SlideShare a Scribd company logo

AppSec How-To: Achieving Security in DevOps

Checkmarx
Checkmarx

How do you integrate security within a Continuous Deployment (CD) environment, where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Find out in this Checkmarx How-To Paper.

1 of 5
Downloaded 22 times
1
Source Code Analysis Made Easy The AppSec How-To: Achieving Security in DevOps How do you integrate security within a Continuous Deployment (CD) environment where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Traditional application security tools which require lengthy periods of configuration, tuning and application learning have become irrelevant in these fast-pace environments. Yet, falling back only on the secure coding practices of the developer cannot be tolerated. Secure coding requires a new approach where security tools become part of the development environment – and eliminate any unnecessary overhead. By collaborating with development teams, understanding their needs and requirements, you can pave the way to a secure deployment in minutes. What is DevOps all about? DevOps is a continuous development process where small features and bug fixes are frequently deployed within short periods of time. As a new development methodology, DevOps is not restricted anymore to young start-ups. Numerous large enterprises such as Facebook, Netflix, Etsy, LinkedIn and Twitter have already adopted DevOps. Amazon, which closely follows the DevOps model, is known to have more than 1000 deployments an hour. 1 Tradition vs. Disruption: Web application controls in a DevOps environment Can traditional Web application security controls fit in a disruptive DevOps environment? Let’s take a look at the common Web application security toolbox: Penetration Testing. A most valuable method to test security, there is one inherent problem: it takes time. Whether penetration testing is performed internally, or by a third-party, it takes a few days to test the application and then some time to produce the findings. When findings are at last presented, it takes time to analyze the results, get the affected development groups together and prioritize the tasks. It’s not rare for a big project to produce a 300 page findings report after undergoing a three week assessment cycle, two days of a follow-up analysis, and an additional two weeks just to start incorporating the fixes within the development process. • 1 http://www.slideshare.net/AmazonWebServices/advanced-topics-session-1-continuous-deploymentpracticesonaws 1 www.checkmarx.com
2
Source Code Analysis Made Easy • • Web Application Firewall (WAF). A WAF requires tuning and learning the application it protects. For applications that do not change much, configuration the WAF requires a few hours to a few days. But what happens when applications constantly change? The WAF in this case would require continuous configuration and is simply not a solution for such a dynamic process. Code Analysis. This method gained a bad reputation for simply being too slow. Whether it’s the setup time, running time or analysis time – anything that takes more than a few seconds cannot truly be integrated within DevOps. Required: A new secure Software Development Life Cycle (SDLC) approach The solution is to incorporate security already from the start of the development process. Consider the project from a security standpoint and make security a default process within the SDLC. These following steps can help you achieve this goal. Step 1: Plan for Security Research what technologies and processes you will run into throughout the development and deployment process. Accordingly, consider their security aspects: 1. Security in technology a. Identify non-secure components and frameworks. For example, some organizations analyze their entire code base to map all their non-secure patterns, frameworks and libraries. b. Choose a programming language which has built-in security patterns. Each new PHP release, for instance, deprecates non-secure patterns from previous versions. Similarly, almost all frameworks had security breaches and provide the required fixes for them. 2. Security in code development a. Map security sensitive code portions. Not all code is created equally. For example, security in your test library is definitely not as important as a password change mechanism, a user authentication mechanism or a credit-card processing mechanism. b. Place extra security care around sensitive code portions. Flag the sensitive code portions so that when changes are applied to those modules they trigger a code review, special testing, and a separate scan specifically for those modules. 3. Security in features a. Anticipate regulatory problems and plan for them. Eventually, you’ll hit regulations. Not preparing for them in advance will cost you later due to product changes, add-ons and modifications to already structured code. Design the incorporation of regulation aspects into the code. Design compliance verification into the process testing. 2 www.checkmarx.com
3
Source Code Analysis Made Easy Step 2: Engage the Developers. And Be Engaged. DevOps places the developer at the center of the process. And it is the developer that is held responsible to a high code quality standard. How can security teams communicate also the seriousness and importance of security? Various companies have found the following recommendations helpful to bridge the security-developers gap: 1. Connect developers to security. Position a “security champion” in each development team. Share with the champion security articles on the threat landscape and hacking motivations. Go together to your local OWASP training. Make security training valuable. Instruct developers on effective reading of vulnerability descriptions, communicate the risk of vulnerable patterns in the code, and discuss correct mitigation strategies. Practice through security development exercises which present developers with their common and repeating coding issues. Share attack details. Relate developers to the actuality of security and hacking. Present the logs of hacking attempts to demonstrate how their secure coding practices prevented the attacks from succeeding. 2. Setup an online collaboration platform. For example, generate a discussion on any sharing and collaboration platform, such as Jive or Confluence, by post a security problem and presenting ways to solve or prevent the issue. Take this one step further and establish a collaboration platform just to share security issues. Have an open door approach. Be there when developers come to ask questions. For example, work with developers on how to fix and prevent the lesser known coding flaws. 3. Step 3: Arm the Developers. Provide the developers with the right tools to help them prevent and mitigate security vulnerabilities. 1. Secure frameworks Secure frameworks are your built-in tools for securing the code already at the base. Currently, there is a pretty nice range of secure frameworks to choose from. Examples include Spring Security, JAAS, Apache, Shiro, Java SE, Symfony2. Furthermore, Ruby on Rails has a very wide range of security solutions for input validations, authentication and session management. OWASP also provides an open-source security framework for various languages named ESAPI. 2. Use source code analysis tools for security feedback on the pre-commit stages Running a source code analysis tool is a seemingly contradiction to this article’s preface which considered it to be too slow. As mentioned, any delay due to security scanning cannot be tolerated in a DevOps environment which requires delivery every few minutes. But as the development environment changed, so have different scanners adapted in order to provide the development team with a rapid response. How can developers take advantage of these new scanning features? 3 www.checkmarx.com
