SlideShare ist ein Scribd-Unternehmen logo

DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Jeff Williams

DevSecCon
DevSecCon

DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Jeff Williams

Technologie
1 von 32
Downloaden Sie, um offline zu lesen
BOSTON 10-11 SEPT 2018 Building a Practical DevSecOps Pipeline for Free JEFF WILLIAMS, CTO AND CO-FOUNDER CONTRAST SECURITY
The Average application is extremely vulnerable 71% unused Libraries 26.7Vulnerabilities 2Vulnerabilities 8% USED Libraries 21% Custom Code
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 3 You are Under AttacK
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 4 Please, Don’t let anyone Blame Velocity SECURING FAST-CHANGING THINGS IS DIFFERENT
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 5 DevSecOps is very promising… https://itrevolution.com/the-three-ways-principles-underpinning-devops/ 1.Establish work flow 2.Ensure instant feedback 3.Culture of experimentation 1.Establish security work flow 2.Ensure instant security feedback 3.Build a security culture DEVOPS DEVSECOPS
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 6 Recommended resources https://dzone.com/refcardz/introduction-to-devsecopshttps://www.manning.com/books/securing-devops
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 7 Evolution of appsec Automation DAST (Dynamic AppSec Testing) WAF (Web Application Firewall) SAST (Static AppSec Testing) IDS/IPS (Intrusion Detection/ Prevention System) Development (find vulnerabilities) Operations (Prevent Exploit) IAST (Interactive AppSec Testing) RASP (Runtime Application Self-Protection) Unified IAST, RASP, SCA 2002 2002 20152012 Today
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 8 A DevSECOPS-enhanced pipeline Development CI/CD/QA Operations IAST/RASP IAST/RASP IAST/RASP
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 9 How IAST and RASP WOrk Your Application or API Exploit Prevented Vulnerability Confirmed ✘ IAST • Detects vulnerabilities in both custom code and libraries during normal use RASP • Prevents vulnerabilities from being exploited in both custom code and libraries Runtime Application Self- Protection Config Sensors Code Sensors Control Flow Sensors HTTP Sensors Backend Sensors Data Flow Sensors Library Sensors AGENT Interactive Application Security Testing
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 10 Shift left, right, and everywhere! Security in development Security in integration Security in operations PROTECT • Tell me who is attacking and how • Stop vulns from being exploited • Don’t create alert fatigue ASSURE • Don’t slow down my builds • Integrate with my testing tools • Real vulns break my build EMPOWER •Test my custom code and libraries •Realtime feedback through my tools •Don’t slow me down
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 11 • Must be extremely accurate • Must work on modern apps with APIs and OSS Test my custom code AND libraries • Must integrate with tools I’m already using – NO PDF! Realtime feedback through my tools • Must not create bottleneck – NO SCANNING! Don’t slow me down Security in Development
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 12 Automation is all about speed, accuracy, and ease-of-use OWASP Benchmark Free and open application benchmark with thousands of security test cases
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 13 DOWNLOAD an iast/RASP agent 1. Download 2. install 3. Enjoy agent
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 14 PRODDEV CI/CD APIs Containers PrivateCloud APIs ContainersPrivate Public Cloud Custom code - and - Open Source Empower developers to assess their own security!
IDE Chatops Browser 15 Security in Everyday environment OTHERS:
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 16 • Fully automated security testing with every build Don’t slow down my builds • Plugins, integrations, webhooks, and FULL REST API Integrate with my testing tools • Set criteria for when to break the build Break my build… but only for real issues Security In Integration
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 17 Fail the build
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 18 Automatic bugtracking integration
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 19 Measuring attack surface
Jumpstarting Your DevSecOps Pipeline with IAST and RASP | @planetlevel 20 Measuring security testing Coverage
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 21 • I need actionable threat intelligence Tell me who is attacking and how • Must not overblock (FP) or underblock (FN) Stop vulnerabilities from being exploited • Don’t warn me about meaningless probes Don’t create alert fatigue Security in operations
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 22 PROTECT Applications and APIs WITH RASP Custom Code Open Source Libraries and Frameworks Application Server and Platform • PREVENTS Known Vulnerabilities from exploit • Prevents LATENT Vulnerabilities from exploit • Fast response to prevent NOVEL vulnerabilities from exploit
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 23 RASP deploys with your application • Ansible • Puppet • Docker • Kubernetes • Whatever…
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 24 Protect against Latent vulnerabilities March 7 CVE-2017 -5638 Disclosed, Apache releases fixed version March 8 We observe widespread attacks Mid-May Equifax breach occurs July 29 Equifax learns of breach Sept 7 Equifax discloses, Four more Struts2 CVEs disclosed No updates You must have infrastructure to respond within hours. DisasterNo detection
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 25 RASP supports complex protocols Application Untrusted deserialization Name: Smith, James Record ID: 123456 Owner: Finance Application expects to receive this object Bad Guy AcmeInternalType#cmd: java.lang.Runtime AcmeInternalType#mtd: getRuntime().exec AcmeInternalType#args: ‘cmd.exe’,’/C’,’calc’ AcmeInternalType#cmd: java.lang.Runtime AcmeInternalType#mtd: getRuntime().exec AcmeInternalType#args: ‘cmd.exe’,’/C’,’calc’ Attacker sends malicious object
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 26 RASP IS FAST +50 µs 100x faster than waf Contrast Protect waf +5 ms
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 27 appsec Threat intelligence
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 28 DevSecOps Pipeline Security in development Security in integration Security in operations PROTECT • Tell me who is attacking and how • Stop vulns from being exploited • Don’t create alert fatigue ASSURE • Don’t slow down my builds • Integrate with my testing tools • Real vulns break my build EMPOWER •Test my custom code and libraries •Realtime feedback through my tools •Don’t slow me down
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 29 SUMMARY: Scanners and Firewalls don’t Scale Experts Expert Tools Application Portfolio Assurance Coverage Process Fit Awful Results $$$$ Traditional AppSec Program
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 30 Summary: devops + security works at scale
DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 31 Free DevSecOps Tools OWASP Dependency check • Free SCA tool to scan for known vulnerabilities in libraries. • https://www.owasp.org/index.php/OWASP_Dependency _Check Retire.js • Free SCA tool to scan for known vulnerabilities in javascript libraries • https://retirejs.github.io/retire.js Contrast CE • Free and full-strength IAST, RASP, and SCA for Java applications and APIs. • http://contrastsecurity.com/ce
BOSTON 10-11 SEPT 2018 Thank you! Ask me anything.

