Weitere ähnliche Inhalte Kürzlich hochgeladen (20) FUTURESTACK13: AppSec in a DevOps World from Shaun Gordon, Director of Information Security & Compliance at New Relic1. AppSec in a DevOps World
SHAUN GORDON
NEW RELIC DIRECTOR OF INFORMATION SECURITY & COMPLIANCE
OCTOBER 23, 2013
Wednesday, November 6, 13
27. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing
28. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing
29. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing
30. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing
31. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing
32. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing
33. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing
34. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing
35. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing
36. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing
37. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing
38. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing
39. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing
40. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing
41. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Wednesday, November 6, 13
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
Production
•
•
Vulnerability
Scanning
Penetration
Testing
42. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
•
•
Vulnerability
Scanning
Penetration
Testing
43. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
•
•
Vulnerability
Scanning
Penetration
Testing
44. Traditional (Waterfall) SDLC Security
Requirements
•
Functional &
Non-Functional
security
requirement
Design
•
•
Architectural
Review
Threat Modeling
Development
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
Release
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
•
•
Vulnerability
Scanning
Penetration
Testing
47. Continuous Deployment Security
Requirements
Strategies & Tactics
Low to No friction (can’t slow us down)
Automation
Transparent
Training & Empowerment
No significant changes to development processes
Lightweight Processes
Make us More Secure
Triage
Quickly Detect & Respond
Wednesday, November 6, 13
48. Traditional (Waterfall) SDLC Security
Requirements
• Functional &
Non-Functional
security
requirement
Design
• Architectural
•
Review
Threat Modeling
Development
• Secure Coding
•
•
Practices
Static Analysis
White Box
Testing
Testing
• Dynamic
•
• Separation
Analysis
Requirements
Testing
Release
• Penetration
•
•
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
• Vulnerability
•
Scanning
Penetration
Testing
49. Continuous Deployment Security
Requirements
• Functional &
Non-Functional
security
requirement
Design
• Architectural
•
Review
Threat Modeling
Development
• Secure Coding
•
•
Practices
Static Analysis
White Box
Testing
Testing
• Dynamic
•
• Separation
Analysis
Requirements
Testing
Release
• Penetration
•
•
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
• Vulnerability
•
Scanning
Penetration
Testing
50. Continuous Deployment Security
Requirements
• Functional &
Non-Functional
security
requirement
Design
• Architectural
•
Review
Threat Modeling
Development
• Secure Coding
•
•
Practices
Static Analysis
White Box
Testing
Testing
• Dynamic
•
• Separation
Analysis
Requirements
Testing
Release
• Penetration
•
•
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
• Vulnerability
•
Scanning
Penetration
Testing
51. Continuous Deployment Security
Requirements
Design
Requirements & Design
• Functional &
Non-Functional
security
requirement
• Architectural
•
Review
Threat Modeling
Development
Development, Testing & Release Release
Testing,
• Secure Coding
•
•
Practices
Static Analysis
White Box
Testing
• Dynamic
•
• Separation
Analysis
Requirements
Testing
• Penetration
•
•
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
• Vulnerability
•
Scanning
Penetration
Testing
52. Continuous Deployment Security
Requirements & Design
•
Functional &
Non-Functional
security
requirement
•
•
Architectural
Review
Threat Modeling
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing
53. Continuous Deployment Security
Requirements & Design
•
Functional &
Non-Functional
security
requirement
•
•
Architectural
Review
Threat Modeling
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing
54. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Threat Modeling
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing
61. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Threat Modeling
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing
62. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing
68. Threat Modeling @ New Relic
Decompose your Application
Identify your Assets
Wednesday, November 6, 13
69. Threat Modeling @ New Relic
Decompose your Application
Identify your Assets
Enumerate your Threats
Wednesday, November 6, 13
70. Threat Modeling @ New Relic
Decompose your Application
Identify your Assets
Enumerate your Threats
Rate & Rank your Threats
Wednesday, November 6, 13
71. Threat Modeling @ New Relic
Decompose your Application
Identify your Assets
Enumerate your Threats
Rate & Rank your Threats
Address or Accept
Wednesday, November 6, 13
72. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
Secure Coding
Practices
Static Analysis
White Box
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing
73. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Static Analysis
White Box
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing
74. Secure Libraries & Services
Authentication Service
Security Event Logging Service
Input Validation Regex Patterns
Encryption Libraries
Wednesday, November 6, 13
75. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Static Analysis
White Box
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing
76. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
White Box
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing
78. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
White Box
Testing
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing
79. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing
80. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing
81. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
•
•
• Separation
Dynamic
Analysis
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
Vulnerability
Scanning
Penetration
Testing
82. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
•
• Separation
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
Penetration
Testing
83. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
•
• Separation
Requirements
Testing
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
Penetration
Testing
84. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
• Separation
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
Penetration
Testing
85. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
• Separation
•
•
•
Penetration
Testing
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
Penetration
Testing
86. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
• Separation
•
•
•
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
Penetration
Testing
87. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
• Separation
•
•
•
Security
Assessment
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
Penetration
Testing
88. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
• Separation
•
•
•
Automated
Commit Triage
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
Penetration
Testing
90. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
• Separation
•
•
•
Automated
Commit Triage
Security SignOff
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
Penetration
Testing
91. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
• Separation
•
•
•
Automated
Commit Triage
Quick Detection
& Recovery
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
Penetration
Testing
92. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
• Separation
•
•
•
Automated
Commit Triage
Quick Detection
& Recovery
of Duties
• Management Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
Penetration
Testing
93. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
•
•
•
Automated
Commit Triage
Quick Detection
& Recovery
• Accountability
• Management
Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
Penetration
Testing
94. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
•
•
•
Automated
Commit Triage
Quick Detection
& Recovery
• Accountability
• Management
Release Sign-Off
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
Penetration
Testing
95. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
•
•
•
Automated
Commit Triage
Quick Detection
& Recovery
• Accountability
• Sidekick
Process
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
Penetration
Testing
99. Two Sets of (masked) eyes on every change
Wednesday, November 6, 13
100. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
•
•
•
Automated
Commit Triage
Quick Detection
& Recovery
• Accountability
• Sidekick
Process
• Limits on Production Access
Wednesday, November 6, 13
Production
Development, Testing, & Release
Penetration
Testing
101. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
• Accountability
• Sidekick
Process
• Enabling Tools
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
•
Automated
Commit Triage
Quick Detection
& Recovery
Penetration
Testing
102. Continuous Deployment Security
Requirements & Design
•
Required Security Evaluation
•
Lightweight
Targeted
Threat Modeling
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
• Accountability
• Sidekick
Process
• Enabling Tools
Wednesday, November 6, 13
Production
Development, Testing, & Release
•
•
•
Automated
Commit Triage
Quick Detection
& Recovery
Penetration
Testing
103. Continuous Deployment Security
Requirements & Design
•
•
Required Security Evaluation
Lightweight
Targeted
Threat Modeling
Development, Testing, & Release
•
•
•
•
Secure Coding
Practices
Security
Libraries &
Services
Automated
Static Analysis
Testing Tools &
Training
• Continuous Scanning in Test, Staging, & Production
• Automated
• Penetration
Commit Triage
Testing
Quick Detection
•
& Recovery
• Accountability
• Sidekick
Process
• Enabling Tools
Wednesday, November 6, 13
Production