AppSec in a DevOps World
SHAUN GORDON, NEW RELIC DIRECTOR OF INFORMATION SECURITY & COMPLIANCE
OCTOBER 23, 2013
Wednesday, November 6, 13

FUTURESTACK13: AppSec in a DevOps World from Shaun Gordon, Director of Information Security & Compliance at New Relic

DESCRIPTION

We all love DevOps and Continuous Deployment because they allow us to deploy more reliable software faster. But are we willing to sacrifice the security of our and our customers' data for those benefits? Fortunately we don't need to… but we do need to think about application security differently than we have in the past. Our traditional application security methodologies present a host of challenges in the fast-moving world of DevOps, including:

- How do we ensure that the code we deploy is secure when it was only written just this morning?
- How can we provide the security our customers expect without impacting our speed and agility?
- How can we insert security into an SDLC when there is no formal SDLC?
- How do you deal with auditors that don't understand DevOps and Continuous Deployment?

At New Relic, we deploy on a daily basis and face all of these challenges. We'll talk about how we are addressing them as well as our vision for the evolution of application security.

Page 1: FUTURESTACK13: AppSec in a DevOps World from Shaun Gordon, Director of Information Security & Compliance at New Relic

AppSec in a DevOps World
SHAUN GORDON, NEW RELIC DIRECTOR OF INFORMATION SECURITY & COMPLIANCE
OCTOBER 23, 2013

Pages 3-5: Speed vs. Security

Speed
vs.
Security

Pages 7-17: Accelerating Development Cycles

Boxed Software - Waterfall - 1 year
Web 1.0 - Waterfall - 3 months
Web 2.0 - Agile - 4 weeks
DevOps - 2x week
DevOps / Continuous Deployment - daily
DevOps / Continuous Deployment - hourly

Pages 18-24: Traditional (Waterfall) SDLC

Requirements -> Design -> Development -> Testing -> Release -> Production

Requirements: Define functional (features) and non-functional requirements (capabilities)
Design: Translate requirements into architecture and detailed design
Development: Build it!
Testing: Ensure functional and non-functional requirements
Release: Ship or push live
Production: Maintain and patch as needed

Pages 25-26: Traditional (Waterfall) SDLC Security

Checkpoints
Controls
Formal Processes

Pages 27-44: Traditional (Waterfall) SDLC Security, checkpoints by phase

Requirements:
• Functional & Non-Functional security requirements

Design:
• Architectural Review
• Threat Modeling

Development:
• Secure Coding Practices
• Static Analysis
• White Box Testing

Testing:
• Dynamic Analysis
• Requirements Testing
• Penetration Testing

Release:
• Security Assessment
• Security Sign-Off

Production:
• Vulnerability Scanning
• Penetration Testing

Controls (added on pages 42-44):
• Separation of Duties
• Management Release Sign-Off
• Limits on Production Access

Pages 45-47: Continuous Deployment Security

Requirements:
• Low to No friction (can’t slow us down)
• Transparent
• No significant changes to development processes
• Make us More Secure

Strategies & Tactics:
• Automation
• Training & Empowerment
• Lightweight Processes
• Triage
• Quickly Detect & Respond

Page 48: Traditional (Waterfall) SDLC Security (recap of the per-phase checkpoints from pages 27-44)

Pages 49-53: Continuous Deployment Security

The six waterfall phases (Requirements, Design, Development, Testing, Release, Production) are regrouped into three: Requirements & Design; Development, Testing, & Release; Production. The traditional checkpoints and controls are carried over unchanged as the starting point:

• Functional & Non-Functional security requirements
• Architectural Review
• Threat Modeling
• Secure Coding Practices
• Static Analysis
• White Box Testing
• Dynamic Analysis
• Requirements Testing
• Penetration Testing
• Security Assessment
• Security Sign-Off
• Vulnerability Scanning
• Penetration Testing
• Separation of Duties
• Management Release Sign-Off
• Limits on Production Access

Page 54: Continuous Deployment Security, Requirements & Design

The Requirements & Design group now lists:

• Threat Modeling
• Required Security Evaluation

(The Functional & Non-Functional security requirements and Architectural Review checkpoints no longer appear.)

Page 55: Required Security Evaluation

1. Technical Overview
2. Business Context
3. Developer Concerns

< 25 Minute Meeting

Pages 56-58: Security Evaluation Outcomes

• Low Risk -> Simple Guidance
• Higher Risk -> Deep Dive, Whiteboarding, Threat Model

Pages 59-60: Security Evaluation Follow-Up

• Document
• Follow Up

Pages 61-62: Continuous Deployment Security, Requirements & Design

• Required Security Evaluation
• Lightweight Targeted Threat Modeling (page 62; replaces Threat Modeling)

The Development, Testing, & Release and Production groups still carry the traditional checkpoints and controls.

Pages 63-65: Threat Modeling

Identify your assets and the threats against them
Focus your resources on the greatest risks

Pages 66-71: Threat Modeling @ New Relic

1. Decompose your Application
2. Identify your Assets
3. Enumerate your Threats
4. Rate & Rank your Threats
5. Address or Accept

Pages 72-73: Continuous Deployment Security, Development, Testing, & Release

Requirements & Design: Lightweight Targeted Threat Modeling; Required Security Evaluation

Development, Testing, & Release now lists:
• Secure Coding Practices
• Security Libraries & Services (new on page 73)
• Static Analysis
• White Box Testing

Page 74: Secure Libraries & Services

• Authentication Service
• Security Event Logging Service
• Input Validation Regex Patterns
• Encryption Libraries
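As an added example (not code from the talk and not New Relic's library), here is what a shared "Input Validation Regex Patterns" module of the kind page 74 lists can look like in Ruby, the language Brakeman targets, wired to a minimal in-memory stand-in for the "Security Event Logging Service". It also shows the check a shared library exists to enforce: in Ruby, `^` and `$` match at line boundaries, so a pattern anchored with them accepts a value whose first line looks valid and whose later lines do not; `\A` and `\z` bind to the whole string. The module, method and pattern names, the length limit, and the sample inputs are all assumptions constructed for illustration.

```ruby
# Added example, not part of the original deck: a shared input-validation pattern
# library plus a stand-in security-event log. All names and limits are assumptions.
require 'time'

module SecurityEvents
  # In-memory stand-in for a security event logging service; a real service would
  # ship these records to central logging so repeated rejections can be triaged.
  LOG = []

  def self.record(event, **details)
    entry = { event: event, at: Time.now.utc.iso8601 }.merge(details)
    LOG << entry
    entry
  end
end

module InputPatterns
  # WEAK: ^ and $ match at line boundaries in Ruby, so "alice\nnot_a_username!"
  # matches because the first line alone satisfies the pattern.
  LEGACY_USERNAME = /^[a-z0-9_]{3,32}$/

  # Anchored with \A and \z, which bind to the start and end of the whole string
  # (\Z would still tolerate a trailing newline). \h is a hex digit.
  PATTERNS = {
    username: /\A[a-z0-9_]{3,32}\z/,
    hostname: /\A(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/i,
    uuid:     /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/,
    port:     /\A(?:[1-9]\d{0,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5])\z/
  }.freeze

  MAX_LENGTH = 256 # assumed cap; checked before the regex engine sees the value

  # Returns [true, value] when the value matches the named pattern, otherwise
  # [false, reason] after recording a security event for the rejection.
  def self.validate(field, value, source: 'unknown')
    reason =
      if !value.is_a?(String)
        'not a string'
      elsif value.length > MAX_LENGTH
        'too long'
      elsif !PATTERNS.key?(field)
        'unknown field'
      elsif !PATTERNS[field].match?(value)
        'pattern mismatch'
      end
    return [true, value] if reason.nil?

    SecurityEvents.record(:input_rejected, field: field, reason: reason,
                          source: source, sample: value.to_s[0, 40])
    [false, reason]
  end
end

# Side-by-side result for one input under the weak and the strict anchors.
def anchoring_comparison(input)
  {
    legacy_accepts: InputPatterns::LEGACY_USERNAME.match?(input),
    strict_accepts: InputPatterns::PATTERNS[:username].match?(input)
  }
end

if __FILE__ == $PROGRAM_NAME
  p anchoring_comparison("alice\nnot_a_username!") # constructed multi-line input
  p InputPatterns.validate(:hostname, 'api.example.com')
  p InputPatterns.validate(:port, '70000', source: 'settings form')
  p SecurityEvents::LOG
end
```

The length check runs before any pattern so oversized input never reaches the regex engine, and every rejection is recorded with the field, reason and a truncated sample, which is what lets a security team triage validation failures rather than discover them one incident at a time.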

Pages 75-76: Continuous Deployment Security, Development, Testing, & Release

• Secure Coding Practices
• Security Libraries & Services
• Automated Static Analysis (page 76; replaces Static Analysis)
• White Box Testing

Page 77: Automated Static Analysis

Brakeman + Jenkins

brakemanscanner.org
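As an added example, not New Relic's pipeline and not part of Brakeman or Jenkins, the Ruby script below shows one way to turn a Brakeman JSON report into a build-gate decision for a Jenkins job: warnings whose fingerprint is on an accepted list (the "Address or Accept" decision from the threat modeling slides) are tolerated, anything else is ranked by Brakeman's confidence level, and the build fails on high-confidence findings or on scan errors. The report is assumed to come from `brakeman -q -f json -o report.json --no-exit-on-warn`; the field names follow Brakeman's JSON output, but the report embedded here is constructed for illustration, and its fingerprints, file paths and the function names are assumptions.

```ruby
# Added example, not part of the original deck: gate a Jenkins build on a Brakeman
# JSON report. The sample report below is constructed; fingerprints are placeholders.
require 'json'

SAMPLE_REPORT = <<~JSON
  {
    "scan_info": { "app_path": "/srv/app" },
    "warnings": [
      { "warning_type": "SQL Injection", "confidence": "High",
        "fingerprint": "fp-sqli-0001", "file": "app/models/user.rb", "line": 42,
        "message": "Possible SQL injection" },
      { "warning_type": "Mass Assignment", "confidence": "Medium",
        "fingerprint": "fp-mass-0002", "file": "app/controllers/users_controller.rb", "line": 17,
        "message": "Parameters should be whitelisted for mass assignment" },
      { "warning_type": "Cross-Site Scripting", "confidence": "Weak",
        "fingerprint": "fp-xss-0003", "file": "app/views/home/index.html.erb", "line": 5,
        "message": "Unescaped model attribute" }
    ],
    "errors": []
  }
JSON

CONFIDENCE_RANK = { 'High' => 3, 'Medium' => 2, 'Weak' => 1 }.freeze

def rank(warning)
  CONFIDENCE_RANK.fetch(warning['confidence'], 0)
end

# Warnings whose fingerprint is not on the accepted list, most severe first.
def new_warnings(report, accepted_fingerprints)
  report.fetch('warnings', [])
        .reject { |w| accepted_fingerprints.include?(w['fingerprint']) }
        .sort_by { |w| [-rank(w), w['file'].to_s, w['line'].to_i] }
end

# Build-gate verdict. A report that contains scan errors also fails, because a
# scan that could not parse part of the app cannot vouch for that part.
def gate(report_json, accepted_fingerprints: [], fail_at: 'High')
  report = JSON.parse(report_json)
  warnings = new_warnings(report, accepted_fingerprints)
  threshold = CONFIDENCE_RANK.fetch(fail_at)
  blocking = warnings.select { |w| rank(w) >= threshold }
  scan_errors = report.fetch('errors', [])
  {
    pass: blocking.empty? && scan_errors.empty?,
    blocking: blocking.map { |w| "#{w['confidence']}: #{w['warning_type']} at #{w['file']}:#{w['line']}" },
    advisory: warnings.size - blocking.size, # unaccepted but below the threshold
    scan_errors: scan_errors.size
  }
end

if __FILE__ == $PROGRAM_NAME
  # With no arguments, demonstrate on the constructed sample; with a report path and
  # an optional file of accepted fingerprints (one per line), gate for real and let
  # the non-zero exit status fail the Jenkins shell step.
  report = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT
  accepted = ARGV[1] ? File.readlines(ARGV[1], chomp: true) : []
  verdict = gate(report, accepted_fingerprints: accepted)
  puts verdict[:blocking]
  puts "advisory findings below threshold: #{verdict[:advisory]}, scan errors: #{verdict[:scan_errors]}"
  puts(verdict[:pass] ? 'BUILD OK' : 'BUILD FAILED')
  exit(verdict[:pass] ? 0 : 1) unless ARGV.empty?
end
```

Keeping the accepted-fingerprint list in version control next to the threat model makes each accepted risk reviewable, and because fingerprints are stable across runs the gate stays quiet about known findings while still stopping new ones. Brakeman also has its own ignore file (config/brakeman.ignore) for the same purpose; the script simply makes the policy explicit in one place the pipeline owns.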

Page 78: FUTURESTACK13: AppSec in a DevOps World from Shaun Gordon, Director of Information Security & Compliance at New Relic

• Secure Coding Practices

• Security Libraries & Services

• Automated Static Analysis

• White Box Testing

• Lightweight Targeted Threat Modeling

Continuous Deployment Security

• Dynamic Analysis

• Requirements Testing

• Penetration Testing

• Security Assessment

• Security Sign-Off

• Vulnerability Scanning

• Penetration Testing

• Separation of Duties• Management Release Sign-Off• Limits on Production Access

ProductionDevelopment, Testing, & ReleaseRequirements & Design

• Required Security Evaluation

Wednesday, November 6, 13

Page 79

Continuous Deployment Security
Phases: Requirements & Design; Development, Testing, & Release; Production

• Lightweight Targeted Threat Modeling
• Dynamic Analysis
• Requirements Testing
• Penetration Testing
• Security Assessment
• Security Sign-Off
• Vulnerability Scanning
• Penetration Testing
• Separation of Duties
• Management Release Sign-Off
• Limits on Production Access
• Secure Coding Practices
• Security Libraries & Services
• Automated Static Analysis
• Testing Tools & Training
• Required Security Evaluation

Page 80

Continuous Deployment Security
Phases: Requirements & Design; Development, Testing, & Release; Production

• Secure Coding Practices
• Security Libraries & Services
• Automated Static Analysis
• Testing Tools & Training
• Lightweight Targeted Threat Modeling
• Separation of Duties
• Management Release Sign-Off
• Limits on Production Access
• Dynamic Analysis
• Requirements Testing
• Penetration Testing
• Security Assessment
• Security Sign-Off
• Vulnerability Scanning
• Penetration Testing
• Required Security Evaluation

Page 82

Continuous Deployment Security
Phases: Requirements & Design; Development, Testing, & Release; Production

• Secure Coding Practices
• Security Libraries & Services
• Automated Static Analysis
• Testing Tools & Training
• Lightweight Targeted Threat Modeling
• Separation of Duties
• Management Release Sign-Off
• Limits on Production Access
• Penetration Testing
• Security Assessment
• Security Sign-Off
• Requirements Testing
• Penetration Testing
• Continuous Scanning in Test, Staging, & Production
• Required Security Evaluation

Page 83

Continuous Deployment Security
Phases: Requirements & Design; Development, Testing, & Release; Production

• Secure Coding Practices
• Security Libraries & Services
• Automated Static Analysis
• Testing Tools & Training
• Lightweight Targeted Threat Modeling
• Separation of Duties
• Management Release Sign-Off
• Limits on Production Access
• Requirements Testing
• Penetration Testing
• Security Assessment
• Security Sign-Off
• Continuous Scanning in Test, Staging, & Production
• Penetration Testing
• Required Security Evaluation

Page 84

Continuous Deployment Security
Phases: Requirements & Design; Development, Testing, & Release; Production

• Secure Coding Practices
• Security Libraries & Services
• Automated Static Analysis
• Testing Tools & Training
• Lightweight Targeted Threat Modeling
• Separation of Duties
• Management Release Sign-Off
• Limits on Production Access
• Penetration Testing
• Security Assessment
• Security Sign-Off
• Continuous Scanning in Test, Staging, & Production
• Penetration Testing
• Required Security Evaluation

Page 86

Continuous Deployment Security
Phases: Requirements & Design; Development, Testing, & Release; Production

• Secure Coding Practices
• Security Libraries & Services
• Automated Static Analysis
• Testing Tools & Training
• Lightweight Targeted Threat Modeling
• Separation of Duties
• Management Release Sign-Off
• Limits on Production Access
• Continuous Scanning in Test, Staging, & Production
• Penetration Testing
• Security Assessment
• Security Sign-Off
• Required Security Evaluation

Page 87

Continuous Deployment Security
Phases: Requirements & Design; Development, Testing, & Release; Production

• Penetration Testing
• Secure Coding Practices
• Security Libraries & Services
• Automated Static Analysis
• Testing Tools & Training
• Lightweight Targeted Threat Modeling
• Separation of Duties
• Management Release Sign-Off
• Limits on Production Access
• Security Assessment
• Security Sign-Off
• Continuous Scanning in Test, Staging, & Production
• Required Security Evaluation

Page 88

Continuous Deployment Security
Phases: Requirements & Design; Development, Testing, & Release; Production

• Penetration Testing
• Secure Coding Practices
• Security Libraries & Services
• Automated Static Analysis
• Testing Tools & Training
• Lightweight Targeted Threat Modeling
• Separation of Duties
• Management Release Sign-Off
• Limits on Production Access
• Continuous Scanning in Test, Staging, & Production
• Automated Commit Triage
• Security Sign-Off
• Required Security Evaluation

Page 89

Triage Process

• Dangerous Methods
• Sensitive Modules
• Security Keywords
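The triage process on this slide, as an added Ruby example that is not code from the deck or from New Relic: it scans only the added lines of a commit's unified diff for the three signals (dangerous methods, sensitive modules, security keywords) and flags the commit for human security review. The pattern lists, file paths and sample diff are constructed assumptions, not the project's own.

```ruby
# Added example (not from the FutureStack deck): minimal automated commit
# triage over a unified diff, using the three signals from slide 89.
# Patterns, paths and the sample diff below are constructed for this example.

DANGEROUS_METHODS = /\b(eval|instance_eval|send|public_send|constantize|system|html_safe)\b|`/
SENSITIVE_MODULES = %r{\A(app/controllers/sessions|app/models/user|lib/auth|config/initializers/devise)}
SECURITY_KEYWORDS = /\b(password|token|secret|api_key|permission|role|csrf|ssl)\b/i

Finding = Struct.new(:file, :category, :text)

# Single pass: '+++ b/path' headers set the current file; only '+' lines are
# scanned, so triage cost scales with the size of the change, not the codebase.
def triage_diff(diff)
  findings = []
  file = nil
  diff.each_line do |raw|
    line = raw.chomp
    if line.start_with?('+++ ')
      file = line.sub(%r{\A\+\+\+ [ab]/}, '')
      findings << Finding.new(file, :sensitive_module, file) if file =~ SENSITIVE_MODULES
    elsif line.start_with?('+')
      code = line[1..-1]
      findings << Finding.new(file, :dangerous_method, code.strip) if code =~ DANGEROUS_METHODS
      findings << Finding.new(file, :security_keyword, code.strip) if code =~ SECURITY_KEYWORDS
    end
  end
  findings
end

# Any signal routes the commit to a human security reviewer; otherwise it
# continues down the normal continuous-deployment path.
def needs_security_review?(diff)
  !triage_diff(diff).empty?
end

# Constructed sample diff: a harmless copy change plus a risky session change.
SAMPLE_DIFF = <<~DIFF
  --- a/app/views/home/index.html.erb
  +++ b/app/views/home/index.html.erb
  @@ -1 +1 @@
  -<h1>Welcome</h1>
  +<h1>Welcome back</h1>
  --- a/app/controllers/sessions_controller.rb
  +++ b/app/controllers/sessions_controller.rb
  @@ -3,2 +3,3 @@
     def create
  +    user = User.find_by(email: params[:email])
  +    session[:token] = user.send(params[:auth_method]) if user
DIFF
```

Running `triage_diff(SAMPLE_DIFF)` yields one finding per signal (sensitive module, dangerous method, security keyword), all in the sessions controller, while the view-only change produces none.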

Page 90

Continuous Deployment Security
Phases: Requirements & Design; Development, Testing, & Release; Production

• Penetration Testing
• Secure Coding Practices
• Security Libraries & Services
• Automated Static Analysis
• Testing Tools & Training
• Lightweight Targeted Threat Modeling
• Separation of Duties
• Management Release Sign-Off
• Limits on Production Access
• Automated Commit Triage
• Security Sign-Off
• Continuous Scanning in Test, Staging, & Production
• Required Security Evaluation

Page 91

Continuous Deployment Security
Phases: Requirements & Design; Development, Testing, & Release; Production

• Penetration Testing
• Secure Coding Practices
• Security Libraries & Services
• Automated Static Analysis
• Testing Tools & Training
• Lightweight Targeted Threat Modeling
• Separation of Duties
• Management Release Sign-Off
• Limits on Production Access
• Continuous Scanning in Test, Staging, & Production
• Automated Commit Triage
• Quick Detection & Recovery
• Required Security Evaluation

Page 92

Continuous Deployment Security
Phases: Requirements & Design; Development, Testing, & Release; Production

• Penetration Testing
• Secure Coding Practices
• Security Libraries & Services
• Automated Static Analysis
• Testing Tools & Training
• Lightweight Targeted Threat Modeling
• Separation of Duties
• Management Release Sign-Off
• Limits on Production Access
• Automated Commit Triage
• Quick Detection & Recovery
• Continuous Scanning in Test, Staging, & Production
• Required Security Evaluation

Page 93

Continuous Deployment Security
Phases: Requirements & Design; Development, Testing, & Release; Production

• Accountability
• Management Release Sign-Off
• Limits on Production Access
• Penetration Testing
• Secure Coding Practices
• Security Libraries & Services
• Automated Static Analysis
• Testing Tools & Training
• Lightweight Targeted Threat Modeling
• Automated Commit Triage
• Quick Detection & Recovery
• Continuous Scanning in Test, Staging, & Production
• Required Security Evaluation

Page 95

Continuous Deployment Security
Phases: Requirements & Design; Development, Testing, & Release; Production

• Accountability
• Sidekick Process
• Limits on Production Access
• Penetration Testing
• Secure Coding Practices
• Security Libraries & Services
• Automated Static Analysis
• Testing Tools & Training
• Lightweight Targeted Threat Modeling
• Automated Commit Triage
• Quick Detection & Recovery
• Continuous Scanning in Test, Staging, & Production
• Required Security Evaluation

Pages 96, 97, 98: image-only slides (no text)

Page 99

Two Sets of (masked) eyes on every change

Page 101

Continuous Deployment Security
Phases: Requirements & Design; Development, Testing, & Release; Production

• Penetration Testing
• Secure Coding Practices
• Security Libraries & Services
• Automated Static Analysis
• Testing Tools & Training
• Lightweight Targeted Threat Modeling
• Automated Commit Triage
• Quick Detection & Recovery
• Continuous Scanning in Test, Staging, & Production
• Accountability
• Sidekick Process
• Enabling Tools
• Required Security Evaluation

Page 103

Continuous Deployment Security
Phases: Requirements & Design; Development, Testing, & Release; Production

• Lightweight Targeted Threat Modeling
• Accountability
• Sidekick Process
• Enabling Tools
• Penetration Testing
• Secure Coding Practices
• Security Libraries & Services
• Automated Static Analysis
• Testing Tools & Training
• Automated Commit Triage
• Quick Detection & Recovery
• Continuous Scanning in Test, Staging, & Production
• Required Security Evaluation

Page 104

Powered By...

Page 105

Powered By...

Automation
Training & Empowerment
Lightweight Processes
Triage
Quick Detection & Response

Page 106

Auditors

Page 107

Auditors

Compensating Controls

Page 108

Auditors

Compensating Controls

Tell the Story

Page 109

Thank You!

Page 111

Image Attribution
Slide 14: Checkpoint Rheinpark by http://www.flickr.com/photos/kecko/3179561892/