SlideShare ist ein Scribd-Unternehmen logo

OWASP San Antonio Meeting 10/2/20

Denim Group
Denim Group

Title: AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program Abstract: With all the focus on DevSecOps and integrating security into Continuous Integration/Continuous Delivery (CI/CD) pipelines, some teams may be lured into thinking that the entirety of a Software Security Assurance (SSA) program can be baked into these pipelines. While integrating security into CI/CD offers many benefits, it is critical to understand that a full SSA program encompasses a variety of activities – many of which are incompatible with run time restrictions and other constraints imposed by these pipelines. This webinar looks at the breadth of activities involved in a mature SSA program and steps through the aspects of a program that can be realistically included in a pipeline, as well as those that cannot. It also reviews how these activities and related tooling have evolved over time as the application security discipline has matured and as development teams started to focus on cloud-native development techniques and technologies. Speaker: Dan Cornell Bio: A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.

Technologie
1 von 68
Downloaden Sie, um offline zu lesen
© 2020 Denim Group – All Rights Reserved Building a world where technology is trusted. Dan Cornell | CTO AppSec Fast And Slow Your DevSecOps CI/CD Pipeline Isn’t an SSA Program October 2, 2020
© 2020 Denim Group – All Rights Reserved 1 Advisory Services Assessment Services Remediation Services Vulnerability Resolution Platform Building a world where technology is trusted How we can help: Denim Group is solely focused on helping build resilient software that will withstand attacks. • Since 2001, helping secure software • Development background • Tools + services model
© 2020 Denim Group – All Rights Reserved Agenda • Cool Kids: Moving FAST • SSA Programs • Fast and Slow • OWASP SAMM Walkthrough • Conclusions • Questions 2
© 2020 Denim Group – All Rights Reserved Cool Kids: Moving FAST
© 2020 Denim Group – All Rights Reserved Security in the DevOps Pipeline Organizations like Etsy and Netflix are doing amazing things to secure application via their DevOps pipelines
© 2020 Denim Group – All Rights Reserved All About the Pipeline • Security checks in the pipeline • Application • Infrastructure • Cloud • Automation is king 5
© 2020 Denim Group – All Rights Reserved But What Doesn’t Fit Into a Pipeline? • Dangers of DevSecOps fundamentalism • The Pipeline Isn’t the Program 6
© 2020 Denim Group – All Rights Reserved SSA Programs
© 2020 Denim Group – All Rights Reserved What is Your “Why?” • Simon Sinek TED Talk • (If you have seen this before, rolling your eyes at this point is acceptable) • Why -> How -> What https://www.youtube.com /watch?v=qp0HIF3SfI4
© 2020 Denim Group – All Rights Reserved What is an SSA Program • SSA = Software Security Assurance • Set of practices and activities used to reliably create, maintain, and deploy secure software • “We do an annual app pen test for PCI” is not an SSA program • Or at least probably not a very effective one • “Here are the security checks we figured out how to stuff into our CI/CD pipeline” is also not an SSA program • Danger: Don’t let the pipeline become your program • “Shifting left” isn’t bad – it just isn’t everything 9
© 2020 Denim Group – All Rights Reserved SSA Program References • OWASP SAMM • BSIMM 10
© 2020 Denim Group – All Rights Reserved OWASP SAMM • Originally OpenSAMM from Pravir Chandra • OWASP’s evolution/fork • Five Business Functions • Three Security Practices for each • Two Streams for each https://owaspsamm.org/ 11
© 2020 Denim Group – All Rights Reserved OWASP SAMM 12
© 2020 Denim Group – All Rights Reserved BSIMM • Originally from Cigital (now Synopsys) • Based on data collection from participating organizations • Four domains • Three Practices for each • Total of 119 Activities https://www.bsimm.com/ 13
© 2020 Denim Group – All Rights Reserved BSIMM 14
© 2020 Denim Group – All Rights Reserved OWASP SAMM Walkthrough • We will use OWASP SAMM for the purposes of this webinar • More prescriptive • Less vendor-centric • If you are using BSIMM it is pretty trivial to translate 15
© 2020 Denim Group – All Rights Reserved If You Are Just Starting Out • Assessing your program using either tool is less-than-ideal • Better: • Define your scope/mandate • Do some testing • Run some vulnerabilities through resolution • Proceed from there https://www.denimgroup.com/contact-us/ 16
© 2020 Denim Group – All Rights Reserved Fast and Slow
© 2020 Denim Group – All Rights Reserved Thinking Fast and Slow 18 • Written by Daniel Kahneman • System 1 (Fast): Instinctive, emotional • System 2 (Slow): Deliberative, logical • (For AppSec purposes, use configuration/customization to minimize the “emotional”) https://www.amazon.com/Thinking-Fast-Slow-Daniel- Kahneman/dp/0141033576/ref=asc_df_0141033576/
© 2020 Denim Group – All Rights Reserved An Aside: What Horrible Names! • System 1 and System 2 ??? • Almost as bad as Type I and Type II Errors 19 https://www.simplypsychology.org/type_I_and_type_II_errors.html
© 2020 Denim Group – All Rights Reserved Another Aside: The Undoing Project • Michael Lewis book on the research of and the collaboration between Daniel Kahneman and Amos Tversky https://www.amazon.com/Undoing-Project-Friendship- Changed-Minds/dp/0393354776/ref=sr_1_2 20
© 2020 Denim Group – All Rights Reserved Fast and Slow In a culture like DevSecOps that is so focused on FAST, what is still critical, but has to go SLOW? 21