4
Source Code Analysis Made Easy - Run the scan on small chunks of code. Only scan the change between the last scan and the current scan. In this way, the scanner can scan small code portions without requiring the whole project to be set up and scanned for hours. Access the tool from within the development environment. Developers are responsible for testing their own code within their chosen IDE environment. This should also include testing the code for security. Developers can either do this through a code review or by using SCA tools. Only when the developers are confident that their code is secure, then they can commit the code into the source code repository. Step 4: Automate the Process The building block of DevOps is automation. The same should go for security. Security should first fit into the standard automated continuous deployment process. As a second step, apply application security testing tools – whether static or dynamic – that are capable to produce results in a very short time. 1. Integrate within your build (Jenkins, Bamboo, TeamCity, etc.) different application security tools such as Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). When the code is committed, the build – typically through tools such as Jenkins or Bamboo – should trigger the scan of both dynamic and static testing tools. The static testing tool performs a comprehensive scan in order to cover the case where several developers commit simultaneously. The dynamic testing tool works as a self-learning environment where it monitors the positive tests written for regular testing tools. The tool also runs inputs on negative tests to verify the catching of inputs not caught by the positive tests. 2. Fail the build if it does not pass the bar. We realize that at first you might be put off by the sound of this notion. But just like a high-priority bug that does not pass the development stage, security should be considered on the same rung of importance. Diagram 1: Security within Continuous Deployment 4 www.checkmarx.com
5
Source Code Analysis Made Easy Step 5: Use Old Tools Wisely Don’t start throwing away the old tools immediately. These still come in handy – but used in different ways: • Penetration Testing. Ensure that your systems are military-grade by ordering a penetration testing on a periodic level, say every six months. At this stage, findings will be minor if non-existent – but these can act as a reassurance to your system. Additionally, have your customers perform penetration testing on your systems. First, this might be a requirement since some customers are required to audit third-party systems to meet compliance. Second, a cloud environment relationship is based on the trust between the provider and customer. Allowing customers to perform penetration testing on your systems will raise this level of confidence. When security is ingrained into your system, you have that assurance of zero findings. • Web Application Firewall (WAF). Use the WAF as a solution for the more stable parts of the Web App. Maintain the WAF by performing a fine-tuning every once in a while to ensure that the WAF still guards the main functions that do not change too often. • Code Review. Perform a code review for security sensitive code portions. Use a code review, for example, to ensure the security of authentication modules and credit-card handling modules. DevOps is Happening. Right Now. Last Word of Advice Security can and should be an integral part of a continuous deployment process. But start small to avoid being overwhelmed and making the process too hard to implement. Start with those features that are more accessible and less critical, and build up the security process from one deployment to the next. Eventually, you’ll achieve small successes as proved by the reduced amount of vulnerability feedback for those security-enhanced features. Go with these results to management and receive their support to start integrating security into each and every part of your development life cycle. 5 www.checkmarx.com
Source Code Analysis Made Easy The AppSec How-To: Achieving Security in DevOps How do you integrate security within a Continuous Deployment (CD) environment where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Traditional application security tools which require lengthy periods of configuration, tuning and application learning have become irrelevant in these fast-pace environments. Yet, falling back only on the secure coding practices of the developer cannot be tolerated. Secure coding requires a new approach where security tools become part of the development environment – and eliminate any unnecessary overhead. By collaborating with development teams, understanding their needs and requirements, you can pave the way to a secure deployment in minutes. What is DevOps all about? DevOps is a continuous development process where small features and bug fixes are frequently deployed within short periods of time. As a new development methodology, DevOps is not restricted anymore to young start-ups. Numerous large enterprises such as Facebook, Netflix, Etsy, LinkedIn and Twitter have already adopted DevOps. Amazon, which closely follows the DevOps model, is known to have more than 1000 deployments an hour. 1 Tradition vs. Disruption: Web application controls in a DevOps environment Can traditional Web application security controls fit in a disruptive DevOps environment? Let’s take a look at the common Web application security toolbox: Penetration Testing. A most valuable method to test security, there is one inherent problem: it takes time. Whether penetration testing is performed internally, or by a third-party, it takes a few days to test the application and then some time to produce the findings. When findings are at last presented, it takes time to analyze the results, get the affected development groups together and prioritize the tasks. It’s not rare for a big project to produce a 300 page findings report after undergoing a three week assessment cycle, two days of a follow-up analysis, and an additional two weeks just to start incorporating the fixes within the development process. • 1 http://www.slideshare.net/AmazonWebServices/advanced-topics-session-1-continuous-deploymentpracticesonaws 1 www.checkmarx.com
Source Code Analysis Made Easy • • Web Application Firewall (WAF). A WAF requires tuning and learning the application it protects. For applications that do not change much, configuration the WAF requires a few hours to a few days. But what happens when applications constantly change? The WAF in this case would require continuous configuration and is simply not a solution for such a dynamic process. Code Analysis. This method gained a bad reputation for simply being too slow. Whether it’s the setup time, running time or analysis time – anything that takes more than a few seconds cannot truly be integrated within DevOps. Required: A new secure Software Development Life Cycle (SDLC) approach The solution is to incorporate security already from the start of the development process. Consider the project from a security standpoint and make security a default process within the SDLC. These following steps can help you achieve this goal. Step 1: Plan for Security Research what technologies and processes you will run into throughout the development and deployment process. Accordingly, consider their security aspects: 1. Security in technology a. Identify non-secure components and frameworks. For example, some organizations analyze their entire code base to map all their non-secure patterns, frameworks and libraries. b. Choose a programming language which has built-in security patterns. Each new PHP release, for instance, deprecates non-secure patterns from previous versions. Similarly, almost all frameworks had security breaches and provide the required fixes for them. 2. Security in code development a. Map security sensitive code portions. Not all code is created equally. For example, security in your test library is definitely not as important as a password change mechanism, a user authentication mechanism or a credit-card processing mechanism. b. Place extra security care around sensitive code portions. Flag the sensitive code portions so that when changes are applied to those modules they trigger a code review, special testing, and a separate scan specifically for those modules. 3. Security in features a. Anticipate regulatory problems and plan for them. Eventually, you’ll hit regulations. Not preparing for them in advance will cost you later due to product changes, add-ons and modifications to already structured code. Design the incorporation of regulation aspects into the code. Design compliance verification into the process testing. 2 www.checkmarx.com
