Continuous Security
Laura Bell (SafeStack), September 01, 2015
Presented at AgileNZ by Laura Bell
Continuous Security Laura Bell SafeStack
Continuous Security. Laura Bell, Founder & Lead Consultant, SafeStack. @lady_nerd, laura@safestack.io
once upon a time*… (* sometime in the last week for some of you)
and the whole world went to hell
common misconceptions
it’s not my job (that’s why we have a security team)
it’s impossible so why try
we’ve always done this… nobody’s hacked us yet
we’re too little to fail (at security)
agility increases risk
what is continuous security?
idea, design, code, stuff, test, deploy
Initial Risk Assessment, Design Review, Code and Implementation Review, Penetration Testing
continuous
principles of continuous security: automated, autonomous, integrated, repeatable, scalable
automated: “the best technical people I know work really hard to make themselves redundant”
Deployment, Provisioning, Testing, Static analysis, Vulnerability mgmt
autonomous: “no bottlenecks, breakdowns or ripples”
Skills, Authority, Accountability: every team
integrated: “bite-sized security that works with every step of your lifecycle”
Woven in to keep you going. Respected enough to stop you.
repeatable: “security fails when it’s a special event”
Every story, Every sprint, Every developer, Every time
Standard Security Stories: http://www.safecode.org
scalable: “more than just a single team experiment”
Business as usual: Managed, Measured, Controlled, Universal. Special: Proof of concept, Blue sky, Experiment, Innovation
Case Study
Fast growing, 110 developers, Compliance environment, New code, Legacy code, Multiple languages
Requirements: Standard Security Stories, Architecture Inclusion, Reusable requirements
Code review: IDE-based free tools, Peer Review, Security guild
Testing: Automated ZAP testing, Selenium, Standard security tests
Deployment: Vulnerability checks, Infrastructure as code, On demand deployments
Collaboration: Security guild, Chat ops, Hack events
Good stuff: speed of change, skill level increase, increased awareness, priority of legacy, use of security resource
Lessons learned: security guilds, tool cost, tool quality, approaches, training at scale
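The case study's "Standard security tests" and the "repeatable" principle (every story, every sprint, every time) both come down to security acceptance criteria that run unattended on each build rather than in a one-off review. The following is an added example, not SafeStack's or the speaker's code, of what one such test looks like: the acceptance criteria of two security stories in the SAFECode style (session cookies carry Secure, HttpOnly and SameSite; every response carries a baseline set of security headers) are encoded as a check over an HTTP response's headers, so it can sit in CI beside the Selenium and ZAP suites. The two responses are constructed sample data, and the header list and predicates are this example's assumptions rather than anything the deck specifies.

```python
"""Standard security test: session-cookie and baseline-header checks.

Added example, not SafeStack's or the speaker's code. It encodes the
acceptance criteria of two security stories as a check that runs on
every build:

  * "Session cookies are marked Secure, HttpOnly and SameSite"
  * "Every response carries the agreed baseline security headers"

Which headers count as baseline, and how strict each check is, are this
example's assumptions; adjust them to the stories your team has agreed.
"""
from http.cookies import SimpleCookie

# Header -> predicate that accepts a compliant value. Assumed baseline.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": lambda v: "max-age=" in v.lower(),
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "Content-Security-Policy": lambda v: "default-src" in v.lower(),
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
}


def check_cookie(set_cookie_value):
    """Findings for one Set-Cookie header value (empty list = passes)."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    findings = []
    for name, morsel in jar.items():
        # Flag attributes parse to True when present, "" when absent.
        if not morsel["secure"]:
            findings.append(f"cookie {name}: missing Secure")
        if not morsel["httponly"]:
            findings.append(f"cookie {name}: missing HttpOnly")
        if morsel["samesite"].lower() not in ("lax", "strict"):
            findings.append(f"cookie {name}: SameSite not Lax/Strict")
    return findings


def check_response(headers):
    """Return a list of findings (empty means the response passes).

    `headers` is a list of (name, value) pairs, the shape returned by
    http.client's HTTPResponse.getheaders(), so repeated Set-Cookie
    headers arrive as separate pairs rather than being joined.
    """
    findings = []
    present = {}
    set_cookies = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            set_cookies.append(value)
        else:
            present[name.lower()] = value

    for name, is_ok in REQUIRED_HEADERS.items():
        value = present.get(name.lower())
        if value is None:
            findings.append(f"missing header: {name}")
        elif not is_ok(value):
            findings.append(f"weak header: {name}: {value!r}")

    for raw in set_cookies:
        findings.extend(check_cookie(raw))
    return findings


# Constructed sample responses: the "before" that fails both stories and
# the "after" that satisfies them.
INSECURE_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=4f9c2e; Path=/"),
]

HARDENED_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "session=4f9c2e; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


if __name__ == "__main__":
    for label, resp in (("insecure", INSECURE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = check_response(resp)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

To wire this into a real pipeline, replace the constructed lists with the header pairs from a live request (`http.client`'s `HTTPResponse.getheaders()` returns exactly this shape) and fail the build when `check_response` returns anything. Because the check is a plain function with a fixed input shape, the same test can run against every environment the deck asks you to make identical (dev == test == prod) without any change.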
achieving continuous security
choose tools wisely: integrations with workflows, API, speed
easy to digest resources: keep your examples, templates and reusable stuff as close to your developers as possible
educate everyone: skills are the number one bottleneck
give testers some love: test environments, clean test data and tools
no special treatment: legacy code needs security too
dev == test == prod: remove the differences to remove deployment complexity
Questions? Laura Bell, Founder & Lead Consultant, SafeStack. @lady_nerd, laura@safestack.io
@lady_nerd Laura Bell SafeStack. Thanks for listening…