturity & Recap PUBLIC
  • 23. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects – Part B 23 DEV Security Production Security Scanning Vuln SAST Library IAST MAST Visualizing Vuln Prod DEV BuildvsFix VulnTrending Risk Remediation P CodeFix LibUpgrade Patching DAST Resolution NEWCode NEWLib Applied Patches Triaging Vuln FalsePositives Impact Exploitability NetLocation AggregationLayer API/AutomationLayer Refine/Enrich Risk Assess/Prioritize API/AutomationLayer Assets Code YOU Own Approved 3rd party Black Box Open Source Approved Approved Libraries/Repo Pipeline of ‘new’ Open Source Approved New Code being Considered New Repo/ Libraries Eval of 3rd Party PUBLIC
  • 24. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects -> Under the hood 24 PUBLIC Repositories Build/Staging/UAT/ Test Environments Scanner for Code Scanner for Build Dashboards For SAST DEV Dashboard Scanner for Test Dashboard Build/ Test Production Prod Scnner Dashboards PROD Dashboards Development-Testing Production Scanner for prod Triage the vulnerabilities Scan At various Stages Scanners to Tickets or aggregators DEV Security Production Security SET Targets For Prod & DEV Vuln
  • 25. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects – Part C 25 DEV Security Production Security Scanning Vuln SAST Library IAST MAST Visualizing Vuln Prod DEV BuildvsFix VulnTrending Risk Remediation P CodeFix LibUpgrade Patching DAST Resolution NEWCode NEWLib Applied Patches Triaging Vuln FalsePositives Impact Exploitability NetLocation AggregationLayer API/AutomationLayer Refine/Enrich Risk Assess/Prioritize API/AutomationLayer Assets Code YOU Own Approved 3rd party Black Box Open Source Approved Approved Libraries/Repo Pipeline of ‘new’ Open Source Approved New Code being Considered New Repo/ Libraries Eval of 3rd Party PUBLIC
  • 26. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects 26 DEV Security Production Security PUBLIC
  • 27. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects 27 PUBLIC Example of a dashboard for Vulnerability Visualization DEV Security Production Security
  • 28. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects - Part D fix 28 DEV Security Production Security Scanning Vuln SAST Library IAST MAST Visualizing Vuln Prod DEV BuildvsFix VulnTrending Risk Remediation P CodeFix LibUpgrade Patching DAST Resolution NEWCode NEWLib Applied Patches Triaging Vuln FalsePositives Impact Exploitability NetLocation AggregationLayer API/AutomationLayer Refine/Enrich Risk Assess/Prioritize API/AutomationLayer Assets Code YOU Own Approved 3rd party Black Box Open Source Approved Approved Libraries/Repo Pipeline of ‘new’ Open Source Approved New Code being Considered New Repo/ Libraries Eval of 3rd Party PUBLIC
  • 29. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Triaging Vulnerabilities 29 DEV Security Production Security Security Scanners Potential Defects Triage Real Defects Vuln Scoring Is it a false positive? PODs DEV Sec Champion Risk Person Lead Appsec Sec Arch SupportFunctions PODs DEV Sec Champion Risk Person Lead Appsec Sec Arch Support Functions OS Framework Library Code 3rd Party DefectTypes Prioritized Vulnerabilities Can they be fixed? RiskWork Ticket Yes No Threat Modelling Prioritized Vulnerability (with Context) Compensating Control Increased Impact/ Probability NoYesMitigation BIA - Impact Exploitability - Likelyhood PODs DEV Sec Champion Risk person Lead Appsec Sec Arch SupportFunctions How exploitable? Maturity Level Maturity level PUBLIC
  • 30. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo What do you get out of Security Phoenix? 30 1. Visualize and Fix Vulnerability at scale and pace (DEV & Ops) 2. Trust the Product team but keep them accountable: Trust & Verify & License to Operate 3. Maturity & Recap PUBLIC
  • 31. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Trust & Verify Core – Fast & Confident – Core Concepts 31 Going fast but with confidence (SEC) 1. Trust & Verify 2. License to operate/code >> Set Thresholds: Bild vs Fix, Vulnerability trending People & Education PUBLIC
  • 32. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Trust & Verify – Under the hood 32 Learning & Education Build vs FIX Target Application Security Scanners Production Dashboard Development Dashboard Job Queue Defects Bugs New Features Am I compliant with Code Defects Target ? Triage & Vulnerability Per applicationDay to day fix or build Code 3rd parties Components (FOSS + Libraries) Engeneers & Developers DEV-SEC-OPS Application Group (unit that works on one or more application) DEV Test Prod nt to prod he License erate Engeneers & Developers Application/ Product Owner Security Champion Security Architect Security Vulnerabilities Bugs& Errors NEWFeatures Thresholds Vulnerability Targets (Quarter) Phoenix Aggregator DB License to operate PUBLIC
  • 33. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Trust & Verify Key concepts - Summary 33 Developer can operate fast and deploy if they have a license 1. Trust your developers and apply a ‘license to operate’ 2. Apply governance (light and heavy weight) 3. Visualize and keep everyone accountable 4. Make security resource available to the developers and document the fixes PUBLIC
  • 34. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Security Education in DEV-SEC-OPS 34 1. Awareness Training For your users 2. Craft Training based on the scanner (faults) data 3. Education on the job – What good looks like 4. Make the training entertaining (CTF and Rewards) Security Education Education: PUBLIC
