SlideShare une entreprise Scribd logo

Taking AppSec to 11 - BSides Austin 2016

M
Matt Tesauro

This document summarizes Matt Tesauro's presentation "Taking AppSec to 11" given at Bsidess Austin 2016. The presentation discusses implementing application security (AppSec) pipelines to improve workflows and optimize critical resources like AppSec personnel. Key points include automating repetitive tasks, driving consistency, increasing visibility and metrics, and reducing friction between development and AppSec teams. An AppSec pipeline provides a reusable and consistent process for security activities to follow through intake, testing, and reporting stages. The goal is to optimize people's time spent on customization and analysis rather than setup and configuration.

Internet
1  sur  73
Télécharger pour lire hors ligne
Taking AppSec to 11 AppSec Pipelines, DevOps, and Making Things Better. BSidess Austin 2016 Matt Tesauro, Infinitiv
Assembly Lines
The Phoenix Project 3 Ways of DevOps Strategies for Improving Operations
#1 - Workflow Look at your purpose and those processes which aid it
Timeline Business Operations Customer Flow [rate] – the speed work goes through the process Development
#1 Workflow First of the three ways - Each Step Repeatable - Never Pass on Defects - Local optimizations with a global view
AppSec Pipelines Figuring out your workflow
AppSec Pipelines
Key Features of AppSec Pipelines ◇ Designed for iterative improvement ◇ Provides a reusable path for AppSec activities to follow ◇ Provides a consistent process for both the team and our constituency ◇ One way flow with well-defined states ◇ Relies heavily on automation ◇ Grow in functionality organically over time ◇ Gracefully interconnects with the development process
Pearson AppSec Pipeline
Integrating into the DevOps Pipeline DevOps Pipeline AppSec Pipeline
“ Spending time optimizing anything other than the critical resource is an illusion. W. Edwards Deming
Key Goals of AppSec Pipelines ◇ Optimize the critical resource - AppSec personnel ■ Automate all the things that don’t require a human brain ■ Drive up consistency ■ Increase tracking of work status ■ Increase flow through the system ■ Increase visibility and metrics ■ Reduce any dev team friction with application security
Pipeline - Intake ◇ “First Impression” ◇ Major categories of Intake ■ Existing App ■ New App ■ Previously tested App ■ App to re-test findings ◇ Key Concepts ■ Ask for data about Apps only once ■ Have data reviewed when an App returns ■ Adapt data collected based on broad categories of Apps
Pipeline - Testing ◇ Inbound request triage ◇ Ala Carte App Sec ■ Dynamic Testing ■ Static Testing ■ Re-Testing mitigated findings ■ Mix and match based on risk ◇ Key Concepts ■ Activities can be run in parallel ■ Automation on setup, configuration, data export ◇ People focus on customization rather than setup
Pipeline - Testing ◇ Results from your CI/CD could flow into Threadfix from build Pipeline ◇ Gauntlt runs results could also flow into the AppSec Pipeline ◇ Choose the tools that make sense for you organization
Pipeline - Deliver ◇ Source of truth for all AppSec activities ◇ ThreadFix is used to ■ Dedup / Consolidate findings ■ Normalize scanner data ■ Generate Metrics ■ Push issues to bug trackers ◇ Report and metrics automation ■ REST + tfclient ◇ Source of many touch points with external teams
◇ Allow us to have visibility into WIP ◇ Better understand/track/optimize flow of engagements ◇ Average static test takes ... ◇ Great increase in consistency ◇ Easier re-allocation of engagements between staff ◇ Each step has a well defined interface ◇ Knowing who has what allows for more informed “cost of switching” conversations ◇ Flexible enough for a range of skills and app maturity Why we like AppSec Pipelines
~5x increase 2014 44 assessments 2015 ~200 assessments Changes from 2014 to 2015: - Created the AppSec Pipeline - initial launch in March 2015 - AppSec team numbers dropped - lost a couple of key people approx 3.5 FTEs - Two of the AppSec team members went meta for most of 2015
Bag of Holding aka BoH github.com/PearsonEducation/bag-of-holding
◇ Manages the Application Security Program ◇ Application Repository ◇ Engagement Tracking ◇ Report Repository ◇ Comments on any application, engagement or activity ◇ Data Classification and PII data ◇ Time taken on secure software activities ◇ Historical knowledge of past assessments ◇ Credential repository ◇ Environment details What does BoH do?
Scheduling of Secure Software Activities
Application Repository
Application Security Profile
Defect Dojo ◇ DefectDojo is a tool created by the Security Engineering team at Rackspace to track testing efforts. ◇ Streamlines the testing process by offering features such as templating, report generation, metrics, and baseline self-service tools. ◇ Though it was designed with security folks in mind, there is nothing keeping QA/QE testers, or any other testers for that matter, from using it productively. ◇ https://github.com/rackerlabs/django-DefectDojo
Now with more OWASP!
Open yourself to upstream and downstream information #2 - Improve Feedback
AppSec ChatOps aka Will
Your command line where you have your conversations.
AppSec Help
AppSec Advice
Threadfix Integration And more: • Create an Application • Get Summary Metrics for AppSec Program
BOH/Threadfix/Static Integration Setup recurring static analysis in about 10 minutes!
Create a culture of innovation and experimentation #3 - Continual Experimentation & Learning
“I fear not the man who has practiced ten thousand kicks once, but I fear the man who has practiced one kick ten thousand times.”
Dev & AppSec Tool Integration OWASP ZAP Proxy BuildManageCode Store RAPTOR Deploy OWASP ZAP Proxy *Not a comprehensive list. The OWASP DevOps AppSec Pipeline will have a complete listing.
Demo Time A quick bit of show and tell...
Key Take Aways ◇ Automate, automate, automate ■ Look for “paper cuts” and fix those first ◇ Finding workflow – your AppSec Pipeline ■ Figure this out and standardize / optimize ◇ Create systems which can grow organically ■ App is never done, it’s just created to easily be added to over time ■ e.g. Finding blocks become templates for next report ◇ Learn to talk “dev”