© 2020 Denim Group – All Rights Reserved What Do We Mean By FAST? Blog post: Power, Responsibility, and Security’s Role in the DevOps Pipeline https://www.denimgroup.com/resources/blog/2019/02/powe r-responsibility-and-securitys-role-in-the-devops-pipeline/ 22
© 2020 Denim Group – All Rights Reserved To Be DevSecOps FAST 1. Available quickly 2. High-value 3. Low (NO) false positives (no Type I errors) • Limited time budget • Developers have to care • Don’t waste developers’ time 23
© 2020 Denim Group – All Rights Reserved OWASP SAMM Walkthrough
© 2020 Denim Group – All Rights Reserved Governance • Strategy and Metrics • Policy and Compliance • Education and Guidance 25
© 2020 Denim Group – All Rights Reserved Strategy and Metrics • You can’t automate strategy • SLOW • You can use CI/CD to feed your metrics • Kinda FAST • Metrics in general: very automatable 26
© 2020 Denim Group – All Rights Reserved Policy and Compliance • You can’t automate the creation of your policies • SLOW • You can use CI/CD to automate some policy checks • CI/CD pass/fail • Be careful of limitations – this is a helper, not definitive • Kinda FAST 27
© 2020 Denim Group – All Rights Reserved CI/CD Policy Configuration • Testing • Synchronous • Asynchronous • Decision • Reporting 28 Blog Post: Effective Application Security Testing in DevOps Pipelines http://www.denimgroup.com/blog/2016/12/effective-application-security-testing-in-devops-pipelines/ https://www.denimgroup.com/resources/effective-application-security-for-devops/
© 2020 Denim Group – All Rights Reserved Education and Guidance • Instructor-led training: SLOW • eLearning • Monolithic: SLOW • Targeted: Not FAST, but increasingly interesting • Security Champions • Common responsibility is to configure security testing in CI/CD environments and tune scanning • They make things FASTer 29
© 2020 Denim Group – All Rights Reserved Security Champions Webinar: Security Champions: Pushing Security Expertise to the Edges of Your Organization https://www.denimgroup.com/resources/webinar/security-champions- pushing-security-expertise-to-the-edges-of-your-organization/ 30
© 2020 Denim Group – All Rights Reserved Design • Threat Assessment • Security Requirements • Security Architecture 31
© 2020 Denim Group – All Rights Reserved Threat Assessment • Determining your general application threat profiles can’t be automated • SLOW • Threat Modeling also requires a lot of manual work • Some new interesting automation, but nothing in CI/CD pipelines • Some vendors providing tooling support • Can allow for manual incremental changes – not CI/CD, but fits better into Agile environments • SLOW 32
© 2020 Denim Group – All Rights Reserved Security Requirements • Determining your requirements is largely manual • Some tooling support is available • SLOW • Validating if they are met is largely manual, but we will look at this later during the Verification/Requirements-Driven Testing activity 33
© 2020 Denim Group – All Rights Reserved Secure Architecture • Determining your architectural security requirements is largely manual • SLOW • Validating if they are met is largely manual, but we will look at this later during the Verification/Architecture Assessment activity 34
© 2020 Denim Group – All Rights Reserved Implementation • Secure Build • Secure Deployment • Defect Management 35
© 2020 Denim Group – All Rights Reserved Secure Build • This is really the crux of what we are discussing today • FAST • How can you integrate security into the build process? • SAST/DAST/IAST • SCA • OWASP Dependency Check https://owasp.org/www-project-dependency-check/ • If you are even considering this you have to have a repeatable build process • Otherwise please log off this webinar and pick up a Jenkins for Dummies book. You can pick this back up later. • Software Bill of Materials (SBOM) • OWASP Dependency Track https://dependencytrack.org/ 36
© 2020 Denim Group – All Rights Reserved Architectural Bill of Materials Webinar: The As, Bs, and Four Cs of Testing Cloud- Native Applications https://www.denimgroup.com/resources/webinar/the-as-bs- and-four-cs-of-testing-cloud-native-applications/ 37
© 2020 Denim Group – All Rights Reserved Secure Deployment • An extension of Secure Build • Organizations tend to be a little less mature • FAST • Technologies like Puppet, Chef, Terraform 38
© 2020 Denim Group – All Rights Reserved Defect Management • Subsets of this can be FAST • But you have to tune scanners or you will run into problems • High-value, no false positives • Technically automated defect creation is usually possible • In practice, it takes a while to get to this level • Limited coverage: only works for vulnerabilities you can find with automation in CI/CD pipelines • We will talk more about these testing limitations in the Verification discussions 39
© 2020 Denim Group – All Rights Reserved Bundling Strategies • Turning vulnerabilities into defects • 1:1 approach? • More time spent administering defects than fixing issues • Bundling • By vulnerability type • By severity (more mature applications) • Other approaches 40
© 2020 Denim Group – All Rights Reserved Metrics and Feedback Stream • Scanner / developer provide separation of duties • Scanners find vulns, developers say they fixed them, scanners confirm they did • Obviously only applies to vulnerabilities identified by automation • Tracking mean-time-to-remediation (MTTR) • Good metric for Agile/DevOps teams – how fast can you fix? • (Better than defects per KLoC) • Benchmark against data from Veracode/WhiteHat 41