Source Code Analysis Made Easy Step 2: Engage the Developers. And Be Engaged. DevOps places the developer at the center of the process. And it is the developer that is held responsible to a high code quality standard. How can security teams communicate also the seriousness and importance of security? Various companies have found the following recommendations helpful to bridge the security-developers gap: 1. Connect developers to security. Position a “security champion” in each development team. Share with the champion security articles on the threat landscape and hacking motivations. Go together to your local OWASP training. Make security training valuable. Instruct developers on effective reading of vulnerability descriptions, communicate the risk of vulnerable patterns in the code, and discuss correct mitigation strategies. Practice through security development exercises which present developers with their common and repeating coding issues. Share attack details. Relate developers to the actuality of security and hacking. Present the logs of hacking attempts to demonstrate how their secure coding practices prevented the attacks from succeeding. 2. Setup an online collaboration platform. For example, generate a discussion on any sharing and collaboration platform, such as Jive or Confluence, by post a security problem and presenting ways to solve or prevent the issue. Take this one step further and establish a collaboration platform just to share security issues. Have an open door approach. Be there when developers come to ask questions. For example, work with developers on how to fix and prevent the lesser known coding flaws. 3. Step 3: Arm the Developers. Provide the developers with the right tools to help them prevent and mitigate security vulnerabilities. 1. Secure frameworks Secure frameworks are your built-in tools for securing the code already at the base. Currently, there is a pretty nice range of secure frameworks to choose from. Examples include Spring Security, JAAS, Apache, Shiro, Java SE, Symfony2. Furthermore, Ruby on Rails has a very wide range of security solutions for input validations, authentication and session management. OWASP also provides an open-source security framework for various languages named ESAPI. 2. Use source code analysis tools for security feedback on the pre-commit stages Running a source code analysis tool is a seemingly contradiction to this article’s preface which considered it to be too slow. As mentioned, any delay due to security scanning cannot be tolerated in a DevOps environment which requires delivery every few minutes. But as the development environment changed, so have different scanners adapted in order to provide the development team with a rapid response. How can developers take advantage of these new scanning features? 3 www.checkmarx.com
Source Code Analysis Made Easy - Run the scan on small chunks of code. Only scan the change between the last scan and the current scan. In this way, the scanner can scan small code portions without requiring the whole project to be set up and scanned for hours. Access the tool from within the development environment. Developers are responsible for testing their own code within their chosen IDE environment. This should also include testing the code for security. Developers can either do this through a code review or by using SCA tools. Only when the developers are confident that their code is secure, then they can commit the code into the source code repository. Step 4: Automate the Process The building block of DevOps is automation. The same should go for security. Security should first fit into the standard automated continuous deployment process. As a second step, apply application security testing tools – whether static or dynamic – that are capable to produce results in a very short time. 1. Integrate within your build (Jenkins, Bamboo, TeamCity, etc.) different application security tools such as Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). When the code is committed, the build – typically through tools such as Jenkins or Bamboo – should trigger the scan of both dynamic and static testing tools. The static testing tool performs a comprehensive scan in order to cover the case where several developers commit simultaneously. The dynamic testing tool works as a self-learning environment where it monitors the positive tests written for regular testing tools. The tool also runs inputs on negative tests to verify the catching of inputs not caught by the positive tests. 2. Fail the build if it does not pass the bar. We realize that at first you might be put off by the sound of this notion. But just like a high-priority bug that does not pass the development stage, security should be considered on the same rung of importance. Diagram 1: Security within Continuous Deployment 4 www.checkmarx.com
Source Code Analysis Made Easy Step 5: Use Old Tools Wisely Don’t start throwing away the old tools immediately. These still come in handy – but used in different ways: • Penetration Testing. Ensure that your systems are military-grade by ordering a penetration testing on a periodic level, say every six months. At this stage, findings will be minor if non-existent – but these can act as a reassurance to your system. Additionally, have your customers perform penetration testing on your systems. First, this might be a requirement since some customers are required to audit third-party systems to meet compliance. Second, a cloud environment relationship is based on the trust between the provider and customer. Allowing customers to perform penetration testing on your systems will raise this level of confidence. When security is ingrained into your system, you have that assurance of zero findings. • Web Application Firewall (WAF). Use the WAF as a solution for the more stable parts of the Web App. Maintain the WAF by performing a fine-tuning every once in a while to ensure that the WAF still guards the main functions that do not change too often. • Code Review. Perform a code review for security sensitive code portions. Use a code review, for example, to ensure the security of authentication modules and credit-card handling modules. DevOps is Happening. Right Now. Last Word of Advice Security can and should be an integral part of a continuous deployment process. But start small to avoid being overwhelmed and making the process too hard to implement. Start with those features that are more accessible and less critical, and build up the security process from one deployment to the next. Eventually, you’ll achieve small successes as proved by the reduced amount of vulnerability feedback for those security-enhanced features. Go with these results to management and receive their support to start integrating security into each and every part of your development life cycle. 5 www.checkmarx.com
Ad