Thanks! Matt Tesauro @matt_tesauro matt.tesauro@infinitiv.io matt.tesauro@owasp.org /in/matttesauro github.com/mtesauro
Resources Exercises left to the student
Orchestration ◇ Integrate Security Tools and Workflow Example: ◇ Generic API for dynamic scanning ■ URL ■ Credentials ■ Profile ■ Call any Dynamic Scanner: ○ OWASP ZAP ○ BurpSuite ○ AppScan
Gauntlt ◇ Open source, MIT License ◇ Gauntlt comes with pre-canned steps that hook security testing tools ◇ Gauntlt does not install tools ◇ Gauntlt wants to be part of the CI/CD pipeline ◇ Be a good citizen of exit status and stdout/stderr
Tiaga ◇ Project Management Software ■ Focused on usability and speed ■ Kanban / Scrum ■ Backlog ■ Tasks ■ Sprints ■ Issues ■ Wiki ◇ Open Source – Python / Django app ■ Entire functionality is driven by a REST API !! ■ https://taiga.io/
Defect Dojo ◇ DefectDojo is a tool created by the Security Engineering team at Rackspace to track testing efforts. ◇ Streamlines the testing process by offering features such as templating, report generation, metrics, and baseline self-service tools. ◇ Though it was designed with security folks in mind, there is nothing keeping QA/QE testers, or any other testers for that matter, from using it productively. ◇ https://github.com/rackerlabs/django-DefectDojo
Experimentation Kick things up a notch
Findings directly to bug trackers ◇ PDFs are great, bugs are better ◇ Security issues are now part of the normal work flow ◇ ThreadFix is nice for pumping issues into defect trackers - http://code.google.com/p/threadfix/
For the reticent: nag, nag, nag ◇ Attach a SLA to each severity level for findings ◇ Walk up the Org chart as things get older ◇ Bonus points for dashboards and defect tracker APIs ◇ Get management sold first
Agent – one mole to rule them all ◇ Add an agent to the standard deploy ◇ Add a dashboard to visualize state of infrastructure ◇ Roll your own or find a vendor Mozilla MIG
Turn Vuln Scanning on its Head ◇ Add value for your Ops teams ◇ Roll your own or find a vendor ◇ Reverse the scan then report standard
Related Presentations AppSec EU 2015 – Ops Track Keynote http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu https://www.youtube.com/watch?v=tDnyFitE0y4 AppSec EU 2015 – Building an AppSec Pipeline http://www.slideshare.net/weaveraaaron/building-an-appsec- pipeline-keeping-your-program-and-your-life-sane https://www.youtube.com/watch?v=1CDSOSl4DQU
Books to Read
#1 Workflow Each Step Repeatable ◇ Remove all haphazard and ad hoc work from the process ◇ Scripting languages are your friends ◇ Config Mgmt – Puppet, Chef, Salt, Ansible, CFEngine ◇ Make sure what you do can be done on 1 server or 10,000 servers
#1 Workflow Never Pass on Defects ◇ Test early and often ◇ Increase the rigor of testing as you work left to right ◇ When a failure occurs end that flow and start a new one after corrections ◇ The further right you are, the more expensive failure is so concentrate your early work on left side (intake) ◇ In AppSec, defects are false positives
#1 Workflow Local optimizations with a global view ◇ Ensure no single-step optimizations degrade the overall performance of the workflow ◇ Find the bottleneck in your workflow and start there ■ Upstream changes will just back things up ■ Downstream changes won't manifest since input is limited ◇ Each new optimization creates a new bottleneck ■ Iterate on this!
“ Spending time optimizing anything other than the critical resource is an illusion.
W. Edwards Deming
Japan's post-war miracle
Henry Ford in a field: http://henryfordgiantdifferenceaward.weebly.com/works-cited.html Assembly Lines: http://www.pictofcar.website/henry-ford-assembly-line-diagram/ http://www.fasttrackteaching.com/burns/Unit_3_Industry/U3_Ford.html http://en.wikipedia.org/wiki/Assembly_line http://actionspeaksradio.org/tag/henry-ford/ http://blogs.internetautoguide.com/6582595/manufacturing/henry-ford-didnt-invent-the-assembly-line- ransom-e-olds-did/index.html W. Edward Deming http://www.motortrend.com/features/consumer/1005_30_who_count/photo_04.html Japan's Post War Miracle http://www2.fultonschools.org/teacher/robertsw1/thursday.nov1.htm http://dylewski.com.pl/menu-boczne/iluzja-pieniadza/usa-vs-japonia/ http://en.wikipedia.org/wiki/Japanese_post-war_economic_miracle Image References
Thomas Edison: http://www.allposters.com/-sp/Thomas-Edison-Posters_i1859026_.htm Food line: http://www.slideshare.net/weaveraaaron/building-an-appsec-pipeline-keeping-your-program-and-your-life- sane Phoenix Project Book Cover: https://puppetlabs.com/blog/why-we-need-devops-now Goes to 11: https://arturogalletti.files.wordpress.com/2010/12/spinaltap.jpg Image References
What’s this? This is a free presentation template for Google Slides designed by SlidesCarnival. We believe that good design serves to better communicate ideas, so we create free quality presentation templates for you to focus on the content. Enjoy them at will and share with us your results at: twitter.com/SlidesCarnival facebook.com/slidescarnival About this template How can I use it? Open this document in Google Slides (if you are at slidescarnival. com use the button below this presentation) You have to be signed in to your Google account ◇ Edit in Google Slides Go to the File menu and select Make a copy. You will get a copy of this document on your Google Drive and will be able to edit, add or delete slides. ◇ Edit in Microsoft PowerPoint® Go to the File menu and select Download as Microsoft PowerPoint. You will get a .pptx file that you can edit in PowerPoint. Remember to download and install the fonts used in this presentation (you’ll find the links to the font files needed in the Presentation design slide) This template is free to use under Creative Commons Attribution license. If you use the graphic assets (photos, icons and typographies) provided with this presentation you must keep the Credits slide.