© 2020 Denim Group – All Rights Reserved Verification • Architecture Assessment • Requirements-driven Testing • Security Testing 42
© 2020 Denim Group – All Rights Reserved Architecture Assessment • This largely has to be done manually • SLOW • Some architectural policies may be checked automatically • Cloud configuration 43
© 2020 Denim Group – All Rights Reserved ScoutSuite • Check configuration of cloud environments • Checks for: • Open S3 buckets • IAM configuration https://github.com/nccgroup/ScoutSuite 44
© 2020 Denim Group – All Rights Reserved Requirements-Driven Testing • Control verification: largely a manual process • SLOW • Misuse/abuse testing: • Fuzzing can be automated, but runtimes can extend beyond the time budget for FAST • Abuse case and business logic testing is manual • DoS testing does not fit in most general pipelines • Mostly SLOW • Some automation and integration possible 45
© 2020 Denim Group – All Rights Reserved Security Testing • THIS is really what the discussion comes down to • How sufficient is the security testing you can stuff into a CI/CD pipeline? • OWASP SAMM has two streams: • Scalable baseline • Deep understanding 46
© 2020 Denim Group – All Rights Reserved OWASP and Testing • OWASP has traditionally had a cultural focus on the strengths (and weaknesses) of automated testing tools • Consultants vs scanner vendors • Testing Guide • https://owasp.org/www-project-web-security-testing-guide/ • ASVS • https://owasp.org/www-project-application-security-verification-standard/ 47
© 2020 Denim Group – All Rights Reserved Scalable Baseline Stream • Three levels of maturity 1. Use an automated tool 2. Employ application-specific automation (tuning) 3. Integrate into the build process • This webinar presupposes the top level of maturity • You did remember to tune your scanner before you put it in the build process, right? 48
© 2020 Denim Group – All Rights Reserved Deep Understanding Stream • This is all manual • Manual test high-risk components • Perform penetration testing • Integrate testing into the development process • Tooling can help • Focus efforts on diffs / new or altered functionality 49
© 2020 Denim Group – All Rights Reserved Testing in CI/CD Pipelines 50
© 2020 Denim Group – All Rights Reserved SAST in CI/CD • Mostly open source linting tools • Need for speed • Commercial-grade tools are less prevalent • Run SAST on diffs? • Cross-method/class data and control flow takes time • Cut down the rules • Shorten run times • Limit false positives 51
© 2020 Denim Group – All Rights Reserved DAST in CI/CD • Concerns about run times • Approaches for targeted DAST • Focus on changes in the app 52
© 2020 Denim Group – All Rights Reserved Targeting DAST Testing Webinar: Monitoring Application Attack Surface and Integrating Security into DevOps Pipelines https://threadfix.it/resources/monitorin g-application-attack-surface-and- integrating-security-into-devops- pipelines/ 53
© 2020 Denim Group – All Rights Reserved IAST in CI/CD • Great! • Typically relies on generated traffic • Use DAST testing to generate traffic • Use integration tests to generate traffic 54
© 2020 Denim Group – All Rights Reserved SCA in CI/CD • Great! • Look at run time tradeoffs vs. velocity of new components and new vulnerabilities 55
© 2020 Denim Group – All Rights Reserved Operations • Incident Management • Environmental Management • Operational Management 56
© 2020 Denim Group – All Rights Reserved Incident Management • Not in a pipeline • Use automation for detection where possible • Some automation frameworks available for response 57
© 2020 Denim Group – All Rights Reserved Application Logging for Security Video: Top Strategies to Capture Security Intelligence for Applications https://www.denimgroup.com/resources/article/top-strategies-to-capture- security-intelligence-for-applications-includes-educational-video/ 58
© 2020 Denim Group – All Rights Reserved Environment Management • Servers should be cattle, not pets • Configuration Handling stream: • Hopefully you have this sorted given the work you have done for Secure Deployment • Chef, Puppet, Terraform • ScoutSuite • Patching and Updating stream: • Detection: FAST • Actual patching: SLOW 59
© 2020 Denim Group – All Rights Reserved Operational Management • Data Protection stream: SLOW • Oh, wait, your DLP solution will sort this out for you • Decommissioning: SLOW 60
© 2020 Denim Group – All Rights Reserved Conclusions
© 2020 Denim Group – All Rights Reserved What Goes in a Pipeline? • Linting SAST • DAST if you can target it • IAST if you can generate meaningful traffic • SCA if you want 62
© 2020 Denim Group – All Rights Reserved What Likely Has to be Done Outside? • Full, commercial-grade SAST • Full DAST • Manual code review • Penetration testing • Threat modeling 63
© 2020 Denim Group – All Rights Reserved What Has to be Done Outside? • Most everything else • Strategy • Policy • Training • Architecture • Security requirements 64
© 2020 Denim Group – All Rights Reserved Shifting Left is Awesome… • But it is only one aspect of a far more complicated landscape • For testing: think coverage • Classes of vulnerabilities • Detection approaches • Quality of approaches • For everything else: • Thing programmatically 65
© 2020 Denim Group – All Rights Reserved Questions
© 2020 Denim Group – All Rights Reserved Building a world where technology is trusted. Building a world where technology is trusted. @denimgroup www.denimgroup.com

