Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automation Domination Application Security with Continuous Integration (CI)

Published byMeagan Wilkinson Modified over 9 years ago

Similar presentations

Presentation on theme: "Automation Domination Application Security with Continuous Integration (CI)"— Presentation transcript:

1 Automation Domination Application Security with Continuous Integration (CI)

2 About Me Lead Application Security Engineer for Morningstar formerly with CME Group Over 8 years of leading and participating in all aspects of the Security Development Lifecycle (SDL), including developing, deploying, supporting enterprise static (SAST) and dynamic scanners (DAST). Hosted by OWASP & the NYC Chapter

3 Agenda Why bother Zero-sum game for application security Where to start? Tipping the scales in our direction Making it work for you! Demo

4 Are you a current, future, or past Dynamic and/or Static Scanner users? Are you looking to implement a Security Development Lifecycle (SDL) or Software Development Lifecycle (SDLC) ? Interested in saving time and money to deliver software? Is management bugging you about metrics? Should I pay attention? Automation Domination

5 Hosted by OWASP & the NYC Chapter Mission Develop an application security automation program to assist software development teams with iterative application security testing. Automation Domination

6 Hundreds to thousands of developers Too many applications with systemic issues Hosted by OWASP & the NYC Chapter Are we outnumbered? Automation Domination

7 Hosted by OWASP & the NYC Chapter Capability Maturity Model Automation Domination 1.Unpredictable 2.Reactive 3.Development Methodology 4.Measured & Controlled 5.Focus is on improvement

8 Hosted by OWASP & the NYC Chapter Automation Domination Development – Architecture/Design Documents – Build Process & Deployment – Bug-Tracking Architecture/Design – Data-flow diagrams (DFDs) – Charters and/or Project Plans Software development maturity

9 Automation Domination Findings – Taxonomy of Findings/Vulnerabilities (CWE) – Risk Scoring (CVSS) – Anatomy of Findings/Vulnerabilities (Issue Type) Scanning – Scope your DAST & SAST findings to Development – Define a process from finding-to-fix Normalize your scans & findings

10 Automation Domination OWASP has the technology!

11 –Authentication –Session Management –Authorization –Input Validation –Output Encoding –Client Side Security –Sensitive Data Handling –Data Protection (Data in Transit & Rest) –Supplemental Specifications for Testing Hosted by OWASP & the NYC Chapter Topics for Requirements Automation Domination

12 ThreadFix (Security Requirements)

13 Hosted by OWASP & the NYC Chapter Automation Domination Network Topology

14 Hosted by OWASP & the NYC Chapter Working the flow Automation Domination

15 ThreadFix Configuration

16 Automation Domination Automated Static Analysis

17 Automation Domination Bug Submission

18 Automation Domination Now for a change of pace!

19 Automation Domination Static & Dynamic Scanning w/ Bamboo

20 Automation Domination Static & Dynamic Scanning w/ Bamboo

21 Automation Domination Dynamic Scan in CI with Agent

22 Automation Domination http://github.com/automationdomination Thank you! brandon@automationdomination.me

Download ppt "Automation Domination Application Security with Continuous Integration (CI)"

Similar presentations

DevOps and Security: It’s Happening. Right Now.

DevOps and Security: It’s Happening. Right Now.
QuEdge Testing Process Delivering Global Solutions.

QuEdge Testing Process Delivering Global Solutions.
Service Delivery – your ticket to play

Service Delivery – your ticket to play
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Building an Effective SDLC Program: Case Study Guy Bejerano, CSO, LivePerson Ofer Maor, CTO, Seeker Security.

Building an Effective SDLC Program: Case Study Guy Bejerano, CSO, LivePerson Ofer Maor, CTO, Seeker Security.
Recent Trends in Web Based Geospatial Technology for Natural Resources and Infrastructure Management Dr. Pradeep Nagaraj, Manager, Enterprise IT Solutions.

Recent Trends in Web Based Geospatial Technology for Natural Resources and Infrastructure Management Dr. Pradeep Nagaraj, Manager, Enterprise IT Solutions.
Roadmap to Continuous Integration Testing and Benefits Gowri Selka, Walgreens Natalie Koltun, Walgreens May 20th, 2014 ©2013 Walgreen Co. All rights reserved.

Roadmap to Continuous Integration Testing and Benefits Gowri Selka, Walgreens Natalie Koltun, Walgreens May 20th, 2014 ©2013 Walgreen Co. All rights reserved.
Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.

Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.
Chapter Extension 19 Alternative Development Techniques © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Chapter Extension 19 Alternative Development Techniques © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Chapter 9 & 10 Database Planning, Design and Administration.

Chapter 9 & 10 Database Planning, Design and Administration.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
COMP8130 and 4130Adrian Marshall 8130 and 4130 Test Management Adrian Marshall.

COMP8130 and 4130Adrian Marshall 8130 and 4130 Test Management Adrian Marshall.
Embedding Security into a Software Development Methodology April 5 th, 8:30 AM Jonathan Minter Director, IT Development and Engineering Liberty University.

Embedding Security into a Software Development Methodology April 5 th, 8:30 AM Jonathan Minter Director, IT Development and Engineering Liberty University.
This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.

This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.
Integrated Process Model - v2

Integrated Process Model - v2
By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.

By: Razieh Rezaei Saleh.  Security Evaluation The examination of a system to determine its degree of compliance with a stated security model, security.
10 Steps To Agile Development Without Compromising Enterprise Security

10 Steps To Agile Development Without Compromising Enterprise Security
Telenet for Business Mobile & Security? Brice Mees Security Services Operations Manager.

Telenet for Business Mobile & Security? Brice Mees Security Services Operations Manager.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.

Similar presentations

Ads by Google