Achieving Secure Continuous Delivery (cont.) -- lightning talk --
Nikos / Jesus / Lucian
April 2018
Typical discussions…
Pain points
Same problem in 2018!
Difficult access to (uncorrelated) vulnerability data
No clear view on the security risk of a specific build or release
No real agreed security gate (no trigger threshold)
Short memory! Tools get easily forgotten or abandoned…
Product has a roadmap, and security is not (always) part of it
Security requirements appear (dark magic!) when the project is almost finished
Security sign-off is a bottleneck (choke point)
Security testing tools! Lots of tools!! And reports!!!
When am I finally secure enough? Never! says Mordac.
Tools!!
Link HERE
SAST list HERE
DAST list HERE
Dependency Checking Tools list HERE
Container Security tools HERE
Google list HERE
Others HERE
The Want
Automation & centralisation of application security testing
Risk-based approach to application delivery & deployment
Security Champions process and responsibilities
Existing initiatives
Lots!!! OWASP AppSec Pipeline, OWASP OWTF, OWASP DefectDojo
Others talking about this: HERE HERE HERE HERE HERE HERE HERE HERE HERE HERE HERE HERE HERE HERE
OWASP Israel
OWASP AppSec Pipeline
Christian Schneider: STDD
SAMPLE
Where we are now
Developer Jenkins -> Security Jenkins (runs Zed Attack Proxy and the other security tools) -> ThreadFix (policies)
1. How does Jenkins run tools
2. How does ThreadFix receive results
3. Check my policy (ThreadFix policies)
4. How we inform
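The four steps on this slide (run the tools, collect the results, check a policy, inform) only work as a gate once the policy is something a build can pass or fail, which is the "no trigger threshold" pain point from earlier. The following is an added example, not code from the talk, from ThreadFix or from the scanners: a Python gate that merges an OWASP ZAP JSON report and an OWASP Dependency-Check JSON report into one finding model, de-duplicates them, and fails the build against a single policy. The report shapes follow those tools' JSON output as understood here (ZAP: site -> alerts -> riskcode; Dependency-Check: dependencies -> vulnerabilities -> severity); the SAMPLE_* reports are constructed with placeholder vulnerability names, and POLICY is an assumed threshold standing in for the ThreadFix policies the slide mentions.

```python
"""CI security gate: merge scanner reports and apply one agreed pass/fail policy.

Added example, not code from the talk or from ThreadFix/ZAP. Report shapes
follow the JSON output of OWASP ZAP (site -> alerts -> riskcode) and OWASP
Dependency-Check (dependencies -> vulnerabilities -> severity) as understood
here; SAMPLE_* reports are constructed and POLICY is an assumed threshold.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass

SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    tool: str
    title: str
    severity: str  # normalised: info / low / medium / high / critical
    location: str  # URI for DAST findings, file name for dependency findings


def parse_zap(report: dict) -> list[Finding]:
    """ZAP riskcode: 0 info, 1 low, 2 medium, 3 high; one finding per instance."""
    code_to_sev = {"0": "info", "1": "low", "2": "medium", "3": "high"}
    findings = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            sev = code_to_sev.get(str(alert.get("riskcode")), "info")
            for inst in alert.get("instances") or [{}]:
                loc = inst.get("uri", site.get("@name", ""))
                findings.append(Finding("zap", alert["alert"], sev, loc))
    return findings


def parse_dependency_check(report: dict) -> list[Finding]:
    """Dependency-Check severities are upper-case strings (e.g. HIGH)."""
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            sev = str(vuln.get("severity", "info")).lower()
            if sev not in SEVERITY_ORDER:
                sev = "info"  # unknown label: keep the finding, do not guess a risk
            findings.append(Finding("dependency-check", vuln["name"], sev, dep.get("fileName", "")))
    return findings


def merge(*finding_lists: list[Finding]) -> list[Finding]:
    """Correlate tool outputs into one de-duplicated list, worst severity first."""
    unique = {f for lst in finding_lists for f in lst}
    return sorted(unique, key=lambda f: (-SEVERITY_ORDER[f.severity], f.tool, f.title, f.location))


# Assumed policy: any finding at or above this severity blocks; so does a pile of mediums.
POLICY = {"fail_at_or_above": "high", "max_medium": 2}


def evaluate(findings: list[Finding], policy: dict = POLICY) -> tuple[bool, list[str]]:
    """Return (passed, reasons). Empty reasons means the build passes the gate."""
    reasons = []
    threshold = SEVERITY_ORDER[policy["fail_at_or_above"]]
    blockers = [f for f in findings if SEVERITY_ORDER[f.severity] >= threshold]
    if blockers:
        reasons.append(f"{len(blockers)} finding(s) at or above {policy['fail_at_or_above']}")
    mediums = [f for f in findings if f.severity == "medium"]
    if len(mediums) > policy["max_medium"]:
        reasons.append(f"{len(mediums)} medium finding(s) exceed limit of {policy['max_medium']}")
    return (not reasons, reasons)


def run_gate(zap_report: dict, dc_report: dict, policy: dict = POLICY) -> dict:
    """Steps 2-4 of the slide in one call: collect results, check policy, report."""
    findings = merge(parse_zap(zap_report), parse_dependency_check(dc_report))
    passed, reasons = evaluate(findings, policy)
    return {"passed": passed, "reasons": reasons, "findings": findings}


# Constructed sample reports (not real scan output; placeholder vulnerability names).
SAMPLE_ZAP = {
    "site": [{
        "@name": "https://app.example.test",
        "alerts": [
            {"alert": "Example Injection", "riskcode": "3",
             "instances": [{"uri": "https://app.example.test/search"},
                           {"uri": "https://app.example.test/login"},
                           {"uri": "https://app.example.test/search"}]},  # duplicate, dropped by merge
            {"alert": "Missing Security Header", "riskcode": "2",
             "instances": [{"uri": "https://app.example.test/"}]},
        ],
    }]
}
SAMPLE_DC = {
    "dependencies": [
        {"fileName": "example-lib-1.0.jar",
         "vulnerabilities": [{"name": "EXAMPLE-VULN-1", "severity": "MEDIUM"},
                             {"name": "EXAMPLE-VULN-2", "severity": "LOW"}]},
    ]
}

if __name__ == "__main__":
    result = run_gate(SAMPLE_ZAP, SAMPLE_DC)
    for f in result["findings"]:
        print(f"{f.severity:<8} {f.tool:<17} {f.title} @ {f.location}")
    print("GATE:", "PASS" if result["passed"] else "FAIL")
    for reason in result["reasons"]:
        print("  -", reason)
    sys.exit(0 if result["passed"] else 1)  # a non-zero exit fails the Jenkins stage
```

Run as the last step of the Security Jenkins job: the exit status is the gate, the printed list is the "how we inform" output, and changing POLICY is the agreed threshold the slide says is missing today. The same evaluate() can be fed ThreadFix's merged view instead of the raw reports once step 2 is in place.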
Fixing the stuff
Next? What is best for you and your business's risk appetite?
Get a DevSecOps team to build and maintain the tools & stuff for you £££
OWASP project (Pipelines?) to support all free tool inputs into one central repo
(Somehow) work with commercial tool providers to support that
Inspire and empower your Security Champions
Q/A