
DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes to secure your DevOps tool chain by Abdessamad Temmar


Published in: Technology

  1. BOSTON 10-11 SEPT 2018. Automated DevSecOps infrastructure deployment: recipes to secure your DevOps tool chain. ABDESSAMAD TEMMAR
  2. About me
     • Abdessamad TEMMAR
     • Head of Offensive and R&D Activities
     • OWASP Contributor
     • CEH, CEI & OSCP
     Marrakech, Morocco
  3. About me. Marrakech, Morocco
  4. About me. Atlas Mountains and Three Valleys, Morocco
  5. About me. “I AM A NICE SECURITY PROFESSIONAL, NOT MINDLESS VULNERABILITY SPEWING MACHINE. IF I AM TO CHANGE THIS IMAGE, I MUST FIRST CHANGE MYSELF. DEVELOPERS ARE FRIENDS, NOT FOOLS.” - Bruce, Aaron and Matt
  6. AST challenges
     • Communication: provide metrics (and evidence) about the security level of each/every stage/sprint of the application’s life cycle.
     • Integration: appropriate (and efficient) investment for application security (improvise, adapt, overcome!)
     • Ease of use: the ability to transform the current pipeline without forcing the developers to change the way they work (or the tools they use).
     • Accuracy: continuously work on filtering FP and writing custom scanning rules.
     • Speed: automate everything! Be FAST (and FURIOUS)!
  7. Securing your pipeline: agile approach (cycle diagram, steps numbered 1 to 6; labels in the order extracted)
     • Identifying the app sec requirements and environment
     • Sprint
     • Working increment of the sec pipeline
     • Assessing application security risks
     • Define your app sec controls and associated sec gates
     • Convert scanning output to training topics (5)
     • Filter FP, reconfigure scanning tool (6)
  8. Our initial pipeline (1/2) (diagram; stage labels as extracted: Deploy, Test, Build, Checkout)
  9. Our initial pipeline (2/2) (branch diagram; branches: Development, Master, Production; events: Commit, Merge)
  10. Our recipe to build a secure pipeline :p
     INGREDIENTS
     • Static code analysis tool (SAST)
     • Web application scanner tool (DAST)
     • Environment compliance check
     • Vulnerability management system
     OPTIONAL:
     • Continuous security monitoring
     • Red teaming exercises
     • Secret management
     TOOLS NEEDED
     • Existing DevOps tools
     • SAST, DAST, MAST, IAST
     DIRECTIONS
     • See the following slides
     TIME TO PREPARE
     • It depends!
  11. Task 1: Static code analysis tool
  12. Task 2: Web application scanner tool
  13. Task 3: Inspect Your Infrastructure
  14. Task 4: Vulnerability management system
  15. Task 4: Vulnerability management system
  16. THANKS! Any questions? You can find me at: MAIL: ATEMMAR@ABCIT.FR, TWITTER: @T333333R