Recommended

A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
Checkmarx
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
Suman Sourav
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Achim D. Brucker
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
Suman Sourav
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
Jeff Williams
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevOps Indonesia
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization
Rogue Wave Software
 
Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009
Klocwork
 
Building a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationBuilding a Modern Security Engineering Organization
Building a Modern Security Engineering Organization
Zane Lackey
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
Nazar Tymoshyk, CEH, Ph.D.
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud
Suman Sourav
 
Integrating security into Continuous Delivery
Integrating security into Continuous DeliveryIntegrating security into Continuous Delivery
Integrating security into Continuous Delivery
Tom Stiehm
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
Derek E. Weeks
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman
Rinaldi Rampen
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security
Jeff Williams
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
Jason Suttie
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
DevSecCon
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...
Kevin Fealey
 
DevSecOps outline
DevSecOps outlineDevSecOps outline
DevSecOps outline
Nickleus Jimenez
 
DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017
Suman Sourav
 
Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development Lifecycle
Nazar Tymoshyk, CEH, Ph.D.
 
Why should developers care about container security?
Why should developers care about container security?Why should developers care about container security?
Why should developers care about container security?
Eric Smalling
 
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Sonatype
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
SoftServe
 
2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London
Jeff Williams
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
Why does security matter for devops by Caroline Wong
Why does security matter for devops by Caroline WongWhy does security matter for devops by Caroline Wong
Why does security matter for devops by Caroline Wong
DevSecCon
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauro
Matt Tesauro
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Matt Tesauro
 

More Related Content

What's hot (20)

Building a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationBuilding a Modern Security Engineering Organization
Building a Modern Security Engineering Organization
Zane Lackey
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
Nazar Tymoshyk, CEH, Ph.D.
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud
Suman Sourav
 
Integrating security into Continuous Delivery
Integrating security into Continuous DeliveryIntegrating security into Continuous Delivery
Integrating security into Continuous Delivery
Tom Stiehm
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
Derek E. Weeks
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman
Rinaldi Rampen
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security
Jeff Williams
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
Jason Suttie
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
DevSecCon
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...
Kevin Fealey
 
DevSecOps outline
DevSecOps outlineDevSecOps outline
DevSecOps outline
Nickleus Jimenez
 
DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017
Suman Sourav
 
Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development Lifecycle
Nazar Tymoshyk, CEH, Ph.D.
 
Why should developers care about container security?
Why should developers care about container security?Why should developers care about container security?
Why should developers care about container security?
Eric Smalling
 
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Sonatype
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
SoftServe
 
2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London
Jeff Williams
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
Why does security matter for devops by Caroline Wong
Why does security matter for devops by Caroline WongWhy does security matter for devops by Caroline Wong
Why does security matter for devops by Caroline Wong
DevSecCon
 
Building a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationBuilding a Modern Security Engineering Organization
Building a Modern Security Engineering Organization
Zane Lackey
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
Nazar Tymoshyk, CEH, Ph.D.
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud
Suman Sourav
 
Integrating security into Continuous Delivery
Integrating security into Continuous DeliveryIntegrating security into Continuous Delivery
Integrating security into Continuous Delivery
Tom Stiehm
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
Derek E. Weeks
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman
Rinaldi Rampen
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security
Jeff Williams
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
Jason Suttie
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
DevSecCon
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...
Kevin Fealey
 
DevSecOps outline
DevSecOps outlineDevSecOps outline
DevSecOps outline
Nickleus Jimenez
 
DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017
Suman Sourav
 
Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development Lifecycle
Nazar Tymoshyk, CEH, Ph.D.
 
Why should developers care about container security?
Why should developers care about container security?Why should developers care about container security?
Why should developers care about container security?
Eric Smalling
 
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Sonatype
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
SoftServe
 
2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London
Jeff Williams
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
Why does security matter for devops by Caroline Wong
Why does security matter for devops by Caroline WongWhy does security matter for devops by Caroline Wong
Why does security matter for devops by Caroline Wong
DevSecCon
 

Similar to AppSec How-To: Achieving Security in DevOps (20)

Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauro
Matt Tesauro
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Matt Tesauro
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure Development
Bosnia Agile
 
Agile Application Security Enabling Security in a Continuous Delivery Pipelin...
Agile Application Security Enabling Security in a Continuous Delivery Pipelin...Agile Application Security Enabling Security in a Continuous Delivery Pipelin...
Agile Application Security Enabling Security in a Continuous Delivery Pipelin...
piggsadamiso
 
Building a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot ApplicationBuilding a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot Application
VMware Tanzu
 
Including security in devops
Including security in devopsIncluding security in devops
Including security in devops
Jérémy Matos
 
10 Steps To Secure Agile Development
10 Steps To Secure Agile Development10 Steps To Secure Agile Development
10 Steps To Secure Agile Development
Checkmarx
 
Devops - Accelerating the Pace and Securing Along the Way - Thaddeus Walsh
Devops - Accelerating the Pace and Securing Along the Way - Thaddeus WalshDevops - Accelerating the Pace and Securing Along the Way - Thaddeus Walsh
Devops - Accelerating the Pace and Securing Along the Way - Thaddeus Walsh
Drew Malone
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
Spencer Koch
 
The DevSecOps Advantage: A Comprehensive Guide
The DevSecOps Advantage: A Comprehensive Guide The DevSecOps Advantage: A Comprehensive Guide
The DevSecOps Advantage: A Comprehensive Guide
Dev Software
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
rkadayam
 
ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical Approach
Jeremy Brown
 
DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16
Rich Mills
 
Dev opsandsecurity owasp
Dev opsandsecurity owaspDev opsandsecurity owasp
Dev opsandsecurity owasp
Helen Bravo
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Sigma Software
 
How To Implement DevSecOps In Your Existing DevOps Workflow
How To Implement DevSecOps In Your Existing DevOps WorkflowHow To Implement DevSecOps In Your Existing DevOps Workflow
How To Implement DevSecOps In Your Existing DevOps Workflow
Enov8
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
Prashanth B. P.
 
