© 2016 ELLUCIAN. 2
Who Am I?
• Information Security Professional
• Software Engineer
• Enjoy Capture the Flag
• Movie and Trivia Enthusiast
RoboCop Locations
• Film: Detroit City Hall. Actual: Dallas Municipal Bldg, 116 S. Harwood St.
• Film: OCP Building. Actual: Dallas City Hall, 1500 Marilla St.
Serve the Public Trust
Excuse me. I have to go. Somewhere there is a crime happening.
RoboCop, “RoboCop”
• Business Driven Security
• Open Collaboration
• Leaning In
• Translate Security for the Layperson
Protect The Innocent
Come quietly or there will be… trouble.
RoboCop, “RoboCop”
• Developers are not security experts
• Security can be an afterthought
• Developers are lazy
Uphold The Law
You are illegally parked on private property. You have twenty seconds to move your vehicle.
ED-209, “RoboCop”
• What are your policies?
• What are your standards?
• Security Gates
How We Define DevOps
People working together with a common set of tools & goals to achieve the best customer experience
DevSecOps
DevSecOps: automation of security tasks by embedding security controls and processes into the DevOps workflow
Static Application Security Testing (SAST)
Pros:
• Shows vulnerabilities at their source
• No need for code compilation
Cons:
• False positives
• May report findings that can’t be exploited
Dynamic Application Security Testing (DAST)
Pros:
• Shows vulnerabilities exposed in real time
• No need for source code
• Detects vulnerabilities on the client and server side
Cons:
• Cannot identify the location for remediation
• May not cover all areas of the application
• Must rebuild the application when modifying code
SAST vs. DAST
SAST finds:
• Poor crypto implementation
• Issues in dead/unused code
• Hard-coded secrets
DAST finds:
• Environment configuration issues
• Authentication issues
• Session management issues
• Runtime privilege issues
Both SAST & DAST find:
• SQLi
• Cross-site Scripting
• Path Traversal
• Buffer Overflows
• HTTP Response Splitting
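As an added illustration of the SAST side of this comparison and of the security gate from the "Uphold The Law" slide (example code written for this page, not Ellucian's tooling): a toy SAST-style scanner that works on source text alone, flags a hard-coded secret and a weak hash, still reports the finding when it sits in a function nothing calls (which a DAST scan could never exercise), and a gate that decides whether the pipeline may proceed. The sample module, the rule names and the gate threshold are constructed assumptions.

```python
import ast
import re

SECRET_NAME = re.compile(r"(password|secret|api_key|token)$", re.I)
WEAK_HASHES = {"md5", "sha1"}

# Constructed sample module: the hard-coded key sits in a function nothing calls,
# so a DAST scan, which only sees code that actually runs, would never reach it.
SAMPLE_SOURCE = '''
import hashlib
def legacy_token():
    api_key = "AKIA-EXAMPLE-NOT-A-REAL-KEY"
    return api_key
def hash_password(pw):
    return hashlib.md5(pw.encode()).hexdigest()
def main():
    print(hash_password("hunter2"))
'''

def classify(node):
    """Map one AST node to a rule name, or None if the node is clean."""
    if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
            and isinstance(node.value.value, str)
            and any(isinstance(t, ast.Name) and SECRET_NAME.search(t.id)
                    for t in node.targets)):
        return "hardcoded-secret"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and isinstance(node.func.value, ast.Name)
            and node.func.value.id == "hashlib" and node.func.attr in WEAK_HASHES):
        return "weak-hash-" + node.func.attr
    return None

def scan_source(source, entry_points=("main",)):
    """SAST-style scan: needs only the source text, no build and no running app."""
    tree = ast.parse(source)
    called = {n.func.id for n in ast.walk(tree)
              if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)}
    findings = []
    for func in (n for n in tree.body if isinstance(n, ast.FunctionDef)):
        reachable = func.name in called or func.name in entry_points
        for node in ast.walk(func):
            rule = classify(node)
            if rule:  # reported even in dead code, which DAST can never exercise
                findings.append({"line": node.lineno, "rule": rule,
                                 "function": func.name, "dead_code": not reachable})
    return findings

def security_gate(findings, max_findings=0):
    """Pipeline security gate: True means the build may proceed."""
    return len(findings) <= max_findings
```

Running `scan_source(SAMPLE_SOURCE)` yields the secret in the unreachable `legacy_token` (marked `dead_code`) and the MD5 call in `hash_password`, and `security_gate` on that result returns False.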
Interactive Application Security Testing (IAST)
Pros:
• Can enhance DAST
• May identify vulnerable lines of code
Cons:
• Can’t run on its own
• Has to be integrated with the application
Other Resources
Enterprise DevOps at Scale with AWS | AWS Public Sector Summit
Ellucian has been migrating its entire organization from a myriad of software delivery mechanisms, many of them manual, to a highly automated and advanced suite of DevOps tools. In this talk, we go over some of the challenges we have faced and also discuss our thoughts on the evolution of DevOps and the emerging patterns of managing AWS-based environments.
https://youtu.be/MqP1lU39jcM
DevOps on the AWS Cloud
Learn how REAN Cloud helped AWS customer Ellucian develop a DevOps framework to transform their software delivery process for over 80 product lines.
https://youtu.be/071rB05Oj9g
Summary
• Choose technologies that meet your business needs and processes
• Make security a feature
• Automate as much as possible
Recommended