
Secure Continuous Delivery


When organisations begin to adopt Continuous Delivery, engineering teams begin to deliver at a pace that can create a strain on other parts of the business. Security teams often struggle to adapt to this faster delivery model, but that doesn’t need to be the case.
In this talk, Stuart will discuss a few ways you can take advantage of continuous delivery to make security a first-class citizen of software engineering. Grounding the theory with real-world experience, he’ll share a few stories of how other organisations have used these ideas to transform their delivery.

SPEAKER: Stuart Gunter

Stuart is the Security Practice Lead at Equal Experts. He has over 20 years’ experience in software engineering, architecture and security. He has worked with a variety of public and private sector organisations across a range of industries, helping them effectively embed security within agile delivery.

Published in: Technology

Secure Continuous Delivery

  1. Secure Continuous Delivery with Stuart Gunter
  2. A common approach to security
  3. Shortcomings of the common approach
  4. Contextual threat modelling
     ● What are we building?
     ● What could go wrong?
     ● What should we do about it?
     ● Is it correct?
  5. Contextual threat modelling (https://secure-delivery.playbook.ee/practices/build/stories-and-epics#iterative-and-incremental-threat-modelling)
     The same four questions: What are we building? What could go wrong? What should we do about it? Is it correct?
     ● Collaborative activity including delivery team and security
     ● Don’t get bogged down choosing the perfect method
     ● Detailed technical discussion
       ○ Varied security expertise is valuable here (SecOps, Red Teams, Pen Testers, Security Architects, etc.)
       ○ Enough detail to build the right thing, right
       ○ Generate testable requirements
     ● Shift security from rubber-stampers to SMEs
     ● Continued practice improves speed and proficiency
  6. Automated security assurance (https://secure-delivery.playbook.ee/practices/build/security-in-the-pipeline#security-analysis-on-every-build)
     Slide columns: Security Tools | Security Tests
     ● Do not add any tools until you understand what you’re trying to achieve and how the tool works
     ● Validate security alongside feature delivery
     ● Threat modelling output should help drive security testing
     ● Combine security tools with custom tests
     ● Include app and infra security tests
     ● If a security control is critical enough to prevent you going live, prove that it works with every release
     ● Invest in policy-as-code
  7. Learning from production
     ● Unexpected configuration change (malicious or accidental)
     ● Newly-discovered vulnerability
     ● Temporal change (e.g. certificate expiry)
     ● Technological progress (e.g. advances in browser security features)
     ● Missing test
     ● Invalid assumption
  8. Learning from production (https://secure-delivery.playbook.ee/practices/operate/security-testing-in-production)
     ● Design a security feedback loop for production
     ● Combine techniques to maximise learning
       ○ Penetration testing
       ○ Vulnerability disclosure policy
       ○ Bug bounties
       ○ Chaos engineering
     ● The goal is to prevent security issues from reaching production, so use these exercises to improve earlier stages in the pipeline
  9. Continuous Delivery is a journey
  10. Secure Delivery Playbook (https://secure-delivery.playbook.ee/)
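The "generate testable requirements" point on slide 5 and the "prove that it works with every release" and "policy-as-code" points on slide 6 can be combined into one pipeline gate: each threat-model finding becomes a check over the release candidate's rendered configuration, and only the checks marked as critical block the release. The Python below is an added illustration, not code from the talk or from the Secure Delivery Playbook; the requirement identifiers (TM-1 to TM-4), the check functions and the release-candidate configuration are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Requirement:
    """One testable requirement produced by the threat-modelling session."""
    ident: str                       # constructed identifier, e.g. "TM-1"
    threat: str                      # the "what could go wrong" it addresses
    check: Callable[[dict], bool]    # True when the control is in place
    blocking: bool                   # True: a failure must stop the release


def tls_enforced(cfg: dict) -> bool:
    """Listener must be HTTPS with a minimum TLS version of 1.2."""
    listener = cfg.get("listener", {})
    version = tuple(int(p) for p in str(listener.get("min_tls", "0")).split("."))
    return listener.get("protocol") == "https" and version >= (1, 2)


def no_public_storage(cfg: dict) -> bool:
    """No storage bucket may allow anonymous reads."""
    return not any(b.get("public_read", False) for b in cfg.get("buckets", []))


def admin_requires_mfa(cfg: dict) -> bool:
    """Every administrative role must require MFA (vacuously true with no admins)."""
    return all(r.get("mfa", False) for r in cfg.get("roles", []) if r.get("admin"))


def no_secrets_in_env(cfg: dict) -> bool:
    """Secrets belong in a secret store, not in plain environment variables."""
    return not any(w in k.upper() for k in cfg.get("env", {}) for w in ("SECRET", "PASSWORD", "TOKEN"))


# Constructed requirement set; identifiers and threat wording are illustrative only.
REQUIREMENTS = [
    Requirement("TM-1", "credentials sniffed on an unencrypted transport", tls_enforced, True),
    Requirement("TM-2", "customer data exposed via a public bucket", no_public_storage, True),
    Requirement("TM-3", "admin takeover with a stolen password", admin_requires_mfa, True),
    Requirement("TM-4", "secrets leaked through an environment dump", no_secrets_in_env, False),
]


def evaluate(cfg: dict, requirements=REQUIREMENTS) -> tuple[bool, list[str]]:
    """Run every requirement; return (release_allowed, failed identifiers). Advisory failures are reported only."""
    failed = [r.ident for r in requirements if not r.check(cfg)]
    blocked = any(r.blocking for r in requirements if r.ident in failed)
    return not blocked, failed


# Constructed release-candidate configuration, as a deploy pipeline might render it.
CANDIDATE = {
    "listener": {"protocol": "https", "min_tls": "1.2"},
    "buckets": [{"name": "exports", "public_read": True}],
    "roles": [{"name": "ops-admin", "admin": True, "mfa": True}],
    "env": {"DB_PASSWORD": "injected-at-runtime", "LOG_LEVEL": "info"},
}
```

Running `evaluate(CANDIDATE)` fails TM-2 (a blocking control) and TM-4 (advisory), so the release is refused; the same requirement list runs unchanged on every build, which is what turns a threat-model finding into a control that is proven rather than assumed.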