Software Security in the Real World
Software Security in the Real WorldSoftware Security in the Real World
Software Security in the Real World
Mark Curphey
 
5 Ways to Reduce 3rd Party Developer Risk
5 Ways to Reduce 3rd Party Developer Risk5 Ways to Reduce 3rd Party Developer Risk
5 Ways to Reduce 3rd Party Developer Risk
Security Innovation
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauro
Matt Tesauro
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Matt Tesauro
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure Development
Bosnia Agile
 
Agile Application Security Enabling Security in a Continuous Delivery Pipelin...
Agile Application Security Enabling Security in a Continuous Delivery Pipelin...Agile Application Security Enabling Security in a Continuous Delivery Pipelin...
Agile Application Security Enabling Security in a Continuous Delivery Pipelin...
piggsadamiso
 
Building a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot ApplicationBuilding a DevSecOps Pipeline Around Your Spring Boot Application
Building a DevSecOps Pipeline Around Your Spring Boot Application
VMware Tanzu
 
Including security in devops
Including security in devopsIncluding security in devops
Including security in devops
Jérémy Matos
 
10 Steps To Secure Agile Development
10 Steps To Secure Agile Development10 Steps To Secure Agile Development
10 Steps To Secure Agile Development
Checkmarx
 
Devops - Accelerating the Pace and Securing Along the Way - Thaddeus Walsh
Devops - Accelerating the Pace and Securing Along the Way - Thaddeus WalshDevops - Accelerating the Pace and Securing Along the Way - Thaddeus Walsh
Devops - Accelerating the Pace and Securing Along the Way - Thaddeus Walsh
Drew Malone
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
Spencer Koch
 
The DevSecOps Advantage: A Comprehensive Guide
The DevSecOps Advantage: A Comprehensive Guide The DevSecOps Advantage: A Comprehensive Guide
The DevSecOps Advantage: A Comprehensive Guide
Dev Software
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
rkadayam
 
ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical Approach
Jeremy Brown
 
DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16DevSecOps: essential tooling to enable continuous security 2019-09-16
DevSecOps: essential tooling to enable continuous security 2019-09-16
Rich Mills
 
Dev opsandsecurity owasp
Dev opsandsecurity owaspDev opsandsecurity owasp
Dev opsandsecurity owasp
Helen Bravo
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Sigma Software
 
How To Implement DevSecOps In Your Existing DevOps Workflow
How To Implement DevSecOps In Your Existing DevOps WorkflowHow To Implement DevSecOps In Your Existing DevOps Workflow
How To Implement DevSecOps In Your Existing DevOps Workflow
Enov8
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
Prashanth B. P.
 
Software Security in the Real World
Software Security in the Real WorldSoftware Security in the Real World
Software Security in the Real World
Mark Curphey
 
5 Ways to Reduce 3rd Party Developer Risk
5 Ways to Reduce 3rd Party Developer Risk5 Ways to Reduce 3rd Party Developer Risk
5 Ways to Reduce 3rd Party Developer Risk
Security Innovation
 
Ad

More from Checkmarx (12)

Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners
Checkmarx
 
The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's Toolbox
Checkmarx
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers
Checkmarx
 
The 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code AnalysisThe 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code Analysis
Checkmarx
 
A Platform for Application Risk Intelligence
A Platform for Application Risk IntelligenceA Platform for Application Risk Intelligence
A Platform for Application Risk Intelligence
Checkmarx
 
How Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code AnalysisHow Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code Analysis
Checkmarx
 
Source Code vs. Binary Code Analysis
Source Code vs. Binary Code AnalysisSource Code vs. Binary Code Analysis
Source Code vs. Binary Code Analysis
Checkmarx
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & Now
Checkmarx
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST Tool
Checkmarx
 
The Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-InsThe Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-Ins
Checkmarx
 
Graph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC ChapterGraph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC Chapter
Checkmarx
 
Happy New Year!
Happy New Year!Happy New Year!
Happy New Year!
Checkmarx
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners
Checkmarx
 
The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's Toolbox
Checkmarx
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers
Checkmarx
 
The 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code AnalysisThe 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code Analysis
Checkmarx
 
A Platform for Application Risk Intelligence
A Platform for Application Risk IntelligenceA Platform for Application Risk Intelligence
A Platform for Application Risk Intelligence
Checkmarx
 
How Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code AnalysisHow Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code Analysis
Checkmarx
 
Source Code vs. Binary Code Analysis
Source Code vs. Binary Code AnalysisSource Code vs. Binary Code Analysis
Source Code vs. Binary Code Analysis
Checkmarx
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & Now
Checkmarx
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST Tool
Checkmarx
 
The Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-InsThe Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-Ins
Checkmarx
 
Graph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC ChapterGraph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC Chapter
Checkmarx
 
Happy New Year!
Happy New Year!Happy New Year!
Happy New Year!
Checkmarx
 
Ad

Recently uploaded (20)

Floods in Valencia: Two FME-Powered Stories of Data Resilience
Floods in Valencia: Two FME-Powered Stories of Data ResilienceFloods in Valencia: Two FME-Powered Stories of Data Resilience
Floods in Valencia: Two FME-Powered Stories of Data Resilience
Safe Software
 
Domino IQ – What to Expect, First Steps and Use Cases
Domino IQ – What to Expect, First Steps and Use CasesDomino IQ – What to Expect, First Steps and Use Cases
Domino IQ – What to Expect, First Steps and Use Cases
panagenda
 
Your startup on AWS - How to architect and maintain a Lean and Mean account
Your startup on AWS - How to architect and maintain a Lean and Mean accountYour startup on AWS - How to architect and maintain a Lean and Mean account
Your startup on AWS - How to architect and maintain a Lean and Mean account
angelo60207
 
Edge-banding-machines-edgeteq-s-200-en-.pdf
Edge-banding-machines-edgeteq-s-200-en-.pdfEdge-banding-machines-edgeteq-s-200-en-.pdf
Edge-banding-machines-edgeteq-s-200-en-.pdf
AmirStern2
 