Empfohlen

Security in serverless world
Security in serverless worldSecurity in serverless world
Security in serverless worldYan Cui
 
DevSecOps: A New Hope for Security in CI/CD
DevSecOps: A New Hope for Security in CI/CDDevSecOps: A New Hope for Security in CI/CD
DevSecOps: A New Hope for Security in CI/CDFranklin Mosley
 
DevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon
 
The New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsThe New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsJames Wickett
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
RSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxRSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxSonatype
 
Adversary Driven Defense in the Real World
Adversary Driven Defense in the Real WorldAdversary Driven Defense in the Real World
Adversary Driven Defense in the Real WorldJames Wickett
 

Empfohlen

Security in serverless world
Security in serverless worldSecurity in serverless world
Security in serverless worldYan Cui
 
DevSecOps: A New Hope for Security in CI/CD
DevSecOps: A New Hope for Security in CI/CDDevSecOps: A New Hope for Security in CI/CD
DevSecOps: A New Hope for Security in CI/CDFranklin Mosley
 
DevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon London 2018: Open DevSecOps
DevSecCon London 2018: Open DevSecOpsDevSecCon
 
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon Singapore 2019: Embracing Security - A changing DevOps landscape
DevSecCon Singapore 2019: Embracing Security - A changing DevOps landscapeDevSecCon
 
The New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsThe New Security Playbook: DevSecOps
The New Security Playbook: DevSecOpsJames Wickett
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
RSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxRSAC DevSecOpsDays 2018 - We are all Equifax
RSAC DevSecOpsDays 2018 - We are all EquifaxSonatype
 
Adversary Driven Defense in the Real World
Adversary Driven Defense in the Real WorldAdversary Driven Defense in the Real World
Adversary Driven Defense in the Real WorldJames Wickett
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an IntroductionPrashanth B. P.
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactSBWebinars
 
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...Erkang Zheng
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOpsArchana Joshi
 
DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...
DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...
DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...DevSecCon
 
How to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspectiveHow to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspectiveColin Domoney
 
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...SecureSoftwareDevOn SecureSoftwareDevOn
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018Sonatype
 