  • 35. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 35 PUBLIC Bringing all together Maturity Model & Recap
  • 36. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo What do you get out of Security Phoenix? 36 1. Visualize and Fix Vulnerability at scale and pace (DEV & Ops) 2. Trust the Product team but keep them accountable: Trust & Verify & License to Operate 3. Maturity & Recap PUBLIC
  • 37. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo To Achieve High Maturity what do you do 37 PUBLIC DEV Security Production Security Mat urity Task How much 1 No Peer Review 1 No Code Scanning 1 No library update 1 No risk management 1 No visibility on vulnerabilities 1 No knowledge of pods 1 No team to pod mapping 1 No Documentation of Fixes 2 Peer Revew 2 Team to Pod to Stash recorded 2 Onboarded application on code scanners 2 Libray scanning 2 triage of vulnerabilities (base) - Consider only high medium and low 2 Manual Evaluation of team and Allocation of Licence to Operate 2 No SLA 2 No Documentaiton 2 Adoption Dashboard 3 Peer Review with Toolset 3 Updated Teams and asset register 3 Basic Triage of vulnerabilities 3 Code Scan with Pipeline Break & Basic SLA 3 Adoption Dashboard (advanced) Per A.C. and Per Region 3 Risk Assessment from code scanning with record in Risk management Register 3 Automated Licence to operate: Code Scanning, Libraries, Internal Training 4 Fix time of vulnerabilities recorded 4 T-Shirt Sizing of fixes and Adaptation of SLA based on fixes 4 Visualization of pod to fix 4 segmentation dev and prod 4 Fix ticket in Jira & Build vs Fix Concept 4 Fuzzing (basic with generic per app) 5 Automated Licence to operate: Code Scanning, Libraries, Internal Training, Build Vs Fix 5 Automated Fuzzing & Library of tests Level 1 Level 2 Level 3 Level 4 Level 5 Intial Manage d Defined Quantitatively Managed Optimized Security Design AS-IS->TO- BE Security Design Governance AS-IS TO-BE Security Build & Test AS-IS TO-BE Security Operate AS-IS-> TO-BE Appsec Security Education AS-IS TO-BE Application Security Risk Management AS-IS TO-BE Reporting Frequency KCI Mat rutiy Build/Test Prereq -> 0 Who is working on which repository Monthly 1 Team On-boarded on scanners (per pod) Monthly 1 Code Scanning Frequency per project (min 1 per week) Monthly 1 Dashboard for Scanners created Monthly 2 Number of vulnerabilities ticket recorded Weekly 2 Dashboard for vulnerabilities - Onboarded Projects Weekly 2 Vulnerability Fixed (quarter) Monthly/ Quarterly Checks 3 Project imported in Kennar and Enriched Vulnerabilities (kennar) Monthly 3 Projects breaching the Build vs Fix target Monthly/ Quarter Checks 4 Fixes per thematic in SLA Monthly 4 SLA for Fixes (breached/achieved) Monthly 4 Team Achieving Licence to operate and Out of the licence Monthly 5 Build vs fix Monthly 5 Licence to operate Monthly Overall Maturity Maturity Steps KCI
  • 38. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Fixing Vulnerability the ABC…D 38 D – Respond/recover (Fix Vulnerability) 7 – Schedule Vuln Fixes (Jira) 7 – Fix Vuln & measure (quarterly) C – Visualize Vulnerabilities (Display) Reporting Dashboards (based on the maturity & KPI) Link the trending to Build vs FIX, Vuln trending, B – Detect (Scan Code) Select Team Leads and identify security champions Get security Scanners (SAST/DAST) Onboard and teach how to triage Create a Vulnerability Data lake (results of the vulnerabilities) A - IDentify (Software Asset Register) Software you build (repositories) Software You buy Trace Completeness across all the application you have Asset Register for Vulnerability Data Lake KPI Reporting & Dashboard Prioritizing & Vulnerability Reduction Outcome PUBLIC
  • 39. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Application Security Scanners Production Dashboard Development Dashboard Job Queue Defects Bugs New Features Am I compliant with Code Defects Target ? Am i still compliant with Overall Build vs FIX Targets ? Triage & Vulnerability Per applicationDay to day fix or build Code 3rd parties Components (FOSS + Libraries) Engeneers & Developers DEV-SEC-OPS Application Group (unit that works on one or more application) DEV Test Prod Deployment to prod Relies on the License to Operate Engeneers & Developers Application/ Product Owner Security Champion Security Architect Security Vulnerabilities Bugs& Errors NEWFeatures Thresholds Trust & Verify Framework 39 Learning & Education PUBLIC
  • 40. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Conclusion 40 - Trust And Verify - Vulnerability Management every day life - Automation vs people aspect – is a transformation - Data Driven Education - Governance at scale Does develops have a single solution? Security is everybody’s job PUBLIC
  • 41. Every 2 weeks 1.30 PM UK Time Cyber #MentoringMonday Podcast @FrankSEC42 PUBLIC
  • 42. Cyber Security Awards 2020 Cloud Security Influencer of the Year Submission – 10 of May 2020 (TBD) Ceremony 4 July 2020 #CYSECAWARDS20 https://cybersecurityawards.com/ https://cloudsecurityalliance.org.uk Submit: info@cybersecurityawards.com Info: Francesco.Cipollone@cloudsecurityalliance.org.ukPUBLIC
  • 43. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Q&A 43 PUBLIC
  • 44. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Contacts 44 Get in touch: https://uk.linkedin.com/in/fracipo Francesco.cipollone (at) nsc42.co.uk www.nsc42.co.uk Thank you WHEN YOU ARE CYBERSAFE WE ARE CYBERHAPPY @FrankSEC42 PUBLIC