Bridging the divide: A conversation on tariffs today in the book industry - T...
Bridging the divide: A conversation on tariffs today in the book industry - T...Bridging the divide: A conversation on tariffs today in the book industry - T...
Bridging the divide: A conversation on tariffs today in the book industry - T...
BookNet Canada
 
Trends Artificial Intelligence - Mary Meeker
Trends Artificial Intelligence - Mary MeekerTrends Artificial Intelligence - Mary Meeker
Trends Artificial Intelligence - Mary Meeker
Clive Dickens
 
If You Use Databricks, You Definitely Need FME
If You Use Databricks, You Definitely Need FMEIf You Use Databricks, You Definitely Need FME
If You Use Databricks, You Definitely Need FME
Safe Software
 
Developing Schemas with FME and Excel - Peak of Data & AI 2025
Developing Schemas with FME and Excel - Peak of Data & AI 2025Developing Schemas with FME and Excel - Peak of Data & AI 2025
Developing Schemas with FME and Excel - Peak of Data & AI 2025
Safe Software
 
TimeSeries Machine Learning - PyData London 2025
TimeSeries Machine Learning - PyData London 2025TimeSeries Machine Learning - PyData London 2025
TimeSeries Machine Learning - PyData London 2025
Suyash Joshi
 
Your startup on AWS - How to architect and maintain a Lean and Mean account J...
Your startup on AWS - How to architect and maintain a Lean and Mean account J...Your startup on AWS - How to architect and maintain a Lean and Mean account J...
Your startup on AWS - How to architect and maintain a Lean and Mean account J...
angelo60207
 
AI Agents in Logistics and Supply Chain Applications Benefits and Implementation
AI Agents in Logistics and Supply Chain Applications Benefits and ImplementationAI Agents in Logistics and Supply Chain Applications Benefits and Implementation
AI Agents in Logistics and Supply Chain Applications Benefits and Implementation
Christine Shepherd
 
Oracle Cloud Infrastructure AI Foundations
Oracle Cloud Infrastructure AI FoundationsOracle Cloud Infrastructure AI Foundations
Oracle Cloud Infrastructure AI Foundations
VICTOR MAESTRE RAMIREZ
 
Oracle Cloud Infrastructure Generative AI Professional
Oracle Cloud Infrastructure Generative AI ProfessionalOracle Cloud Infrastructure Generative AI Professional
Oracle Cloud Infrastructure Generative AI Professional
VICTOR MAESTRE RAMIREZ
 
TrustArc Webinar - 2025 Global Privacy Survey
TrustArc Webinar - 2025 Global Privacy SurveyTrustArc Webinar - 2025 Global Privacy Survey
TrustArc Webinar - 2025 Global Privacy Survey
TrustArc
 
National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...
National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...
National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...
Safe Software
 
How to Detect Outliers in IBM SPSS Statistics.pptx
How to Detect Outliers in IBM SPSS Statistics.pptxHow to Detect Outliers in IBM SPSS Statistics.pptx
How to Detect Outliers in IBM SPSS Statistics.pptx
Version 1 Analytics
 
Cisco ISE Performance, Scalability and Best Practices.pdf
Cisco ISE Performance, Scalability and Best Practices.pdfCisco ISE Performance, Scalability and Best Practices.pdf
Cisco ISE Performance, Scalability and Best Practices.pdf
superdpz
 
Artificial Intelligence in the Nonprofit Boardroom.pdf
Artificial Intelligence in the Nonprofit Boardroom.pdfArtificial Intelligence in the Nonprofit Boardroom.pdf
Artificial Intelligence in the Nonprofit Boardroom.pdf
OnBoard
 
Domino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
Domino IQ – Was Sie erwartet, erste Schritte und AnwendungsfälleDomino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
Domino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
panagenda
 
Crypto Super 500 - 14th Report - June2025.pdf
Crypto Super 500 - 14th Report - June2025.pdfCrypto Super 500 - 14th Report - June2025.pdf
Crypto Super 500 - 14th Report - June2025.pdf
Stephen Perrenod
 
Floods in Valencia: Two FME-Powered Stories of Data Resilience
Floods in Valencia: Two FME-Powered Stories of Data ResilienceFloods in Valencia: Two FME-Powered Stories of Data Resilience
Floods in Valencia: Two FME-Powered Stories of Data Resilience
Safe Software
 
Domino IQ – What to Expect, First Steps and Use Cases
Domino IQ – What to Expect, First Steps and Use CasesDomino IQ – What to Expect, First Steps and Use Cases
Domino IQ – What to Expect, First Steps and Use Cases
panagenda
 
Your startup on AWS - How to architect and maintain a Lean and Mean account
Your startup on AWS - How to architect and maintain a Lean and Mean accountYour startup on AWS - How to architect and maintain a Lean and Mean account
Your startup on AWS - How to architect and maintain a Lean and Mean account
angelo60207
 
Edge-banding-machines-edgeteq-s-200-en-.pdf
Edge-banding-machines-edgeteq-s-200-en-.pdfEdge-banding-machines-edgeteq-s-200-en-.pdf
Edge-banding-machines-edgeteq-s-200-en-.pdf
AmirStern2
 
Bridging the divide: A conversation on tariffs today in the book industry - T...
Bridging the divide: A conversation on tariffs today in the book industry - T...Bridging the divide: A conversation on tariffs today in the book industry - T...
Bridging the divide: A conversation on tariffs today in the book industry - T...
BookNet Canada
 
Trends Artificial Intelligence - Mary Meeker
Trends Artificial Intelligence - Mary MeekerTrends Artificial Intelligence - Mary Meeker
Trends Artificial Intelligence - Mary Meeker
Clive Dickens
 
If You Use Databricks, You Definitely Need FME
If You Use Databricks, You Definitely Need FMEIf You Use Databricks, You Definitely Need FME
If You Use Databricks, You Definitely Need FME
Safe Software
 