Recommandé

Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterMatt Tesauro
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt Tesauro
 
Dev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroDev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroMatt Tesauro
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestMatt Tesauro
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramAppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramMatt Tesauro
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeLessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeMatt Tesauro
 
AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015Matt Tesauro
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauroMatt Tesauro
 

Recommandé

Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterMatt Tesauro
 
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...
Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Li...Matt Tesauro
 
Dev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroDev ops hackformers-matt-tesauro
Dev ops hackformers-matt-tesauroMatt Tesauro
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestMatt Tesauro
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramAppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec ProgramMatt Tesauro
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeLessons from DevOps: Taking DevOps practices into your AppSec Life
Lessons from DevOps: Taking DevOps practices into your AppSec LifeMatt Tesauro
 
AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015Matt Tesauro
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauroMatt Tesauro
 
AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityMatt Tesauro
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineMatt Tesauro
 
DevOps AppSec Pipeline Velcocity NY 2015
DevOps AppSec Pipeline Velcocity NY 2015DevOps AppSec Pipeline Velcocity NY 2015
DevOps AppSec Pipeline Velcocity NY 2015Aaron Weaver
 
DevOps, CLI, APIs, Oh My! Security Gone Agile
DevOps, CLI, APIs, Oh My! Security Gone AgileDevOps, CLI, APIs, Oh My! Security Gone Agile
DevOps, CLI, APIs, Oh My! Security Gone AgileMatt Tesauro
 
Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Matt Tesauro
 
Automating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDAutomating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDrkadayam
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam
 
OSMC 2015: Monitoring at Spotify-When things go ping in the night by Martin Parm
OSMC 2015: Monitoring at Spotify-When things go ping in the night by Martin ParmOSMC 2015: Monitoring at Spotify-When things go ping in the night by Martin Parm
OSMC 2015: Monitoring at Spotify-When things go ping in the night by Martin ParmNETWAYS
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneweaveraaaron
 
Connect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API ProtectionConnect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API ProtectionDevOps.com
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramDenim Group
 
SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6Dinis Cruz
 
How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks Ulf Mattsson
 
we45 - SecDevOps Concept Presentation
we45 - SecDevOps Concept Presentationwe45 - SecDevOps Concept Presentation
we45 - SecDevOps Concept PresentationAbhay Bhargav
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating SecurityAlex Stamos
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsDicodingEvent
 
Building a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationBuilding a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationZane Lackey
 
DevOps: Cultural and Tooling Tips Around the World
DevOps: Cultural and Tooling Tips Around the WorldDevOps: Cultural and Tooling Tips Around the World
DevOps: Cultural and Tooling Tips Around the WorldDynatrace
 
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are SecureSecurity & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are SecurePuppet
 
Embracing the Rise of SecDevOps
Embracing the Rise of SecDevOpsEmbracing the Rise of SecDevOps
Embracing the Rise of SecDevOpsTom Cappetta
 
ContainerCon - Test Driven Infrastructure
ContainerCon - Test Driven InfrastructureContainerCon - Test Driven Infrastructure
ContainerCon - Test Driven InfrastructureYury Tsarev
 
BsidesMCR_2016-what-can-infosec-learn-from-devops
BsidesMCR_2016-what-can-infosec-learn-from-devopsBsidesMCR_2016-what-can-infosec-learn-from-devops
BsidesMCR_2016-what-can-infosec-learn-from-devopsJames '​-- Mckinlay
 

Contenu connexe

Tendances

AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityMatt Tesauro
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineMatt Tesauro
 
DevOps AppSec Pipeline Velcocity NY 2015
DevOps AppSec Pipeline Velcocity NY 2015DevOps AppSec Pipeline Velcocity NY 2015
DevOps AppSec Pipeline Velcocity NY 2015Aaron Weaver
 
DevOps, CLI, APIs, Oh My! Security Gone Agile
DevOps, CLI, APIs, Oh My! Security Gone AgileDevOps, CLI, APIs, Oh My! Security Gone Agile
DevOps, CLI, APIs, Oh My! Security Gone AgileMatt Tesauro
 
Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Matt Tesauro
 
Automating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDAutomating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDrkadayam
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam
 
OSMC 2015: Monitoring at Spotify-When things go ping in the night by Martin Parm
OSMC 2015: Monitoring at Spotify-When things go ping in the night by Martin ParmOSMC 2015: Monitoring at Spotify-When things go ping in the night by Martin Parm
OSMC 2015: Monitoring at Spotify-When things go ping in the night by Martin ParmNETWAYS
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneweaveraaaron
 
Connect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API ProtectionConnect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API ProtectionDevOps.com
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramDenim Group
 
SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6Dinis Cruz
 
How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks Ulf Mattsson
 
we45 - SecDevOps Concept Presentation
we45 - SecDevOps Concept Presentationwe45 - SecDevOps Concept Presentation
we45 - SecDevOps Concept PresentationAbhay Bhargav
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating SecurityAlex Stamos
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsDicodingEvent
 
Building a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationBuilding a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationZane Lackey
 
DevOps: Cultural and Tooling Tips Around the World
DevOps: Cultural and Tooling Tips Around the WorldDevOps: Cultural and Tooling Tips Around the World
DevOps: Cultural and Tooling Tips Around the WorldDynatrace
 
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are SecureSecurity & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are SecurePuppet
 
Embracing the Rise of SecDevOps
Embracing the Rise of SecDevOpsEmbracing the Rise of SecDevOps
Embracing the Rise of SecDevOpsTom Cappetta
 

Tendances (20)

AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based Security
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec Pipeline
 
DevOps AppSec Pipeline Velcocity NY 2015
DevOps AppSec Pipeline Velcocity NY 2015DevOps AppSec Pipeline Velcocity NY 2015
DevOps AppSec Pipeline Velcocity NY 2015
 
DevOps, CLI, APIs, Oh My! Security Gone Agile
DevOps, CLI, APIs, Oh My! Security Gone AgileDevOps, CLI, APIs, Oh My! Security Gone Agile
DevOps, CLI, APIs, Oh My! Security Gone Agile
 
Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program Building a Secure DevOps Pipeline - for your AppSec Program
Building a Secure DevOps Pipeline - for your AppSec Program
 
Automating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CDAutomating OWASP Tests in your CI/CD
Automating OWASP Tests in your CI/CD
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
OSMC 2015: Monitoring at Spotify-When things go ping in the night by Martin Parm
OSMC 2015: Monitoring at Spotify-When things go ping in the night by Martin ParmOSMC 2015: Monitoring at Spotify-When things go ping in the night by Martin Parm
OSMC 2015: Monitoring at Spotify-When things go ping in the night by Martin Parm
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
 
Connect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API ProtectionConnect Ops and Security with Flexible Web App and API Protection
Connect Ops and Security with Flexible Web App and API Protection
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6SecDevOps Risk Workflow - v0.6
SecDevOps Risk Workflow - v0.6
 
