FUTURESTACK13: AppSec in a DevOps World from Shaun Gordon, Director of Information Security &...


DESCRIPTION

We all love DevOps and Continuous Deployment because they let us deploy more reliable software faster. But are we willing to sacrifice the security of our own and our customers' data for those benefits? Fortunately we don't need to… but we do need to think about application security differently than we have in the past. Our traditional application security methodologies present a host of challenges in the fast-moving world of DevOps, including:

• How do we ensure that the code we deploy is secure when it was only written just this morning?
• How can we provide the security our customers expect without impacting our speed and agility?
• How can we insert security into an SDLC when there is no formal SDLC?
• How do you deal with auditors that don't understand DevOps and Continuous Deployment?

At New Relic, we deploy on a daily basis and face all of these challenges. We'll talk about how we are addressing them as well as our vision for the evolution of application security.


AppSec in a DevOps World

Shaun Gordon, New Relic, Director of Information Security & Compliance

October 23, 2013

Wednesday, November 6, 13

Speed vs. Security

Accelerating Development Cycles

• Boxed Software: Waterfall, 1 year
• Web 1.0: Waterfall, 3 months
• Web 2.0: Agile, 4 weeks
• DevOps: 2x week
• DevOps with Continuous Deployment: daily, then hourly

Traditional (Waterfall) SDLC

• Requirements: define functional (features) and non-functional requirements (capabilities)
• Design: translate requirements into architecture and detailed design
• Development: build it!
• Testing: ensure functional and non-functional requirements
• Release: ship or push live
• Production: maintain and patch as needed

Traditional (Waterfall) SDLC Security

Checkpoints, Controls, Formal Processes

Security activities by phase:

Requirements
• Functional & Non-Functional security requirements

Design
• Architectural Review
• Threat Modeling

Development
• Secure Coding Practices
• Static Analysis
• White Box Testing

Testing
• Dynamic Analysis
• Requirements Testing
• Penetration Testing

Release
• Security Assessment
• Security Sign-Off

Production
• Vulnerability Scanning
• Penetration Testing

Process controls
• Separation of Duties
• Management Release Sign-Off
• Limits on Production Access

Continuous Deployment Security

Requirements
• Low to no friction (can’t slow us down)
• Transparent: no significant changes to development processes
• Make us more secure

Strategies & Tactics
• Automation
• Training & Empowerment
• Lightweight Processes
• Triage
• Quickly Detect & Respond

Continuous Deployment Security

The six waterfall phases collapse into three: Requirements & Design; Development, Testing, & Release; Production. The traditional controls are then replaced one by one, starting with Requirements & Design.

Requirements & Design
• Threat Modeling is replaced by a Required Security Evaluation

Required Security Evaluation

1. Technical Overview
2. Business Context
3. Developer Concerns

Less than a 25 minute meeting.

Security Evaluation Outcomes
• Low Risk: Simple Guidance
• Higher Risk: Deep Dive, Whiteboarding, Threat Model

Security Evaluation Follow-Up
• Document
• Follow Up

Continuous Deployment Security: Requirements & Design
• Required Security Evaluation
• Lightweight Targeted Threat Modeling

Threat Modeling

Identify your assets and the threats against them. Focus your resources on the greatest risks.

Threat Modeling @ New Relic
1. Decompose your Application
2. Identify your Assets
3. Enumerate your Threats
4. Rate & Rank your Threats
5. Address or Accept
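The five steps above, carried through for one feature as an added example (this is not New Relic's threat-modeling tool or template; the feature, the likelihood/impact scale, the threshold and the sample threats are all this example's own constructed assumptions). Ruby is used because the talk's tooling (Brakeman) implies a Rails code base.

```ruby
# Added example, not from the talk: a lightweight, targeted threat model that
# follows the slide's five steps. Scoring scale and threshold are assumptions.

Threat = Struct.new(:asset, :description, :likelihood, :impact) do
  # Risk score: likelihood (1-5) x impact (1-5); 25 is the worst case.
  def risk
    likelihood * impact
  end
end

# Steps 1 and 2: decompose the feature into components and name the assets
# each one touches. Constructed example: a password-reset feature.
COMPONENTS = {
  "reset form"     => ["user email address"],
  "token mailer"   => ["reset token"],
  "token endpoint" => ["reset token", "user password"],
}.freeze

# Step 3: enumerate threats against each asset (constructed sample data).
THREATS = [
  Threat.new("reset token", "token guessable because it is short or sequential", 3, 5),
  Threat.new("reset token", "token never expires after use", 4, 4),
  Threat.new("user email address", "reset form reveals whether an address is registered", 4, 2),
  Threat.new("user password", "new password accepted without minimum strength", 2, 3),
].freeze

# Step 4: rate and rank. Highest risk first; ties broken by impact.
def rank(threats)
  threats.sort_by { |t| [-t.risk, -t.impact] }
end

# Step 5: address or accept. Anything at or above the threshold must be fixed
# before shipping; the rest is accepted and recorded so the follow-up step
# has something to track.
ADDRESS_THRESHOLD = 10

def decide(threats, threshold = ADDRESS_THRESHOLD)
  rank(threats).map do |t|
    action = t.risk >= threshold ? :address : :accept
    { asset: t.asset, threat: t.description, risk: t.risk, action: action }
  end
end

# All assets named during decomposition, without duplicates.
def assets
  COMPONENTS.values.flatten.uniq
end

if __FILE__ == $PROGRAM_NAME
  decide(THREATS).each do |d|
    puts format("%-8s %2d  %-20s %s", d[:action], d[:risk], d[:asset], d[:threat])
  end
end
```

The point of keeping the output small is that it fits in the sub-25-minute evaluation meeting: the ranked list is the agenda, and the accepted items are the documentation.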

Continuous Deployment Security: Development, Testing, & Release
• Secure Coding Practices
• Security Libraries & Services

Secure Libraries & Services
• Authentication Service
• Security Event Logging Service
• Input Validation Regex Patterns
• Encryption Libraries
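What a shared "input validation regex patterns" library buys you, as an added example (not New Relic's library; the module name, the pattern set and the sample inputs are constructed here): one reviewed set of patterns that every team calls, instead of each team writing its own. It also shows the Ruby-specific failure mode such a library exists to prevent, which is line-anchored patterns accepting multi-line input.

```ruby
# Added example, not from the talk: a shared input-validation module of the
# kind the "Security Libraries & Services" slide describes.
module InputPatterns
  # In Ruby, ^ and $ match at line boundaries, so /^[a-z]+$/ accepts the
  # string "abc\n<script>". Anchoring with \A and \z validates the whole value.
  PATTERNS = {
    username: /\A[a-z0-9_]{3,32}\z/,
    app_name: /\A[\w \-.]{1,64}\z/,
    hex_id:   /\A[0-9a-f]{32}\z/,
    # Hostname: dot-separated labels of letters, digits and inner hyphens.
    hostname: /\A(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i,
  }.freeze

  class InvalidInput < ArgumentError; end

  # True only if the whole value matches the named pattern; non-strings never pass.
  def self.valid?(kind, value)
    pattern = PATTERNS.fetch(kind) { raise ArgumentError, "unknown pattern #{kind}" }
    value.is_a?(String) && pattern.match?(value)
  end

  # Strict variant for controller code: raise rather than silently fall through.
  def self.validate!(kind, value)
    return value if valid?(kind, value)
    raise InvalidInput, "#{kind} rejected"
  end
end

# The line-anchored pattern the module deliberately does not use, kept here
# only to show the difference on a constructed multi-line input.
LINE_ANCHORED_USERNAME = /^[a-z0-9_]{3,32}$/

def anchor_comparison(value)
  {
    line_anchored: LINE_ANCHORED_USERNAME.match?(value),
    whole_string:  InputPatterns.valid?(:username, value),
  }
end
```

Brakeman, mentioned later in the deck, flags the `^`/`$` form in Rails `validates_format_of` calls for exactly this reason; centralising the patterns means the fix is made once.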

Continuous Deployment Security: Development, Testing, & Release (continued)
• Static Analysis becomes Automated Static Analysis
• White Box Testing

Brakeman + Jenkins (brakemanscanner.org)
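How the Brakeman + Jenkins pairing turns static analysis into an automated gate, as an added example (this script is neither part of Brakeman nor New Relic's Jenkins job). It assumes the report shape Brakeman's `-f json` output has used for years, a top-level `warnings` array whose entries carry `confidence` (`High`, `Medium`, `Weak`), `warning_type`, `file`, `line` and `message`; confirm that against the version you install. The sample report and the threshold are constructed.

```ruby
require "json"

# Added example, not from the talk or from Brakeman: a build-gate step a Jenkins
# job can run after `brakeman -f json -o brakeman.json`. It reads the report and
# decides whether the pipeline continues. Report shape is an assumption (see above).

CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

# Warnings at or above this confidence stop the deploy; weaker ones are only listed.
FAIL_AT = "Medium"

# Constructed sample report standing in for brakeman.json.
SAMPLE_REPORT = <<~JSON
  {
    "warnings": [
      {"warning_type": "SQL Injection", "confidence": "High",
       "file": "app/models/account.rb", "line": 42,
       "message": "Possible SQL injection"},
      {"warning_type": "Cross-Site Scripting", "confidence": "Weak",
       "file": "app/views/shared/_flash.html.erb", "line": 3,
       "message": "Unescaped model attribute"}
    ],
    "errors": []
  }
JSON

# Warnings that meet the failure threshold. Unknown confidence strings rank 0
# so a report from a newer Brakeman never silently passes.
def blocking_warnings(report_json, fail_at = FAIL_AT)
  report = JSON.parse(report_json)
  threshold = CONFIDENCE_RANK.fetch(fail_at)
  report.fetch("warnings").select do |w|
    CONFIDENCE_RANK.fetch(w["confidence"], 0) >= threshold
  end
end

# Returns the exit status the Jenkins step should use: 0 continue, 1 stop.
def gate(report_json, fail_at = FAIL_AT)
  blocking = blocking_warnings(report_json, fail_at)
  blocking.each do |w|
    warn format("%-6s %s at %s:%d - %s",
                w["confidence"], w["warning_type"], w["file"], w["line"], w["message"])
  end
  blocking.empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  report = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT
  puts "brakeman gate exit status: #{gate(report)}"
end
```

In the real job the returned status is passed to `exit` so Jenkins marks the build failed; it is printed here so the script can also be read as a demonstration. A threshold of `Medium` keeps the "low to no friction" requirement: weak-confidence findings are visible in the log without stopping a daily deploy.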

• White Box Testing becomes Testing Tools & Training

Continuous Deployment Security: Testing, Release, & Production
• Dynamic Analysis and Vulnerability Scanning become Continuous Scanning in Test, Staging, & Production
• Requirements Testing is dropped
• Penetration Testing is kept
• Security Assessment becomes Automated Commit Triage

Triage Process
• Dangerous Methods
• Sensitive Modules
• Security Keywords
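The three triage criteria above, implemented as an added example (not New Relic's triage tool): the script reads a unified diff and reports why a commit deserves a human look. The method list, the sensitive-path pattern, the keyword list and the sample diff are constructed for a Rails code base and are assumptions; a hit routes the change to review rather than blocking it, which is what keeps the process low-friction.

```ruby
# Added example, not from the talk: automated commit triage over a unified diff.
# Lists below are constructed for a Rails code base; tune them to your own.

DANGEROUS_METHODS = %w[eval instance_eval send constantize system exec html_safe raw].freeze
SENSITIVE_MODULES = %r{\A(app/controllers/sessions|app/models/user|lib/auth|config/initializers/devise)}.freeze
SECURITY_KEYWORDS = %w[password token secret csrf authenticate authorize encrypt permission].freeze

# Matches a dangerous method as a whole word, so "resend" and "send_email"
# do not trip it; "title.html_safe" and "eval(" do.
DANGEROUS_CALL = /\b(#{DANGEROUS_METHODS.join('|')})\b/

# Parse a unified diff into [path, added_line] pairs. Only added ("+") lines
# are triaged; context and removed lines are ignored.
def added_lines(diff)
  path = nil
  diff.each_line.with_object([]) do |line, out|
    if line.start_with?("+++ ")
      path = line.sub(%r{\A\+\+\+ (?:b/)?}, "").strip
    elsif line.start_with?("+") && !line.start_with?("+++")
      out << [path, line[1..].chomp]
    end
  end
end

# Returns the reasons the commit should get a human look; empty means it can
# flow straight through the pipeline.
def triage(diff)
  reasons = []
  added_lines(diff).each do |path, text|
    reasons << "sensitive module: #{path}" if path&.match?(SENSITIVE_MODULES)
    if (m = DANGEROUS_CALL.match(text))
      reasons << "dangerous method #{m[1]} in #{path}"
    end
    SECURITY_KEYWORDS.each do |kw|
      reasons << "security keyword '#{kw}' in #{path}" if text.downcase.include?(kw)
    end
  end
  reasons.uniq
end

# Constructed sample diff: one risky call in an ordinary model, one harmless
# looking change inside a sensitive module.
SAMPLE_DIFF = <<~DIFF
  diff --git a/app/models/report.rb b/app/models/report.rb
  --- a/app/models/report.rb
  +++ b/app/models/report.rb
  @@ -10,3 +10,4 @@
     def render_title
  -    title
  +    title.html_safe
  +  end
  diff --git a/app/models/user.rb b/app/models/user.rb
  --- a/app/models/user.rb
  +++ b/app/models/user.rb
  @@ -1,3 +1,4 @@
   class User
  +  attr_accessor :password_reset_token
   end
DIFF

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_DIFF).each { |reason| puts reason }
end
```

Keyword matching is deliberately crude: false positives cost a few minutes of a reviewer's time, while a missed change to an authentication module is what the control exists to catch.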

• Security Sign-Off becomes Quick Detection & Recovery

Continuous Deployment Security: Production
• Separation of Duties becomes Accountability
• Management Release Sign-Off becomes the Sidekick Process: two sets of (masked) eyes on every change

• Limits on Production Access become Enabling Tools

Continuous Deployment Security (final state)
• Required Security Evaluation
• Lightweight Targeted Threat Modeling
• Secure Coding Practices
• Security Libraries & Services
• Automated Static Analysis
• Testing Tools & Training
• Continuous Scanning in Test, Staging, & Production
• Penetration Testing
• Automated Commit Triage
• Quick Detection & Recovery
• Accountability
• Sidekick Process
• Enabling Tools

Powered By...
• Automation
• Training & Empowerment
• Lightweight Processes
• Triage
• Quick Detection & Response

Auditors
• Compensating Controls
• Tell the Story

Thank You!

Image Attribution: Slide 14, Checkpoint Rheinpark by http://www.flickr.com/photos/kecko/3179561892/