Developing Schemas with FME and Excel - Peak of Data & AI 2025
Developing Schemas with FME and Excel - Peak of Data & AI 2025Developing Schemas with FME and Excel - Peak of Data & AI 2025
Developing Schemas with FME and Excel - Peak of Data & AI 2025
Safe Software
 
TimeSeries Machine Learning - PyData London 2025
TimeSeries Machine Learning - PyData London 2025TimeSeries Machine Learning - PyData London 2025
TimeSeries Machine Learning - PyData London 2025
Suyash Joshi
 
Your startup on AWS - How to architect and maintain a Lean and Mean account J...
Your startup on AWS - How to architect and maintain a Lean and Mean account J...Your startup on AWS - How to architect and maintain a Lean and Mean account J...
Your startup on AWS - How to architect and maintain a Lean and Mean account J...
angelo60207
 
AI Agents in Logistics and Supply Chain Applications Benefits and Implementation
AI Agents in Logistics and Supply Chain Applications Benefits and ImplementationAI Agents in Logistics and Supply Chain Applications Benefits and Implementation
AI Agents in Logistics and Supply Chain Applications Benefits and Implementation
Christine Shepherd
 
Oracle Cloud Infrastructure AI Foundations
Oracle Cloud Infrastructure AI FoundationsOracle Cloud Infrastructure AI Foundations
Oracle Cloud Infrastructure AI Foundations
VICTOR MAESTRE RAMIREZ
 
Oracle Cloud Infrastructure Generative AI Professional
Oracle Cloud Infrastructure Generative AI ProfessionalOracle Cloud Infrastructure Generative AI Professional
Oracle Cloud Infrastructure Generative AI Professional
VICTOR MAESTRE RAMIREZ
 
TrustArc Webinar - 2025 Global Privacy Survey
TrustArc Webinar - 2025 Global Privacy SurveyTrustArc Webinar - 2025 Global Privacy Survey
TrustArc Webinar - 2025 Global Privacy Survey
TrustArc
 
National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...
National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...
National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...
Safe Software
 
How to Detect Outliers in IBM SPSS Statistics.pptx
How to Detect Outliers in IBM SPSS Statistics.pptxHow to Detect Outliers in IBM SPSS Statistics.pptx
How to Detect Outliers in IBM SPSS Statistics.pptx
Version 1 Analytics
 
Cisco ISE Performance, Scalability and Best Practices.pdf
Cisco ISE Performance, Scalability and Best Practices.pdfCisco ISE Performance, Scalability and Best Practices.pdf
Cisco ISE Performance, Scalability and Best Practices.pdf
superdpz
 
Artificial Intelligence in the Nonprofit Boardroom.pdf
Artificial Intelligence in the Nonprofit Boardroom.pdfArtificial Intelligence in the Nonprofit Boardroom.pdf
Artificial Intelligence in the Nonprofit Boardroom.pdf
OnBoard
 
Domino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
Domino IQ – Was Sie erwartet, erste Schritte und AnwendungsfälleDomino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
Domino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
panagenda
 
Crypto Super 500 - 14th Report - June2025.pdf
Crypto Super 500 - 14th Report - June2025.pdfCrypto Super 500 - 14th Report - June2025.pdf
Crypto Super 500 - 14th Report - June2025.pdf
Stephen Perrenod
 