Empfohlen

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4JDenim Group
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFixDenim Group
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset Denim Group
 

Empfohlen

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4JDenim Group
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFixDenim Group
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset Denim Group
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramDenim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportDenim Group
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Denim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsDenim Group
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellDenim Group
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneweaveraaaron
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsDenim Group
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramDenim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Denim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemDenim Group
 
Mobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat YourselfMobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat YourselfDenim Group
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewDenim Group
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security ProgramDenim Group
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Denim Group
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataAppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataDenim Group
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual TestingDenim Group
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Denim Group
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesDenim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesDenim Group
 
How-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationHow-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationDenim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 

Weitere ähnliche Inhalte

Was ist angesagt?

Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramDenim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportDenim Group
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Denim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsDenim Group
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellDenim Group
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneweaveraaaron
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsDenim Group
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramDenim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Denim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemDenim Group
 
Mobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat YourselfMobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat YourselfDenim Group
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewDenim Group
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security ProgramDenim Group
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Denim Group
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataAppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataDenim Group
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual TestingDenim Group
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Denim Group
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesDenim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesDenim Group
 
How-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationHow-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationDenim Group
 

Was ist angesagt? (20)

Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security Program
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
 
Mobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat YourselfMobile Application Assessment - Don't Cheat Yourself
Mobile Application Assessment - Don't Cheat Yourself
 
Mobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic ViewMobile Application Assessment By the Numbers: a Whole-istic View
Mobile Application Assessment By the Numbers: a Whole-istic View
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataAppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
 
How-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationHow-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability Remediation
 

Ähnlich wie OWASP San Antonio Meeting 10/2/20

AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsDenim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program Denim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceDenim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
An OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingAn OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingDenim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceDenim Group
 
Shifting security all day dev ops
Shifting security all day dev opsShifting security all day dev ops
Shifting security all day dev opsTom Stiehm
 
Threat Modeling for IoT Systems
Threat Modeling for IoT SystemsThreat Modeling for IoT Systems
Threat Modeling for IoT SystemsDenim Group
 
Becoming Secure By Design: Questions You Should Ask Your Software Vendors
Becoming Secure By Design: Questions You Should Ask Your Software VendorsBecoming Secure By Design: Questions You Should Ask Your Software Vendors
Becoming Secure By Design: Questions You Should Ask Your Software VendorsSolarWinds
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
Simplify Troubleshooting With Context in Your Logs
Simplify Troubleshooting With Context in Your LogsSimplify Troubleshooting With Context in Your Logs
Simplify Troubleshooting With Context in Your LogsSolarWinds
 
How to achieve security, reliability, and productivity in less time
How to achieve security, reliability, and productivity in less timeHow to achieve security, reliability, and productivity in less time
How to achieve security, reliability, and productivity in less timeRogue Wave Software
 

Ähnlich wie OWASP San Antonio Meeting 10/2/20 (20)

AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program How to Integrate AppSec Testing into your DevOps Program
How to Integrate AppSec Testing into your DevOps Program
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
An OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless ComputingAn OWASP SAMM Perspective on Serverless Computing
An OWASP SAMM Perspective on Serverless Computing
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 
Shifting security all day dev ops
Shifting security all day dev opsShifting security all day dev ops
Shifting security all day dev ops
 
Threat Modeling for IoT Systems
Threat Modeling for IoT SystemsThreat Modeling for IoT Systems
Threat Modeling for IoT Systems
 
Becoming Secure By Design: Questions You Should Ask Your Software Vendors
Becoming Secure By Design: Questions You Should Ask Your Software VendorsBecoming Secure By Design: Questions You Should Ask Your Software Vendors
Becoming Secure By Design: Questions You Should Ask Your Software Vendors
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
Simplify Troubleshooting With Context in Your Logs
Simplify Troubleshooting With Context in Your LogsSimplify Troubleshooting With Context in Your Logs
Simplify Troubleshooting With Context in Your Logs
 
Automation and Technical Debt
Automation and Technical DebtAutomation and Technical Debt
Automation and Technical Debt
 
How to achieve security, reliability, and productivity in less time
How to achieve security, reliability, and productivity in less timeHow to achieve security, reliability, and productivity in less time
How to achieve security, reliability, and productivity in less time
 

Mehr von Denim Group

A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixDenim Group
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Denim Group
 
Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Denim Group
 
Reducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained EnvironmentsReducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained EnvironmentsDenim Group
 
Securing Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term ElectionsSecuring Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term ElectionsDenim Group
 
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT TechnologiesUnderstanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT TechnologiesDenim Group
 
Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix Denim Group
 

Mehr von Denim Group (7)

A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...Assessing Business Operations Risk With Unified Vulnerability Management in T...
Assessing Business Operations Risk With Unified Vulnerability Management in T...
 
Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7Optimize Your Security Program with ThreadFix 2.7
Optimize Your Security Program with ThreadFix 2.7
 
Reducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained EnvironmentsReducing Attack Surface in Budget Constrained Environments
Reducing Attack Surface in Budget Constrained Environments
 
Securing Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term ElectionsSecuring Voting Infrastructure before the Mid-Term Elections
Securing Voting Infrastructure before the Mid-Term Elections
 
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT TechnologiesUnderstanding IoT Security: How to Quantify Security Risk of IoT Technologies
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies
 
Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix
 

Kürzlich hochgeladen

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 

Kürzlich hochgeladen (20)

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

OWASP San Antonio Meeting 10/2/20

  • 1. © 2020 Denim Group – All Rights Reserved Building a world where technology is trusted. Dan Cornell | CTO AppSec Fast And Slow Your DevSecOps CI/CD Pipeline Isn’t an SSA Program October 2, 2020
  • 2. © 2020 Denim Group – All Rights Reserved 1 Advisory Services Assessment Services Remediation Services Vulnerability Resolution Platform Building a world where technology is trusted How we can help: Denim Group is solely focused on helping build resilient software that will withstand attacks. • Since 2001, helping secure software • Development background • Tools + services model
  • 3. © 2020 Denim Group – All Rights Reserved Agenda • Cool Kids: Moving FAST • SSA Programs • Fast and Slow • OWASP SAMM Walkthrough • Conclusions • Questions 2
  • 4. © 2020 Denim Group – All Rights Reserved Cool Kids: Moving FAST
  • 5. © 2020 Denim Group – All Rights Reserved Security in the DevOps Pipeline Organizations like Etsy and Netflix are doing amazing things to secure application via their DevOps pipelines
  • 6. © 2020 Denim Group – All Rights Reserved All About the Pipeline • Security checks in the pipeline • Application • Infrastructure • Cloud • Automation is king 5
  • 7. © 2020 Denim Group – All Rights Reserved But What Doesn’t Fit Into a Pipeline? • Dangers of DevSecOps fundamentalism • The Pipeline Isn’t the Program 6
  • 8. © 2020 Denim Group – All Rights Reserved SSA Programs
  • 9. © 2020 Denim Group – All Rights Reserved What is Your “Why?” • Simon Sinek TED Talk • (If you have seen this before, rolling your eyes at this point is acceptable) • Why -> How -> What https://www.youtube.com /watch?v=qp0HIF3SfI4
  • 10. © 2020 Denim Group – All Rights Reserved What is an SSA Program • SSA = Software Security Assurance • Set of practices and activities used to reliably create, maintain, and deploy secure software • “We do an annual app pen test for PCI” is not an SSA program • Or at least probably not a very effective one • “Here are the security checks we figured out how to stuff into our CI/CD pipeline” is also not an SSA program • Danger: Don’t let the pipeline become your program • “Shifting left” isn’t bad – it just isn’t everything 9
  • 11. © 2020 Denim Group – All Rights Reserved SSA Program References • OWASP SAMM • BSIMM 10
  • 12. © 2020 Denim Group – All Rights Reserved OWASP SAMM • Originally OpenSAMM from Pravir Chandra • OWASP’s evolution/fork • Five Business Functions • Three Security Practices for each • Two Streams for each https://owaspsamm.org/ 11
  • 13. © 2020 Denim Group – All Rights Reserved OWASP SAMM 12
  • 14. © 2020 Denim Group – All Rights Reserved BSIMM • Originally from Cigital (now Synopsys) • Based on data collection from participating organizations • Four domains • Three Practices for each • Total of 119 Activities https://www.bsimm.com/ 13
  • 15. © 2020 Denim Group – All Rights Reserved BSIMM 14
  • 16. © 2020 Denim Group – All Rights Reserved OWASP SAMM Walkthrough • We will use OWASP SAMM for the purposes of this webinar • More prescriptive • Less vendor-centric • If you are using BSIMM it is pretty trivial to translate 15
  • 17. © 2020 Denim Group – All Rights Reserved If You Are Just Starting Out • Assessing your program using either tool is less-than-ideal • Better: • Define your scope/mandate • Do some testing • Run some vulnerabilities through resolution • Proceed from there https://www.denimgroup.com/contact-us/ 16
  • 18. © 2020 Denim Group – All Rights Reserved Fast and Slow
  • 19. © 2020 Denim Group – All Rights Reserved Thinking Fast and Slow 18 • Written by Daniel Kahneman • System 1 (Fast): Instinctive, emotional • System 2 (Slow): Deliberative, logical • (For AppSec purposes, use configuration/customization to minimize the “emotional”) https://www.amazon.com/Thinking-Fast-Slow-Daniel- Kahneman/dp/0141033576/ref=asc_df_0141033576/
  • 20. © 2020 Denim Group – All Rights Reserved An Aside: What Horrible Names! • System 1 and System 2 ??? • Almost as bad as Type I and Type II Errors 19 https://www.simplypsychology.org/type_I_and_type_II_errors.html
  • 21. © 2020 Denim Group – All Rights Reserved Another Aside: The Undoing Project • Michael Lewis book on the research of and the collaboration between Daniel Kahneman and Amos Tversky https://www.amazon.com/Undoing-Project-Friendship- Changed-Minds/dp/0393354776/ref=sr_1_2 20
  • 22. © 2020 Denim Group – All Rights Reserved Fast and Slow In a culture like DevSecOps that is so focused on FAST, what is still critical, but has to go SLOW? 21
  • 23. © 2020 Denim Group – All Rights Reserved What Do We Mean By FAST? Blog post: Power, Responsibility, and Security’s Role in the DevOps Pipeline https://www.denimgroup.com/resources/blog/2019/02/powe r-responsibility-and-securitys-role-in-the-devops-pipeline/ 22
  • 24. © 2020 Denim Group – All Rights Reserved To Be DevSecOps FAST 1. Available quickly 2. High-value 3. Low (NO) false positives (no Type I errors) • Limited time budget • Developers have to care • Don’t waste developers’ time 23
  • 25. © 2020 Denim Group – All Rights Reserved OWASP SAMM Walkthrough
  • 26. © 2020 Denim Group – All Rights Reserved Governance • Strategy and Metrics • Policy and Compliance • Education and Guidance 25
  • 27. © 2020 Denim Group – All Rights Reserved Strategy and Metrics • You can’t automate strategy • SLOW • You can use CI/CD to feed your metrics • Kinda FAST • Metrics in general: very automatable 26
  • 28. © 2020 Denim Group – All Rights Reserved Policy and Compliance • You can’t automate the creation of your policies • SLOW • You can use CI/CD to automate some policy checks • CI/CD pass/fail • Be careful of limitations – this is a helper, not definitive • Kinda FAST 27
  • 29. © 2020 Denim Group – All Rights Reserved CI/CD Policy Configuration • Testing • Synchronous • Asynchronous • Decision • Reporting 28 Blog Post: Effective Application Security Testing in DevOps Pipelines http://www.denimgroup.com/blog/2016/12/effective-application-security-testing-in-devops-pipelines/ https://www.denimgroup.com/resources/effective-application-security-for-devops/
  • 30. © 2020 Denim Group – All Rights Reserved Education and Guidance • Instructor-led training: SLOW • eLearning • Monolithic: SLOW • Targeted: Not FAST, but increasingly interesting • Security Champions • Common responsibility is to configure security testing in CI/CD environments and tune scanning • They make things FASTer 29
  • 31. © 2020 Denim Group – All Rights Reserved Security Champions Webinar: Security Champions: Pushing Security Expertise to the Edges of Your Organization https://www.denimgroup.com/resources/webinar/security-champions- pushing-security-expertise-to-the-edges-of-your-organization/ 30
  • 32. © 2020 Denim Group – All Rights Reserved Design • Threat Assessment • Security Requirements • Security Architecture 31
  • 33. © 2020 Denim Group – All Rights Reserved Threat Assessment • Determining your general application threat profiles can’t be automated • SLOW • Threat Modeling also requires a lot of manual work • Some new interesting automation, but nothing in CI/CD pipelines • Some vendors providing tooling support • Can allow for manual incremental changes – not CI/CD, but fits better into Agile environments • SLOW 32
  • 34. © 2020 Denim Group – All Rights Reserved Security Requirements • Determining your requirements is largely manual • Some tooling support is available • SLOW • Validating if they are met is largely manual, but we will look at this later during the Verification/Requirements-Driven Testing activity 33
  • 35. © 2020 Denim Group – All Rights Reserved Secure Architecture • Determining your architectural security requirements is largely manual • SLOW • Validating if they are met is largely manual, but we will look at this later during the Verification/Architecture Assessment activity 34
  • 36. © 2020 Denim Group – All Rights Reserved Implementation • Secure Build • Secure Deployment • Defect Management 35
  • 37. © 2020 Denim Group – All Rights Reserved Secure Build • This is really the crux of what we are discussing today • FAST • How can you integrate security into the build process? • SAST/DAST/IAST • SCA • OWASP Dependency Check https://owasp.org/www-project-dependency-check/ • If you are even considering this you have to have a repeatable build process • Otherwise please log off this webinar and pick up a Jenkins for Dummies book. You can pick this back up later. • Software Bill of Materials (SBOM) • OWASP Dependency Track https://dependencytrack.org/ 36
  • 38. © 2020 Denim Group – All Rights Reserved Architectural Bill of Materials Webinar: The As, Bs, and Four Cs of Testing Cloud- Native Applications https://www.denimgroup.com/resources/webinar/the-as-bs- and-four-cs-of-testing-cloud-native-applications/ 37
  • 39. © 2020 Denim Group – All Rights Reserved Secure Deployment • An extension of Secure Build • Organizations tend to be a little less mature • FAST • Technologies like Puppet, Chef, Terraform 38
  • 40. © 2020 Denim Group – All Rights Reserved Defect Management • Subsets of this can be FAST • But you have to tune scanners or you will run into problems • High-value, no false positives • Technically automated defect creation is usually possible • In practice, it takes a while to get to this level • Limited coverage: only works for vulnerabilities you can find with automation in CI/CD pipelines • We will talk more about these testing limitations in the Verification discussions 39
  • 41. © 2020 Denim Group – All Rights Reserved Bundling Strategies • Turning vulnerabilities into defects • 1:1 approach? • More time spent administering defects than fixing issues • Bundling • By vulnerability type • By severity (more mature applications) • Other approaches 40
  • 42. © 2020 Denim Group – All Rights Reserved Metrics and Feedback Stream • Scanner / developer provide separation of duties • Scanners find vulns, developers say they fixed them, scanners confirm they did • Obviously only applies to vulnerabilities identified by automation • Tracking mean-time-to-remediation (MTTR) • Good metric for Agile/DevOps teams – how fast can you fix? • (Better than defects per KLoC) • Benchmark against data from Veracode/WhiteHat 41
  • 43. © 2020 Denim Group – All Rights Reserved Verification • Architecture Assessment • Requirements-driven Testing • Security Testing 42
  • 44. © 2020 Denim Group – All Rights Reserved Architecture Assessment • This largely has to be done manually • SLOW • Some architectural policies may be checked automatically • Cloud configuration 43
