Published by Nicholas Wiggins, modified over 6 years ago
1
Don’t Forget Security When Delivering Software
Kiriakos Kontostathis
2
Security is hard!
Lots of testing
Lots of documentation
Lots of time
Few releases
Everlasting battle between security team incentives and dev team incentives
Security is rewarded when software is secure, but it’s hard to keep an ever-changing project secure
Dev is rewarded when software includes more features and improvements, but it’s hard to code to the necessary secure coding principles
3
Automation is key
4
Software Development Life Cycle (SDLC)
This is the full SDLC; discuss each step very briefly (1-1.5 mins for all sections).
What parts are Delivery Optimization? (Possible question to audience)
5
Delivery Optimization Pipeline
Why all of this? Code is being delivered, so it should be part of delivery optimization.
Code review and commit generate documentation
CI/CD: automate the delivery process
More automated testing
Transition: delivery complete, ready for the next cycle
6
Security is Everywhere!
Security everywhere (go through each step and give a brief explanation of what is being done)
Mention demos where appropriate: code/commit/code review section, CI/CD automated security testing
Where do we start to include the security team? (question to audience)
7
“Pushing Security Left”
Incorporate security as soon as possible
Smaller, more manageable security-focused tasks are easier than performing a broad security review when the application is ready to be released
Additional benefits:
Shorter feedback loops
Team efficiency
Quick incident response
Traceability
Ben Tomhave and Sean Kenefick, Gartner research “Security in a DevOps World”
8
Automate! The ability to run a suite of security tests at any time
Tests need to be written in a repeatable way (use of tools can help with this)
Short feedback loops allow tests to be continually added to the test suite
Demos:
Using static analysis tools to check for secure coding principles
Automated security tests written specifically for a piece of software or environment
9
Automated Static Analysis
What is static analysis? Why do static analysis?
Static analysis tools:
Brakeman (Ruby on Rails)
DevBug (PHP)
VisualCodeGrepper (C++, C#, VB, PHP and Java)
Tools listed are all open source, but there are several other open source and commercial static analysis tools
10
Automated Static Analysis Demo
Brakeman
Ruby on Rails
Easy to configure
Customizable
It’s suspicious: high rate of false positives
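The slide's point about false positives is what makes a static analysis step in CI tricky: the build has to fail on real findings while letting a human-reviewed ignore list suppress the noise. The following Ruby script is an added example, not one of the talk's demos or Brakeman's own code. It gates a build on a Brakeman JSON report (Brakeman can emit one with `brakeman -f json`); the report embedded here is a constructed sample whose field names mirror Brakeman's output but whose values are invented, and the ignore-list handling is a simplified stand-in for Brakeman's `brakeman.ignore` fingerprint mechanism.

```ruby
require "json"

# Constructed sample of a Brakeman JSON report. Field names follow Brakeman's
# format; file paths, fingerprints and messages are invented for this example.
SAMPLE_REPORT = <<~JSON
  {
    "scan_info": { "app_path": "/build/app", "brakeman_version": "x.y.z" },
    "warnings": [
      {
        "warning_type": "SQL Injection",
        "fingerprint": "aaaa1111",
        "message": "Possible SQL injection",
        "file": "app/models/user.rb",
        "line": 12,
        "confidence": "High"
      },
      {
        "warning_type": "Cross-Site Scripting",
        "fingerprint": "bbbb2222",
        "message": "Unescaped model attribute",
        "file": "app/views/users/show.html.erb",
        "line": 4,
        "confidence": "Medium"
      },
      {
        "warning_type": "Mass Assignment",
        "fingerprint": "cccc3333",
        "message": "Potentially dangerous attribute available for mass assignment",
        "file": "app/controllers/users_controller.rb",
        "line": 30,
        "confidence": "Weak"
      }
    ],
    "errors": []
  }
JSON

# Brakeman reports confidence as High / Medium / Weak; rank them for thresholding.
CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

def parse_report(json_text)
  JSON.parse(json_text).fetch("warnings")
end

# Warnings that should fail the build: at or above the minimum confidence and
# not on the reviewed ignore list (fingerprints a human has marked as false
# positives). Ignoring by fingerprint rather than by file/line keeps the
# suppression stable when unrelated code moves.
def blocking_warnings(warnings, min_confidence: "Medium", ignored: [])
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  warnings
    .reject { |w| ignored.include?(w["fingerprint"]) }
    .select { |w| CONFIDENCE_RANK.fetch(w["confidence"], 0) >= threshold }
end

def format_warning(w)
  "#{w['confidence']} #{w['warning_type']} at #{w['file']}:#{w['line']} " \
    "(#{w['fingerprint']}) - #{w['message']}"
end

# 0 when the build may proceed, 1 when blocking warnings remain (CI treats a
# non-zero exit as a failed step).
def build_exit_code(warnings, min_confidence: "Medium", ignored: [])
  blocking_warnings(warnings, min_confidence: min_confidence, ignored: ignored).empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  warnings = parse_report(SAMPLE_REPORT)
  # "bbbb2222" stands for a finding a reviewer has already triaged as a false positive.
  blocking = blocking_warnings(warnings, ignored: ["bbbb2222"])
  blocking.each { |w| puts format_warning(w) }
  puts "exit code: #{build_exit_code(warnings, ignored: ['bbbb2222'])}"
end
```

Keeping the ignore list in version control alongside the code gives the traceability the talk asks for: every suppressed finding has a commit and a reviewer behind it, and a new warning with an unknown fingerprint still breaks the build.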
11
Automated Security Tests
What are security tests?
Penetration tests
Vulnerability scanning
Security scanning
Why do security tests?
Security testing tools:
Gauntlt
OWASP Zed Attack Proxy (ZAP) Project
12
Automated Security Tests Demo
Gauntlt
Integration with existing security tools
Plain English language syntax
Integrates easily in a build server
Travis CI
Open source continuous integration server
Allows for programmable build steps through the .travis.yml file
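Slide 8 and this slide both describe security tests "written specifically for a piece of software" that a build server can run on every commit. The Ruby script below is an added example, not part of the talk or of Gauntlt; it shows what such a repeatable test looks like without needing a running server. Two constructed Rack-style applications (an `env` hash in, `[status, headers, body]` out, no Rack gem required) stand in for the software under test: one reflects a query parameter unescaped and sends no security headers, the other escapes output and sets the headers the check requires. The check itself is the kind of step a CI job would run and fail on.

```ruby
require "cgi"
require "uri"

# Constructed stand-in for an application with two defects: it reflects the
# "name" parameter into HTML without escaping and sets no security headers.
VULNERABLE_APP = lambda do |env|
  name = CGI.parse(env["QUERY_STRING"].to_s)["name"].first.to_s
  [200, { "Content-Type" => "text/html" }, ["<h1>Hello #{name}</h1>"]]
end

# The hardened variant: escaped output plus the expected response headers.
HARDENED_APP = lambda do |env|
  name = CGI.parse(env["QUERY_STRING"].to_s)["name"].first.to_s
  headers = {
    "Content-Type" => "text/html",
    "X-Content-Type-Options" => "nosniff",
    "X-Frame-Options" => "DENY",
    "Content-Security-Policy" => "default-src 'self'",
  }
  [200, headers, ["<h1>Hello #{CGI.escapeHTML(name)}</h1>"]]
end

# Header policy for this application: an exact value, a list of acceptable
# values, or nil meaning "must be present, any value".
REQUIRED_HEADERS = {
  "X-Content-Type-Options" => "nosniff",
  "X-Frame-Options" => ["DENY", "SAMEORIGIN"],
  "Content-Security-Policy" => nil,
}.freeze

# Harmless marker: if it comes back verbatim in the body, output escaping is missing.
PROBE = "<b>probe</b>"

# Runs the checks against one app and returns a list of failure messages;
# an empty list means the app passed.
def run_security_checks(app)
  env = {
    "REQUEST_METHOD" => "GET",
    "PATH_INFO" => "/",
    "QUERY_STRING" => "name=#{URI.encode_www_form_component(PROBE)}",
  }
  _status, headers, body = app.call(env)
  failures = []

  REQUIRED_HEADERS.each do |name, expected|
    value = headers[name]
    if value.nil?
      failures << "missing header #{name}"
    elsif expected.is_a?(Array) && !expected.include?(value)
      failures << "#{name} is #{value.inspect}, expected one of #{expected.inspect}"
    elsif expected.is_a?(String) && value != expected
      failures << "#{name} is #{value.inspect}, expected #{expected.inspect}"
    end
  end

  failures << "reflected parameter rendered unescaped" if body.join.include?(PROBE)
  failures
end

if __FILE__ == $PROGRAM_NAME
  { "vulnerable" => VULNERABLE_APP, "hardened" => HARDENED_APP }.each do |label, app|
    failures = run_security_checks(app)
    puts "#{label}: #{failures.empty? ? 'PASS' : 'FAIL'}"
    failures.each { |f| puts "  - #{f}" }
  end
end
```

The test encodes the team's own policy for this application rather than a generic scanner's opinion, which is why it stays useful as the code changes: a new endpoint that forgets a header, or a template that drops escaping, fails the same check on the next commit, and the short feedback loop from slide 7 follows from running it in the build step.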
13
Conclusion
Keys to success: automation, “pushing left”, automated testing
Many benefits:
Documentation is completed throughout the process
Time spent on security is reduced
Development team can release more frequently
Security team is comfortable with those releases
14
Thanks! Demos and slides: https://github.com/kontostathisk
Blog: