Automation Domination Application Security with Continuous Integration (CI)

Slides:



Advertisements
Similar presentations
DevOps and Security: It’s Happening. Right Now.
Advertisements

QuEdge Testing Process Delivering Global Solutions.
Service Delivery – your ticket to play
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Building an Effective SDLC Program: Case Study Guy Bejerano, CSO, LivePerson Ofer Maor, CTO, Seeker Security.
Recent Trends in Web Based Geospatial Technology for Natural Resources and Infrastructure Management Dr. Pradeep Nagaraj, Manager, Enterprise IT Solutions.
Roadmap to Continuous Integration Testing and Benefits Gowri Selka, Walgreens Natalie Koltun, Walgreens May 20th, 2014 ©2013 Walgreen Co. All rights reserved.
Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.
Chapter Extension 19 Alternative Development Techniques © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Chapter 9 & 10 Database Planning, Design and Administration.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
COMP8130 and 4130Adrian Marshall 8130 and 4130 Test Management Adrian Marshall.
Embedding Security into a Software Development Methodology April 5 th, 8:30 AM Jonathan Minter Director, IT Development and Engineering Liberty University.
This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.
Integrated Process Model - v2
By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.
10 Steps To Agile Development Without Compromising Enterprise Security
Telenet for Business Mobile & Security? Brice Mees Security Services Operations Manager.
SEC835 Database and Web application security Information Security Architecture.
Exchange Network Node Help Desk NOLA Conference Feb 9-10, 2004.
EOSC Generic Application Security Framework
MusalaSoft Quality Process Overview Damyan Kasapov, QA Engineer Tsvetelina Kovacheva, QA Engineer March 15, 2005.
BOB Tech Demo 2003 G2E – Las Vegas. Agenda  Best of Breed – a layering of standards  Standards, messaging, protocols and why you care  From the bottom.
(ISC)2 SecureLondon 2009, London, United Kingdom This information is not intended, and should not be construed, as an offer to sell, or as a solicitation.
A Framework for Automated Web Application Security Evaluation
Windows Azure Team 9 Ben Holland Bao Nguyen Eric Petrowiak Barret Schloerke.
Testing Challenges in an Agile Environment Biraj Nakarja Sogeti UK 28 th October 2009.
Version 02U-1 Computer Security: Art and Science1 Penetration Testing by Brad Arkin Scott Stender and Gary McGraw.
Rapid Application Development. What is RAD……..?  Rapid Application Development (RAD) is a software development process.  first developed during the.
1 © 2011 Infosys Ltd. Pay Per Test Case Presented At STEP AUTO 2011 – ERP testing Conference – Dec 8, 2011 by Jitendra Atale, Project Manager – Package.
Software Project Documentation. Types of Project Documents  Project Charter  Requirements  Mockups and Prototypes  Test Cases  Architecture / Design.
SIGITE 2008: Oct Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University.
IS Methodologies. Systems Development Life Cycle - SDLC Planning Planning define the system to be developed define the system to be developed Set the.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
KS3 Phase4 Client Server Monitoring System October 1, 2008 by Stephen, Seema, Kam, Shpetim.
1 Chapter Nine Conducting the IT Audit Lecture Outline Audit Standards IT Audit Life Cycle Four Main Types of IT Audits Using COBIT to Perform an Audit.
Software Engineering Prof. Ing. Ivo Vondrak, CSc. Dept. of Computer Science Technical University of Ostrava
12 Steps to Cloud Security A guide to securing your Cloud Deployment Vishnu Vettrivel Principal Engineering Lead,
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
OWASP ESAPI SwingSet An introduction by Fabio Cerullo.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Chapter 9 & 10 Database Planning, Design and Administration Database Application Lifecycle DBMS Selection Database Administration.
Securing Java Applications
Optimal Pipeline Using Perforce, Jenkins & Puppet Nitin Pathak Works on
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Winter 2007SEG2101 Chapter 121 Chapter 12 Verification and Validation.
Software Development Security Chapter 10 Part 3 Pages 1108 to 1125.
By Ramesh Mannava.  Overview  Introduction  10 secure software engineering topics  Agile development with security development activities  Conclusion.
1 Punishment Through Continuous Delivery If it hurts, do it more often…
© 2013 IBM Corporation Accelerating Product and Service Innovation Service Virtualization Testing in Managed Environments Michael Elder, IBM Senior Technical.
Checkmarx choose what developers use. About us o Founded in 2006 o Enterprise Grade Static and Interactive Application Security Testing Solutions o Hundreds.
COBIT. The Control Objectives for Information and related Technology (COBIT) A set of best practices (framework) for information technology (IT) management.
Vulnerability Analysis Dr. X. Computer system Design Implementation Maintenance Operation.
Serving IT up with ITIL By Thane Price. IT is the laboratory’s pit crew  Goal : Make technology transparent while accomplishing valuable internal customer.
EGrove Systems Professional Web Development Services
Continuous Delivery- Complete Guide
Canberra OWASP Chapter meeting
Encryption in SQL Server
MANAGING APPLICATION SECURITY
Building an AppSec Pipeline: Keeping your program, and your life, sane
Automation Of Software Test
Secure Coding: SDLC Integration Sixfold Path
Herding Cats and Security Tools
Baisc Of Software Testing
Test Process “V” Diagram
Joint Application Development (JAD)
Make it real: Help your customers comply with the GDPR
Presentation transcript:

Automation Domination Application Security with Continuous Integration (CI)

About Me Lead Application Security Engineer for Morningstar formerly with CME Group Over 8 years of leading and participating in all aspects of the Security Development Lifecycle (SDL), including developing, deploying, supporting enterprise static (SAST) and dynamic scanners (DAST). Hosted by OWASP & the NYC Chapter

Agenda Why bother Zero-sum game for application security Where to start? Tipping the scales in our direction Making it work for you! Demo

Are you a current, future, or past Dynamic and/or Static Scanner users? Are you looking to implement a Security Development Lifecycle (SDL) or Software Development Lifecycle (SDLC) ? Interested in saving time and money to deliver software? Is management bugging you about metrics? Should I pay attention? Automation Domination

Hosted by OWASP & the NYC Chapter Mission Develop an application security automation program to assist software development teams with iterative application security testing. Automation Domination

Hundreds to thousands of developers Too many applications with systemic issues Hosted by OWASP & the NYC Chapter Are we outnumbered? Automation Domination

Hosted by OWASP & the NYC Chapter Capability Maturity Model Automation Domination 1.Unpredictable 2.Reactive 3.Development Methodology 4.Measured & Controlled 5.Focus is on improvement

Hosted by OWASP & the NYC Chapter Automation Domination Development – Architecture/Design Documents – Build Process & Deployment – Bug-Tracking Architecture/Design – Data-flow diagrams (DFDs) – Charters and/or Project Plans Software development maturity

Automation Domination Findings – Taxonomy of Findings/Vulnerabilities (CWE) – Risk Scoring (CVSS) – Anatomy of Findings/Vulnerabilities (Issue Type) Scanning – Scope your DAST & SAST findings to Development – Define a process from finding-to-fix Normalize your scans & findings

Automation Domination OWASP has the technology!

–Authentication –Session Management –Authorization –Input Validation –Output Encoding –Client Side Security –Sensitive Data Handling –Data Protection (Data in Transit & Rest) –Supplemental Specifications for Testing Hosted by OWASP & the NYC Chapter Topics for Requirements Automation Domination

ThreadFix (Security Requirements)

Hosted by OWASP & the NYC Chapter Automation Domination Network Topology

Hosted by OWASP & the NYC Chapter Working the flow Automation Domination

ThreadFix Configuration

Automation Domination Automated Static Analysis

Automation Domination Bug Submission

Automation Domination Now for a change of pace!

Automation Domination Static & Dynamic Scanning w/ Bamboo

Automation Domination Static & Dynamic Scanning w/ Bamboo

Automation Domination Dynamic Scan in CI with Agent

Automation Domination Thank you!