Zero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOpsZero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOpsDevSecOps Days
 
Build reliable Svelte applications using Cypress
Build reliable Svelte applications using CypressBuild reliable Svelte applications using Cypress
Build reliable Svelte applications using CypressMaurice De Beijer [MVP]
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineDevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineJames Wickett
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSEric Smalling
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOpsFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
How to automate your DevSecOps successfully
How to automate your DevSecOps successfullyHow to automate your DevSecOps successfully
How to automate your DevSecOps successfullyManuel Pistner
 
DevSecOps Days SF at RSA Conference 2018
DevSecOps Days SF at RSA Conference 2018DevSecOps Days SF at RSA Conference 2018
DevSecOps Days SF at RSA Conference 2018DevSecOps Days
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsabhimanyubhogwan
 
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...DevSecCon
 
DevOps or DevSecOps
DevOps or DevSecOpsDevOps or DevSecOps
DevOps or DevSecOpsMichelangelo van Dam
 
Continuous (Non)-Functional Testing of Microservices on k8s
Continuous (Non)-Functional Testing of Microservices on k8s Continuous (Non)-Functional Testing of Microservices on k8s
Continuous (Non)-Functional Testing of Microservices on k8s QAware GmbH
 
Outpost24 webinar - Api security
Outpost24 webinar - Api securityOutpost24 webinar - Api security
Outpost24 webinar - Api securityOutpost24
 

Weitere ähnliche Inhalte

Was ist angesagt?

DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an IntroductionPrashanth B. P.
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactSBWebinars
 
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...Erkang Zheng
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOpsArchana Joshi
 
DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...
DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...
DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...DevSecCon
 
How to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspectiveHow to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspectiveColin Domoney
 
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...SecureSoftwareDevOn SecureSoftwareDevOn
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018Sonatype
 
Zero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOpsZero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOpsDevSecOps Days
 
Build reliable Svelte applications using Cypress
Build reliable Svelte applications using CypressBuild reliable Svelte applications using Cypress
Build reliable Svelte applications using CypressMaurice De Beijer [MVP]
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineDevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineJames Wickett
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSEric Smalling
 
How to automate your DevSecOps successfully
How to automate your DevSecOps successfullyHow to automate your DevSecOps successfully
How to automate your DevSecOps successfullyManuel Pistner
 
DevSecOps Days SF at RSA Conference 2018
DevSecOps Days SF at RSA Conference 2018DevSecOps Days SF at RSA Conference 2018
DevSecOps Days SF at RSA Conference 2018DevSecOps Days
 
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...DevSecCon
 

Was ist angesagt? (20)

DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
 
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
 
DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...
DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...
DevSecCon Boston 2018: Automated DevSecOps infrastructure deployment: recipes...
 
How to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspectiveHow to get the best out of DevSecOps - an operations perspective
How to get the best out of DevSecOps - an operations perspective
 
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...
 
DevSecOps reference architectures 2018
DevSecOps reference architectures 2018DevSecOps reference architectures 2018
DevSecOps reference architectures 2018
 
Zero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOpsZero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOps
 
Build reliable Svelte applications using Cypress
Build reliable Svelte applications using CypressBuild reliable Svelte applications using Cypress
Build reliable Svelte applications using Cypress
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery PipelineDevSecOps Singapore 2017 - Security in the Delivery Pipeline
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
 
AWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWSAWS live hack: Docker + Snyk Container on AWS
AWS live hack: Docker + Snyk Container on AWS
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
 
How to automate your DevSecOps successfully
How to automate your DevSecOps successfullyHow to automate your DevSecOps successfully
How to automate your DevSecOps successfully
 
DevSecOps Days SF at RSA Conference 2018
DevSecOps Days SF at RSA Conference 2018DevSecOps Days SF at RSA Conference 2018
DevSecOps Days SF at RSA Conference 2018
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...
 
