RoboCop: Bringing Law and Order to CI/CD

2. © 2016 ELLUCIAN.
Who Am I?
• Information Security Professional
• Software Engineer
• Enjoy Capture the Flag
• Movie and Trivia Enthusiast
3.
Agenda
1 RoboCop
2 DevSecOps
3 Security Tools
4 Case Study
5.
RoboCop Locations
• Film: Detroit City Hall. Actual: Dallas Municipal Bldg, 116 S. Harwood St.
• Film: OCP Building. Actual: Dallas City Hall, 1500 Marilla St.
7.
Serve the Public Trust
“Excuse me. I have to go. Somewhere there is a crime happening.” (RoboCop, “RoboCop”)
• Business Driven Security
• Open Collaboration
• Leaning In
• Translate Security for the Layperson
8.
Protect The Innocent
“Come quietly or there will be… trouble.” (RoboCop, “RoboCop”)
• Developers are not security experts
• Security can be an afterthought
• Developers are lazy
9.
Uphold The Law
• What are your policies?
• What are your standards?
• Security Gates
“You are illegally parked on private property. You have twenty seconds to move your vehicle.” (ED-209, “RoboCop”)
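One way to turn the policies and standards above into an automated security gate that a CI job can run, added here as an example; it is not code from the talk or from Ellucian. The findings, rule names, policy thresholds and JSON schema are all constructed assumptions, and the gate treats reviewed false positives as exceptions that carry a reason and an expiry date.

```python
import json
from datetime import date

# Constructed findings from one SAST and one DAST run (not real scanner output;
# the schema and every value below are assumptions made for this example).
FINDINGS_JSON = """[
 {"id": "F1", "tool": "sast", "rule": "hardcoded-secret", "severity": "high", "location": "src/db.py:12"},
 {"id": "F2", "tool": "sast", "rule": "weak-crypto", "severity": "medium", "location": "src/legacy/hash.py:40"},
 {"id": "F3", "tool": "dast", "rule": "cookie-missing-secure-flag", "severity": "medium", "location": "/login"},
 {"id": "F4", "tool": "sast", "rule": "path-traversal", "severity": "low", "location": "src/files.py:88"}
]"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# The "law" the gate upholds: block at or above one severity, and cap the mediums.
POLICY = {"block_at": "high", "max_medium": 1}

# Reviewed false positives or accepted risks. Each needs a reason and an expiry date,
# so the exception gets re-examined instead of silently living forever.
ACCEPTED = {"F2": {"reason": "dead code, removal scheduled", "expires": "2099-01-01"}}


def load_findings(text=FINDINGS_JSON):
    return json.loads(text)


def evaluate_gate(findings, policy, accepted, today_iso):
    """Return (passed, reasons). Pure function, so the gate itself can be unit-tested."""
    today = date.fromisoformat(today_iso)
    reasons, live = [], []
    for f in findings:
        exc = accepted.get(f["id"])
        if exc and date.fromisoformat(exc["expires"]) >= today:
            continue  # valid, unexpired exception: not counted against the policy
        if exc:
            reasons.append(f"exception for {f['id']} expired on {exc['expires']}")
        live.append(f)
    block_rank = SEVERITY_RANK[policy["block_at"]]
    for f in live:
        if SEVERITY_RANK[f["severity"]] >= block_rank:
            reasons.append(f"{f['tool']} {f['rule']} ({f['severity']}) at {f['location']}")
    mediums = sum(1 for f in live if f["severity"] == "medium")
    if mediums > policy["max_medium"]:
        reasons.append(f"{mediums} medium findings exceed the cap of {policy['max_medium']}")
    return not reasons, reasons


if __name__ == "__main__":  # the exit status is what the CI job keys on
    ok, why = evaluate_gate(load_findings(), POLICY, ACCEPTED, date.today().isoformat())
    print("GATE PASSED" if ok else "GATE FAILED:\n  " + "\n  ".join(why))
    raise SystemExit(0 if ok else 1)
```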
12.
• 40 years
• 2,400 institutions
• 18,000,000 students
• 40 countries
13.
How We Define DevOps
People working together with a common set of tools & goals to achieve the best customer experience.
14.
DevSecOps
DevSecOps: automation of security tasks by embedding security controls and processes into the DevOps workflow.
15.
Application Security Testing Technologies
• Static
• Dynamic
• Interactive
16.
Static Application Security Testing (SAST)
Pros
• Shows vulnerabilities at their source
• No need for code compilation
Cons
• False positives
• May report findings that can’t be exploited
17.
Dynamic Application Security Testing (DAST)
Pros
• Shows vulnerabilities exposed in real time
• No need for source code
• Detects vulnerabilities on client and server side
Cons
• Cannot identify location for remediation
• May not cover all areas of the application
• Must rebuild the application when modifying code
18.
SAST vs. DAST
SAST
• Poor crypto implementation
• Issues in dead/unused code
• Hard-coded secrets
DAST
• Environment configuration issues
• Authentication issues
• Session management issues
• Runtime privilege issues
SAST & DAST
• SQLi
• Cross-site Scripting
• Path Traversal
• Buffer Overflows
• HTTP Response Splitting
19.
Interactive Application Security Testing (IAST)
Pros
• Can enhance DAST
• May identify vulnerable lines of code
Cons
• Can’t run on its own
• Has to be integrated with the application
21.
Other Resources
Enterprise DevOps at Scale with AWS | AWS Public Sector Summit
Ellucian has been migrating its entire organization from a myriad of software delivery mechanisms, many of them manual, to a highly automated and advanced suite of DevOps tools. In this talk, we go over some of the challenges we have faced and also discuss our thoughts on the evolution of DevOps and the emerging patterns of managing AWS-based environments.
https://youtu.be/MqP1lU39jcM
DevOps on the AWS Cloud
Learn how REAN Cloud helped AWS customer Ellucian develop a DevOps framework to transform their software delivery process for over 80 product lines.
https://youtu.be/071rB05Oj9g
22.
Summary
• Choose technologies that meet your business needs and processes
• Make security a feature
• Automate as much as possible
23.
Thank you.
Franklin Mosley
franklin.mosley@ellucian.com
https://www.linkedin.com/in/franklinmosley