  • 45. © 2020 Denim Group – All Rights Reserved ScoutSuite • Check configuration of cloud environments • Checks for: • Open S3 buckets • IAM configuration https://github.com/nccgroup/ScoutSuite 44
  • 46. © 2020 Denim Group – All Rights Reserved Requirements-Driven Testing • Control verification: largely a manual process • SLOW • Misuse/abuse testing: • Fuzzing can be automated, but runtimes can extend beyond the time budget for FAST • Abuse case and business logic testing is manual • DoS testing does not fit in most general pipelines • Mostly SLOW • Some automation and integration possible 45
  • 47. © 2020 Denim Group – All Rights Reserved Security Testing • THIS is really what the discussion comes down to • How sufficient is the security testing you can stuff into a CI/CD pipeline? • OWASP SAMM has two streams: • Scalable baseline • Deep understanding 46
  • 48. © 2020 Denim Group – All Rights Reserved OWASP and Testing • OWASP has traditionally had a cultural focus on the strengths (and weaknesses) of automated testing tools • Consultants vs scanner vendors • Testing Guide • https://owasp.org/www-project-web-security-testing-guide/ • ASVS • https://owasp.org/www-project-application-security-verification-standard/ 47
  • 49. © 2020 Denim Group – All Rights Reserved Scalable Baseline Stream • Three levels of maturity 1. Use an automated tool 2. Employ application-specific automation (tuning) 3. Integrate into the build process • This webinar presupposes the top level of maturity • You did remember to tune your scanner before you put it in the build process, right? 48
  • 50. © 2020 Denim Group – All Rights Reserved Deep Understanding Stream • This is all manual • Manual test high-risk components • Perform penetration testing • Integrate testing into the development process • Tooling can help • Focus efforts on diffs / new or altered functionality 49
  • 51. © 2020 Denim Group – All Rights Reserved Testing in CI/CD Pipelines 50
  • 52. © 2020 Denim Group – All Rights Reserved SAST in CI/CD • Mostly open source linting tools • Need for speed • Commercial-grade tools are less prevalent • Run SAST on diffs? • Cross-method/class data and control flow takes time • Cut down the rules • Shorten run times • Limit false positives 51
  • 53. © 2020 Denim Group – All Rights Reserved DAST in CI/CD • Concerns about run times • Approaches for targeted DAST • Focus on changes in the app 52
  • 54. © 2020 Denim Group – All Rights Reserved Targeting DAST Testing Webinar: Monitoring Application Attack Surface and Integrating Security into DevOps Pipelines https://threadfix.it/resources/monitorin g-application-attack-surface-and- integrating-security-into-devops- pipelines/ 53
  • 55. © 2020 Denim Group – All Rights Reserved IAST in CI/CD • Great! • Typically relies on generated traffic • Use DAST testing to generate traffic • Use integration tests to generate traffic 54
  • 56. © 2020 Denim Group – All Rights Reserved SCA in CI/CD • Great! • Look at run time tradeoffs vs. velocity of new components and new vulnerabilities 55
  • 57. © 2020 Denim Group – All Rights Reserved Operations • Incident Management • Environmental Management • Operational Management 56
  • 58. © 2020 Denim Group – All Rights Reserved Incident Management • Not in a pipeline • Use automation for detection where possible • Some automation frameworks available for response 57
  • 59. © 2020 Denim Group – All Rights Reserved Application Logging for Security Video: Top Strategies to Capture Security Intelligence for Applications https://www.denimgroup.com/resources/article/top-strategies-to-capture- security-intelligence-for-applications-includes-educational-video/ 58
  • 60. © 2020 Denim Group – All Rights Reserved Environment Management • Servers should be cattle, not pets • Configuration Handling stream: • Hopefully you have this sorted given the work you have done for Secure Deployment • Chef, Puppet, Terraform • ScoutSuite • Patching and Updating stream: • Detection: FAST • Actual patching: SLOW 59
  • 61. © 2020 Denim Group – All Rights Reserved Operational Management • Data Protection stream: SLOW • Oh, wait, your DLP solution will sort this out for you • Decommissioning: SLOW 60
  • 62. © 2020 Denim Group – All Rights Reserved Conclusions
  • 63. © 2020 Denim Group – All Rights Reserved What Goes in a Pipeline? • Linting SAST • DAST if you can target it • IAST if you can generate meaningful traffic • SCA if you want 62
  • 64. © 2020 Denim Group – All Rights Reserved What Likely Has to be Done Outside? • Full, commercial-grade SAST • Full DAST • Manual code review • Penetration testing • Threat modeling 63
  • 65. © 2020 Denim Group – All Rights Reserved What Has to be Done Outside? • Most everything else • Strategy • Policy • Training • Architecture • Security requirements 64
  • 66. © 2020 Denim Group – All Rights Reserved Shifting Left is Awesome… • But it is only one aspect of a far more complicated landscape • For testing: think coverage • Classes of vulnerabilities • Detection approaches • Quality of approaches • For everything else: • Thing programmatically 65
  • 67. © 2020 Denim Group – All Rights Reserved Questions
  • 68. © 2020 Denim Group – All Rights Reserved Building a world where technology is trusted. Building a world where technology is trusted. @denimgroup www.denimgroup.com