How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks
 
we45 - SecDevOps Concept Presentation
we45 - SecDevOps Concept Presentationwe45 - SecDevOps Concept Presentation
we45 - SecDevOps Concept Presentation
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating Security
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
 
Building a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationBuilding a Modern Security Engineering Organization
Building a Modern Security Engineering Organization
 
DevOps: Cultural and Tooling Tips Around the World
DevOps: Cultural and Tooling Tips Around the WorldDevOps: Cultural and Tooling Tips Around the World
DevOps: Cultural and Tooling Tips Around the World
 
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are SecureSecurity & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
 
Embracing the Rise of SecDevOps
Embracing the Rise of SecDevOpsEmbracing the Rise of SecDevOps
Embracing the Rise of SecDevOps
 

En vedette

ContainerCon - Test Driven Infrastructure
ContainerCon - Test Driven InfrastructureContainerCon - Test Driven Infrastructure
ContainerCon - Test Driven InfrastructureYury Tsarev
 
BsidesMCR_2016-what-can-infosec-learn-from-devops
BsidesMCR_2016-what-can-infosec-learn-from-devopsBsidesMCR_2016-what-can-infosec-learn-from-devops
BsidesMCR_2016-what-can-infosec-learn-from-devopsJames '​-- Mckinlay
 
SREcon 2016 Performance Checklists for SREs
SREcon 2016 Performance Checklists for SREsSREcon 2016 Performance Checklists for SREs
SREcon 2016 Performance Checklists for SREsBrendan Gregg
 
Five steps to Continuous Delivery
Five steps to Continuous DeliveryFive steps to Continuous Delivery
Five steps to Continuous DeliveryMarko Klemetti
 
DevOps by examples - DevOps@Work 2017
DevOps by examples - DevOps@Work 2017DevOps by examples - DevOps@Work 2017
DevOps by examples - DevOps@Work 2017Giulio Vian
 
SPOF - Single "Person" of Failure
SPOF - Single "Person" of FailureSPOF - Single "Person" of Failure
SPOF - Single "Person" of FailureSasha Rosenbaum
 
Chaos patterns - architecting for failure in distributed systems
Chaos patterns - architecting for failure in distributed systemsChaos patterns - architecting for failure in distributed systems
Chaos patterns - architecting for failure in distributed systemsJos Boumans
 
Un-broken Logging - Operability.io 2015 - Matthew Skelton
Un-broken Logging - Operability.io 2015 - Matthew SkeltonUn-broken Logging - Operability.io 2015 - Matthew Skelton
Un-broken Logging - Operability.io 2015 - Matthew SkeltonSkelton Thatcher Consulting Ltd
 
A Coherent Discussion About Performance
A Coherent Discussion About PerformanceA Coherent Discussion About Performance
A Coherent Discussion About PerformanceTheo Schlossnagle
 
Monitoring Is Never Done
Monitoring Is Never DoneMonitoring Is Never Done
Monitoring Is Never DoneMelanie Cey
 
Devops and Immutable infrastructure - Cloud Expo 2015 NYC
Devops and Immutable infrastructure - Cloud Expo 2015 NYCDevops and Immutable infrastructure - Cloud Expo 2015 NYC
Devops and Immutable infrastructure - Cloud Expo 2015 NYCJohn Willis
 
Test Automation In The Hands of "The Business"
Test Automation In The Hands of "The Business"Test Automation In The Hands of "The Business"
Test Automation In The Hands of "The Business"Greg Tutunjian
 
Time to say goodbye to your Nagios based setup
Time to say goodbye to your Nagios based setupTime to say goodbye to your Nagios based setup
Time to say goodbye to your Nagios based setupCheck my Website
 
Production testing through monitoring
Production testing through monitoringProduction testing through monitoring
Production testing through monitoringLeon Fayer
 
Continuous Delivery Tools Collaboration Conways Law - QCon London - Matthew S...
Continuous Delivery Tools Collaboration Conways Law - QCon London - Matthew S...Continuous Delivery Tools Collaboration Conways Law - QCon London - Matthew S...
Continuous Delivery Tools Collaboration Conways Law - QCon London - Matthew S...Skelton Thatcher Consulting Ltd
 
Metrics to Power DevOps
Metrics to Power DevOps Metrics to Power DevOps
Metrics to Power DevOpsCollabNet
 
AWS re:Invent 2016: Fraud Detection with Amazon Machine Learning on AWS (FIN301)
AWS re:Invent 2016: Fraud Detection with Amazon Machine Learning on AWS (FIN301)AWS re:Invent 2016: Fraud Detection with Amazon Machine Learning on AWS (FIN301)
AWS re:Invent 2016: Fraud Detection with Amazon Machine Learning on AWS (FIN301)Amazon Web Services
 
DevOps Kaizen: Practical Steps to Start & Sustain a Transformation
DevOps Kaizen: Practical Steps to Start & Sustain a TransformationDevOps Kaizen: Practical Steps to Start & Sustain a Transformation
DevOps Kaizen: Practical Steps to Start & Sustain a Transformationdev2ops
 
Stop using Nagios (so it can die peacefully)
Stop using Nagios (so it can die peacefully)Stop using Nagios (so it can die peacefully)
Stop using Nagios (so it can die peacefully)Andy Sykes
 

En vedette (20)

ContainerCon - Test Driven Infrastructure
ContainerCon - Test Driven InfrastructureContainerCon - Test Driven Infrastructure
ContainerCon - Test Driven Infrastructure
 
BsidesMCR_2016-what-can-infosec-learn-from-devops
BsidesMCR_2016-what-can-infosec-learn-from-devopsBsidesMCR_2016-what-can-infosec-learn-from-devops
BsidesMCR_2016-what-can-infosec-learn-from-devops
 
Scaling Operations At Spotify
Scaling Operations At SpotifyScaling Operations At Spotify
Scaling Operations At Spotify
 
SREcon 2016 Performance Checklists for SREs
SREcon 2016 Performance Checklists for SREsSREcon 2016 Performance Checklists for SREs
SREcon 2016 Performance Checklists for SREs
 
Five steps to Continuous Delivery
Five steps to Continuous DeliveryFive steps to Continuous Delivery
Five steps to Continuous Delivery
 
DevOps by examples - DevOps@Work 2017
DevOps by examples - DevOps@Work 2017DevOps by examples - DevOps@Work 2017
DevOps by examples - DevOps@Work 2017
 
