Continuous Security

Transcript

1. Continuous Security Laura Bell SafeStack

2. Con$nuous   Security Laura  Bell F O U N D

   E R   &   L E A D   C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o

3. once  upon  a  $me*… *  Some'me  in  the  last  week

    for  some  of  you  

4. and  the  whole  world went  to  hell

5. common  misconcep$ons

6. it’s  not  my  job   (that’s  why  we  have  a

    security  team)

7. it’s  impossible  so  why  try

8. we’ve  always  done  this… nobody’s  hacked  us  yet

9. we’re  too  li@le  to  fail     (at  security)

10. agility  increases  risk

11. what  is  con$nuous  security?

12. design   code  stuff   idea   test   deploy

     

13. design   code  stuff   idea   test   deploy

      Ini'al  Risk   Assessment   Design     Review   Code  and   Implementa'on   Review   Penetra'on   Tes'ng  
14. None

15. con$nuous

16. principles  of  con$nuous  security

17. automated   autonomous   integrated   repeatable   scalable

18. automated “the  best  technical  people  I  know  work   really

     hard  to  make  themselves  redundant”

19. Deployment Provisioning Tes$ng Sta$c  analysis Vulnerability  mgmt

20. autonomous “no  boMlenecks,  breakdowns  or  ripples”

21. None

22. Skills Authority Accountability every  team

23. integrated “bite-­‐sized  security  that  works  with  every  step   of

     your  lifecycle”
24. None

25. Woven  in  to  keep  you  going Respected  enough  to  stop

     you

26. repeatable “security  fails  when  it’s  a  special  event”

27. Every  story Every  sprint Every  developer Every  $me

28. Standard  Security  Stories h@p:/ /www.safecode.org

29. scalable “more  than  just   a  single  team   experiment”

30. Business  as  usual Managed Measured Controlled Universal Special Proof  of

     concept Blue  sky Experiment Innova$on

31. Case  Study

32. Fast  growing   110  developers   Compliance  environment   New

     code   Legacy  code   Mul$ple  languages  

33. Requirements Standard  Security   Stories Architecture   Inclusion Reusable  

    requirements

34. Code  review IDE  based  free  tools Peer  Review Security  guild

     

35. Tes$ng Automated  ZAP   tes$ng Selenium Standard  security   tests

36. Deployment Vulnerability  checks Infrastructure  as  code On  demand  deployments

37. Collabora$on Security  guild Chat  ops Hack  events

38. Good  stuff    speed  of  change skill  level  increase increased

     awareness priority  of  legacy  use  of  security  resource

39. Lessons  learned  security  guilds tool  cost tool  quality approaches training

     at  scale

40. achieving  con$nuous  security

41. choose  tools  wisely   integra$ons  with  workflows,  API,  speed

42. easy  to  digest  resources   keep  your  examples,  templates  and

        reusable  stuff  as  close  to  your  developers     as  possible

43. educate  everyone   skills  are  the  number  one  bo@leneck

44. give  testers  some  love   test  environments,  clean  test  data

     and  tools

45. no  special  treatment   legacy  code  needs  security  too

46. dev  ==  test  ==  prod   remove  the  differences  to

     remove     deployment  complexity

47. Ques$ons? Laura  Bell F O U N D E R

      &   L E A D   C O N S U LTA N T S A F E S TAC K @ l a d y _ n e rd l a u r a @ s a fe s t a c k . i o

48. @lady_nerd Laura Bell SafeStack Thanks for listening…