DevSecCon London 2018: Open DevSecOps
PETKO D. PETKOV
Thanks to the DevSecOps philosophy a growing number of organisations around the world are ensuring their businesses are set up with the security in mind from the get-go. DevSecOps is taking the world by storm. This talk is about how to introduce DevSecOps in your organisation with ready-made, zero-cost, open source templates accessible to everyone. The talk will introduce the OpenDevSecOps project and show many practical examples of how to easily deploy security testing infrastructure on top of existing and well-established development tools.

Slides
  1. LONDON 18-19 OCT 2018 Open DevSecOps PETKO D. PETKOV
  2. 3
  3. 2
  4. 1
  5. You have to know the past to understand the present. Carl Sagan
  6. 1995
  7. Hacking The Gibson
  8. Knowledge Prestige Community
  9. Knowledge Prestige Community
  10. Knowledge Prestige Community
  11. Milestones
  12. Pentesting Vuln Programs Bug Bounties DevSecOps
  13. Pentesting Vuln Programs Bug Bounties DevSecOps 2002 2007 2012 2018 5
  14. RED TEAM PENTESTER
  15. $10,000 (2005) $500,000 (2018)
  16. $10,000 $100,000
  17. DevSecOps Continuous Integration / Delivery
  18. Code Build Test Deploy Monitor
  19. Code Build Test Deploy Monitor
  20. What's the point?
  21. US VS THEM / THEM VS US
  22. We are here
  23. Open DevSecOps Putting "Open" back into the DevSecOps Model
  24. Code Build Test Deploy Monitor
  25. Code Build Test Deploy Monitor ? ? ? ?
  26. DEV Tools Static Source Code Scanner Dynamic Application Scanner
  27. Infrastructure It is also expressed in code these days
  28. DevSecOps SecOps
  29. Open DevSecOps Putting "Open" back into the DevSecOps Model
  30. Knowledge Tools Community
  31. Knowledge
  32. Community
  33. Tools / Solutions
  34. Honey Tokens
  35. Honey Tokens (the slide background shows the Terraform listing below; the second resource is cut off on the slide)

      # Terraform 0.11-style module code as shown on the slide
      resource "aws_s3_bucket" "app" {
        count  = "${var.create_app ? 1 : 0}"
        bucket = "${var.name}.${var.domain}"
        # the bucket ACL is private, but the policy below grants public
        # read of every object, as required for static website hosting
        acl    = "private"

        website {
          index_document = "index.html"
          error_document = "index.html"
        }

        policy = <<EOF
      {
        "Version": "2008-10-17",
        "Statement": [
          {
            "Sid": "PublicReadForGetBucketObjects",
            "Effect": "Allow",
            "Principal": { "AWS": "*" },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::${var.name}.${var.domain}/*"
          }
        ]
      }
      EOF

        # protect the bucket from an accidental terraform destroy
        lifecycle {
          prevent_destroy = true
        }

        tags {
          solution = "apps"
        }
      }

      resource "aws_s3_bucket" "next_app" {
        count  = "${var.create_next_app ? 1 : 0}"
        bucket = "next-${var.name}.${var.domain}"
        acl    = "private"

        website {
          index_document = "index.html"
          error_document = "index.html"
        }
        # the remainder of this resource is cut off on the slide
      }

  36. Dark Nets
  37. Dark Nets (same Terraform listing as slide 35 in the background)
  38. Recon
  39. Recon (same Terraform listing as slide 35 in the background)
  40. Top 10, Dynamic Security Scanner, Static Code Analysers, Auxiliary Tools, Terraform Modules, CloudFormation Stacks, Research Papers, Scripts, Log Aggregation, SIEM, FW
  41. The goal is the goal
  42. Shift to the left: Pentesting / Red Team, Vuln Research, Bug Hunting
  43. 1. Self-governing 2. Self-healing 3. Self-defending
  44. 1. Self-governing 2. Self-healing 3. Self-defending
  45. 1. Self-governing 2. Self-healing 3. Self-defending
  46. 1. Self-governing 2. Self-healing 3. Self-defending
  47. @pdp GNUCITIZEN / WEBSECURIFY / SECAPPS
  48. LONDON 18-19 OCT 2018 ¯\_(ツ)_/¯