SPOF - Single "Person" of Failure
SPOF - Single "Person" of FailureSPOF - Single "Person" of Failure
SPOF - Single "Person" of Failure
 
Chaos patterns - architecting for failure in distributed systems
Chaos patterns - architecting for failure in distributed systemsChaos patterns - architecting for failure in distributed systems
Chaos patterns - architecting for failure in distributed systems
 
Un-broken Logging - Operability.io 2015 - Matthew Skelton
Un-broken Logging - Operability.io 2015 - Matthew SkeltonUn-broken Logging - Operability.io 2015 - Matthew Skelton
Un-broken Logging - Operability.io 2015 - Matthew Skelton
 
A Coherent Discussion About Performance
A Coherent Discussion About PerformanceA Coherent Discussion About Performance
A Coherent Discussion About Performance
 
Monitoring Is Never Done
Monitoring Is Never DoneMonitoring Is Never Done
Monitoring Is Never Done
 
Devops and Immutable infrastructure - Cloud Expo 2015 NYC
Devops and Immutable infrastructure - Cloud Expo 2015 NYCDevops and Immutable infrastructure - Cloud Expo 2015 NYC
Devops and Immutable infrastructure - Cloud Expo 2015 NYC
 
Test Automation In The Hands of "The Business"
Test Automation In The Hands of "The Business"Test Automation In The Hands of "The Business"
Test Automation In The Hands of "The Business"
 
Time to say goodbye to your Nagios based setup
Time to say goodbye to your Nagios based setupTime to say goodbye to your Nagios based setup
Time to say goodbye to your Nagios based setup
 
Production testing through monitoring
Production testing through monitoringProduction testing through monitoring
Production testing through monitoring
 
Continuous Delivery Tools Collaboration Conways Law - QCon London - Matthew S...
Continuous Delivery Tools Collaboration Conways Law - QCon London - Matthew S...Continuous Delivery Tools Collaboration Conways Law - QCon London - Matthew S...
Continuous Delivery Tools Collaboration Conways Law - QCon London - Matthew S...
 
Metrics to Power DevOps
Metrics to Power DevOps Metrics to Power DevOps
Metrics to Power DevOps
 
AWS re:Invent 2016: Fraud Detection with Amazon Machine Learning on AWS (FIN301)
AWS re:Invent 2016: Fraud Detection with Amazon Machine Learning on AWS (FIN301)AWS re:Invent 2016: Fraud Detection with Amazon Machine Learning on AWS (FIN301)
AWS re:Invent 2016: Fraud Detection with Amazon Machine Learning on AWS (FIN301)
 
DevOps Kaizen: Practical Steps to Start & Sustain a Transformation
DevOps Kaizen: Practical Steps to Start & Sustain a TransformationDevOps Kaizen: Practical Steps to Start & Sustain a Transformation
DevOps Kaizen: Practical Steps to Start & Sustain a Transformation
 
Stop using Nagios (so it can die peacefully)
Stop using Nagios (so it can die peacefully)Stop using Nagios (so it can die peacefully)
Stop using Nagios (so it can die peacefully)
 

Similaire à Taking AppSec to 11 - BSides Austin 2016

DevOps Pipeline for Liferay Application
DevOps Pipeline for Liferay ApplicationDevOps Pipeline for Liferay Application
DevOps Pipeline for Liferay ApplicationMaruti Gollapudi
 
DevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipelineDevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipelineAarno Aukia
 
DevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipelineDevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipelineAarno Aukia
 
Agile & DevOps - It's all about project success
Agile & DevOps - It's all about project successAgile & DevOps - It's all about project success
Agile & DevOps - It's all about project successAdam Stephensen
 
Confoo-Montreal-2016: Controlling Your Environments using Infrastructure as Code
Confoo-Montreal-2016: Controlling Your Environments using Infrastructure as CodeConfoo-Montreal-2016: Controlling Your Environments using Infrastructure as Code
Confoo-Montreal-2016: Controlling Your Environments using Infrastructure as CodeSteve Mercier
 
DevOps Deconstructed
DevOps DeconstructedDevOps Deconstructed
DevOps DeconstructedJeremy Pullen
 
Exercising and Scaling Up Mobile DevOps in the Enterprise
Exercising and Scaling Up Mobile DevOps in the EnterpriseExercising and Scaling Up Mobile DevOps in the Enterprise
Exercising and Scaling Up Mobile DevOps in the EnterpriseBitbar
 
DevOps with Microsoft Stack
DevOps with Microsoft StackDevOps with Microsoft Stack
DevOps with Microsoft StackDeepti Jain
 
Testing in the new age of DevOps
Testing in the new age of DevOpsTesting in the new age of DevOps
Testing in the new age of DevOpsMoataz Mahmoud
 
DevOps Foundations
DevOps FoundationsDevOps Foundations
DevOps FoundationsAmr Fawzy
 
Rapise Overview Presentation (2021)
Rapise Overview Presentation (2021)Rapise Overview Presentation (2021)
Rapise Overview Presentation (2021)Inflectra
 
Getting to Walk with DevOps
Getting to Walk with DevOpsGetting to Walk with DevOps
Getting to Walk with DevOpsEklove Mohan
 
SoCal DevOps Meetup 1/26/2017 - Habitat by Chef
SoCal DevOps Meetup 1/26/2017 - Habitat by ChefSoCal DevOps Meetup 1/26/2017 - Habitat by Chef
SoCal DevOps Meetup 1/26/2017 - Habitat by ChefTrevor Hess
 
Pay pal paypal continuous performance as a self-service with fully-automated...
Pay pal paypal continuous performance as a self-service with fully-automated...Pay pal paypal continuous performance as a self-service with fully-automated...
Pay pal paypal continuous performance as a self-service with fully-automated...Dynatrace
 
AWS18 Startup Day Toronto- Launching your Application the Amazon Way
AWS18 Startup Day Toronto- Launching your Application the Amazon WayAWS18 Startup Day Toronto- Launching your Application the Amazon Way
AWS18 Startup Day Toronto- Launching your Application the Amazon WayAmazon Web Services
 
OpsWorks for Chef Automate - Auckland AWS
OpsWorks for Chef Automate - Auckland AWS OpsWorks for Chef Automate - Auckland AWS
OpsWorks for Chef Automate - Auckland AWS Matt Ray
 
