AppSec in a DevOps World
SHAUN GORDON
NEW RELIC DIRECTOR OF INFORMATION SECURITY & COMPLIANCE
OCTOBER 23, 2013

Wednesday, November 6, 13
Speed vs. Security

Accelerating Development Cycles

• Boxed Software: Waterfall, 1 year
• Web 1.0: Waterfall, 3 months
• Web 2.0: Agile, 4 weeks
• DevOps: 2x week
• Continuous Deployment (DevOps): daily, then hourly

Traditional (Waterfall) SDLC

• Requirements: define functional (features) and non-functional requirements (capabilities)
• Design: translate requirements into architecture and detailed design
• Development: build it!
• Testing: ensure the functional and non-functional requirements are met
• Release: ship or push live
• Production: maintain and patch as needed

Traditional (Waterfall) SDLC Security

• Checkpoints
• Controls
• Formal Processes

Traditional (Waterfall) SDLC Security

Requirements
• Functional & Non-Functional security requirement

Design
• Architectural Review
• Threat Modeling

Development
• Secure Coding Practices
• Static Analysis
• White Box Testing

Testing
• Dynamic Analysis
• Requirements Testing

Release
• Penetration Testing
• Security Assessment
• Security Sign-Off

Production
• Vulnerability Scanning
• Penetration Testing

Across all phases
• Separation of Duties
• Management Release Sign-Off
• Limits on Production Access

Continuous Deployment Security

Requirements                                      Strategies & Tactics
Low to No friction (can’t slow us down)           Automation
Transparent                                       Training & Empowerment
No significant changes to development processes   Lightweight Processes
Make us More Secure                               Triage; Quickly Detect & Respond

Continuous Deployment Security

The six waterfall phases collapse into three: Requirements & Design; Development, Testing, & Release; Production. The traditional controls map onto them as the starting point:

Requirements & Design
• Functional & Non-Functional security requirement
• Architectural Review
• Threat Modeling

Development, Testing, & Release
• Secure Coding Practices
• Static Analysis
• White Box Testing
• Dynamic Analysis
• Requirements Testing
• Penetration Testing
• Security Assessment
• Security Sign-Off
• Separation of Duties
• Management Release Sign-Off
• Limits on Production Access

Production
• Vulnerability Scanning
• Penetration Testing

Continuous Deployment Security

Requirements & Design: the Functional & Non-Functional security requirement and the Architectural Review are replaced by a Required Security Evaluation; Threat Modeling stays.

Required Security Evaluation

< 25 Minute Meeting
1. Technical Overview
2. Business Context
3. Developer Concerns

Security Evaluation Outcomes

• Low Risk: Simple Guidance
• Higher Risk: Deep Dive, Whiteboarding, Threat Model

Security Evaluation Follow-Up

• Document
• Follow Up

Continuous Deployment Security

Requirements & Design: Threat Modeling becomes Lightweight, Targeted Threat Modeling.

Threat Modeling

Identify your assets and the threats against them.
Focus your resources on the greatest risks.

Threat Modeling @ New Relic

1. Decompose your Application
2. Identify your Assets
3. Enumerate your Threats
4. Rate & Rank your Threats
5. Address or Accept

Continuous Deployment Security

Development, Testing, & Release: Security Libraries & Services are added alongside Secure Coding Practices.

Secure Libraries & Services

• Authentication Service
• Security Event Logging Service
• Input Validation Regex Patterns
• Encryption Libraries

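An added example (my code, not New Relic's library) of the "Input Validation Regex Patterns" item: one shared module that keeps vetted, anchored patterns behind a single valid?/check! API, next to the ad-hoc ^...$ pattern it is meant to replace. In Ruby, ^ and $ match at line boundaries, so the ad-hoc pattern accepts multi-line input; the shared module anchors with \A and \z. The input kinds, patterns and length limits are constructed for illustration.

```ruby
# Added example (not from the talk or from New Relic's own libraries): a shared
# input-validation module. Input kinds, patterns and limits are constructed.
module InputValidation
  class Invalid < ArgumentError; end

  # Every pattern is anchored with \A and \z. In Ruby, ^ and $ match at *line*
  # boundaries, so /^[a-z]+$/ accepts "good\n<script>"; \A and \z anchor to the
  # start and the very end of the whole string (\Z would still allow a trailing newline).
  PATTERNS = {
    username:   /\A[a-z0-9_]{3,32}\z/i,
    hex_token:  /\A[0-9a-f]{32,64}\z/,
    account_id: /\A[1-9][0-9]{0,11}\z/,
    hostname:   /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\z/i,
  }.freeze

  # Maximum lengths checked before the regex runs, so oversized input is rejected cheaply.
  MAX_LENGTH = { username: 32, hex_token: 64, account_id: 12, hostname: 253 }.freeze

  # True when +value+ is a String within the length limit that matches the vetted pattern.
  def self.valid?(kind, value)
    pattern = PATTERNS.fetch(kind) { raise ArgumentError, "unknown input kind: #{kind}" }
    value.is_a?(String) && value.length <= MAX_LENGTH.fetch(kind) && pattern.match?(value)
  end

  # Returns +value+ unchanged when valid, otherwise raises Invalid so a caller
  # cannot silently continue with bad input.
  def self.check!(kind, value)
    return value if valid?(kind, value)
    raise Invalid, "#{kind} failed validation"
  end
end

# The ad-hoc pattern a developer might write without the shared library: ^ and $
# are line anchors in Ruby, so it matches "shaun" in "shaun\n<script>".
NAIVE_USERNAME = /^[a-z0-9_]{3,32}$/i

def naive_username_accepts?(value)
  !!(NAIVE_USERNAME =~ value)
end
```

In a controller the call is InputValidation.check!(:account_id, params[:id]); the raised Invalid maps to a 400 response in one place instead of each action re-implementing the check.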
Continuous Deployment Security

Development, Testing, & Release: Static Analysis becomes Automated Static Analysis.

Brakeman + Jenkins

brakemanscanner.org

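As an added example (not from the talk, New Relic or the Brakeman project), the gate logic a Jenkins job can apply to a Brakeman JSON report: fail the build only when a High- or Medium-confidence warning appears whose fingerprint is not in an accepted baseline, so scanning every commit adds no friction for findings that were already reviewed. The report shape follows Brakeman's JSON output as I know it (a warnings array with warning_type, confidence, fingerprint, file, line and message); the report content, the baseline and the thresholds are constructed.

```ruby
# Added example (not Brakeman's or New Relic's code): a CI gate over a Brakeman
# JSON report. The sample report, baseline and thresholds are constructed.
require "json"

# Constructed sample of a Brakeman JSON report (brakeman -f json): one finding the
# team has already accepted, one new Medium-confidence finding and one new Weak one.
SAMPLE_REPORT = <<~JSON
  {
    "warnings": [
      {"warning_type": "SQL Injection", "confidence": "High", "fingerprint": "aaa111",
       "file": "app/models/account.rb", "line": 42, "message": "Possible SQL injection"},
      {"warning_type": "Cross-Site Scripting", "confidence": "Medium", "fingerprint": "bbb222",
       "file": "app/views/users/show.html.erb", "line": 7, "message": "Unescaped model attribute"},
      {"warning_type": "Mass Assignment", "confidence": "Weak", "fingerprint": "ccc333",
       "file": "app/controllers/users_controller.rb", "line": 19, "message": "Parameters should be whitelisted"}
    ]
  }
JSON

# Fingerprints already reviewed and accepted (constructed). In CI this is a checked-in
# file, so accepting a finding goes through code review like any other change.
BASELINE = ["aaa111"].freeze

# Confidence levels that fail the build; Weak findings are printed for information only.
BLOCKING_CONFIDENCE = ["High", "Medium"].freeze

BrakemanWarning = Struct.new(:fingerprint, :type, :confidence, :file, :line, :message)

def parse_report(json_text)
  JSON.parse(json_text).fetch("warnings", []).map do |w|
    BrakemanWarning.new(w["fingerprint"], w["warning_type"], w["confidence"],
                        w["file"], w["line"], w["message"])
  end
end

# Drops baselined warnings and splits the rest into [blocking, informational].
def classify_warnings(warnings, baseline: BASELINE, blocking: BLOCKING_CONFIDENCE)
  fresh = warnings.reject { |w| baseline.include?(w.fingerprint) }
  fresh.partition { |w| blocking.include?(w.confidence) }
end

# Prints the findings and returns true when the build may proceed.
def gate(json_text, baseline: BASELINE)
  block, info = classify_warnings(parse_report(json_text), baseline: baseline)
  block.each { |w| puts "FAIL #{w.confidence.ljust(6)} #{w.type}: #{w.file}:#{w.line} (#{w.message})" }
  info.each  { |w| puts "info #{w.confidence.ljust(6)} #{w.type}: #{w.file}:#{w.line} (#{w.message})" }
  puts(block.empty? ? "OK: no new blocking Brakeman warnings" : "#{block.size} new blocking warning(s)")
  block.empty?
end

# Jenkins shell step (assumed layout):  brakeman -f json -o report.json ; ruby brakeman_gate.rb report.json
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  exit(gate(File.read(ARGV[0])) ? 0 : 1)
end
```

The fingerprint baseline is what keeps the scan transparent to developers: a finding that security has reviewed and accepted never breaks a later build, while anything new at High or Medium confidence stops the deploy until someone looks at it.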
Continuous Deployment Security

Development, Testing, & Release: White Box Testing is replaced by Testing Tools & Training.

Continuous Deployment Security

Development, Testing, & Release: Dynamic Analysis, Requirements Testing and production Vulnerability Scanning are replaced by Continuous Scanning in Test, Staging, & Production; Penetration Testing drops out of the release step and remains in Production; Security Assessment is replaced by Automated Commit Triage.

Triage Process

• Dangerous Methods
• Sensitive Modules
• Security Keywords

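The three triage rules above, as an added example of what automated commit triage can look like (my code, not New Relic's tool): scan the added lines of a unified diff for dangerous methods, files under sensitive modules and security keywords, and report which files need a human security reviewer. The method list, module paths, keyword list and the sample diff are all constructed for illustration.

```ruby
# Added example (not New Relic's triage tool): flag commits for security review by
# scanning a unified diff for dangerous methods, sensitive modules and security
# keywords. All three lists and the sample diff are constructed.

# Methods whose appearance in new code warrants a look (Ruby / Rails examples).
DANGEROUS_METHODS = %w[eval instance_eval class_eval send public_send constantize
                       system exec html_safe raw].freeze
# Path prefixes of modules where any change is security-relevant (constructed paths).
SENSITIVE_MODULES = %w[app/controllers/sessions lib/auth app/models/user.rb config/].freeze
# Substrings that suggest the change touches credentials or authorization. Deliberately
# broad ("auth" also hits "author"): the goal is triage for review, not a verdict.
SECURITY_KEYWORDS = %w[password secret token crypt auth permission role admin].freeze

Hit = Struct.new(:file, :line, :category, :detail)

# Constructed sample diff: three files, of which two should be flagged.
SAMPLE_DIFF = <<'DIFF'
diff --git a/app/controllers/reports_controller.rb b/app/controllers/reports_controller.rb
--- a/app/controllers/reports_controller.rb
+++ b/app/controllers/reports_controller.rb
@@ -10,4 +10,6 @@ class ReportsController < ApplicationController
   def show
-    @report = Report.find(params[:id])
+    @report = Report.find(params[:id])
+    @widget = params[:type].constantize.new
   end
diff --git a/app/models/user.rb b/app/models/user.rb
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -3,3 +3,4 @@ class User < ActiveRecord::Base
   has_many :accounts
+  attr_accessor :reset_password_token
diff --git a/app/helpers/layout_helper.rb b/app/helpers/layout_helper.rb
--- a/app/helpers/layout_helper.rb
+++ b/app/helpers/layout_helper.rb
@@ -1,3 +1,3 @@ module LayoutHelper
   def page_title
-    "Dashboard"
+    "Dashboard - #{Date.today.year}"
   end
DIFF

# Checks one added line against the method and keyword lists.
def scan_added_line(file, line_no, text)
  hits = []
  DANGEROUS_METHODS.each do |m|
    hits << Hit.new(file, line_no, :dangerous_method, m) if text.match?(/\b#{Regexp.escape(m)}\b/)
  end
  SECURITY_KEYWORDS.each do |k|
    hits << Hit.new(file, line_no, :security_keyword, k) if text.downcase.include?(k)
  end
  hits
end

# Walks a unified diff, tracking the current file and the new-file line number, and
# returns every Hit. Only added lines are inspected; removed lines are ignored.
def scan_diff(diff)
  hits = []
  file = nil
  new_line = 0
  diff.each_line do |raw|
    line = raw.chomp
    if line.start_with?("+++ ")
      file = line.sub(%r{\A\+\+\+ (?:b/)?}, "")
      SENSITIVE_MODULES.each do |mod|
        hits << Hit.new(file, nil, :sensitive_module, mod) if file.start_with?(mod)
      end
    elsif (m = line.match(/\A@@ -\d+(?:,\d+)? \+(\d+)/))
      new_line = m[1].to_i           # first new-file line number of the hunk
    elsif file && line.start_with?("+")
      hits.concat(scan_added_line(file, new_line, line[1..-1]))
      new_line += 1
    elsif line.start_with?(" ")      # unchanged context line
      new_line += 1
    end                              # "-" lines and headers do not advance the counter
  end
  hits
end

# Summarises a diff: whether a security reviewer is needed, for which files, and why.
def triage(diff)
  hits = scan_diff(diff)
  { review_required: !hits.empty?, files: hits.map(&:file).uniq, hits: hits }
end

def format_report(diff)
  triage(diff)[:hits].map { |h| "#{h.file}:#{h.line || '-'} #{h.category} (#{h.detail})" }.join("\n")
end
```

Run against the sample, the controller change is flagged for constantize on user-controlled input and the user model change both for living in a sensitive module and for touching a password reset token, while the helper change passes without comment; that is the split a triage step wants, since the reviewer's time goes only to the commits with a reason attached.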
Continuous Deployment Security

Development, Testing, & Release: Security Sign-Off is replaced by Quick Detection & Recovery. Across the phases, Separation of Duties is replaced by Accountability, and Management Release Sign-Off by a Sidekick Process.

Two Sets of (masked) eyes on every change

Continuous Deployment Security

Across the phases, Limits on Production Access are replaced by Enabling Tools. The resulting set of controls:

Requirements & Design
• Required Security Evaluation
• Lightweight, Targeted Threat Modeling

Development, Testing, & Release
• Secure Coding Practices
• Security Libraries & Services
• Automated Static Analysis
• Testing Tools & Training
• Continuous Scanning in Test, Staging, & Production
• Automated Commit Triage
• Quick Detection & Recovery

Production
• Penetration Testing
• Continuous Scanning (continued from test and staging)

Across all phases
• Accountability
• Sidekick Process
• Enabling Tools

Powered By...

• Automation
• Training & Empowerment
• Lightweight Processes
• Triage
• Quick Detection & Response

Auditors

• Compensating Controls
• Tell the Story

Thank You!

shaun@newrelic.com
security@newrelic.com

Image Attribution

Slide 14: Checkpoint Rheinpark by http://www.flickr.com/photos/kecko/3179561892/


FUTURESTACK13: AppSec in a DevOps World from Shaun Gordon, Director of Information Security & Compliance at New Relic

  • 1. AppSec in a DevOps World. Shaun Gordon, New Relic Director of Information Security & Compliance, October 23, 2013
  • 8. Accelerating Development Cycles: Boxed Software, Waterfall, 1 year
  • 9. Accelerating Development Cycles: Web 1.0, Waterfall, 3 months
  • 10. Accelerating Development Cycles: Web 2.0, Agile, 4 weeks
  • 11. Accelerating Development Cycles: DevOps, 2x week
  • 13. Accelerating Development Cycles: DevOps with Continuous Deployment, hourly
  • 15. Accelerating Development Cycles (recap): Waterfall at 3 months, Agile at 4 weeks
  • 17. Accelerating Development Cycles (recap): DevOps with Continuous Deployment, daily to hourly
  • 18. Traditional (Waterfall) SDLC: Requirements, Design, Development, Testing, Release, Production
  • 19. Traditional (Waterfall) SDLC, Requirements: define functional (features) and non-functional requirements (capabilities)
  • 20. Traditional (Waterfall) SDLC, Design: translate requirements into architecture and detailed design
  • 21. Traditional (Waterfall) SDLC, Development: build it!
  • 22. Traditional (Waterfall) SDLC, Testing: ensure functional and non-functional requirements are met
  • 23. Traditional (Waterfall) SDLC, Release: ship or push live
  • 24. Traditional (Waterfall) SDLC, Production: maintain and patch as needed
  • 25. Traditional (Waterfall) SDLC Security
  • 26. Traditional (Waterfall) SDLC Security: Checkpoints, Controls, Formal Processes
  • 27. Traditional (Waterfall) SDLC Security, control by phase
    Requirements: Functional & Non-Functional security requirements
    Design: Architectural Review; Threat Modeling
    Development: Secure Coding Practices; Static Analysis; White Box Testing
    Testing: Dynamic Analysis; Requirements Testing
    Release: Penetration Testing; Security Assessment; Security Sign-Off
    Production: Vulnerability Scanning; Penetration Testing
  • 42. Traditional (Waterfall) SDLC Security, with release controls added
    Requirements: Functional & Non-Functional security requirements
    Design: Architectural Review; Threat Modeling
    Development: Secure Coding Practices; Static Analysis; White Box Testing
    Testing: Dynamic Analysis; Requirements Testing
    Release: Penetration Testing; Security Assessment; Security Sign-Off; Separation of Duties; Management Release Sign-Off; Limits on Production Access
    Production: Vulnerability Scanning; Penetration Testing
  • 46. Continuous Deployment Security Requirements: Low to No friction (can't slow us down); Transparent; No significant changes to development processes; Make us More Secure
  • 47. Continuous Deployment Security Requirements, paired with Strategies & Tactics: Automation; Training & Empowerment; Lightweight Processes; Triage; Quickly Detect & Respond
  • 49. Continuous Deployment Security, starting from the traditional controls
    Requirements: Functional & Non-Functional security requirements
    Design: Architectural Review; Threat Modeling
    Development: Secure Coding Practices; Static Analysis; White Box Testing
    Testing: Dynamic Analysis; Requirements Testing
    Release: Penetration Testing; Security Assessment; Security Sign-Off; Separation of Duties; Management Release Sign-Off; Limits on Production Access
    Production: Vulnerability Scanning; Penetration Testing
  • 52. Continuous Deployment Security: the six phases collapse into three, Requirements & Design; Development, Testing, & Release; Production, with the same controls regrouped
  • 54. Continuous Deployment Security
    Requirements & Design: Required Security Evaluation; Threat Modeling
    Development, Testing, & Release: Secure Coding Practices; Static Analysis; White Box Testing; Dynamic Analysis; Requirements Testing; Penetration Testing; Security Assessment; Security Sign-Off; Separation of Duties; Management Release Sign-Off; Limits on Production Access
    Production: Vulnerability Scanning; Penetration Testing
  • 55. Required Security Evaluation: a meeting of less than 25 minutes covering 1. Technical Overview, 2. Business Context, 3. Developer Concerns
  • 57. Security Evaluation Outcomes: Low Risk; Simple Guidance
  • 58. Security Evaluation Outcomes: Higher Risk; Deep Dive; Whiteboarding; Threat Model
  • 60. Security Evaluation Follow-Up: Document; Follow Up
  • 62. Continuous Deployment Security, Requirements & Design: Required Security Evaluation; Lightweight Targeted Threat Modeling (other columns unchanged from slide 54)
  • 64. Threat Modeling: identify your assets and the threats against them
  • 65. Threat Modeling: identify your assets and the threats against them; focus your resources on the greatest risks
  • 66-71. Threat Modeling @ New Relic, built up one step per slide: Decompose your Application; Identify your Assets; Enumerate your Threats; Rate & Rank your Threats; Address or Accept
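The five steps above as a small, runnable threat register. This is an added example, not code from the talk or from New Relic; the threat categories, the 1 to 3 likelihood and impact scales, the score threshold and the toy system being modelled are all this example's own assumptions. Its point is the last two steps: ranking falls out of the rating, and "address or accept" is checked mechanically, so a high-ranked threat with neither a mitigation nor a named risk owner is caught.

```python
"""Threat modeling as data, following the five steps on slide 71:
decompose, identify assets, enumerate threats, rate and rank, address or accept.
Added example, not New Relic's code. Threat categories, the 1..3 scales and the
sample system are this example's own assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Flow:
    """One data flow from the application decomposition."""
    src: str
    dst: str
    data: str                    # the asset carried by this flow
    crosses_trust_boundary: bool
    authenticated: bool
    encrypted: bool


@dataclass
class Threat:
    flow: Flow
    category: str
    likelihood: int              # 1 rare .. 3 likely
    impact: int                  # 1 minor .. 3 severe
    mitigation: Optional[str] = None    # set when the threat is addressed
    accepted_by: Optional[str] = None   # set when a named owner accepts it

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def enumerate_threats(flows: List[Flow], sensitive: Set[str]) -> List[Threat]:
    """Derive candidate threats mechanically from how each flow is built.
    Only flows that cross a trust boundary are attacker-reachable here."""
    threats: List[Threat] = []
    for f in flows:
        if not f.crosses_trust_boundary:
            continue
        impact = 3 if f.data in sensitive else 1
        if not f.authenticated:
            threats.append(Threat(f, "spoofing", likelihood=3, impact=impact))
        if not f.encrypted:
            threats.append(Threat(f, "information disclosure", likelihood=2, impact=impact))
        threats.append(Threat(f, "tampering", likelihood=2, impact=impact))
    return threats


def rank(threats: List[Threat]) -> List[Threat]:
    """Highest score first; ties keep enumeration order."""
    return sorted(threats, key=lambda t: t.score, reverse=True)


def unresolved(threats: List[Threat], threshold: int = 4) -> List[Threat]:
    """Threats at or above the threshold with neither a mitigation nor an owner."""
    return [t for t in threats
            if t.score >= threshold and not (t.mitigation or t.accepted_by)]


# Constructed decomposition of a toy monitoring service (not a real system).
SENSITIVE_ASSETS = {"credentials", "license key"}
FLOWS = [
    Flow("browser", "web app", "credentials",
         crosses_trust_boundary=True, authenticated=False, encrypted=True),
    Flow("agent", "collector", "metrics",
         crosses_trust_boundary=True, authenticated=True, encrypted=False),
    Flow("web app", "database", "credentials",
         crosses_trust_boundary=False, authenticated=True, encrypted=True),
]


def model() -> List[Threat]:
    """Steps 1 to 4: decompose, identify assets, enumerate, rate and rank."""
    return rank(enumerate_threats(FLOWS, SENSITIVE_ASSETS))


def decide(threats: List[Threat]) -> List[Threat]:
    """Step 5: address or accept each ranked threat; low scores may wait."""
    for t in threats:
        if t.category == "spoofing":
            t.mitigation = "rate-limited login, lockout, MFA for admins"
        elif t.category == "tampering" and t.flow.encrypted:
            t.accepted_by = "web app service owner"   # TLS integrity is enough
    return threats


if __name__ == "__main__":
    ts = decide(model())
    for t in ts:
        state = t.mitigation or (t.accepted_by and f"accepted by {t.accepted_by}") or "OPEN"
        print(f"{t.score} {t.category:<24} {t.flow.src}->{t.flow.dst}: {state}")
    assert not unresolved(ts), "a high-ranked threat has no decision"
```

Run as a script it prints the ranked register and fails if anything above the threshold is still open, which is the shape of check a lightweight, targeted model can afford to run on every change to the decomposition.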
  • 73. Continuous Deployment Security, Development, Testing, & Release: Security Libraries & Services added alongside Secure Coding Practices
  • 74. Secure Libraries & Services: Authentication Service; Security Event Logging Service; Input Validation Regex Patterns; Encryption Libraries
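Two of the shared components slide 74 names, input validation patterns and a security event logging service, sketched as an added example that is not New Relic's library. The pattern names, the 256-character field limit, the event names and the `authenticate` consumer are assumptions made for the example. The two details worth copying are the anchoring (`\A` and `\Z`, because a trailing `$` still matches a value ending in a newline) and emitting events as one JSON line so that attacker-controlled values cannot forge extra log lines or fields.

```python
"""Two shared security-library pieces of the kind slide 74 lists: input
validation patterns and a security event logging helper.
Added example, not New Relic's code. The pattern names, field limits and
event names are this example's own assumptions."""
import hmac
import json
import re
from datetime import datetime, timezone

# Allow-list patterns anchored with \A and \Z. A trailing "$" alone still
# matches "alice\n" in Python, so a newline would slip past the validator.
PATTERNS = {
    "username": re.compile(r"\A[a-z][a-z0-9_]{2,31}\Z"),
    "hex_api_key": re.compile(r"\A[0-9a-f]{40}\Z"),
    "hostname": re.compile(
        r"\A(?=.{1,253}\Z)"                                  # total length
        r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"       # labels with dots
        r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\Z",           # final label
        re.IGNORECASE),
}


def validate(kind: str, value) -> bool:
    """True only when the whole value matches the named allow-list pattern."""
    if not isinstance(value, str):
        return False
    return PATTERNS[kind].match(value) is not None   # KeyError: unknown kind


def security_event(event: str, **fields) -> str:
    """Render one security event as a single JSON line.

    json.dumps escapes control characters, so a value such as
    "bob\\nadmin=true" cannot forge a second log line or an extra field.
    Free-text values are truncated to keep one bad request from filling
    the log."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "event": event}
    for key, value in fields.items():
        if isinstance(value, (bool, int, float)) or value is None:
            record[key] = value
        else:
            record[key] = str(value)[:256]
    return json.dumps(record, separators=(",", ":"))


def authenticate(username: str, api_key: str, ip: str, known_keys: dict) -> str:
    """Tiny consumer of both pieces: validate before lookup, log either way,
    compare in constant time. Returns the JSON event line that was emitted."""
    if not (validate("username", username) and validate("hex_api_key", api_key)):
        return security_event("auth_rejected_invalid_input", user=username, ip=ip)
    if not hmac.compare_digest(known_keys.get(username, ""), api_key):
        return security_event("auth_failed", user=username, ip=ip)
    return security_event("auth_succeeded", user=username, ip=ip)
```

Centralising the patterns means a fix to one regex ships to every caller on the next deploy, which is the argument for a library rather than per-team copies.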
  • 76. Continuous Deployment Security: Static Analysis becomes Automated Static Analysis
  • 79. Continuous Deployment Security: White Box Testing is replaced by Testing Tools & Training
  • 82. Continuous Deployment Security: Dynamic Analysis and Vulnerability Scanning are replaced by Continuous Scanning in Test, Staging, & Production
  • 84. Continuous Deployment Security: Requirements Testing is dropped
  • 86. Continuous Deployment Security: Penetration Testing leaves the Release column and stays in Production
  • 88. Continuous Deployment Security: Security Assessment is replaced by Automated Commit Triage
    Requirements & Design: Required Security Evaluation; Lightweight Targeted Threat Modeling
    Development, Testing, & Release: Secure Coding Practices; Security Libraries & Services; Automated Static Analysis; Testing Tools & Training; Continuous Scanning in Test, Staging, & Production; Automated Commit Triage; Security Sign-Off; Separation of Duties; Management Release Sign-Off; Limits on Production Access
    Production: Penetration Testing
  • 89. Triage Process Dangerous Methods Sensitive Modules Security Keywords Wednesday, November 6, 13
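The triage process on slide 89 routes a commit to a security reviewer when it touches dangerous methods, sensitive modules or security keywords. The script below is an added example of how such automated commit triage can be run over a commit's diff; it is not New Relic's tool or code from the deck. The watch lists, the file paths and the sample diff are all constructed for illustration and would be tuned to a real code base.

```python
import re
from dataclasses import dataclass, field

# Watch lists are constructed for this example; a real deployment tunes them
# to its own framework and code base (these names suggest a Ruby/Rails app).
DANGEROUS_METHODS = ("eval", "exec", "system", "popen", "send", "constantize", "html_safe")
SENSITIVE_MODULES = ("lib/auth/", "app/controllers/sessions", "config/secrets")
SECURITY_KEYWORDS = ("password", "token", "secret", "csrf", "permission", "role", "admin")

_METHOD_RE = re.compile(r"\b(" + "|".join(map(re.escape, DANGEROUS_METHODS)) + r")\b")
_KEYWORD_RE = re.compile(
    r"\b(" + "|".join(map(re.escape, SECURITY_KEYWORDS)) + r")\b", re.IGNORECASE
)


@dataclass
class TriageResult:
    """Why a changed file does (or does not) need a security reviewer's eyes."""
    path: str
    dangerous_methods: set = field(default_factory=set)
    sensitive_module: bool = False
    keywords: set = field(default_factory=set)

    @property
    def needs_review(self) -> bool:
        return bool(self.dangerous_methods or self.sensitive_module or self.keywords)


def added_lines_by_file(diff_text: str) -> dict:
    """Map each file touched by a unified diff to the lines the diff adds to it.

    Only added lines are scanned: a commit that merely deletes a call to a
    dangerous method is not what triage is looking for.
    """
    files, current = {}, None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):                 # new-side file header
            target = line[4:].strip()
            if target == "/dev/null":               # file deleted: nothing added
                current = None
            else:
                current = target.removeprefix("b/")
                files.setdefault(current, [])
        elif line.startswith("+") and current is not None:
            files[current].append(line[1:])         # added line, '+' stripped
    return files


def triage(diff_text: str) -> list:
    """Score every file in the diff against the three triage signals."""
    results = []
    for path, lines in added_lines_by_file(diff_text).items():
        result = TriageResult(path=path)
        result.sensitive_module = any(path.startswith(p) for p in SENSITIVE_MODULES)
        for text in lines:
            result.dangerous_methods.update(_METHOD_RE.findall(text))
            result.keywords.update(k.lower() for k in _KEYWORD_RE.findall(text))
        results.append(result)
    return results


def flagged_paths(diff_text: str) -> list:
    """Paths that should be routed to a security reviewer, in diff order."""
    return [r.path for r in triage(diff_text) if r.needs_review]


# Constructed sample commit: one dangerous method, one sensitive module
# with a security keyword, and one benign documentation change.
SAMPLE_DIFF = """\
diff --git a/app/helpers/render_helper.rb b/app/helpers/render_helper.rb
--- a/app/helpers/render_helper.rb
+++ b/app/helpers/render_helper.rb
@@ -1,2 +1,5 @@
 module RenderHelper
+  def render_snippet(code)
+    eval(code)
+  end
 end
diff --git a/lib/auth/session.rb b/lib/auth/session.rb
--- a/lib/auth/session.rb
+++ b/lib/auth/session.rb
@@ -10,2 +10,3 @@
   def expire!
+    @token = nil
   end
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # Service
+Run `bin/setup` before starting the app.
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_DIFF):
        verdict = "REVIEW" if r.needs_review else "auto-ok"
        print(f"{verdict:8} {r.path}: methods={sorted(r.dangerous_methods)} "
              f"sensitive={r.sensitive_module} keywords={sorted(r.keywords)}")
```

Run against the constructed diff, the helper that adds `eval` and the change under `lib/auth/` are flagged for review while the README edit passes straight through. In a pipeline this would sit in a post-commit hook or CI step and only the flagged paths would be queued for a human reviewer, which is what keeps the process lightweight at commit-per-hour pace.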
  • 90. Continuous Deployment Security (table as at slide 88).
  • 91–92. Continuous Deployment Security (same table). Development, Testing, & Release: Security Sign-Off is replaced by Quick Detection & Recovery.
  • 93–94. Continuous Deployment Security (same table). Production: Separation of Duties is replaced by Accountability.
  • 95. Continuous Deployment Security (same table). Production: Management Release Sign-Off is replaced by Sidekick Process.
  • 99. Two Sets of (masked) eyes on every change.
  • 100. Continuous Deployment Security (table as at slide 95).
  • 101–102. Continuous Deployment Security (same table). Production: Limits on Production Access is replaced by Enabling Tools.
  • 103. Continuous Deployment Security (final table). Requirements & Design: Required Security Evaluation; Lightweight Targeted Threat Modeling. Development, Testing, & Release: Secure Coding Practices; Security Libraries & Services; Automated Static Analysis Testing; Tools & Training; Continuous Scanning in Test, Staging, & Production; Automated Commit Triage; Quick Detection & Recovery. Production: Accountability; Sidekick Process; Enabling Tools; Penetration Testing.
  • 105. Powered By...: Automation; Training & Empowerment; Lightweight Processes; Triage; Quick Detection & Response.
  • 108. Auditors: Compensating Controls; Tell the Story.
  • 111. Image Attribution. Slide 14: Checkpoint Rheinpark by http://www.flickr.com/photos/kecko/3179561892/