Presenter: Josh Wallace
- What does your security team think of devops?
- They slow you down, right?
- In my situation we have no security team, so a little different when dealing with super small team
- How do you inject dynamic analysis into your pipeline if releasing every few minutes as Amazon does
- They slow you down, right?
- Should you automate your processes if they are not good?
- Is automation good on its face even if perpetuating a bad practice underneath, especially from a security perspective.
- Applications tend to be tested equally, but now well
- functional testing of security requirements usually not done, if security requirements exist at all
- Do not have to apply the same level of testing and security scrutiny to all applications, level or risk should dictate how thoroughly an app is beat up.
- How do we fix the above situations? Introducing a framework for continuous security! (Crimson and Clover)
- Define our requirements during planning and pre-planning phases
- application inventory
- apps ranked by risk
- secure coding guidelines
- threat modeling
- required security controls based on risk
- All security requirement should be tested
- break the ci build so get feedback immediately
- Testable security requirements are needed
- requirements need to be written in a manner that is testable
- written in dev speak, not security speak
- train developers on security
- requirements need to be written in a manner that is testable
- Automate security testing, put in pipeline
- Pipeline should be scale-able and flexible, not many
- One good pipeline with if/then logic better than one per app
- Don’t write your own crypto code, ever.
- There are plenty of good, easy to use libraries that are essentially unbreakable
- Define our requirements during planning and pre-planning phases