Building an In-House DevOps Service Platform for Mobility Solutions | Mindtree
Building an In-House DevOps Service Platform for Mobility Solutions | Mindtree Building an In-House DevOps Service Platform for Mobility Solutions | Mindtree
Building an In-House DevOps Service Platform for Mobility Solutions | Mindtree AnikeyRoy
 
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021William Caban
 
Harman deepak v - agile on steriod - dev ops led transformation
Harman deepak v - agile on steriod - dev ops led transformationHarman deepak v - agile on steriod - dev ops led transformation
Harman deepak v - agile on steriod - dev ops led transformationXebia India
 

Similaire à Taking AppSec to 11 - BSides Austin 2016 (20)

DevOps Pipeline for Liferay Application
DevOps Pipeline for Liferay ApplicationDevOps Pipeline for Liferay Application
DevOps Pipeline for Liferay Application
 
DevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipelineDevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipeline
 
DevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipelineDevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipeline
 
Agile & DevOps - It's all about project success
Agile & DevOps - It's all about project successAgile & DevOps - It's all about project success
Agile & DevOps - It's all about project success
 
Confoo-Montreal-2016: Controlling Your Environments using Infrastructure as Code
Confoo-Montreal-2016: Controlling Your Environments using Infrastructure as CodeConfoo-Montreal-2016: Controlling Your Environments using Infrastructure as Code
Confoo-Montreal-2016: Controlling Your Environments using Infrastructure as Code
 
DevOps Deconstructed
DevOps DeconstructedDevOps Deconstructed
DevOps Deconstructed
 
Exercising and Scaling Up Mobile DevOps in the Enterprise
Exercising and Scaling Up Mobile DevOps in the EnterpriseExercising and Scaling Up Mobile DevOps in the Enterprise
Exercising and Scaling Up Mobile DevOps in the Enterprise
 
DevOps with Microsoft Stack
DevOps with Microsoft StackDevOps with Microsoft Stack
DevOps with Microsoft Stack
 
Testing in the new age of DevOps
Testing in the new age of DevOpsTesting in the new age of DevOps
Testing in the new age of DevOps
 
DevOps Foundations
DevOps FoundationsDevOps Foundations
DevOps Foundations
 
Rapise Overview Presentation (2021)
Rapise Overview Presentation (2021)Rapise Overview Presentation (2021)
Rapise Overview Presentation (2021)
 
Getting to Walk with DevOps
Getting to Walk with DevOpsGetting to Walk with DevOps
Getting to Walk with DevOps
 
SoCal DevOps Meetup 1/26/2017 - Habitat by Chef
SoCal DevOps Meetup 1/26/2017 - Habitat by ChefSoCal DevOps Meetup 1/26/2017 - Habitat by Chef
SoCal DevOps Meetup 1/26/2017 - Habitat by Chef
 
Pay pal paypal continuous performance as a self-service with fully-automated...
Pay pal paypal continuous performance as a self-service with fully-automated...Pay pal paypal continuous performance as a self-service with fully-automated...
Pay pal paypal continuous performance as a self-service with fully-automated...
 
AWS18 Startup Day Toronto- Launching your Application the Amazon Way
AWS18 Startup Day Toronto- Launching your Application the Amazon WayAWS18 Startup Day Toronto- Launching your Application the Amazon Way
AWS18 Startup Day Toronto- Launching your Application the Amazon Way
 
OpsWorks for Chef Automate - Auckland AWS
OpsWorks for Chef Automate - Auckland AWS OpsWorks for Chef Automate - Auckland AWS
OpsWorks for Chef Automate - Auckland AWS
 
Building an In-House DevOps Service Platform for Mobility Solutions | Mindtree
Building an In-House DevOps Service Platform for Mobility Solutions | Mindtree Building an In-House DevOps Service Platform for Mobility Solutions | Mindtree
Building an In-House DevOps Service Platform for Mobility Solutions | Mindtree
 
Forward5 Auxis VMware
Forward5 Auxis VMwareForward5 Auxis VMware
Forward5 Auxis VMware
 
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
GitOps, Driving NGN Operations Teams 211127 #kcdgt 2021
 
Harman deepak v - agile on steriod - dev ops led transformation
Harman deepak v - agile on steriod - dev ops led transformationHarman deepak v - agile on steriod - dev ops led transformation
Harman deepak v - agile on steriod - dev ops led transformation
 

Plus de Matt Tesauro

Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Matt Tesauro
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfMatt Tesauro
 
Practical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsPractical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsMatt Tesauro
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesMatt Tesauro
 
Landmines in the API Landscape
Landmines in the API LandscapeLandmines in the API Landscape
Landmines in the API LandscapeMatt Tesauro
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingMatt Tesauro
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandMatt Tesauro
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityMatt Tesauro
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.Matt Tesauro
 
Continuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachMatt Tesauro
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityMatt Tesauro
 
Running FaaS with Scissors
Running FaaS with ScissorsRunning FaaS with Scissors
Running FaaS with ScissorsMatt Tesauro
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Matt Tesauro
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinMatt Tesauro
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!Matt Tesauro
 
Testing at-cloud-speed sans-app-sec-austin-2013
Testing at-cloud-speed sans-app-sec-austin-2013Testing at-cloud-speed sans-app-sec-austin-2013
Testing at-cloud-speed sans-app-sec-austin-2013Matt Tesauro
 
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012Matt Tesauro
 

Plus de Matt Tesauro (18)

Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023Tenants for Going at DevSecOps Speed - LASCON 2023
Tenants for Going at DevSecOps Speed - LASCON 2023
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
 
Practical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful ProgramsPractical DevSecOps: Fundamentals of Successful Programs
Practical DevSecOps: Fundamentals of Successful Programs
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
 
Landmines in the API Landscape
Landmines in the API LandscapeLandmines in the API Landscape
Landmines in the API Landscape
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
 
The Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security TestingThe Final Frontier, Automating Dynamic Security Testing
The Final Frontier, Automating Dynamic Security Testing
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP Switzerland
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into security
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.
 
Continuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's ReachContinuous Security: Using Automation to Expand Security's Reach
Continuous Security: Using Automation to Expand Security's Reach
 
OWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security SanityOWASP DefectDojo - Open Source Security Sanity
OWASP DefectDojo - Open Source Security Sanity
 
Running FaaS with Scissors
Running FaaS with ScissorsRunning FaaS with Scissors
Running FaaS with Scissors
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!
 
