Shift left Security
17.06.2022, Florian Kammermann
Agenda
2
1. The Fast Feedback Loop
2. Security in the Software Development Life Cycle (SDLC)
3. Trust in the Software Development Life Cycle (SDLC)
4. Securing Code and Configuration, Artifacts
5. Prevention of Attacks in the Software Development Life Cycle (SDLC)
3
Fast Feedback Loop
[Figure: pipeline Coding (IDE) → SCM (git) → Unit Testing → Build → Test on Env. X (one or more environments) → Production, each stage annotated with the time until a sensor placed there gives feedback: instant, seconds to minutes, < 5 min, < 7 min, < 30 min, > 30 min]
The further left we place the sensor,
the faster we get the feedback,
the faster we fix it,
the lower the cost,
the lower the security exposure.
4
Fast Feedback Loop – The Business View
[Figure: Cost per defect (functional, reliability, security). Source: NIST]
5
Incident Types – Impact / Probability
[Figure: two bar charts on a scale from 0x to 30x. Left: Business Impact in case of a Major Incident, by incident type (Functional, Reliability, Security). Right: Probability of Occurrence in case of a Major Incident, by incident type (Security, Reliability, Functional)]
Optimizing for security is a difficult business case: we have a low probability combined with a high impact.
6
Security in the Software Development Lifecycle (SDLC)
Traditional Security Measures
[Figure: pipeline Coding (IDE) → SCM (git) → Unit Testing → Build → Test on Env. X → Production, with the security measures placed at Production]
Optimized for Production: traditional security measures focus on the security exposure in Production.
7
Security in the Software Development Lifecycle (SDLC)
SSDLC Security Measures
[Figure: the same pipeline Coding (IDE) → SCM (git) → Unit Testing → Build → Test on Env. X → Production, with security measures placed at every stage]
Focus on the whole SDLC: digitalized production assumes that every step has its own security posture.
8
The New Reality – Attack Vectors on the Software Development Lifecycle
NCSC (Nationales Zentrum für Cybersecurity, the Swiss National Cyber Security Centre):
− Given the growing complexity of hardware and software and the advancing digitalization of society, software dependencies in particular pose a major challenge to the security of companies.
− In recent years the "US National Telecommunications and Information Administration (NTIA)" has worked with partners on the development of a "Software Bill of Materials (SBOM)".
OWASP Top 10:
− 04 Insecure Design
− 05 Security Misconfiguration
− 06 Vulnerable and Outdated Components
− 08 Software and Data Integrity Failures
Executive Order on Improving the Nation's Cybersecurity
Shift left Security – CISA Model, part of the Zero Trust Application Pillar (CISA = Cybersecurity & Infrastructure Security Agency)
9
Security in the Software Development Lifecycle
How Security is applied to the SDLC
Traditional Security Measures (SAST, DAST / PEN Test)
Digitalized Production Security Measures (digital identities and Bill of Materials)
[Figure: pipeline Coding (IDE) → SCM (git) → Unit Testing → Build → Test on Env. X → Production, with both kinds of measures mapped onto the stages]
10
Trust
How we create Trust in the Software Development Lifecycle
Implicit trust is created by ticketing systems and by verbal communication, by email or by chat. Implicit trust is not auditable and cannot be traced back programmatically. Implicit trust is not verifiable. Implicit trust does not protect from tampering.
Explicit trust is auditable and verifiable by digital evidence. Explicit trust also comes with digitally represented parties which took an action in the SSDLC (Secure Software Development Lifecycle). Explicit trust creates a chain of trust which can be verified by external parties.
11
Accumulate explicit Trust over the Pipeline Stages
[Figure: pipeline Coding (IDE) → SCM (git) → Unit Testing → Build → Test on Env. X → Production. Evidence is propagated digitally signed and accumulates along the stages: after SCM the artifact carries a signed commit; after SAST a signed SAST result on top of the signed commit; after unit testing additionally signed unit tests; after the build additionally a signed build; after the tests on Env. X additionally signed x tests. What reaches Production carries the signed commit, SAST, unit tests, build and x tests]
12
Securing Code and Configuration
Commit Authenticity: A foundation of securing source code is the ability to authenticate contributor-added commits to the repository. Unsigned commits or commits with unknown signatures have to be rejected.
Identify malicious code early: Use SAST to scan the code for vulnerabilities. SAST can find code segments which can lead to possible security exposure. See https://cwe.mitre.org/
Avoid exposing sensitive information: It is still a problem that secrets can make it into the code base. Use pre-commit hooks to avoid sensitive information in the central git repository.
Flawless Change Management: Review code changes by qualified coworkers. Create short-lived branches to bring new code to main. Avoid long-lived feature branches.
[Figure: pipeline Coding (IDE) → SCM (git) → Unit Testing → Build → Test on Env. X → Production, with the four measures placed at the Coding and SCM stages]
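As an added example (not part of the original slides), a minimal pre-commit hook in Python that scans only the staged, added lines for known credential formats and for high-entropy strings; the rule set, the thresholds and the sample diff are constructed for illustration.

```python
import math
import re
import subprocess
import sys

# Constructed rule set: well-known credential formats first, then an
# entropy heuristic for opaque tokens that no fixed pattern knows about.
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("credential-assignment",
     re.compile(r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?[^\s'\"]{8,}")),
]
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=]{32,}")
HEX_THRESHOLD = 3.0      # bits/char: random hex tops out at 4.0
BASE64_THRESHOLD = 4.5   # bits/char: random base64 tops out at 6.0


def shannon_entropy(s):
    """Bits per character of the string's own symbol distribution."""
    length = len(s)
    return -sum((n / length) * math.log2(n / length)
                for n in (s.count(c) for c in set(s)))


def looks_random(token):
    # Hex material (digests, hex-encoded keys) gets the lower threshold; this
    # also means commit hashes in lock files trip the rule (known trade-off).
    is_hex = all(c in "0123456789abcdefABCDEF" for c in token)
    threshold = HEX_THRESHOLD if is_hex else BASE64_THRESHOLD
    return shannon_entropy(token) >= threshold


def scan_added_lines(diff_text):
    """Return [(path, rule, snippet)] for every added line of a unified diff.
    Only '+' lines are checked: a secret already in history needs rotation,
    blocking this commit would not remove it."""
    findings = []
    path = "?"
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            if path.startswith("b/"):
                path = path[2:]
            continue
        if not raw.startswith("+"):
            continue
        line = raw[1:]
        for rule, rx in PATTERNS:
            if rx.search(line):
                findings.append((path, rule, line.strip()))
                break
        else:
            for tok in TOKEN_RE.findall(line):
                if looks_random(tok):
                    findings.append((path, "high-entropy-string", tok))
                    break
    return findings


# Constructed staged diff: one hard-coded password, the AWS documentation
# example key id, one random-looking token and one harmless line.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,5 @@
 retries = 3
+DB_PASSWORD = "hunter2hunter2"
+AWS_KEY = AKIAIOSFODNN7EXAMPLE
+SESSION_SEED = ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn
+timeout_seconds = 30
"""


def main():
    """Hook entry point: scan the index and block the commit on any finding."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_added_lines(diff)
    for path, rule, snippet in findings:
        print(f"{path}: {rule}: {snippet}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Installed as `.git/hooks/pre-commit`, the non-zero exit status is what stops the commit; run against `SAMPLE_DIFF` the scanner reports three findings and leaves the harmless line alone.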
13
Securing Artifacts before Deployment
Artifact Repositories: Artifact repositories play a central role in the SDLC. The accumulated trust and immutability need to be guaranteed by artifact repositories. They are also the gate for incoming artifacts from central repositories.
Identify malicious dependencies early: Analyse artifacts to detect known software components and identify any associated vulnerabilities. Scanning complements SAST by finding vulnerabilities not detectable by scanning source code, and it can also help to build the SBOM.
Managed base Images (VM/OCI): VM images should be treated the same as any artifact. They should go through all the stages of the SSDLC. For OCI images, distroless images are to be favoured in order to remove all non-essential operating system dependencies.
[Figure: pipeline Coding (IDE) → SCM (git) → Unit Testing → Build → Test on Env. X → Production, with the measures placed at the Build stage and library nodes Lib D, Lib I, Lib J shown as dependencies of the artifact]
14
The Importance of the Software Bill of Materials (SBOM)
A “software bill of materials” (SBOM) has emerged as a key building block in software security and software supply chain risk management. An SBOM is a nested inventory, a list of ingredients that make up software components.
Source: https://www.cisa.gov/sbom
[Figure: nested inventory of an artifact: artifact → Lib A, Lib B; deeper levels Lib C, Lib D, Lib E, Lib F, Lib G, Lib H, Lib I, Lib J, Lib K, Lib L, Lib M, Lib N]
15
Securing deployed Artifacts
Apply Policies: Secure the deployment through the validation of digital trust (signatures). Applying policies that require the progressive series of signed attestations protects environments from accidental or malicious artifact deployments. Open Policy Agent can help here.
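The accumulation of signed evidence over the pipeline stages (slide 11) and the deployment policy that demands the complete series of attestations (above), as an added Python example that is not from the slides: stage names, keys and the artifact are constructed, and an HMAC with a per-stage key stands in for the per-stage asymmetric signature a real pipeline would use.

```python
import hashlib
import hmac
import json

# Stage order the pipeline runs in; every stage signs on top of what it received.
REQUIRED_STAGES = ["commit", "sast", "unit-tests", "build", "env-x-tests"]

# Constructed per-stage keys. In a real pipeline each stage holds its own
# asymmetric key and the policy engine only needs the public halves; HMAC is
# used here so the example runs on the standard library alone.
STAGE_KEYS = {stage: f"demo-key-{stage}".encode() for stage in REQUIRED_STAGES}


def _payload(stage, artifact_digest, previous_sig):
    """Canonical bytes a stage signs: its name, the artifact digest and the
    signature of the previous attestation, which is what links the chain."""
    doc = {"stage": stage, "artifact": artifact_digest, "prev": previous_sig}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def _sign(stage, artifact_digest, previous_sig):
    return hmac.new(STAGE_KEYS[stage], _payload(stage, artifact_digest, previous_sig),
                    hashlib.sha256).hexdigest()


def sign_stage(chain, stage, artifact_digest):
    """Return `chain` extended with the attestation of `stage` (run by the
    stage itself, with its own key, after its check passed)."""
    prev = chain[-1]["sig"] if chain else ""
    att = {"stage": stage, "artifact": artifact_digest, "prev": prev,
           "sig": _sign(stage, artifact_digest, prev)}
    return chain + [att]


def verify_chain(chain, artifact_digest, required=REQUIRED_STAGES):
    """Deployment policy: all required stages, in order, each attesting exactly
    this artifact, each linked to its predecessor and correctly signed.
    Returns (True, "ok") or (False, reason)."""
    stages = [att["stage"] for att in chain]
    if stages != list(required):
        return False, f"stage sequence {stages} does not match policy {list(required)}"
    prev = ""
    for att in chain:
        if att["stage"] not in STAGE_KEYS:
            return False, f"{att['stage']}: no trusted key for this stage"
        if att["artifact"] != artifact_digest:
            return False, f"{att['stage']}: attests a different artifact"
        if att["prev"] != prev:
            return False, f"{att['stage']}: not linked to the previous attestation"
        if not hmac.compare_digest(_sign(att["stage"], att["artifact"], att["prev"]), att["sig"]):
            return False, f"{att['stage']}: signature does not verify"
        prev = att["sig"]
    return True, "ok"


def demo():
    """Full chain for a constructed artifact; then a chain with the build stage
    missing, and one where the later stages vouched for a swapped artifact."""
    artifact = hashlib.sha256(b"constructed artifact bytes").hexdigest()
    chain = []
    for stage in REQUIRED_STAGES:
        chain = sign_stage(chain, stage, artifact)
    complete = verify_chain(chain, artifact)[0]

    skipped = [att for att in chain if att["stage"] != "build"]
    build_skipped = verify_chain(skipped, artifact)[0]

    other = hashlib.sha256(b"swapped artifact").hexdigest()
    swapped = chain[:2]                     # commit and SAST attest the original
    for stage in REQUIRED_STAGES[2:]:       # the remaining stages attest something else
        swapped = sign_stage(swapped, stage, other)
    swapped_ok = verify_chain(swapped, artifact)[0]
    return complete, build_skipped, swapped_ok   # (True, False, False)


if __name__ == "__main__":
    print(demo())
```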
Dynamic Application Security Testing: Dynamic application security testing (DAST) tests are designed to identify functional security vulnerabilities in deployed artifacts. Use DAST to identify possible exploits following known patterns of attack, like SQL injection or cross-site scripting (XSS).
Isolated and replicable testing Environments: Static environments are challenging. To create environments where you can test new functionality in isolation, use declarative infrastructure. These environments are ephemeral: they only live as long as the feature test cycle is active.
[Figure: pipeline Coding (IDE) → SCM (git) → Unit Testing → Build → Test on Env. X → Production, with the measures placed at the Test on Env. X stages, a 'stop' marker at Lib I, and each test environment backed by its own Infrastructure]
16
The importance of declarative Infrastructure (IaC)
[Figure: Infrastructure hosting Ephemeral Environment X with its Artifact, next to a second Ephemeral Environment with its Artifacts]
A key component of securing infrastructure is to use declarative infrastructure. Declarative infrastructure is commonly known as infrastructure as code (IaC). It defines infrastructure components as code, manages the components in code repositories, and helps ensure that the infrastructure components undergo the same level of checks and balances as application feature code. Declarative infrastructure is the basis for managing ephemeral environments.
Environments become replicable. Environments (also prod) can be created or rebuilt automatically on demand.
17
Mitigation of Attacks in the SSDLC
Malicious library example
18
Mitigation in a traditional SDLC
Lib Z zero-day CVE → (manually) analyze deployments → maintain lists of deployments to fix → update every deployment and build/deploy
Without an SBOM and trusted libraries, it can take days to weeks to roll out mitigations for zero-day CVEs. And even then it is not clear that all vulnerable deployments were discovered; APTs (Advanced Persistent Threats) can take hold and move laterally.
[Figure: pipeline Coding (IDE) → SCM (git) → Unit Testing → Build → Test on Env. X → Production]
The 3 R's of Enterprise Security (Source: Pivotal, ThoughtWorks Techradar):
Rotate datacenter credentials every few minutes or hours.
Repair vulnerable operating systems and application stacks consistently within hours of patch availability. Faster is safer.
Repave every server and application in the datacenter every few hours from a known good state.
19
Mitigation in a SSDLC with the 3 R's of Enterprise Security – Repair
[Figure: pipeline Version Control → Unit Tests → Build → Verify on environment x → Production; the Artifact carries its SBOM at every stage, next to a Zero Day CVE marker]
Requirements for Repair
• CVE tracking
• SBOM and (automated) manifest update
• Signed Artifacts
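The SBOM as a nested inventory (slide 14) and the Repair step of the two slides above, as an added Python example that is not from the slides: four constructed deployment SBOMs are walked for a constructed Lib Z advisory (placeholder CVE id), the affected deployments are listed with the dependency path that pulled the library in, and their manifests are bumped to the fixed version.

```python
import copy

# Constructed SBOMs, one per deployment, in a cut-down CycloneDX-like shape:
# a root ref, a component list and a dependency graph (ref -> [refs]). The
# graph is what makes the inventory nested: transitive libraries are included.
SBOMS = {
    "shop-frontend": {
        "root": "shop-frontend@5.1.0",
        "components": [
            {"ref": "lib-a@1.2.0", "name": "lib-a", "version": "1.2.0"},
            {"ref": "lib-z@2.3.0", "name": "lib-z", "version": "2.3.0"},
        ],
        "dependencies": {"shop-frontend@5.1.0": ["lib-a@1.2.0"], "lib-a@1.2.0": ["lib-z@2.3.0"]},
    },
    "billing-api": {
        "root": "billing-api@3.0.0",
        "components": [
            {"ref": "lib-b@3.0.0", "name": "lib-b", "version": "3.0.0"},
            {"ref": "lib-z@2.4.1", "name": "lib-z", "version": "2.4.1"},
        ],
        "dependencies": {"billing-api@3.0.0": ["lib-b@3.0.0"], "lib-b@3.0.0": ["lib-z@2.4.1"]},
    },
    "report-worker": {
        "root": "report-worker@1.0.0",
        "components": [{"ref": "lib-z@2.2.9", "name": "lib-z", "version": "2.2.9"}],
        "dependencies": {"report-worker@1.0.0": ["lib-z@2.2.9"]},
    },
    "auth-service": {
        "root": "auth-service@7.2.0",
        "components": [{"ref": "lib-c@0.9.0", "name": "lib-c", "version": "0.9.0"}],
        "dependencies": {"auth-service@7.2.0": ["lib-c@0.9.0"]},
    },
}

# Constructed advisory for the slides' "Lib Z": every version below fixed_in is vulnerable.
ADVISORY = {"id": "CVE-0000-00000 (placeholder)", "name": "lib-z", "fixed_in": "2.4.1"}


def parse_version(version):
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(component, advisory):
    return (component["name"] == advisory["name"]
            and parse_version(component["version"]) < parse_version(advisory["fixed_in"]))


def vulnerable_paths(sbom, advisory):
    """Walk the dependency graph from the root and return every path
    ('root > dep > ... > lib') that ends in a vulnerable component."""
    by_ref = {c["ref"]: c for c in sbom["components"]}
    paths = []

    def walk(ref, trail):
        for dep in sbom["dependencies"].get(ref, []):
            if dep in trail:          # guard against cycles in the graph
                continue
            if is_vulnerable(by_ref[dep], advisory):
                paths.append(" > ".join(trail + [dep]))
            walk(dep, trail + [dep])

    walk(sbom["root"], [sbom["root"]])
    return paths


def affected_deployments(sboms, advisory):
    """CVE tracking step: which deployments need a repair, and via which path."""
    return {name: paths for name, sbom in sboms.items()
            if (paths := vulnerable_paths(sbom, advisory))}


def repaired_manifest(sbom, advisory):
    """Automated manifest update: bump every vulnerable component to the fixed
    version and rewrite the dependency refs that pointed at it."""
    fixed = copy.deepcopy(sbom)
    renamed = {}
    for comp in fixed["components"]:
        if is_vulnerable(comp, advisory):
            new_ref = f"{comp['name']}@{advisory['fixed_in']}"
            renamed[comp["ref"]] = new_ref
            comp["ref"], comp["version"] = new_ref, advisory["fixed_in"]
    fixed["dependencies"] = {
        renamed.get(ref, ref): [renamed.get(d, d) for d in deps]
        for ref, deps in fixed["dependencies"].items()
    }
    return fixed


if __name__ == "__main__":
    for name, paths in affected_deployments(SBOMS, ADVISORY).items():
        print(name, paths)
```

The repaired manifest is what the pipeline would rebuild, re-sign and redeploy; with signed artifacts the same SBOM walk also proves afterwards that no vulnerable version is left in any deployment.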
20
Mitigation in a SSDLC with the 3 R’s of Enterprise Security
[Figure: pipeline Version Control → Unit Tests → Build → Verify on environment x → Production, with the Infrastructure and its Artifacts rebuilt at every stage]
Requirements for Repave
• Declarative Infrastructure
• Cloud Native / Stateless Architecture
• Known trusted State
Repave: APTs get starved and can't take hold.
21
ISO 20’000 and SSDLC (Secure Software Development Life Cycle)
ISO 20’000 is the international standard for IT service management.
Automated and Auditable Software Supply Chain
The software supply chain must be auditable to ensure ISO 20’000 compliance. The implementation of the software supply chain has to guarantee that the software supply chain covers integrity and confidentiality. Every step in the building, integration and testing process has to be secured so that integrity and confidentiality are guaranteed from the code commit to the running workload in production. In a traditional environment this is (or was) mostly done through documented human interaction (handover, sign-off etc.). If we apply zero trust to the SDLC and combine it with an audit trail, this requirement is already fulfilled.
22
Shift left Security – Key Takeaways
Verifiable Identities: It's all about verifiable entities and trust – zero trust applied to the SDLC results in the SSDLC.
Standardized Processes and Tools: Standardized software development processes and tools enable the SSDLC.
Ephemeral Environments: Ephemeral environments, immutable artifacts and immutable infrastructure are a must.
Change the culture: Change the culture in your workforce towards a security / zero trust culture.
Enable the Developers: Make it easy for your engineers to deliver software in a secure way.
23
Secure Software Development Lifecycle Journey – where is Swisscom
Threat Modelling: Threat modelling is executed on critical services / applications. Actually this is the “leftest” security measure.
App Sec Peaks: We have a security program which shifts the security know-how left to the DevOps teams. Every team should have a certified Security Champion.
SAST/SBOM with Snyk: Snyk integrates perfectly into the dev workflow to scan code for vulnerabilities and sensitive information.
Artifact repositories: Central repositories are used to control the flow from public repositories and to scan in-house produced artifacts as well as externally fetched artifacts.
Isolated ephemeral Environments: Not pervasive, but used more and more. The dominance of Kubernetes helps here.
References
• DevSecOps Booklet Swisscom
• Shifting Left on Security Google
• The Three R’s of Enterprise Security: Rotate, Repave, and Repair
25
Question and Answer

 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxNikitaBankoti2
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfSenaatti-kiinteistöt
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Chameera Dedduwage
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Delhi Call girls
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsaqsarehman5055
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaKayode Fayemi
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxmohammadalnahdi22
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024eCommerce Institute
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMoumonDas2
 
George Lever - eCommerce Day Chile 2024
George Lever -  eCommerce Day Chile 2024George Lever -  eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024eCommerce Institute
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubssamaasim06
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...Sheetaleventcompany
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AITatiana Gurgel
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyPooja Nehwal
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Kayode Fayemi
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxraffaeleoman
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardsticksaastr
 

Kürzlich hochgeladen (20)

Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
Night 7k Call Girls Noida Sector 128 Call Me: 8448380779
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animals
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptx
 
George Lever - eCommerce Day Chile 2024
George Lever -  eCommerce Day Chile 2024George Lever -  eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubs
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
 
Microsoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AIMicrosoft Copilot AI for Everyone - created by AI
Microsoft Copilot AI for Everyone - created by AI
 
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
 
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
Governance and Nation-Building in Nigeria: Some Reflections on Options for Po...
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
 

Shift Left Security

  • 8. The New Reality – Attack Vectors on the Software Development Lifecycle
    NCSC (Nationales Zentrum für Cybersecurity):
    − Given the increasing complexity of hardware and software and the advancing digitalisation of society, software dependencies in particular pose a major challenge to the security of companies.
    − In recent years the «US National Telecommunications and Information Administration (NTIA)» has worked with partners on the development of a «Software Bill of Materials (SBOM)».
    OWASP Top 10:
    − 04 Insecure Design
    − 05 Security Misconfiguration
    − 06 Vulnerable and outdated Components
    − 08 Software and data integrity failures
    Executive Order Improving the Nation's Cybersecurity
    Shift left Security – CISA Model, part of the Zero Trust Application Pillar (CISA = Cybersecurity & Infrastructure Security Agency)
  • 9. Security in the Software Development Lifecycle – How Security is applied to the SDLC
    Traditional Security Measures (SAST, DAST / PEN Test)
    Digitalized Production Security Measures (digital Identities and Bill of Materials)
    [Pipeline diagram: Coding (IDE) → SCM (git) → Unit Testing → Build → Test on Env. X → Production]
  • 10. Trust – How we create Trust in the Software Development Lifecycle
    Implicit: Implicit Trust is created by ticketing systems and by verbal communication, e-mail or chat. Implicit trust is not auditable and cannot be traced back programmatically. Implicit trust is not verifiable. Implicit trust doesn't protect from tampering.
    Explicit: Explicit Trust is auditable and verifiable by digital evidence. Explicit trust also comes with digitally represented parties which took an action in the SSDLC (Secure Software Development Lifecycle). Explicit Trust creates a chain of trust which can be verified by external parties.
  • 11. Accumulate explicit Trust over the Pipeline Stages – digitally signed propagation
    [Pipeline diagram: Coding (IDE) → SCM (git) → Unit Testing → Build → Test on Env. X → Production. The set of signatures grows at every stage: Signed commit; then Signed SAST + Signed commit; then Signed unit tests + Signed SAST + Signed commit; then Signed build + Signed unit tests + Signed SAST + Signed commit; then Signed x Tests + Signed build + Signed unit tests + Signed SAST + Signed commit]
  • 12. Securing Code and Configuration
    Commit Authenticity: A foundation of securing source code is the ability to authenticate contributor-added commits to the repository. Unsigned commits or commits with unknown signatures have to be rejected.
    Identify malicious code early: Use SAST to scan the code for vulnerabilities. SAST can find code segments which can lead to possible security exposure. https://cwe.mitre.org/
    Avoid exposing sensitive information: It's still a problem that secrets can make it into the code base. Use pre-commit hooks to avoid sensitive information in the central git repository.
    Flawless Change Management: Review code changes by qualified coworkers. Create short-lived branches to bring new code to main. Avoid long-lived feature branches.
    [Pipeline diagram: Coding (IDE) → SCM (git) → Unit Testing → Build → Test on Env. X → Production]
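As an added illustration of the pre-commit hook mentioned under "Avoid exposing sensitive information" (example code written for this page, not from the deck or Swisscom): the hook scans only the lines a commit would add and rejects the commit on a hit. The rule set, the sample diff and the hook location `.git/hooks/pre-commit` are assumptions.

```python
"""Added example, not from the slide deck: a minimal pre-commit hook that scans
the staged diff for secrets before they reach the central git repository.
Rules and sample diff are constructed; install as .git/hooks/pre-commit (assumed)."""
import re
import subprocess
import sys

# Demo rule set: AWS access key id format, PEM private key headers, quoted credential assignments.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "hardcoded-credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"][^'\"]{8,}['\"]"
    ),
}
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def find_secrets(diff_text: str) -> list:
    """Return (path, line_number, rule) for every ADDED line matching a rule; only '+'
    lines are checked, line numbers come from the new-file side of the hunk headers."""
    findings = []
    path, line_no = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")  # new-file side of the file header
            continue
        if raw.startswith(("--- ", "diff ", "index ", "new file", "\\")):
            continue
        header = HUNK_HEADER.match(raw)
        if header:
            line_no = int(header.group(1))
            continue
        if raw.startswith("-"):
            continue  # removed line: never counts on the new side
        if raw.startswith("+"):
            content = raw[1:]
            for rule, pattern in RULES.items():
                if pattern.search(content):
                    findings.append((path, line_no, rule))
        line_no += 1  # added and context lines both advance the new-side counter
    return findings

# Constructed staged diff; AKIAIOSFODNN7EXAMPLE is AWS's documented example key id.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,2 +10,3 @@
 DEBUG = False
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2hunter2"
diff --git a/deploy/id_rsa b/deploy/id_rsa
new file mode 100644
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAA(constructed placeholder, not a real key)
+-----END OPENSSH PRIVATE KEY-----
"""

def main() -> int:
    """Hook entry point: scan what is staged and reject the commit on findings."""
    diff = subprocess.run(["git", "diff", "--cached"], capture_output=True,
                          text=True, check=True).stdout
    findings = find_secrets(diff)
    for path, line_no, rule in findings:
        print(f"{path}:{line_no}: possible secret ({rule}); commit rejected", file=sys.stderr)
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main())
```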
  • 13. Securing Artifacts before Deployment
    Artifact Repositories: Artifact Repositories play a central role in the SDLC. The accumulated Trust and Immutability need to be guaranteed by Artifact Repositories. They are also the gate for incoming artifacts from central repositories.
    Identify malicious dependencies early: Analyse artifacts to detect known software components and identify any associated vulnerabilities. Scanning complements SAST by finding vulnerabilities not detectable by scanning source code, and can also help to build the SBOM.
    Managed base Images (VM/OCI): VM images should be treated the same as any artifact. They should go through all the stages of the SSDLC. For OCI Images, distroless images are preferred, to remove all the non-essential operating system dependencies.
    [Pipeline diagram: Coding (IDE) → SCM (git) → Unit Testing → Build → Test on Env. X → Production; artifact shown with Lib D, Lib I, Lib J]
  • 14. The Importance of the Software Bill of Materials (SBOM)
    A "software bill of materials" (SBOM) has emerged as a key building block in software security and software supply chain risk management. An SBOM is a nested inventory, a list of ingredients that make up software components. Source: https://www.cisa.gov/sbom
    [Diagram: artifact → Lib A, Lib B, Lib C, Lib D, Lib E, Lib F, Lib G, Lib H, with nested Lib I, Lib J, Lib K, Lib L, Lib M, Lib N]
  • 15. Securing deployed Artifacts
    Apply Policies: Secure the deployment through the validation of digital trust (signatures). Applying policies that require the progressive series of signed attestations protects environments from accidental or malicious artifact deployments. Open Policy Agent can help here.
    Dynamic Application Security Testing: Dynamic application security testing (DAST) tests are designed to identify functional security vulnerabilities in deployed artifacts. Use DAST to identify possible exploits following known patterns of attack, like SQL injection or cross-site scripting (XSS).
    Isolated and replicable testing Environments: Static environments are challenging. To create environments where you can test new functionality in isolation, use declarative infrastructure. These environments are ephemeral. They only live as long as the feature test cycle is active.
    [Pipeline diagram: Coding (IDE) → SCM (git) → Unit Testing → Build → Test on Env. X → Production; an artifact carrying Lib I is stopped by policy before deployment]
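The accumulated trust of slide 11 and the "progressive series of signed attestations" policy of slide 15, as one added example (written for this page, not the deck's or Swisscom's code): each stage signs a statement that covers the artifact digest and the previous attestation, and the deploy policy only admits an artifact whose chain verifies in order. Stage names, keys and the digest are constructed, and HMAC-SHA256 stands in for the digital signatures a real pipeline would use.

```python
"""Added example, not from the slide deck: trust accumulated over the pipeline
stages as a chain of signed attestations, plus the deploy policy that checks it.
Stage names, keys and the artifact digest are constructed; HMAC-SHA256 stands in
for real digital signatures (per-stage signing identities) to stay stdlib-only."""
from __future__ import annotations

import hashlib
import hmac
import json

# Pipeline stages in the order their attestations must be added (slide 11).
STAGES = ["commit", "sast", "unit_tests", "build", "env_x_tests"]
# Constructed demo keys, one per stage; in practice each is a separate signing identity.
STAGE_KEYS = {stage: f"demo-key-{stage}".encode() for stage in STAGES}

def _canonical(obj) -> bytes:
    """Deterministic JSON so hashes and signatures are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _link_digest(attestation) -> str:
    """Digest of the previous attestation (empty for the first stage)."""
    return hashlib.sha256(_canonical(attestation)).hexdigest() if attestation else ""

def attest(stage: str, artifact_digest: str, previous: dict | None) -> dict:
    """Sign a statement covering the artifact AND the previous attestation,
    so every stage endorses everything that came before it."""
    payload = {"stage": stage, "artifact": artifact_digest, "prev": _link_digest(previous)}
    sig = hmac.new(STAGE_KEYS[stage], _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def build_chain(artifact_digest: str, stages=STAGES) -> list[dict]:
    """Run the artifact through the given stages, accumulating attestations."""
    chain, previous = [], None
    for stage in stages:
        previous = attest(stage, artifact_digest, previous)
        chain.append(previous)
    return chain

def verify_chain(chain: list[dict], artifact_digest: str) -> list[str]:
    """Return the stages verified in order, stopping at the first broken link:
    unknown stage, bad signature, wrong artifact, or a link not pointing at its predecessor."""
    verified, previous = [], None
    for attestation in chain:
        payload, sig = attestation["payload"], attestation["sig"]
        key = STAGE_KEYS.get(payload["stage"])
        if key is None:
            break
        expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            break
        if payload["artifact"] != artifact_digest or payload["prev"] != _link_digest(previous):
            break
        verified.append(payload["stage"])
        previous = attestation
    return verified

def may_deploy(chain: list[dict], artifact_digest: str, target: str) -> bool:
    """Policy (slide 15): 'env_x' needs commit..build attested in order,
    'production' needs every stage. Anything else is rejected."""
    required = STAGES[:-1] if target == "env_x" else STAGES
    return verify_chain(chain, artifact_digest)[: len(required)] == required

if __name__ == "__main__":
    digest = "sha256:" + "ab" * 32  # constructed artifact digest
    chain = build_chain(digest)
    print("production, full chain:", may_deploy(chain, digest, "production"))
    print("production, build-only chain:", may_deploy(chain[:4], digest, "production"))
```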
  • 16. The importance of declarative Infrastructure (IaC)
    A key component of securing infrastructure is to use declarative infrastructure. Declarative infrastructure is commonly known as infrastructure as code (IaC). It defines infrastructure components as code, manages the components in code repositories, and helps ensure that the infrastructure components undergo the same level of checks and balances as application feature code.
    Declarative Infrastructure is the basis to manage ephemeral Environments. Environments become replicable. Environments (also prod) can be created or rebuilt automatically on demand.
    [Diagram: Infrastructure (as code) provisions an Ephemeral Environment X hosting the deployed Artifacts]
  • 17. Mitigation of Attacks in the SSDLC – Malicious library Example
  • 18. Mitigation in a traditional SDLC
    Lib Z Zero Day CVE → (manually) analyze Deployments → Maintain lists of Deployments to fix → Update every Deployment and build/deploy
    Without an SBOM and trusted Libraries, it can take days to weeks to roll out mitigations of zero-day CVEs. And even then, it is not clear that all vulnerable Deployments were discovered; APTs (Advanced Persistent Threats) can take hold and move laterally.
    [Pipeline diagram: Coding (IDE) → SCM (git) → Unit Testing → Build → Test on Env. X → Production]
  • 19. Mitigation in a SSDLC with the 3 R's of Enterprise Security – Repair
    − Rotate datacenter credentials every few minutes or hours.
    − Repair vulnerable operating systems and application stacks consistently within hours of patch availability. Faster is safer.
    − Repave every server and application in the datacenter every few hours from a known good state.
    Source: Pivotal, ThoughtWorks Techradar
    Requirements for Repair:
    − CVE tracking
    − SBOM and (automated) manifest update
    − Signed Artifacts
    [Pipeline diagram: Version Control → Unit Tests → build → Verify on environment x → production, the Artifact carrying its SBOM through every stage; a Zero Day CVE hits the Artifact]
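The nested inventory of slide 14 and the "Repair" lookup of slides 18 and 19, as one added example (written for this page, not the deck's or Swisscom's code): with an SBOM per deployment, the question "which deployments carry the vulnerable Lib Z, and through which dependency?" becomes a query instead of a manual list. Component names, versions, deployments and the advisory are constructed, and the CVE id is a placeholder.

```python
"""Added example, not from the slide deck: an SBOM kept as a nested inventory
and the "Repair" lookup that answers, for a new CVE, which deployments carry the
vulnerable component and via which dependency path. Component names, versions,
deployments and the advisory are constructed; the CVE id is a placeholder."""
from __future__ import annotations

from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    """One SBOM entry: a library or the top-level artifact, with its direct deps."""
    name: str
    version: str
    deps: tuple = ()

def _ver(version: str) -> tuple:
    """Numeric version tuple for ordering (demo assumes dotted integers)."""
    return tuple(int(part) for part in version.split("."))

def components(root: Component) -> list:
    """Flatten the nested inventory into the sorted list of (name, version) it contains."""
    seen, stack = set(), [root]
    while stack:
        current = stack.pop()
        if (current.name, current.version) in seen:
            continue
        seen.add((current.name, current.version))
        stack.extend(current.deps)
    return sorted(seen)

def vulnerable_paths(root: Component, advisory: dict, path: tuple = ()) -> list:
    """Every dependency path from the artifact down to a version hit by the advisory."""
    path = path + ((root.name, root.version),)
    if root.name == advisory["name"] and _ver(root.version) < _ver(advisory["fixed_in"]):
        return [path]
    hits = []
    for dep in root.deps:
        hits.extend(vulnerable_paths(dep, advisory, path))
    return hits

def affected_deployments(deployments: dict, advisory: dict) -> dict:
    """Map each affected deployment to its vulnerable paths: the repair list that a
    traditional SDLC (slide 18) would have to assemble by hand."""
    return {name: paths for name, sbom in sorted(deployments.items())
            if (paths := vulnerable_paths(sbom, advisory))}

# Constructed inventory: lib-d pulls in the vulnerable lib-z transitively.
LIB_Z_OLD = Component("lib-z", "1.2.0")
LIB_Z_FIXED = Component("lib-z", "1.3.0")
LIB_A = Component("lib-a", "3.1.0")
LIB_B = Component("lib-b", "1.0.0")
LIB_D = Component("lib-d", "0.9.0", (LIB_Z_OLD,))
ARTIFACT_A = Component("artifact-a", "2.4.1", (LIB_A, LIB_D))
ARTIFACT_B = Component("artifact-b", "1.7.0", (LIB_B, LIB_Z_FIXED))
ARTIFACT_C = Component("artifact-c", "5.0.2", (LIB_A, LIB_B))

# Deployment name -> SBOM of the artifact running there (constructed).
DEPLOYMENTS = {
    "payments-prod": ARTIFACT_A,
    "payments-staging": ARTIFACT_A,
    "web-prod": ARTIFACT_B,
    "batch-prod": ARTIFACT_C,
}
# Placeholder advisory: lib-z before 1.3.0 is vulnerable.
ADVISORY = {"cve": "CVE-XXXX-XXXXX (placeholder)", "name": "lib-z", "fixed_in": "1.3.0"}

if __name__ == "__main__":
    for deployment, paths in affected_deployments(DEPLOYMENTS, ADVISORY).items():
        for path in paths:
            print(deployment, " -> ".join(f"{n}@{v}" for n, v in path))
```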
  • 20. Mitigation in a SSDLC with the 3 R's of Enterprise Security – Repave
    (Rotate / Repair / Repave as defined on slide 19. Source: Pivotal, ThoughtWorks Techradar)
    Requirements for Repave:
    − Declarative Infrastructure
    − Cloud Native / Stateless Architecture
    − Known trusted State
    APTs get starved and can't take hold.
    [Pipeline diagram: Version Control → Unit Tests → build → Verify on environment x → production; Infrastructure and Artifacts are rebuilt from the known trusted state]
  • 21. ISO 20'000 and SSDLC (Secure Software Development Life Cycle)
    ISO 20'000 is the international standard for IT service management.
    Automated and Auditable Software Supply Chain: The Software Supply Chain must be auditable to ensure ISO 20'000 compliance. The implementation of the Software Supply Chain has to guarantee that the Software Supply Chain covers integrity and confidentiality. Every step in the building, integration and testing process has to be secured so that integrity and confidentiality are guaranteed from the code commit to the running workload on production.
    In a traditional environment this is/was mostly done through documented human interaction (handover, sign-off etc.). If we apply zero trust to the SDLC and combine it with an audit trail, this requirement is already fulfilled.
  • 22. Shift left Security – Key Takeaways
    Verifiable Identities: It's all about verifiable entities and trust – zero trust applied to the SDLC results in the SSDLC.
    Standardized Processes and Tools: Standardized software development processes and tools enable the SSDLC.
    Ephemeral Environments: Ephemeral Environments, immutable artifacts and immutable infrastructure are a must.
    Change the culture: Change the culture in your workforce towards a security (zero trust) culture.
    Enable the Developers: Make it easy for your Engineers to deliver Software in a secure way.
  • 23. Secure Software Development Lifecycle Journey – where Swisscom stands
    Threat Modelling: Threat modelling is executed on critical services / applications. Actually this is the "leftest" security measure.
    App Sec Peaks: We have a security program which shifts the security know-how left to the DevOps Teams. Every Team should have a certified Security Champion.
    SAST/SBOM with Snyk: Snyk integrates perfectly into the Dev workflow to scan code for vulnerabilities and sensitive information.
    Artifact repositories: Central repositories are used to control the flow from public repositories and to scan in-house produced artifacts as well as externally fetched artifacts.
    Isolated ephemeral Environments: Not pervasive, but used more and more. The dominance of Kubernetes helps here.
  • 24. References
    − DevSecOps Booklet, Swisscom
    − Shifting Left on Security, Google
    − The Three R's of Enterprise Security: Rotate, Repave, and Repair