Join the conversation #devseccon
AppSec DevOps Automation
Real World Cases
Ofer Maor, Director of Security Strategy
@OferMaor
linkedin.com/in/ofermaor
ofer.maor@gmail.com
Speaker
• Security Strategy at Synopsys
• Over 20 Years in Cybersecurity
• Hacker at Heart
• Longtime OWASPer
• Pioneer of IAST
• Avid Photographer
Sunset over Hamnøy, Lofoten Islands, Norway
The Agile Security Challenge
• Too Much Data
• Security by Developers
• Short Cycles, Rapid Delivery
• Prioritizing Risk
• Understanding the Pain
People: Getting People Involved (DevOps, Sec, R&D)
Process: Adapting to Existing Processes (CI, Issue Tracking, etc.)
Technology: The Right Technology (IAST)
Automation: Automated, Continuous, Practical Testing
Case I
Insurance Company Starting Out DevOps
Case I: The Challenge
Insurance Company
Agile Maturity: In Transition
DevOps Maturity: Starting
AppSec Maturity: Medium
• Insurance company, home-grown apps
• ~15 different systems (Customer / Agent / Internal)
• Varying levels of DevOps maturity and Agile transformation
• Focus on “Agile Transformation” – new systems
• Limited security background for developers
• Limited security resources
• Insufficient test automation (coverage)
Case I: The Solution
Insurance Company
Agile Maturity: In Transition
DevOps Maturity: Starting
AppSec Maturity: Medium
• R&D / DevOps / Security cooperation and a joint committee
• Security visibility into R&D bugs
• R&D training (basic!)
• Fully integrated into CI (Jenkins)
• Fully integrated with manual and automated testing
• Risk policy (adapting risk ratings; only “High” blocks the build)
• Multiple output channels (tickets, reports, etc.)
Case II
Retailer, Established Agile Shop
Case II: The Challenge
Retailer
Agile Maturity: High
DevOps Maturity: High
AppSec Maturity: Low
• eCommerce platform (with “flavors”)
• Response to an incident (minimal existing security)
• Very small security team
• No security background for developers
• No existing process between security and R&D
• “Run of the mill” Agile/DevOps shop (with very strict enforcement)
• Dynamic environment orchestration
Case II: The Solution
Retailer
Agile Maturity: High
DevOps Maturity: High
AppSec Maturity: Low
• Process driven by R&D and DevOps, with security supervision
• Automatic orchestration of a dedicated security testing environment
• Integration with Jenkins, Selenium and JIRA
• Security “workflow” created: testing once a week over a 3-week sprint
• Tests in weeks 1 and 2 are for fixing; week 3 is for verification
• Breaking (medium or higher) on verification: feature removed
• HTML and PDF reports for auditing and integration
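The two risk policies above differ only in their severity threshold and in when it is enforced: Case I fails the CI build on “High” findings every run, while Case II reports only during weeks 1 and 2 and fails on medium-or-higher in the week-3 verification run. The following is an added example of such a build gate, written for this page and not code from the talk, Synopsys, or either customer. The JSON findings format and the field names (id, title, severity) are a hypothetical scanner export, since real IAST/DAST tools each have their own schema; the sample report is constructed.

```python
"""Severity-threshold build gate for scanner findings (added example).

Models the two policies from the cases: Case I blocks on High or above on
every CI run; Case II is report-only in sprint weeks 1-2 and blocks on
Medium or above in the week-3 verification run.
"""
import json
from typing import Optional

# Ordering used to compare a finding's severity against a policy threshold.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


class Policy:
    """block_at is the lowest severity that fails the build; None = report only."""

    def __init__(self, name: str, block_at: Optional[str]):
        self.name = name
        self.block_at = block_at

    def blocks(self, severity: str) -> bool:
        if self.block_at is None:
            return False
        return SEVERITY_RANK[severity] >= SEVERITY_RANK[self.block_at]


# Case I: only "High" (and above) blocks the Jenkins build.
INSURANCE_POLICY = Policy(name="insurance-ci", block_at="high")


def retailer_policy(sprint_week: int) -> Policy:
    """Case II: weekly test over a 3-week sprint; weeks 1-2 are for fixing
    (report only), week 3 verifies and fails on Medium or higher."""
    if sprint_week not in (1, 2, 3):
        raise ValueError("sprint week must be 1, 2 or 3")
    if sprint_week == 3:
        return Policy(name="retailer-verification", block_at="medium")
    return Policy(name="retailer-fix-week-%d" % sprint_week, block_at=None)


def parse_findings(report_json: str) -> list:
    """Parse the (hypothetical) scanner export. An unknown or missing
    severity is treated as 'high' so a malformed report fails closed
    instead of silently passing the gate."""
    findings = []
    for raw in json.loads(report_json):
        sev = str(raw.get("severity", "")).lower()
        if sev not in SEVERITY_RANK:
            sev = "high"
        findings.append({"id": raw.get("id", "?"),
                         "title": raw.get("title", ""),
                         "severity": sev})
    return findings


def evaluate(findings: list, policy: Policy) -> dict:
    """Apply the policy; returns the verdict and the findings that caused it."""
    blocking = [f for f in findings if policy.blocks(f["severity"])]
    return {"policy": policy.name, "passed": not blocking,
            "blocking": blocking, "total": len(findings)}


def ci_exit_code(verdict: dict) -> int:
    """0 lets the pipeline continue; 1 fails the CI stage."""
    return 0 if verdict["passed"] else 1


# Constructed sample export; not output from any real scanner or engagement.
SAMPLE_REPORT = json.dumps([
    {"id": "F-1", "title": "Reflected XSS in search parameter", "severity": "Medium"},
    {"id": "F-2", "title": "Verbose server version header", "severity": "low"},
    {"id": "F-3", "title": "SQL injection in order lookup", "severity": "High"},
])

if __name__ == "__main__":
    findings = parse_findings(SAMPLE_REPORT)
    for policy in (INSURANCE_POLICY, retailer_policy(1), retailer_policy(3)):
        verdict = evaluate(findings, policy)
        print(policy.name, "PASS" if verdict["passed"] else "FAIL",
              [f["id"] for f in verdict["blocking"]])
```

In a Jenkins job this would run as the last step of the security stage, with the exit code deciding whether the pipeline proceeds; the report-only weeks still produce the same verdict structure so the findings can be pushed to JIRA or rendered as the HTML/PDF report without a separate code path.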
Thank You!
Questions?