DevOps or DevSecOps
DevOps or DevSecOpsDevOps or DevSecOps
DevOps or DevSecOps
 

Ähnlich wie DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Jeff Williams

Continuous (Non)-Functional Testing of Microservices on k8s
Continuous (Non)-Functional Testing of Microservices on k8s Continuous (Non)-Functional Testing of Microservices on k8s
Continuous (Non)-Functional Testing of Microservices on k8s QAware GmbH
 
Outpost24 webinar - Api security
Outpost24 webinar - Api securityOutpost24 webinar - Api security
Outpost24 webinar - Api securityOutpost24
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsAmazon Web Services
 
JCON_15FactorWorkshop.pptx
JCON_15FactorWorkshop.pptxJCON_15FactorWorkshop.pptx
JCON_15FactorWorkshop.pptxGrace Jansen
 
DevOps Tooling - Pop-up Loft TLV 2017
DevOps Tooling - Pop-up Loft TLV 2017DevOps Tooling - Pop-up Loft TLV 2017
DevOps Tooling - Pop-up Loft TLV 2017Amazon Web Services
 
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar NikaleAgile Testing Alliance
 
AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityMatt Tesauro
 
DevOps on AWS - Building Systems to Deliver Faster
DevOps on AWS - Building Systems to Deliver FasterDevOps on AWS - Building Systems to Deliver Faster
DevOps on AWS - Building Systems to Deliver FasterAmazon Web Services
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsAmazon Web Services
 
stackconf 2021 | Continuous Security – integrating security into your pipelines
stackconf 2021 | Continuous Security – integrating security into your pipelinesstackconf 2021 | Continuous Security – integrating security into your pipelines
stackconf 2021 | Continuous Security – integrating security into your pipelinesNETWAYS
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSEric Smalling
 
Clean Architecture Essentials - Stockholm Software Craftsmanship
Clean Architecture Essentials - Stockholm Software CraftsmanshipClean Architecture Essentials - Stockholm Software Craftsmanship
Clean Architecture Essentials - Stockholm Software CraftsmanshipIvan Paulovich
 
Application Lifecycle Management
Application Lifecycle ManagementApplication Lifecycle Management
Application Lifecycle ManagementAmazon Web Services
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World42Crunch
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramTake Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramDeborah Schalm
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program DevOps.com
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Jeff Williams
 

Ähnlich wie DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Jeff Williams (20)

Continuous (Non)-Functional Testing of Microservices on k8s
Continuous (Non)-Functional Testing of Microservices on k8s Continuous (Non)-Functional Testing of Microservices on k8s
Continuous (Non)-Functional Testing of Microservices on k8s
 
Outpost24 webinar - Api security
Outpost24 webinar - Api securityOutpost24 webinar - Api security
Outpost24 webinar - Api security
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
 
JCON_15FactorWorkshop.pptx
JCON_15FactorWorkshop.pptxJCON_15FactorWorkshop.pptx
JCON_15FactorWorkshop.pptx
 
DevOps Tooling - Pop-up Loft TLV 2017
DevOps Tooling - Pop-up Loft TLV 2017DevOps Tooling - Pop-up Loft TLV 2017
DevOps Tooling - Pop-up Loft TLV 2017
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
 
AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based Security
 
DevOps on AWS - Building Systems to Deliver Faster
DevOps on AWS - Building Systems to Deliver FasterDevOps on AWS - Building Systems to Deliver Faster
DevOps on AWS - Building Systems to Deliver Faster
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
 
stackconf 2021 | Continuous Security – integrating security into your pipelines
stackconf 2021 | Continuous Security – integrating security into your pipelinesstackconf 2021 | Continuous Security – integrating security into your pipelines
stackconf 2021 | Continuous Security – integrating security into your pipelines
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
 
Clean Architecture Essentials - Stockholm Software Craftsmanship
Clean Architecture Essentials - Stockholm Software CraftsmanshipClean Architecture Essentials - Stockholm Software Craftsmanship
Clean Architecture Essentials - Stockholm Software Craftsmanship
 
Application Lifecycle Management
Application Lifecycle ManagementApplication Lifecycle Management
Application Lifecycle Management
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
 
Dev{sec}ops
Dev{sec}opsDev{sec}ops
Dev{sec}ops
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps ProgramTake Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program
 
Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program Take Control: Design a Complete DevSecOps Program
Take Control: Design a Complete DevSecOps Program
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security
 

Mehr von DevSecCon

DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon
 
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon
 
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon
 
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security KnowledgeDevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security KnowledgeDevSecCon
 
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon
 
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon
 
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon
 
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon
 
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon
 
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon
 
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon
 
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon
 
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon
 
DevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon
 
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...DevSecCon
 
DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...
DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...
DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...DevSecCon
 

Mehr von DevSecCon (20)

DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
 
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
DevSecCon London 2019: Are Open Source Developers Security’s New Front Line?
 
