Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Preventing you from being responsible for your ...

Otavio Santana
September 16, 2021

Preventing you from being responsible for your company's next security disaster[Xgeeks]

Currently, we see several cases of security breaches that caused a loss of millions, either as credibility or as new fines. As a result, new data protection laws emerge.
Betting on information security guarantees quality and helps prevent these headaches, in addition to avoiding scandals that could make a software project unfeasible.
The company and its team are aware of the importance of safety and prevention; it is necessary to develop a DevSecOps culture. In this talk, you will learn more about this working model and how to prevent you or someone on your team from being responsible for the next security disaster.

Otavio Santana

September 16, 2021
Tweet

More Decks by Otavio Santana

Other Decks in Technology

Transcript

  1. >_< @zupinnovation zup.com.br Preventing you from being responsible for your

    company's next security disaster Otavio Santana @otaviojava
  2. <> @zupinnovation zup.com.br Who am I? Otavio Santana Distinguished Engineer

    @otaviojava • Pas Jean Valjean • Java Champion • JCP-EC-EG-EGL • Apache Committer • Eclipse Committer • Eclipse Project Leader • Book and blog writer who
  3. <> @zupinnovation zup.com.br Who am I? Wilian Gabriel da Silva

    Tech Lead @wiliangds • Golang Developer • JS/TS Developer • Python Developer • Compilers Developer • Blog writer • Youtube recorder • Zup Open Source Committer
  4. <> @zupinnovation zup.com.br The biggest data breaches of the 21st

    century Ref: https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html Accounts Yahoo + Pieces of user data Alibaba + 700 million users LinkedIn Accounts Sina Weibo + Facebook 3 bi 1.1 bi 700 mi 538 mi Accounts 533 mi
  5. <> @zupinnovation zup.com.br 800 and 1,500 businesses around the world

    have been affected IBM’s Data Breach Study $300 million $7 million Target paid this amount for breach remediation Can a data breach really bankrupt your business?
  6. <> @zupinnovation zup.com.br Code Vulnerability Every 3 out of 4

    applications • Injection • Cross-Site Scripting (XSS) • Buffer Overflow • Broken Authentication • Sensitive Data Exposure • Broken Access Control
  7. <> @zupinnovation zup.com.br Operations Vulnerability “New research shows 75% of

    ‘open’ Redis servers infected” • Default, blank, and weak username/password. • Extensive user and group privileges
  8. <> @zupinnovation zup.com.br “DevSecOps is DevOps done securely” “DevOps has

    provided speed and quality benefits with continuous development and deployment methods, but it does not guarantee the security of an entire organization.” “Whether you call it "DevOps" or "DevSecOps," it has always been ideal to include security as an integral part of the entire app life cycle.” Definition through bibliography
  9. <> @zupinnovation zup.com.br The 12 Factors App 1. Codebase 2.

    Dependencies 3. Config 4. Backing services 5. Build, release, run 6. Process 7. Port binding 8. Concurrency 9. Disposability 10. Dev/prod parity 11. Logs 12. Admin processes
  10. <> @zupinnovation zup.com.br Horusec is an open-source framework that enhances

    the identification of vulnerabilities in your project with just one command.
  11. <> @zupinnovation zup.com.br Thank you! Otávio Santana @otaviojava Distinguished Engineer

    @zupInnovation Wilian Gabriel da Silva @wiliangds Tech Lead Q&A