Weaponizing Your DevOps Pipeline
OWASP MSP
Thursday, July 19th 2018
Eric Johnson (@emjohn20)
Puma Security
• Principal Security Engineer
• Modern static code analysis
• DevSecOps automation
• Secure Development Lifecycle
SANS Institute
• Certified Instructor: DEV541: Secure Coding in Java; DEV534: Secure DevOps
• Course Author: DEV531: Mobile App Security Essentials; DEV540: Secure DevOps & Cloud Application Security; DEV544: Secure Coding in .NET
Eric Johnson, CISSP, AWS CD, GSSP, GWAPT
©2018 – Puma Security, LLC
Roadmap
• The DevOps Problem
• DevSecOps Program
Pre-Commit
Commit
Acceptance
Production
Operations
• Conclusion
State of DevOps
The 2017 State of DevOps report indicates that high-performing organizations:
• Deploy 46x more frequently
• Have 440x shorter lead times
• Recover from failures 96x faster
• Spend 50% less time remediating security issues
The DevOps Toolchain
The DevOps toolchain enabling these rapid delivery cycles (not inclusive):
Git Jenkins Docker Artifactory
Puppet / Chef Terraform Kubernetes Packer
State of Traditional Security
• External vendor performing annual assessments
• Internal security team receives 1,000 page PDF reports
• Internal security team manually running scanners, fuzzers, etc.
HPE | AppSec & DevOps Survey
• Published October 2016
• Release frequency up 30x
• 42% indicate silos still exist between Sec and DevOps
Security in DevOps (survey chart): SecDevOps 20%, Gated Reviews 38%, Network Defenses 25%, Nothing 17%
The Problem
• Security is not invited to the DevOps party
• The internal security team does not have a development background
• Frequent deployments invalidate point-in-time assessment results
• A huge opportunity to build security into the pipeline is being missed
Why The Cold Shoulder?
"DevOps is an excuse for developers to have
global access to production. No way."
- The dictator CISO
"Perfect, I get to wire up crappy security
scanners and break the build."
- The security jerk
"We cannot use continuous delivery and remain PCI compliant."
- The uninformed compliance manager
What is DevSecOps
DevSecOps / SecDevOps / DevOpsSec is about breaking down walls between security and:
• Development
• Operations
• Business
"In DevSecOps, security is a first-class problem and the security team is a first-class citizen."
- Jim Bird, CTO, SANS Analyst & DEV540 co-author
Keeping CALM & DevSecOps On
Applying security to Willis, Edwards, & Humble's CALMS:
• Culture - No security jerks (Etsy), turning "no" into "yes"
• Automation - Rely on security tools for efficiency + repeatability
• Lean - Apply lean engineering practices to risk assessments / code reviews
• Measurement - Use security data to drive decisions, improve, and respond in real time (or near real time)
• Sharing - Share threat intel, secure frameworks, and postmortems across the organization
DevSecOps Phases
• DevSecOps cycles through 5 key phases: Pre-Commit, Commit (CI), Acceptance, Production, Operations
• The SANS DevSecOps Toolchain lists several OSS tools for each phase
– Written by Ben Allen, Jim Bird, Eric Johnson, & Frank Kim
– https://sans.org/u/zAi
DevSecOps Security Controls
Breaking down the security controls in each DevSecOps phase:
PRE-COMMIT: IDE security plugins, pre-commit hooks, peer code reviews, threat modeling
COMMIT (CI): static code analysis, security unit tests, container security, dependency management
ACCEPTANCE: infrastructure scanning, dynamic security tests, cloud infrastructure, security acceptance tests
PRODUCTION: security smoke tests, security configuration, secrets management, server hardening
OPERATIONS: blameless postmortems, continuous monitoring, penetration testing, threat intelligence
DevSecOps Phases | Pre-Commit
Applying security controls before code is written and committed: threat modeling, IDE security plugins, pre-commit hooks, and peer code reviews.
Pre-Commit | Threat Modeling
Threat modeling must apply lean engineering principles:
• Lightweight and incremental review
• The source code is the design
• Focus on data classification, entry points, high risk code, and writing security stories / abuse cases
• Categorize the risk level (high risk, paved road, control gates)
Pre-Commit | Threat Modeling Tools
Weaponizing the toolchain:
• Raindance
– https://github.com/devsecops/raindance
• Mozilla's Rapid Risk Assessment (RRA)
– https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html
• OWASP Threat Dragon
– https://www.owasp.org/index.php/OWASP_Threat_Dragon
Pre-Commit | High Risk Code Examples
High risk code may perform any of the following functionality (not inclusive):
• Infrastructure code
• Pipeline definitions
• Authentication
• Access control
• Output encoding
• Input validation
• Automated security / compliance tests
• High risk business logic
• Data entitlement checks
• Handling confidential data
• Cryptography
Pre-Commit | Threat Modeling Example
Mozilla's rapid risk assessment guidance and Google Doc provide a blueprint for 30 minute RRAs.
Pre-Commit | IDE Security Plugins
Opportunity to identify vulnerabilities in infrastructure and application code as the code is written or saved to disk:
• Security becomes part of the engineering workflow
• Shifts security as far left in the kill chain as possible
• Must have low false positive rates (important)
Pre-Commit | IDE Security Tools
Weaponizing the toolchain:
• FindSecurityBugs (Java)
• Puma Scan (C#)
• SonarLint (Java, C#, JavaScript)
• DevSkim (C#, JavaScript)
Pre-Commit | IDE Security Example
Puma Scan identifying a JSON deserialization vulnerability in the IDE.
Pre-Commit | Git Hooks
Run security checkers before committing code to git:
• Invoke additional CLI scans / security checks before code reaches continuous integration
• Use to block secrets: passwords, private keys, cloud access keys, etc.
• Important to note these client-side protections can be disabled by engineers (git commit --no-verify skips them), so the same checks must also run server-side in CI
Pre-Commit | Git Hook Tools
Weaponizing the toolchain:
• AWS Labs git-secrets
– https://github.com/awslabs/git-secrets
• Talisman
– https://github.com/thoughtworks/talisman
• Auth0 repo-supervisor
– https://github.com/auth0/repo-supervisor
• Yelp Pre-Commit Framework
– https://pre-commit.com/
Pre-Commit | Git Hook Example
AWS git-secrets blocking a commit that contains an access key ID and secret access key:
$ git commit -m "testing git-secrets"
Web/PumaScan.Licensing.Web/appsettings.json:5: "AccessKey": "AKIAJNQ7C2FCRR6B4VWA",
Web/PumaScan.Licensing.Web/appsettings.json:6: "SecretKey": "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"
[ERROR] Matched one or more prohibited patterns
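The git-secrets output above shows the effect of the gate. The following is an added example, not code from the slides or from git-secrets, of the same gate written as a Python pre-commit hook that scans only the lines a commit adds. The credential patterns, the `--demo` flag and the sample diff (built from the placeholder keys in the AWS documentation) are this example's own assumptions.

```python
"""Pre-commit hook that scans the staged diff for AWS credentials.

Added example, not code from the slides or from git-secrets. Copy it to
.git/hooks/pre-commit (chmod +x); a finding rejects the commit.
`python pre_commit_secrets.py --demo` scans the constructed SAMPLE_DIFF instead.
"""
import re
import subprocess
import sys

# Credential shapes this example recognises (an assumption modelled on the
# AWS patterns git-secrets registers, not copied from it): an access key ID is
# "AKIA" plus 16 upper-case alphanumerics; a secret access key is a 40-char
# base64-like value assigned to a name that looks like *secret*key.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?)?secret_?(?:access_?)?key['\"]?\s*(?::|=>|=)\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample diff using the placeholder credentials from the AWS
# documentation; it is not output from any real repository.
SAMPLE_DIFF = """\
diff --git a/appsettings.json b/appsettings.json
--- a/appsettings.json
+++ b/appsettings.json
@@ -3,0 +4,2 @@
+  "AccessKey": "AKIAIOSFODNN7EXAMPLE",
+  "SecretKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY"
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1 @@
-Credentials live in appsettings.json
+Credentials are read from the environment, never from AKIAxxxx literals.
"""


def scan_text(text):
    """Return (line_number, kind, value) for every credential-looking token."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((line_no, "aws_access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((line_no, "aws_secret_access_key", m.group(1)))
    return findings


def scan_diff(diff_text):
    """Scan only lines a commit adds ('+' lines), attributed to the '+++ b/' file.

    Removed lines and context are skipped, so a secret already in history does
    not block unrelated commits (history clean-up is a separate job).
    """
    findings = []
    current = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current = line[4:]
            current = current[2:] if current.startswith("b/") else current
        elif line.startswith("+"):
            for _, kind, value in scan_text(line[1:]):
                findings.append((current, kind, value))
    return findings


def mask(value):
    """Never echo the full secret into hook or CI logs; keep enough to locate it."""
    return value[:4] + "..." + value[-4:]


def main():
    if "--demo" in sys.argv:
        diff = SAMPLE_DIFF
    else:
        result = subprocess.run(
            ["git", "diff", "--cached", "--unified=0", "--no-color"],
            capture_output=True, text=True, check=True,
        )
        diff = result.stdout
    findings = scan_diff(diff)
    for path, kind, value in findings:
        print(f"{path}: {kind}: {mask(value)}", file=sys.stderr)
    if findings:
        print("[ERROR] Matched one or more prohibited patterns; commit rejected",
              file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Register the same script as a local hook in the Yelp pre-commit framework if that is already in use. Because `git commit --no-verify` skips every client-side hook, run `scan_diff` over the pushed commit range in CI as well; the hook is a convenience for engineers, not the control.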
Pre-Commit | Peer Reviews
Peer code reviews are mandatory in disciplined DevSecOps organizations:
• Allow engineers to discover hard-coded secrets, logic flaws in high risk code, and backdoors
• Compensating control for separation of duties in continuous deployment
• Relies on the reviewer's application security skillset
Pre-Commit | Peer Review Toolchain
Weaponizing the toolchain:
• GitHub Pull Request
• GitLab Merge Request
• Bitbucket Pull Request
• Gerrit (Google)
• Review Board
– https://github.com/reviewboard/reviewboard
Pre-Commit | Peer Review Example
GitHub pull request requiring peer review approval before merge.
DevSecOps Phases | Commit
Applying automated, fast, accurate security controls in the CI pipeline: static code analysis, security unit tests, container security, and dependency management.
Commit | Static Code Analysis
Limited time window for static analysis in CI & CD pipelines:
• Speed matters (< 5 minutes)
• High accuracy rules
• Low false positive rates
• Disable rules that do not provide value to engineers
Commit | Static Code Analysis Tools
Weaponizing the toolchain:
• Brakeman (Ruby)
• ESLint (NodeJS, with security rule plugins)
• Puma Scan (C#)
• FindSecurityBugs (Java)
• Puppet Lint Security
• And many, many commercial offerings...
Commit | Static Code Analysis Example
Puma Scan failing a build in a Jenkins CI pipeline.
Commit | Static Code Analysis Example
Capturing and reporting vulnerability data in a Jenkins CI pipeline.
Commit | Security Unit Tests
Built on top of standard unit and integration tests to enforce security requirements:
• Leverage abuse cases and evil user stories from the rapid risk assessment
• Focus on high risk code and business logic flaws
• Fast execution in the IDE / CI pipeline
• Can be used to enforce security requirements
Commit | Security Unit Test Tools
Weaponizing the toolchain:
• JUnit (Java)
• xUnit.net (C#)
• Mocha (NodeJS)
• RSpec (Ruby)
Commit | Happy Path Unit Test Example
• Engineers often stay on the "happy path"
• Prove the code works under normal usage
[Theory]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", "1", HttpStatusCode.Found)]
public async Task License_DownloadTest(string username, string password, string id, HttpStatusCode responseCode)
{
    …
    // Request the license download for the given id with the authenticated session cookie
    var request = new HttpRequestMessage(HttpMethod.Get, $"/download/{id}");
    request.Headers.Add("Cookie", $"app-portal={authCookie};");
    var response = await _client.SendAsync(request);
    Assert.Equal(responseCode, response.StatusCode);
}
Commit | Validation Unit Test Example
Testing common SQL injection characters; each abuse case is expected to return 404 Not Found:
[Theory]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", "'", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", "*", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", ")", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", ",", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", ";", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", "#", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", "&", HttpStatusCode.NotFound)]
public async Task License_DownloadTest(string username, string password, string id, HttpStatusCode responseCode)
{
    …
    // Same request as the happy path test, but the id carries an injection character
    var request = new HttpRequestMessage(HttpMethod.Get, $"/download/{id}");
    request.Headers.Add("Cookie", $"app-portal={authCookie};");
    var response = await _client.SendAsync(request);
    Assert.Equal(responseCode, response.StatusCode);
}
Commit | High Risk Code Unit Test Example
Verifying checksums on high risk code, so that any change to these files fails the build and triggers a review request:
[Theory]
[InlineData("/Web/Controllers/AccountController.cs", "2ffbf33b66ddb07616f882ceed0718826af298a7")]
[InlineData("/Shared/Services/Cryptography/Hash.cs", "d51bfd137d37a7ed908737552568bcc5241f5021")]
[InlineData("/Shared/Services/Cryptography/Asymmetric.cs", "fe83bf6f453698c5f78cab167bca14c72daf32c0")]
[InlineData("/Shared/Services/Cryptography/Symmetric.cs", "ae951207f4fbdbe2d9661297f285dc99857f32d4")]
public void HighRiskCode_CheckSumTest(string file, string checksum)
{
    // Compare the pinned checksum against the file's current hash
    bool match = checksum.Equals(Hash.GetChecksum(file));
    // On mismatch, request a security code review before failing the test
    if (!match) NotificationService.RequestCodeReview(file);
    Assert.True(match);
}
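The C# test above pins one checksum per file. As an added example (not code from the slides), here is the same control generalised in Python to a manifest of high-risk files that returns a per-file status, so a CI job can open a review request for exactly the files that changed rather than only failing. The manifest format, the file names, the sample contents and the choice of SHA-256 are this example's assumptions.

```python
"""Checksum gate for high-risk source files.

Added example, not code from the slides. A manifest pins a SHA-256 digest per
high-risk file (sha256sum-compatible lines, so the same manifest also works
with `sha256sum -c`); verify_high_risk_code() reports which files changed or
vanished since the last review. SHA-256 is this example's choice; the slide's
40-character values are SHA-1 length.
"""
import hashlib
import os
import sys
import tempfile


def sha256_file(path):
    """Hex SHA-256 of a file, streamed so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse '<hex digest>  <relative path>' lines; '#' comments and blanks are ignored."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        pins[path.strip()] = digest.lower()
    return pins


def verify_high_risk_code(root, manifest_text):
    """Map each pinned path to 'ok', 'modified' or 'missing' relative to root."""
    results = {}
    for rel, expected in parse_manifest(manifest_text).items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
        elif sha256_file(full) == expected:
            results[rel] = "ok"
        else:
            results[rel] = "modified"
    return results


def demo():
    """Constructed scenario: pin three files, then change one and delete one."""
    files = {
        "Shared/Services/Cryptography/Hash.cs": "public static class Hash { }\n",
        "Web/Controllers/AccountController.cs": "public class AccountController { }\n",
        "Shared/Services/Cryptography/Symmetric.cs": "public static class Symmetric { }\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        # The manifest is generated at review time and committed next to the tests.
        manifest = "\n".join(
            f"{sha256_file(os.path.join(root, rel))}  {rel}" for rel in files
        )
        # A later commit touches the controller and removes the cipher helper.
        with open(os.path.join(root, "Web/Controllers/AccountController.cs"), "a") as fh:
            fh.write("// unreviewed change\n")
        os.remove(os.path.join(root, "Shared/Services/Cryptography/Symmetric.cs"))
        return verify_high_risk_code(root, manifest)


if __name__ == "__main__":
    results = demo()
    for rel, status in results.items():
        print(f"{status:8} {rel}")
    # A non-zero exit fails the CI stage until a reviewer re-pins the manifest.
    sys.exit(0 if all(s == "ok" for s in results.values()) else 1)
```

Re-pinning the manifest is itself a change to high-risk code, so it belongs in the same pull request as the reviewed change and should be covered by the peer review requirement from the pre-commit phase; otherwise an engineer can silently update both.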
Commit | Container Security
Containers present an entirely new attack surface for engineering teams to deal with:
• Managing container secrets
• Poisoned / untrusted images
• Hardening the image operating system
• Docker daemon / API attack surface
• This topic alone is an hour+ conversation
Commit | Container Security Tools
Weaponizing the toolchain:
• Anchore (image scanning and policy checks)
– https://anchore.com/opensource/
• Actuary
– https://github.com/diogomonica/actuary
• Clair (image vulnerability scanning)
– https://github.com/coreos/clair
• Falco (runtime behaviour monitoring, not an image scanner)
– https://github.com/draios/falco
Commit | Container Security Scan Example
Anchore scan results via Jenkins CI.
Commit | Dependency Management
Builds a bill of materials from operating system and application dependencies:
• Scans manifests, templates, and libraries
• Identifies packages and libraries with known vulnerabilities
• Suggests package version updates to remediate vulnerabilities
Commit | Dependency Management Tools
Weaponizing the toolchain:
• OWASP Dependency Check
• PHP Security Checker
• Retire.JS
• Node Security Project (nsp; its checks have since moved into npm audit)
Commit | Dependency Management Example
Dependency Check scan results via Jenkins CI.
DevSecOps Phases | Acceptance
Applying security controls during delivery of infrastructure or applications to acceptance: infrastructure scanning, dynamic security tests, cloud infrastructure, and security acceptance tests.
DevSecOps Phases | Production
Applying security controls during deployment of infrastructure or applications to production: security smoke tests, security configuration, secrets management, and server hardening.
DevSecOps Phases | Operations
Continuous security monitoring, testing, and compliance checks in production: blameless postmortems, continuous monitoring, penetration testing, and threat intelligence.
Puma Scan | Black Hat Arsenal 2018
• Open source security source code analyzer for C#
• 50+ application security-specific rules
• Install guide, rule docs, source code:
https://www.pumascan.com/community
https://github.com/pumasecurity
@puma_scan
• Presenting Wednesday August 8th at Black Hat Arsenal
https://www.blackhat.com/us-18/arsenal/schedule/#puma-scan-12003
Questions?
Contact Info:
eric.johnson@pumascan.com
@emjohn20

Cloud Security: Attacking The Metadata Service v2Cloud Security: Attacking The Metadata Service v2
Cloud Security: Attacking The Metadata Service v2
Puma Security, LLC
 
Cloud Security: Attacking The Metadata Service
Cloud Security: Attacking The Metadata ServiceCloud Security: Attacking The Metadata Service
Cloud Security: Attacking The Metadata Service
Puma Security, LLC
 
DevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security SuccessDevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security Success
Puma Security, LLC
 
Continuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma ScanContinuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma Scan
Puma Security, LLC
 

Recently uploaded (20)

Risk Management in Software Projects: Identifying, Analyzing, and Controlling...
Risk Management in Software Projects: Identifying, Analyzing, and Controlling...Risk Management in Software Projects: Identifying, Analyzing, and Controlling...
Risk Management in Software Projects: Identifying, Analyzing, and Controlling...
gauravvmanchandaa200
 
Climate-Smart Agriculture Development Solution.pptx
Climate-Smart Agriculture Development Solution.pptxClimate-Smart Agriculture Development Solution.pptx
Climate-Smart Agriculture Development Solution.pptx
julia smits
 
Issues in AI Presentation and machine learning.pptx
Issues in AI Presentation and machine learning.pptxIssues in AI Presentation and machine learning.pptx
Issues in AI Presentation and machine learning.pptx
Jalalkhan657136
 
20200823-Intro-to-FIRRTLllllllllllllllllll
20200823-Intro-to-FIRRTLllllllllllllllllll20200823-Intro-to-FIRRTLllllllllllllllllll
20200823-Intro-to-FIRRTLllllllllllllllllll
JonathanSong28
 
Menu in Android (Define,Create,Inflate and Click Handler)
Menu in Android (Define,Create,Inflate and Click Handler)Menu in Android (Define,Create,Inflate and Click Handler)
Menu in Android (Define,Create,Inflate and Click Handler)
Nabin Dhakal
 
Agentic AI Desgin Principles in five slides.pptx
Agentic AI Desgin Principles in five slides.pptxAgentic AI Desgin Principles in five slides.pptx
Agentic AI Desgin Principles in five slides.pptx
MOSIUOA WESI
 
BoxLang-Dynamic-AWS-Lambda by Luis Majano.pdf
BoxLang-Dynamic-AWS-Lambda by Luis Majano.pdfBoxLang-Dynamic-AWS-Lambda by Luis Majano.pdf
BoxLang-Dynamic-AWS-Lambda by Luis Majano.pdf
Ortus Solutions, Corp
 
Marketing And Sales Software Services.pptx
Marketing And Sales Software Services.pptxMarketing And Sales Software Services.pptx
Marketing And Sales Software Services.pptx
julia smits
 
Feeling Lost in the Blue? Exploring a New Path: AI Mental Health Counselling ...
Feeling Lost in the Blue? Exploring a New Path: AI Mental Health Counselling ...Feeling Lost in the Blue? Exploring a New Path: AI Mental Health Counselling ...
Feeling Lost in the Blue? Exploring a New Path: AI Mental Health Counselling ...
officeiqai
 
What's-New-with-BoxLang-Brad Wood.pptx.pdf
What's-New-with-BoxLang-Brad Wood.pptx.pdfWhat's-New-with-BoxLang-Brad Wood.pptx.pdf
What's-New-with-BoxLang-Brad Wood.pptx.pdf
Ortus Solutions, Corp
 
Multiple Platforms of Unity Game Development.pdf
Multiple Platforms of Unity Game Development.pdfMultiple Platforms of Unity Game Development.pdf
Multiple Platforms of Unity Game Development.pdf
Nova Carter
 
Delivering More with Less: AI Driven Resource Management with OnePlan
Delivering More with Less: AI Driven Resource Management with OnePlan Delivering More with Less: AI Driven Resource Management with OnePlan
Delivering More with Less: AI Driven Resource Management with OnePlan
OnePlan Solutions
 
Microsoft Defender para ponto de extremidade
Microsoft Defender para ponto de extremidadeMicrosoft Defender para ponto de extremidade
Microsoft Defender para ponto de extremidade
leotcerveira
 
Optimising Claims Management with Claims Processing Systems
Optimising Claims Management with Claims Processing SystemsOptimising Claims Management with Claims Processing Systems
Optimising Claims Management with Claims Processing Systems
Insurance Tech Services
 
Why-Choose-an-Authorised-Microsoft-Reseller.pptx
Why-Choose-an-Authorised-Microsoft-Reseller.pptxWhy-Choose-an-Authorised-Microsoft-Reseller.pptx
Why-Choose-an-Authorised-Microsoft-Reseller.pptx
Michael cole
 
How to Create a White Label Crypto Exchange.pdf
How to Create a White Label Crypto Exchange.pdfHow to Create a White Label Crypto Exchange.pdf
How to Create a White Label Crypto Exchange.pdf
zak jasper
 
Chapter_02.pdf Software process Models.pdf
Chapter_02.pdf Software process Models.pdfChapter_02.pdf Software process Models.pdf
Chapter_02.pdf Software process Models.pdf
MaheenVohra
 
Salesforce Experience Cloud Consulting.pdf
Salesforce Experience Cloud Consulting.pdfSalesforce Experience Cloud Consulting.pdf
Salesforce Experience Cloud Consulting.pdf
VALiNTRY360
 
Top 10 Mobile Banking Apps in the USA.pdf
Top 10 Mobile Banking Apps in the USA.pdfTop 10 Mobile Banking Apps in the USA.pdf
Top 10 Mobile Banking Apps in the USA.pdf
LL Technolab
 
How a Staff Augmentation Company IN USA Powers Flutter App Breakthroughs.pdf
How a Staff Augmentation Company IN USA Powers Flutter App Breakthroughs.pdfHow a Staff Augmentation Company IN USA Powers Flutter App Breakthroughs.pdf
How a Staff Augmentation Company IN USA Powers Flutter App Breakthroughs.pdf
mary rojas
 
Risk Management in Software Projects: Identifying, Analyzing, and Controlling...
Risk Management in Software Projects: Identifying, Analyzing, and Controlling...Risk Management in Software Projects: Identifying, Analyzing, and Controlling...
Risk Management in Software Projects: Identifying, Analyzing, and Controlling...
gauravvmanchandaa200
 
Climate-Smart Agriculture Development Solution.pptx
Climate-Smart Agriculture Development Solution.pptxClimate-Smart Agriculture Development Solution.pptx
Climate-Smart Agriculture Development Solution.pptx
julia smits
 
Issues in AI Presentation and machine learning.pptx
Issues in AI Presentation and machine learning.pptxIssues in AI Presentation and machine learning.pptx
Issues in AI Presentation and machine learning.pptx
Jalalkhan657136
 
20200823-Intro-to-FIRRTLllllllllllllllllll
20200823-Intro-to-FIRRTLllllllllllllllllll20200823-Intro-to-FIRRTLllllllllllllllllll
20200823-Intro-to-FIRRTLllllllllllllllllll
JonathanSong28
 
Menu in Android (Define,Create,Inflate and Click Handler)
Menu in Android (Define,Create,Inflate and Click Handler)Menu in Android (Define,Create,Inflate and Click Handler)
Menu in Android (Define,Create,Inflate and Click Handler)
Nabin Dhakal
 
Agentic AI Desgin Principles in five slides.pptx
Agentic AI Desgin Principles in five slides.pptxAgentic AI Desgin Principles in five slides.pptx
Agentic AI Desgin Principles in five slides.pptx
MOSIUOA WESI
 
BoxLang-Dynamic-AWS-Lambda by Luis Majano.pdf
BoxLang-Dynamic-AWS-Lambda by Luis Majano.pdfBoxLang-Dynamic-AWS-Lambda by Luis Majano.pdf
BoxLang-Dynamic-AWS-Lambda by Luis Majano.pdf
Ortus Solutions, Corp
 
Marketing And Sales Software Services.pptx
Marketing And Sales Software Services.pptxMarketing And Sales Software Services.pptx
Marketing And Sales Software Services.pptx
julia smits
 
Feeling Lost in the Blue? Exploring a New Path: AI Mental Health Counselling ...
Feeling Lost in the Blue? Exploring a New Path: AI Mental Health Counselling ...Feeling Lost in the Blue? Exploring a New Path: AI Mental Health Counselling ...
Feeling Lost in the Blue? Exploring a New Path: AI Mental Health Counselling ...
officeiqai
 
What's-New-with-BoxLang-Brad Wood.pptx.pdf
What's-New-with-BoxLang-Brad Wood.pptx.pdfWhat's-New-with-BoxLang-Brad Wood.pptx.pdf
What's-New-with-BoxLang-Brad Wood.pptx.pdf
Ortus Solutions, Corp
 
Multiple Platforms of Unity Game Development.pdf
Multiple Platforms of Unity Game Development.pdfMultiple Platforms of Unity Game Development.pdf
Multiple Platforms of Unity Game Development.pdf
Nova Carter
 
Delivering More with Less: AI Driven Resource Management with OnePlan
Delivering More with Less: AI Driven Resource Management with OnePlan Delivering More with Less: AI Driven Resource Management with OnePlan
Delivering More with Less: AI Driven Resource Management with OnePlan
OnePlan Solutions
 
Microsoft Defender para ponto de extremidade
Microsoft Defender para ponto de extremidadeMicrosoft Defender para ponto de extremidade
Microsoft Defender para ponto de extremidade
leotcerveira
 
Optimising Claims Management with Claims Processing Systems
Optimising Claims Management with Claims Processing SystemsOptimising Claims Management with Claims Processing Systems
Optimising Claims Management with Claims Processing Systems
Insurance Tech Services
 
Why-Choose-an-Authorised-Microsoft-Reseller.pptx
Why-Choose-an-Authorised-Microsoft-Reseller.pptxWhy-Choose-an-Authorised-Microsoft-Reseller.pptx
Why-Choose-an-Authorised-Microsoft-Reseller.pptx
Michael cole
 
How to Create a White Label Crypto Exchange.pdf
How to Create a White Label Crypto Exchange.pdfHow to Create a White Label Crypto Exchange.pdf
How to Create a White Label Crypto Exchange.pdf
zak jasper
 
Chapter_02.pdf Software process Models.pdf
Chapter_02.pdf Software process Models.pdfChapter_02.pdf Software process Models.pdf
Chapter_02.pdf Software process Models.pdf
MaheenVohra
 
Salesforce Experience Cloud Consulting.pdf
Salesforce Experience Cloud Consulting.pdfSalesforce Experience Cloud Consulting.pdf
Salesforce Experience Cloud Consulting.pdf
VALiNTRY360
 
Top 10 Mobile Banking Apps in the USA.pdf
Top 10 Mobile Banking Apps in the USA.pdfTop 10 Mobile Banking Apps in the USA.pdf
Top 10 Mobile Banking Apps in the USA.pdf
LL Technolab
 
How a Staff Augmentation Company IN USA Powers Flutter App Breakthroughs.pdf
How a Staff Augmentation Company IN USA Powers Flutter App Breakthroughs.pdfHow a Staff Augmentation Company IN USA Powers Flutter App Breakthroughs.pdf
How a Staff Augmentation Company IN USA Powers Flutter App Breakthroughs.pdf
mary rojas
 

Weaponizing Your DevOps Pipeline

  • 1. Weaponizing Your DevOps Pipeline
    OWASP MSP, Thursday, July 19th 2018
    Eric Johnson (@emjohn20)
  • 2. Eric Johnson, CISSP, AWS CD, GSSP, GWAPT
    Puma Security
    • Principal Security Engineer
    • Modern static code analysis
    • DevSecOps automation
    • Secure Development Lifecycle
    SANS Institute
    • Certified Instructor: DEV541: Secure Coding in Java; DEV534: Secure DevOps
    • Course Author: DEV531: Mobile App Security Essentials; DEV540: Secure DevOps & Cloud Application Security; DEV544: Secure Coding in .NET
    ©2018 – Puma Security, LLC
  • 3. Roadmap
    • The DevOps Problem
    • DevSecOps Program: Pre-Commit, Commit, Acceptance, Production, Operations
    • Conclusion
  • 4. State of DevOps
    State of DevOps report (2017) indicates high performing organizations:
    • Deploy 46x more frequently
    • Have 440x shorter lead times
    • Recover from failures 96x faster
    • Spend 50% less time remediating security issues
  • 5. The DevOps Toolchain
    The DevOps toolchain enabling the rapid delivery cycles (not inclusive): Git, Jenkins, Docker, Artifactory, Puppet / Chef, Terraform, Kubernetes, Packer
  • 6. State of Traditional Security
    • External vendor performing annual assessments
    • Internal security team receives 1,000 page PDF reports
    • Internal security team manually running scanners, fuzzers, etc.
  • 7. HPE | AppSec & DevOps Survey
    • Published October 2016
    • Release frequency up 30x
    • 42% indicate silos still exist between Sec and DevOps
    Chart "Security in DevOps": categories SecDevOps, Gated Reviews, Network Defenses, Nothing; values 20%, 38%, 25%, 17%
  • 8. The Problem
    • Security is not invited to the DevOps party
    • Internal security team does not have a development background
    • Frequent deployments invalidate assessment results
    • Missing a huge opportunity for security in the pipeline
  • 9. Why The Cold Shoulder?
    "DevOps is an excuse for developers to have global access to production. No way." - The dictator CISO
    "Perfect, I get to wire up crappy security scanners and break the build." - The security jerk
    "We cannot use continuous delivery and remain PCI compliant." - The uninformed compliance manager
  • 10. What is DevSecOps
    DevSecOps / SecDevOps / DevOpsSec is about breaking down walls between security and:
    • Development
    • Operations
    • Business
    "In DevSecOps, security is a first-class problem and the security team is a first-class citizen." - Jim Bird, CTO, SANS Analyst & DEV540 co-author
  • 11. Roadmap
    • The DevOps Problem
    • DevSecOps Program: Pre-Commit, Commit, Acceptance, Production, Operations
    • Conclusion
  • 12. Keeping CALM & DevSecOps On
    Applying security to Wills, Edwards, & Humble's CALMS:
    • Culture - No security jerks (Etsy), turning "no" into "yes"
    • Automation - Rely on security tools for efficiency + repeatability
    • Lean - Apply lean engineering practices to risk assessments / code reviews
    • Measurement - Use security data to drive decisions, improve, and respond in real time (or near real time)
    • Sharing - Sharing threat intel, secure frameworks, and postmortems across the organization
  • 13. DevSecOps Phases
    • DevSecOps cycles through 5 key phases: Pre-Commit, Commit (CI), Acceptance, Production, Operations
    • SANS DevSecOps Toolchain lists several OSS tools for each phase – written by Ben Allen, Jim Bird, Eric Johnson, & Frank Kim
    • https://sans.org/u/zAi
  • 14. DevSecOps Security Controls
    Breaking down the security controls in each DevSecOps phase:
    [Slide matrix: phases PRE-COMMIT, COMMIT (CI), ACCEPTANCE, PRODUCTION, OPERATIONS; controls: IDE security plugins, pre-commit hooks, peer code reviews, threat modeling, static code analysis, security unit tests, container security, dependency management, infrastructure scanning, dynamic security tests, security acceptance tests, cloud infrastructure, security smoke tests, security configuration, secrets management, server hardening, blameless postmortems, continuous monitoring, penetration testing, threat intelligence]
  • 15. DevSecOps Phases | Pre-Commit
    Applying security controls before code is written and committed:
    [Same control matrix as slide 14, PRE-COMMIT phase highlighted]
  • 16. Pre-Commit | Threat Modeling
    Threat modeling must apply lean engineering principles:
    • Lightweight and incremental review
    • The source code is the design
    • Focus on data classification, entry points, high risk code, and writing security stories / abuse cases
    • Categorize the risk level (high risk, paved road, control gates)
  • 17. Pre-Commit | Threat Modeling Tools
    Weaponizing the toolchain:
    • Raindance – https://github.com/devsecops/raindance
    • Mozilla's Rapid Risk Assessment (RRA) – https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html
    • OWASP Threat Dragon – https://www.owasp.org/index.php/OWASP_Threat_Dragon
  • 18. Pre-Commit | High Risk Code Examples
    High risk code may perform any of the following functionality (not inclusive):
    • Infrastructure code
    • Pipeline definitions
    • Authentication
    • Access control
    • Output encoding
    • Input validation
    • Automated security / compliance tests
    • High risk business logic
    • Data entitlement checks
    • Handling confidential data
    • Cryptography
  • 19. Pre-Commit | Threat Modeling Example
    Mozilla's rapid risk assessment guidance and Google Doc provide a blueprint for 30 minute RRAs.
  • 20. Pre-Commit | IDE Security Plugins
    Opportunity to identify vulnerabilities in infrastructure and application code as code is written or saved to disk:
    • Security becomes part of the engineering workflow
    • Shifting as far left as possible in the kill chain
    • Must have low false positive rates (important)
  • 21. Pre-Commit | IDE Security Tools
    Weaponizing the toolchain:
    • FindSecurityBugs (Java)
    • Puma Scan (C#)
    • Sonar Lint (Java, C#, JavaScript)
    • DevSkim (C#, JavaScript)
  • 22. Pre-Commit | IDE Security Example
    Puma Scan identifying a JSON deserialization vulnerability.
  • 23. Pre-Commit | Git Hooks
    Run security checkers before committing code to git:
    • Invoke additional CLI scans / security checks before code reaches continuous integration
    • Use for secrets management, keys, access keys, etc.
    • Important to note these client-side protections can be disabled by engineers
  • 24. Pre-Commit | Git Hook Tools
    Weaponizing the toolchain:
    • AWS Labs git-secrets – https://github.com/awslabs/git-secrets
    • Talisman – https://github.com/thoughtworks/talisman
    • Auth0 repo-supervisor – https://github.com/auth0/repo-supervisor
    • Yelp Pre-Commit Framework – https://pre-commit.com/
  • 25. Pre-Commit | Git Hook Example
    AWS git-secrets blocking a commit that contains an access key id and secret key:
      $ git commit -m "testing git-secrets"
      Web/PumaScan.Licensing.Web/appsettings.json:5: "AccessKey": "AKIAJNQ7C2FCRR6B4VWA",
      Web/PumaScan.Licensing.Web/appsettings.json:6: "SecretKey": "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"
      [ERROR] Matched one or more prohibited patterns
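The kind of check git-secrets performs on slide 25, as an added Python example rather than git-secrets' own code: it scans only the added lines of the staged diff for AWS-style access key ids and secret keys, allows AWS's documented placeholder credentials, and exits non-zero so the commit is blocked. The regular expressions are a simplified approximation of git-secrets' AWS rules (an assumption, not that tool's exact set), and the sample diff with its key values is constructed.

```python
"""Pre-commit hook blocking AWS-style credentials in staged changes.

Added example in the spirit of git-secrets; not git-secrets' own code.
Install: copy to .git/hooks/pre-commit and make it executable.
"""
import re
import subprocess
import sys
from typing import List, NamedTuple

# Access key ids: a known four-letter prefix plus 16 upper-case alphanumerics
# (simplified approximation of the git-secrets --register-aws pattern).
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA|AGPA|AIDA|AROA|ANPA|ANVA)[A-Z0-9]{16}\b")
# Secret keys are 40 base64-ish characters; a key-like name must sit next to
# the value so that 40-char hashes and tokens are not reported.
SECRET_KEY_RE = re.compile(
    r'(?i)(?:aws)?_?secret(?:_?access)?_?key["\']?\s*[:=]\s*["\']?([A-Za-z0-9/+=]{40})\b'
)
# AWS's documented placeholder credentials are allowed so docs can use them.
ALLOWED = {
    "AKIAIOSFODNN7EXAMPLE",
    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    line: str


def scan_lines(path: str, lines, start_line: int = 1) -> List[Finding]:
    """Scan text lines from one file; one Finding per prohibited match."""
    findings = []
    for offset, line in enumerate(lines):
        for m in ACCESS_KEY_RE.finditer(line):
            if m.group(0) not in ALLOWED:
                findings.append(Finding(path, start_line + offset, "access-key", line.rstrip()))
        m = SECRET_KEY_RE.search(line)
        if m and m.group(1) not in ALLOWED:
            findings.append(Finding(path, start_line + offset, "secret-key", line.rstrip()))
    return findings


def scan_diff(diff: str) -> List[Finding]:
    """Scan only the added lines of a unified diff (git diff --cached -U0)."""
    findings = []
    path, line_no = "", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path  # drop git's b/ prefix
        elif raw.startswith("@@"):
            # Hunk header "@@ -a,b +c,d @@": c is the first new-file line number.
            m = re.match(r"@@ -\S+ \+(\d+)", raw)
            line_no = int(m.group(1)) if m else 0
        elif raw.startswith("+"):
            findings.extend(scan_lines(path, [raw[1:]], line_no))
            line_no += 1
        elif raw.startswith(" "):  # context line (absent with -U0)
            line_no += 1
    return findings


# Constructed staged diff: one leaked key pair plus an allowed AWS example key.
SAMPLE_DIFF = """\
diff --git a/appsettings.json b/appsettings.json
--- a/appsettings.json
+++ b/appsettings.json
@@ -4,0 +5,2 @@
+  "AccessKey": "AKIAEXAMPLEEXAMPLE00",
+  "SecretKey": "abcdefghijklmnopqrstuvwxyz0123456789ABCD",
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,0 +2 @@
+Example key from the AWS docs: AKIAIOSFODNN7EXAMPLE
"""


def staged_diff() -> str:
    """The diff of what is about to be committed (index vs HEAD)."""
    return subprocess.run(
        ["git", "diff", "--cached", "-U0", "--no-color"],
        check=True, capture_output=True, text=True,
    ).stdout


def main() -> int:
    findings = scan_diff(staged_diff())
    for f in findings:
        print(f"{f.path}:{f.line_no}: [{f.kind}] {f.line}", file=sys.stderr)
    if findings:
        print("[ERROR] Matched one or more prohibited patterns; commit blocked.", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Running scan_diff(SAMPLE_DIFF) reports the two appsettings.json lines and nothing for the README line, since the AWS example key is on the allowlist.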
  • 26. Pre-Commit | Peer Reviews
    Peer code reviews are mandatory in disciplined DevSecOps organizations:
    • Allow engineers to discover hard-coded secrets, logic flaws in high risk code, and backdoors
    • Compensating control for separation of duties in continuous deployment
    • Relies on the reviewer's application security skillset
  • 27. Pre-Commit | Peer Review Toolchain
    Weaponizing the toolchain:
    • GitHub Pull Request
    • GitLab Merge Request
    • Bitbucket Pull Request
    • Gerrit (Google)
    • Review Board – https://github.com/reviewboard/reviewboard
  • 28. Pre-Commit | Peer Review Example
    GitHub pull request requiring peer review approval.
  • 29. DevSecOps Phases | Commit
    Applying automated, fast, accurate security controls in the CI pipeline:
    [Same control matrix as slide 14, COMMIT (CI) phase highlighted]
  • 30. Commit | Static Code Analysis
    Limited opportunity for static analysis in CI & CD pipelines:
    • Speed matters (< 5 minutes)
    • High accuracy rules
    • Low false positive rates
    • Disable rules that do not provide value to engineers
  • 31. Commit | Static Code Analysis Tools
    Weaponizing the toolchain:
    • Brakeman (Ruby)
    • ESLint (NodeJS)
    • Puma Scan (C#)
    • FindSecurityBugs (Java)
    • Puppet Lint Security
    • And many, many commercial offerings…
  • 32. Commit | Static Code Analysis Example
    Puma Scan failing a build in a Jenkins CI pipeline.
  • 33. Commit | Static Code Analysis Example
    Capturing and reporting vulnerability data in a Jenkins CI pipeline.
  • 34. Commit | Security Unit Tests
    Built on top of standard unit and integration tests to enforce security requirements:
    • Leverage abuse cases and evil user stories from the rapid risk assessment
    • Focus on high risk code and business logic flaws
    • Fast execution in the IDE / CI pipeline
    • Can be used to enforce security requirements
  • 35. Commit | Security Unit Test Tools
    Weaponizing the toolchain:
    • JUnit
    • XUnit
    • Mocha (NodeJS)
    • RSpec
  • 36. Commit | Happy Path Unit Test Example
    • Engineers often stay on the "happy path"
    • Prove the code works under normal usage
      [Theory]
      [InlineData("[email protected]", "L1ttleB0bbyTable$", "1", HttpStatusCode.Found)]
      public async Task License_DownloadTest(string username, string password, string id, HttpStatusCode responseCode)
      {
          …
          // Request the download with the authenticated session cookie
          var request = new HttpRequestMessage(HttpMethod.Get, $"/download/{id}");
          request.Headers.Add("Cookie", $"app-portal={authCookie};");
          var response = await _client.SendAsync(request);
          Assert.Equal(responseCode, response.StatusCode);
      }
  • 37. Commit | Validation Unit Test Example
    Testing common SQL injection characters:
      [Theory]
      [InlineData("[email protected]", "L1ttleB0bbyTable$", "'", HttpStatusCode.NotFound)]
      [InlineData("[email protected]", "L1ttleB0bbyTable$", "*", HttpStatusCode.NotFound)]
      [InlineData("[email protected]", "L1ttleB0bbyTable$", ")", HttpStatusCode.NotFound)]
      [InlineData("[email protected]", "L1ttleB0bbyTable$", ",", HttpStatusCode.NotFound)]
      [InlineData("[email protected]", "L1ttleB0bbyTable$", ";", HttpStatusCode.NotFound)]
      [InlineData("[email protected]", "L1ttleB0bbyTable$", "#", HttpStatusCode.NotFound)]
      [InlineData("[email protected]", "L1ttleB0bbyTable$", "&", HttpStatusCode.NotFound)]
      public async Task License_DownloadTest(string username, string password, string id, HttpStatusCode responseCode)
      {
          …
          // Each special character in the id must be rejected with 404, never reach the query
          var request = new HttpRequestMessage(HttpMethod.Get, $"/download/{id}");
          request.Headers.Add("Cookie", $"app-portal={authCookie};");
          var response = await _client.SendAsync(request);
          Assert.Equal(responseCode, response.StatusCode);
      }
  • 38. Commit | High Risk Code Unit Test Example
    Verifying checksums on high risk code:
      [Theory]
      [InlineData("/Web/Controllers/AccountController.cs", "2ffbf33b66ddb07616f882ceed0718826af298a7")]
      [InlineData("/Shared/Services/Cryptography/Hash.cs", "d51bfd137d37a7ed908737552568bcc5241f5021")]
      [InlineData("/Shared/Services/Cryptography/Asymmetric.cs", "fe83bf6f453698c5f78cab167bca14c72daf32c0")]
      [InlineData("/Shared/Services/Cryptography/Symmetric.cs", "ae951207f4fbdbe2d9661297f285dc99857f32d4")]
      public void HighRiskCode_CheckSumTest(string file, string checksum)
      {
          // Compare the pinned checksum with the file's current hash
          bool match = checksum.Equals(Hash.GetChecksum(file));
          // A mismatch means high risk code changed: pull in a reviewer before the build passes
          if (!match)
              NotificationService.RequestCodeReview(file);
          Assert.True(match);
      }
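A generalization of the high risk code checksum test on slide 38 (and the security unit test idea of slides 34 to 37), written as an added Python example rather than Puma Security's code: the pinned digests live in a manifest, a missing file counts as drift alongside a modified one, and each drift triggers the review-request callback. SHA-256 is assumed in place of the slide's SHA-1, and the file names and contents are constructed.

```python
"""Checksum guard for high risk code; added example, not Puma Security's code.

Pins a SHA-256 digest per high risk file (SHA-256 is an assumed choice; the
slide shows SHA-1) and flags any change so a reviewer is pulled in before
the build goes green.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, NamedTuple


class Drift(NamedTuple):
    file: str
    expected: str   # pinned digest
    actual: str     # computed digest, or "" when the file is missing


def file_digest(path: Path) -> str:
    """SHA-256 of the file content, streamed so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(manifest: Path) -> Dict[str, str]:
    """Manifest format (constructed): JSON object {relative_path: sha256hex}."""
    return json.loads(manifest.read_text())


def check_high_risk_code(root: Path, pinned: Dict[str, str],
                         request_review: Callable[[str], None]) -> List[Drift]:
    """Compare every pinned file against its digest.

    A mismatch or a missing file is reported and handed to request_review,
    the counterpart of NotificationService.RequestCodeReview on the slide.
    """
    drifts = []
    for rel, expected in sorted(pinned.items()):
        path = root / rel
        actual = file_digest(path) if path.is_file() else ""
        if actual != expected:
            drifts.append(Drift(rel, expected, actual))
            request_review(rel)
    return drifts


def pin_high_risk_code(root: Path, files: List[str]) -> Dict[str, str]:
    """Regenerate the manifest after an approved review."""
    return {rel: file_digest(root / rel) for rel in files}


# Constructed sample repository used by the demo below.
SAMPLE_FILES = {
    "Web/Controllers/AccountController.cs": "public class AccountController {}\n",
    "Shared/Services/Cryptography/Hash.cs": "public static class Hash {}\n",
}


def build_sample_repo(root: Path) -> Dict[str, str]:
    """Write the constructed files and return their pinned digests."""
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return pin_high_risk_code(root, list(SAMPLE_FILES))


def demo(root: Path) -> List[Drift]:
    """Pin, then tamper with one file and delete another; return the drifts."""
    pinned = build_sample_repo(root)
    (root / "Shared/Services/Cryptography/Hash.cs").write_text(
        "public static class Hash { /* weakened */ }\n")
    (root / "Web/Controllers/AccountController.cs").unlink()
    reviews: List[str] = []
    drifts = check_high_risk_code(root, pinned, reviews.append)
    assert reviews == [d.file for d in drifts]  # one review request per drift
    return drifts


def run_demo_in_tempdir() -> List[Drift]:
    """demo() in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return demo(Path(tmp))


def untouched_drift_count() -> int:
    """A freshly pinned repository must report no drift at all."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return len(check_high_risk_code(root, build_sample_repo(root), lambda _: None))


if __name__ == "__main__":
    for d in run_demo_in_tempdir():
        print(f"{d.file}: {'missing' if not d.actual else 'modified'}; code review requested")
```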
  • 39. Commit | Container Security
    Containers present an entirely new attack surface for engineering teams to deal with:
    • Managing container secrets
    • Poisoned / untrusted images
    • Hardening the image operating system
    • Docker daemon / API attack surface
    • This topic alone is an hour+ conversation
  • 40. Commit | Container Security Tools
    Weaponizing the toolchain:
    • Anchore – https://anchore.com/opensource/
    • Actuary – https://github.com/diogomonica/actuary
    • Clair – https://github.com/coreos/clair
    • Falco – https://github.com/draios/falco
  • 41. Commit | Container Security Scan Example
    Anchore scan results via Jenkins CI.
  • 42. Commit | Dependency Management
    Builds a bill of materials from operations and application dependencies:
    • Scans manifests, templates, and libraries
    • Identifies packages and libraries with known vulnerabilities
    • Suggests package version updates to remediate vulnerabilities
  • 43. Commit | Dependency Management Tools
    Weaponizing the toolchain:
    • OWASP Dependency Check
    • PHP Security Checker
    • Retire.JS
    • Node Security Project
  • 44. Commit | Dependency Management Example
    Dependency check scan results via Jenkins CI.
  • 45. DevSecOps Phases | Acceptance
    Applying security controls during delivery of infrastructure or applications to acceptance:
    [Same control matrix as slide 14, ACCEPTANCE phase highlighted]
  • 46. DevSecOps Phases | Production
    Applying security controls during deployment of infrastructure or applications to production:
    [Same control matrix as slide 14, PRODUCTION phase highlighted]
  • 47. DevSecOps Phases | Operations
    Continuous security monitoring, testing, and compliance checks in production:
    [Same control matrix as slide 14, OPERATIONS phase highlighted]
  • 48. Roadmap
    • The DevOps Problem
    • DevSecOps Program: Pre-Commit, Commit, Acceptance, Production, Operations
    • Conclusion
  • 49. Puma Scan | Black Hat Arsenal 2018
    • Open source security source code analyzers
    • 50+ application security-specific rules
    • Install guide, rule docs, source code: https://www.pumascan.com/community, https://github.com/pumasecurity, @puma_scan
    • Presenting Wednesday August 8th at Black Hat Arsenal: https://www.blackhat.com/us-18/arsenal/schedule/#puma-scan-12003