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
DevSecCon London 2019: How to Secure OpenShift Environments and What Happens ...
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
 
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security KnowledgeDevSecCon Seattle 2019: Containerizing IT Security Knowledge
DevSecCon Seattle 2019: Containerizing IT Security Knowledge
 
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
DevSecCon Seattle 2019: Decentralized Authorization - Implementing Fine Grain...
 
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...
 
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
DevSecCon Seattle 2019: Fully Automated production deployments with HIPAA/HIT...
 
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
DevSecCon Singapore 2019: Four years of reflection: How (not) to secure Web A...
 
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
DevSecCon Singapore 2019: crypto jacking: An evolving threat for cloud contai...
 
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
DevSecCon Singapore 2019: Can "dev", "sec" and "ops" really coexist in the wi...
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
 
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we thinkDevSecCon Singapore 2019: Web Services aren’t as secure as we think
DevSecCon Singapore 2019: Web Services aren’t as secure as we think
 
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
DevSecCon Singapore 2019: An attacker's view of Serverless and GraphQL apps S...
 
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
DevSecCon Singapore 2019: The journey of digital transformation through DevSe...
 
DevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for KubernetesDevSecCon Singapore 2019: Preventative Security for Kubernetes
DevSecCon Singapore 2019: Preventative Security for Kubernetes
 
DevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heelDevSecCon London 2018: Is your supply chain your achille's heel
DevSecCon London 2018: Is your supply chain your achille's heel
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificates
 
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
DevSecCon London 2018: Building effective DevSecOps teams through role-playin...
 
DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...
DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...
DevSecCon London 2018: Variant Analysis – A critical step in handling vulnera...
 

Kürzlich hochgeladen

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 

Kürzlich hochgeladen (20)