Testing at-cloud-speed sans-app-sec-austin-2013
Testing at-cloud-speed sans-app-sec-austin-2013Testing at-cloud-speed sans-app-sec-austin-2013
Testing at-cloud-speed sans-app-sec-austin-2013
 
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
 

Dernier

办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...vmzoxnx5
 
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...ICT Watch - Indonesia
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesLumiverse Solutions Pvt Ltd
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxMario
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)ICT Watch - Indonesia
 
How to login to Router net ORBI LOGIN...
How to login to Router net ORBI LOGIN...How to login to Router net ORBI LOGIN...
How to login to Router net ORBI LOGIN...rrouter90
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxAndrieCagasanAkio
 

Dernier (9)

办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
 
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best Practices
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
 
How to login to Router net ORBI LOGIN...
How to login to Router net ORBI LOGIN...How to login to Router net ORBI LOGIN...
How to login to Router net ORBI LOGIN...
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptx
 

Taking AppSec to 11 - BSides Austin 2016

  • 1. Taking AppSec to 11 AppSec Pipelines, DevOps, and Making Things Better. BSidess Austin 2016 Matt Tesauro, Infinitiv
  • 2.
  • 4.
  • 5. The Phoenix Project 3 Ways of DevOps Strategies for Improving Operations
  • 6. #1 - Workflow Look at your purpose and those processes which aid it
  • 7. Timeline Business Operations Customer Flow [rate] – the speed work goes through the process Development
  • 8. #1 Workflow First of the three ways - Each Step Repeatable - Never Pass on Defects - Local optimizations with a global view
  • 10.
  • 12.
  • 13. Key Features of AppSec Pipelines ◇ Designed for iterative improvement ◇ Provides a reusable path for AppSec activities to follow ◇ Provides a consistent process for both the team and our constituency ◇ One way flow with well-defined states ◇ Relies heavily on automation ◇ Grow in functionality organically over time ◇ Gracefully interconnects with the development process
  • 15. Integrating into the DevOps Pipeline DevOps Pipeline AppSec Pipeline
  • 16. “ Spending time optimizing anything other than the critical resource is an illusion. W. Edwards Deming
  • 17. Key Goals of AppSec Pipelines ◇ Optimize the critical resource - AppSec personnel ■ Automate all the things that don’t require a human brain ■ Drive up consistency ■ Increase tracking of work status ■ Increase flow through the system ■ Increase visibility and metrics ■ Reduce any dev team friction with application security
  • 18. Pipeline - Intake ◇ “First Impression” ◇ Major categories of Intake ■ Existing App ■ New App ■ Previously tested App ■ App to re-test findings ◇ Key Concepts ■ Ask for data about Apps only once ■ Have data reviewed when an App returns ■ Adapt data collected based on broad categories of Apps
  • 19. Pipeline - Testing ◇ Inbound request triage ◇ Ala Carte App Sec ■ Dynamic Testing ■ Static Testing ■ Re-Testing mitigated findings ■ Mix and match based on risk ◇ Key Concepts ■ Activities can be run in parallel ■ Automation on setup, configuration, data export ◇ People focus on customization rather than setup
  • 20. Pipeline - Testing ◇ Results from your CI/CD could flow into Threadfix from build Pipeline ◇ Gauntlt runs results could also flow into the AppSec Pipeline ◇ Choose the tools that make sense for you organization
  • 21. Pipeline - Deliver ◇ Source of truth for all AppSec activities ◇ ThreadFix is used to ■ Dedup / Consolidate findings ■ Normalize scanner data ■ Generate Metrics ■ Push issues to bug trackers ◇ Report and metrics automation ■ REST + tfclient ◇ Source of many touch points with external teams
  • 22. ◇ Allow us to have visibility into WIP ◇ Better understand/track/optimize flow of engagements ◇ Average static test takes ... ◇ Great increase in consistency ◇ Easier re-allocation of engagements between staff ◇ Each step has a well defined interface ◇ Knowing who has what allows for more informed “cost of switching” conversations ◇ Flexible enough for a range of skills and app maturity Why we like AppSec Pipelines
  • 23. ~5x increase 2014 44 assessments 2015 ~200 assessments Changes from 2014 to 2015: - Created the AppSec Pipeline - initial launch in March 2015 - AppSec team numbers dropped - lost a couple of key people approx 3.5 FTEs - Two of the AppSec team members went meta for most of 2015
  • 24. Bag of Holding aka BoH github.com/PearsonEducation/bag-of-holding
  • 25. ◇ Manages the Application Security Program ◇ Application Repository ◇ Engagement Tracking ◇ Report Repository ◇ Comments on any application, engagement or activity ◇ Data Classification and PII data ◇ Time taken on secure software activities ◇ Historical knowledge of past assessments ◇ Credential repository ◇ Environment details What does BoH do?
  • 29. Defect Dojo ◇ DefectDojo is a tool created by the Security Engineering team at Rackspace to track testing efforts. ◇ Streamlines the testing process by offering features such as templating, report generation, metrics, and baseline self-service tools. ◇ Though it was designed with security folks in mind, there is nothing keeping QA/QE testers, or any other testers for that matter, from using it productively. ◇ https://github.com/rackerlabs/django-DefectDojo
  • 30.
  • 31. Now with more OWASP!
  • 32. Open yourself to upstream and downstream information #2 - Improve Feedback
  • 33.
  • 35. Your command line where you have your conversations.
  • 38. Threadfix Integration And more: • Create an Application • Get Summary Metrics for AppSec Program
  • 40. Create a culture of innovation and experimentation #3 - Continual Experimentation & Learning
  • 41.
  • 42. “I fear not the man who has practiced ten thousand kicks once, but I fear the man who has practiced one kick ten thousand times.”
  • 43.
  • 44. Dev & AppSec Tool Integration OWASP ZAP Proxy BuildManageCode Store RAPTOR Deploy OWASP ZAP Proxy *Not a comprehensive list. The OWASP DevOps AppSec Pipeline will have a complete listing.