AppSec How-To: Achieving Security in DevOps

  • 1. Source Code Analysis Made Easy The AppSec How-To: Achieving Security in DevOps How do you integrate security within a Continuous Deployment (CD) environment where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Traditional application security tools which require lengthy periods of configuration, tuning and application learning have become irrelevant in these fast-pace environments. Yet, falling back only on the secure coding practices of the developer cannot be tolerated. Secure coding requires a new approach where security tools become part of the development environment – and eliminate any unnecessary overhead. By collaborating with development teams, understanding their needs and requirements, you can pave the way to a secure deployment in minutes. What is DevOps all about? DevOps is a continuous development process where small features and bug fixes are frequently deployed within short periods of time. As a new development methodology, DevOps is not restricted anymore to young start-ups. Numerous large enterprises such as Facebook, Netflix, Etsy, LinkedIn and Twitter have already adopted DevOps. Amazon, which closely follows the DevOps model, is known to have more than 1000 deployments an hour. 1 Tradition vs. Disruption: Web application controls in a DevOps environment Can traditional Web application security controls fit in a disruptive DevOps environment? Let’s take a look at the common Web application security toolbox: Penetration Testing. A most valuable method to test security, there is one inherent problem: it takes time. Whether penetration testing is performed internally, or by a third-party, it takes a few days to test the application and then some time to produce the findings. When findings are at last presented, it takes time to analyze the results, get the affected development groups together and prioritize the tasks. It’s not rare for a big project to produce a 300 page findings report after undergoing a three week assessment cycle, two days of a follow-up analysis, and an additional two weeks just to start incorporating the fixes within the development process. • 1 http://www.slideshare.net/AmazonWebServices/advanced-topics-session-1-continuous-deploymentpracticesonaws 1 www.checkmarx.com
  • 2. Source Code Analysis Made Easy • • Web Application Firewall (WAF). A WAF requires tuning and learning the application it protects. For applications that do not change much, configuration the WAF requires a few hours to a few days. But what happens when applications constantly change? The WAF in this case would require continuous configuration and is simply not a solution for such a dynamic process. Code Analysis. This method gained a bad reputation for simply being too slow. Whether it’s the setup time, running time or analysis time – anything that takes more than a few seconds cannot truly be integrated within DevOps. Required: A new secure Software Development Life Cycle (SDLC) approach The solution is to incorporate security already from the start of the development process. Consider the project from a security standpoint and make security a default process within the SDLC. These following steps can help you achieve this goal. Step 1: Plan for Security Research what technologies and processes you will run into throughout the development and deployment process. Accordingly, consider their security aspects: 1. Security in technology a. Identify non-secure components and frameworks. For example, some organizations analyze their entire code base to map all their non-secure patterns, frameworks and libraries. b. Choose a programming language which has built-in security patterns. Each new PHP release, for instance, deprecates non-secure patterns from previous versions. Similarly, almost all frameworks had security breaches and provide the required fixes for them. 2. Security in code development a. Map security sensitive code portions. Not all code is created equally. For example, security in your test library is definitely not as important as a password change mechanism, a user authentication mechanism or a credit-card processing mechanism. b. Place extra security care around sensitive code portions. Flag the sensitive code portions so that when changes are applied to those modules they trigger a code review, special testing, and a separate scan specifically for those modules. 3. Security in features a. Anticipate regulatory problems and plan for them. Eventually, you’ll hit regulations. Not preparing for them in advance will cost you later due to product changes, add-ons and modifications to already structured code. Design the incorporation of regulation aspects into the code. Design compliance verification into the process testing. 2 www.checkmarx.com
  • 3. Source Code Analysis Made Easy Step 2: Engage the Developers. And Be Engaged. DevOps places the developer at the center of the process. And it is the developer that is held responsible to a high code quality standard. How can security teams communicate also the seriousness and importance of security? Various companies have found the following recommendations helpful to bridge the security-developers gap: 1. Connect developers to security. Position a “security champion” in each development team. Share with the champion security articles on the threat landscape and hacking motivations. Go together to your local OWASP training. Make security training valuable. Instruct developers on effective reading of vulnerability descriptions, communicate the risk of vulnerable patterns in the code, and discuss correct mitigation strategies. Practice through security development exercises which present developers with their common and repeating coding issues. Share attack details. Relate developers to the actuality of security and hacking. Present the logs of hacking attempts to demonstrate how their secure coding practices prevented the attacks from succeeding. 2. Setup an online collaboration platform. For example, generate a discussion on any sharing and collaboration platform, such as Jive or Confluence, by post a security problem and presenting ways to solve or prevent the issue. Take this one step further and establish a collaboration platform just to share security issues. Have an open door approach. Be there when developers come to ask questions. For example, work with developers on how to fix and prevent the lesser known coding flaws. 3. Step 3: Arm the Developers. Provide the developers with the right tools to help them prevent and mitigate security vulnerabilities. 1. Secure frameworks Secure frameworks are your built-in tools for securing the code already at the base. Currently, there is a pretty nice range of secure frameworks to choose from. Examples include Spring Security, JAAS, Apache, Shiro, Java SE, Symfony2. Furthermore, Ruby on Rails has a very wide range of security solutions for input validations, authentication and session management. OWASP also provides an open-source security framework for various languages named ESAPI. 2. Use source code analysis tools for security feedback on the pre-commit stages Running a source code analysis tool is a seemingly contradiction to this article’s preface which considered it to be too slow. As mentioned, any delay due to security scanning cannot be tolerated in a DevOps environment which requires delivery every few minutes. But as the development environment changed, so have different scanners adapted in order to provide the development team with a rapid response. How can developers take advantage of these new scanning features? 3 www.checkmarx.com
  • 4. Source Code Analysis Made Easy - Run the scan on small chunks of code. Only scan the change between the last scan and the current scan. In this way, the scanner can scan small code portions without requiring the whole project to be set up and scanned for hours. Access the tool from within the development environment. Developers are responsible for testing their own code within their chosen IDE environment. This should also include testing the code for security. Developers can either do this through a code review or by using SCA tools. Only when the developers are confident that their code is secure, then they can commit the code into the source code repository. Step 4: Automate the Process The building block of DevOps is automation. The same should go for security. Security should first fit into the standard automated continuous deployment process. As a second step, apply application security testing tools – whether static or dynamic – that are capable to produce results in a very short time. 1. Integrate within your build (Jenkins, Bamboo, TeamCity, etc.) different application security tools such as Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). When the code is committed, the build – typically through tools such as Jenkins or Bamboo – should trigger the scan of both dynamic and static testing tools. The static testing tool performs a comprehensive scan in order to cover the case where several developers commit simultaneously. The dynamic testing tool works as a self-learning environment where it monitors the positive tests written for regular testing tools. The tool also runs inputs on negative tests to verify the catching of inputs not caught by the positive tests. 2. Fail the build if it does not pass the bar. We realize that at first you might be put off by the sound of this notion. But just like a high-priority bug that does not pass the development stage, security should be considered on the same rung of importance. Diagram 1: Security within Continuous Deployment 4 www.checkmarx.com
  • 5. Source Code Analysis Made Easy Step 5: Use Old Tools Wisely Don’t start throwing away the old tools immediately. These still come in handy – but used in different ways: • Penetration Testing. Ensure that your systems are military-grade by ordering a penetration testing on a periodic level, say every six months. At this stage, findings will be minor if non-existent – but these can act as a reassurance to your system. Additionally, have your customers perform penetration testing on your systems. First, this might be a requirement since some customers are required to audit third-party systems to meet compliance. Second, a cloud environment relationship is based on the trust between the provider and customer. Allowing customers to perform penetration testing on your systems will raise this level of confidence. When security is ingrained into your system, you have that assurance of zero findings. • Web Application Firewall (WAF). Use the WAF as a solution for the more stable parts of the Web App. Maintain the WAF by performing a fine-tuning every once in a while to ensure that the WAF still guards the main functions that do not change too often. • Code Review. Perform a code review for security sensitive code portions. Use a code review, for example, to ensure the security of authentication modules and credit-card handling modules. DevOps is Happening. Right Now. Last Word of Advice Security can and should be an integral part of a continuous deployment process. But start small to avoid being overwhelmed and making the process too hard to implement. Start with those features that are more accessible and less critical, and build up the security process from one deployment to the next. Eventually, you’ll achieve small successes as proved by the reduced amount of vulnerability feedback for those security-enhanced features. Go with these results to management and receive their support to start integrating security into each and every part of your development life cycle. 5 www.checkmarx.com