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 

DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Jeff Williams

  • 1. BOSTON 10-11 SEPT 2018 Building a Practical DevSecOps Pipeline for Free JEFF WILLIAMS, CTO AND CO-FOUNDER CONTRAST SECURITY
  • 2. The Average application is extremely vulnerable 71% unused Libraries 26.7Vulnerabilities 2Vulnerabilities 8% USED Libraries 21% Custom Code
  • 3. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 3 You are Under AttacK
  • 4. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 4 Please, Don’t let anyone Blame Velocity SECURING FAST-CHANGING THINGS IS DIFFERENT
  • 5. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 5 DevSecOps is very promising… https://itrevolution.com/the-three-ways-principles-underpinning-devops/ 1.Establish work flow 2.Ensure instant feedback 3.Culture of experimentation 1.Establish security work flow 2.Ensure instant security feedback 3.Build a security culture DEVOPS DEVSECOPS
  • 6. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 6 Recommended resources https://dzone.com/refcardz/introduction-to-devsecopshttps://www.manning.com/books/securing-devops
  • 7. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 7 Evolution of appsec Automation DAST (Dynamic AppSec Testing) WAF (Web Application Firewall) SAST (Static AppSec Testing) IDS/IPS (Intrusion Detection/ Prevention System) Development (find vulnerabilities) Operations (Prevent Exploit) IAST (Interactive AppSec Testing) RASP (Runtime Application Self-Protection) Unified IAST, RASP, SCA 2002 2002 20152012 Today
  • 8. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 8 A DevSECOPS-enhanced pipeline Development CI/CD/QA Operations IAST/RASP IAST/RASP IAST/RASP
  • 9. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 9 How IAST and RASP WOrk Your Application or API Exploit Prevented Vulnerability Confirmed ✘ IAST • Detects vulnerabilities in both custom code and libraries during normal use RASP • Prevents vulnerabilities from being exploited in both custom code and libraries Runtime Application Self- Protection Config Sensors Code Sensors Control Flow Sensors HTTP Sensors Backend Sensors Data Flow Sensors Library Sensors AGENT Interactive Application Security Testing
  • 10. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 10 Shift left, right, and everywhere! Security in development Security in integration Security in operations PROTECT • Tell me who is attacking and how • Stop vulns from being exploited • Don’t create alert fatigue ASSURE • Don’t slow down my builds • Integrate with my testing tools • Real vulns break my build EMPOWER •Test my custom code and libraries •Realtime feedback through my tools •Don’t slow me down
  • 11. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 11 • Must be extremely accurate • Must work on modern apps with APIs and OSS Test my custom code AND libraries • Must integrate with tools I’m already using – NO PDF! Realtime feedback through my tools • Must not create bottleneck – NO SCANNING! Don’t slow me down Security in Development
  • 12. Jumpstarting Your DevSecOps Pipeline with IAST and RASP | contrastsecurity.com 12 Automation is all about speed, accuracy, and ease-of-use OWASP Benchmark Free and open application benchmark with thousands of security test cases
  • 13. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 13 DOWNLOAD an iast/RASP agent 1. Download 2. install 3. Enjoy agent
  • 14. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 14 PRODDEV CI/CD APIs Containers PrivateCloud APIs ContainersPrivate Public Cloud Custom code - and - Open Source Empower developers to assess their own security!
  • 15. IDE Chatops Browser 15 Security in Everyday environment OTHERS:
  • 16. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 16 • Fully automated security testing with every build Don’t slow down my builds • Plugins, integrations, webhooks, and FULL REST API Integrate with my testing tools • Set criteria for when to break the build Break my build… but only for real issues Security In Integration
  • 17. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 17 Fail the build
  • 18. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 18 Automatic bugtracking integration
  • 19. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 19 Measuring attack surface
  • 20. Jumpstarting Your DevSecOps Pipeline with IAST and RASP | @planetlevel 20 Measuring security testing Coverage
  • 21. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 21 • I need actionable threat intelligence Tell me who is attacking and how • Must not overblock (FP) or underblock (FN) Stop vulnerabilities from being exploited • Don’t warn me about meaningless probes Don’t create alert fatigue Security in operations
  • 22. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 22 PROTECT Applications and APIs WITH RASP Custom Code Open Source Libraries and Frameworks Application Server and Platform • PREVENTS Known Vulnerabilities from exploit • Prevents LATENT Vulnerabilities from exploit • Fast response to prevent NOVEL vulnerabilities from exploit
  • 23. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 23 RASP deploys with your application • Ansible • Puppet • Docker • Kubernetes • Whatever…
  • 24. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 24 Protect against Latent vulnerabilities March 7 CVE-2017 -5638 Disclosed, Apache releases fixed version March 8 We observe widespread attacks Mid-May Equifax breach occurs July 29 Equifax learns of breach Sept 7 Equifax discloses, Four more Struts2 CVEs disclosed No updates You must have infrastructure to respond within hours. DisasterNo detection
  • 25. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 25 RASP supports complex protocols Application Untrusted deserialization Name: Smith, James Record ID: 123456 Owner: Finance Application expects to receive this object Bad Guy AcmeInternalType#cmd: java.lang.Runtime AcmeInternalType#mtd: getRuntime().exec AcmeInternalType#args: ‘cmd.exe’,’/C’,’calc’ AcmeInternalType#cmd: java.lang.Runtime AcmeInternalType#mtd: getRuntime().exec AcmeInternalType#args: ‘cmd.exe’,’/C’,’calc’ Attacker sends malicious object
  • 26. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 26 RASP IS FAST +50 µs 100x faster than waf Contrast Protect waf +5 ms
  • 27. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 27 appsec Threat intelligence
  • 28. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 28 DevSecOps Pipeline Security in development Security in integration Security in operations PROTECT • Tell me who is attacking and how • Stop vulns from being exploited • Don’t create alert fatigue ASSURE • Don’t slow down my builds • Integrate with my testing tools • Real vulns break my build EMPOWER •Test my custom code and libraries •Realtime feedback through my tools •Don’t slow me down
  • 29. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 29 SUMMARY: Scanners and Firewalls don’t Scale Experts Expert Tools Application Portfolio Assurance Coverage Process Fit Awful Results $$$$ Traditional AppSec Program
  • 30. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 30 Summary: devops + security works at scale
  • 31. DevSecCon Boston 2018: Building a Practical DevSecOps Pipeline for Free 31 Free DevSecOps Tools OWASP Dependency check • Free SCA tool to scan for known vulnerabilities in libraries. • https://www.owasp.org/index.php/OWASP_Dependency _Check Retire.js • Free SCA tool to scan for known vulnerabilities in javascript libraries • https://retirejs.github.io/retire.js Contrast CE • Free and full-strength IAST, RASP, and SCA for Java applications and APIs. • http://contrastsecurity.com/ce
  • 32. BOSTON 10-11 SEPT 2018 Thank you! Ask me anything.