  • 45.
  • 46.
  • 47. Demo Time A quick bit of show and tell...
  • 48. Key Take Aways ◇ Automate, automate, automate ■ Look for “paper cuts” and fix those first ◇ Finding workflow – your AppSec Pipeline ■ Figure this out and standardize / optimize ◇ Create systems which can grow organically ■ App is never done, it’s just created to easily be added to over time ■ e.g. Finding blocks become templates for next report ◇ Learn to talk “dev”
  • 51. Orchestration ◇ Integrate Security Tools and Workflow Example: ◇ Generic API for dynamic scanning ■ URL ■ Credentials ■ Profile ■ Call any Dynamic Scanner: ○ OWASP ZAP ○ BurpSuite ○ AppScan
  • 52. Gauntlt ◇ Open source, MIT License ◇ Gauntlt comes with pre-canned steps that hook security testing tools ◇ Gauntlt does not install tools ◇ Gauntlt wants to be part of the CI/CD pipeline ◇ Be a good citizen of exit status and stdout/stderr
  • 53. Tiaga ◇ Project Management Software ■ Focused on usability and speed ■ Kanban / Scrum ■ Backlog ■ Tasks ■ Sprints ■ Issues ■ Wiki ◇ Open Source – Python / Django app ■ Entire functionality is driven by a REST API !! ■ https://taiga.io/
  • 54.
  • 55.
  • 56. Defect Dojo ◇ DefectDojo is a tool created by the Security Engineering team at Rackspace to track testing efforts. ◇ Streamlines the testing process by offering features such as templating, report generation, metrics, and baseline self-service tools. ◇ Though it was designed with security folks in mind, there is nothing keeping QA/QE testers, or any other testers for that matter, from using it productively. ◇ https://github.com/rackerlabs/django-DefectDojo
  • 57.
  • 59. Findings directly to bug trackers ◇ PDFs are great, bugs are better ◇ Security issues are now part of the normal work flow ◇ ThreadFix is nice for pumping issues into defect trackers - http://code.google.com/p/threadfix/
  • 60. For the reticent: nag, nag, nag ◇ Attach a SLA to each severity level for findings ◇ Walk up the Org chart as things get older ◇ Bonus points for dashboards and defect tracker APIs ◇ Get management sold first
  • 61. Agent – one mole to rule them all ◇ Add an agent to the standard deploy ◇ Add a dashboard to visualize state of infrastructure ◇ Roll your own or find a vendor Mozilla MIG
  • 62. Turn Vuln Scanning on its Head ◇ Add value for your Ops teams ◇ Roll your own or find a vendor ◇ Reverse the scan then report standard
  • 63. Related Presentations AppSec EU 2015 – Ops Track Keynote http://www.slideshare.net/mtesauro/mtesauro-keynote-appseceu https://www.youtube.com/watch?v=tDnyFitE0y4 AppSec EU 2015 – Building an AppSec Pipeline http://www.slideshare.net/weaveraaaron/building-an-appsec- pipeline-keeping-your-program-and-your-life-sane https://www.youtube.com/watch?v=1CDSOSl4DQU
  • 65. #1 Workflow Each Step Repeatable ◇ Remove all haphazard and ad hoc work from the process ◇ Scripting languages are your friends ◇ Config Mgmt – Puppet, Chef, Salt, Ansible, CFEngine ◇ Make sure what you do can be done on 1 server or 10,000 servers
  • 66. #1 Workflow Never Pass on Defects ◇ Test early and often ◇ Increase the rigor of testing as you work left to right ◇ When a failure occurs end that flow and start a new one after corrections ◇ The further right you are, the more expensive failure is so concentrate your early work on left side (intake) ◇ In AppSec, defects are false positives
  • 67. #1 Workflow Local optimizations with a global view ◇ Ensure no single-step optimizations degrade the overall performance of the workflow ◇ Find the bottleneck in your workflow and start there ■ Upstream changes will just back things up ■ Downstream changes won't manifest since input is limited ◇ Each new optimization creates a new bottleneck ■ Iterate on this!
  • 68. “ Spending time optimizing anything other than the critical resource is an illusion.
  • 71. Henry Ford in a field: http://henryfordgiantdifferenceaward.weebly.com/works-cited.html Assembly Lines: http://www.pictofcar.website/henry-ford-assembly-line-diagram/ http://www.fasttrackteaching.com/burns/Unit_3_Industry/U3_Ford.html http://en.wikipedia.org/wiki/Assembly_line http://actionspeaksradio.org/tag/henry-ford/ http://blogs.internetautoguide.com/6582595/manufacturing/henry-ford-didnt-invent-the-assembly-line- ransom-e-olds-did/index.html W. Edward Deming http://www.motortrend.com/features/consumer/1005_30_who_count/photo_04.html Japan's Post War Miracle http://www2.fultonschools.org/teacher/robertsw1/thursday.nov1.htm http://dylewski.com.pl/menu-boczne/iluzja-pieniadza/usa-vs-japonia/ http://en.wikipedia.org/wiki/Japanese_post-war_economic_miracle Image References
  • 72. Thomas Edison: http://www.allposters.com/-sp/Thomas-Edison-Posters_i1859026_.htm Food line: http://www.slideshare.net/weaveraaaron/building-an-appsec-pipeline-keeping-your-program-and-your-life- sane Phoenix Project Book Cover: https://puppetlabs.com/blog/why-we-need-devops-now Goes to 11: https://arturogalletti.files.wordpress.com/2010/12/spinaltap.jpg Image References
  • 73. What’s this? This is a free presentation template for Google Slides designed by SlidesCarnival. We believe that good design serves to better communicate ideas, so we create free quality presentation templates for you to focus on the content. Enjoy them at will and share with us your results at: twitter.com/SlidesCarnival facebook.com/slidescarnival About this template How can I use it? Open this document in Google Slides (if you are at slidescarnival. com use the button below this presentation) You have to be signed in to your Google account ◇ Edit in Google Slides Go to the File menu and select Make a copy. You will get a copy of this document on your Google Drive and will be able to edit, add or delete slides. ◇ Edit in Microsoft PowerPoint® Go to the File menu and select Download as Microsoft PowerPoint. You will get a .pptx file that you can edit in PowerPoint. Remember to download and install the fonts used in this presentation (you’ll find the links to the font files needed in the Presentation design slide) This template is free to use under Creative Commons Attribution license. If you use the graphic assets (photos, icons and typographies) provided with this presentation you must keep the Credits slide.