Preventing you from being responsible for your company's next security disaster[Xgeeks]

Transcript

1. >_< @zupinnovation zup.com.br Preventing you from being responsible for your

   company's next security disaster Otavio Santana @otaviojava

2. <> @zupinnovation zup.com.br Who am I? Otavio Santana Distinguished Engineer

   @otaviojava • Pas Jean Valjean • Java Champion • JCP-EC-EG-EGL • Apache Committer • Eclipse Committer • Eclipse Project Leader • Book and blog writer who

3. <> @zupinnovation zup.com.br Who am I? Wilian Gabriel da Silva

   Tech Lead @wiliangds • Golang Developer • JS/TS Developer • Python Developer • Compilers Developer • Blog writer • Youtube recorder • Zup Open Source Committer

4. <> @zupinnovation zup.com.br Who does need security? A brief context

5. <> @zupinnovation zup.com.br The biggest data breaches of the 21st

   century Ref: https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html Accounts Yahoo + Pieces of user data Alibaba + 700 million users LinkedIn Accounts Sina Weibo + Facebook 3 bi 1.1 bi 700 mi 538 mi Accounts 533 mi

6. <> @zupinnovation zup.com.br 800 and 1,500 businesses around the world

   have been affected IBM’s Data Breach Study $300 million $7 million Target paid this amount for breach remediation Can a data breach really bankrupt your business?

7. <> @zupinnovation zup.com.br Security is a nutshell Confidentiality Integrity Availability

8. <> @zupinnovation zup.com.br "Small" mistake > Big consequences 1. Code

   Vulnerability 2. Operations Vulnerability

9. <> @zupinnovation zup.com.br Code Vulnerability Every 3 out of 4

   applications • Injection • Cross-Site Scripting (XSS) • Buffer Overflow • Broken Authentication • Sensitive Data Exposure • Broken Access Control

10. <> @zupinnovation zup.com.br Operations Vulnerability “New research shows 75% of

    ‘open’ Redis servers infected” • Default, blank, and weak username/password. • Extensive user and group privileges

11. <> @zupinnovation zup.com.br The top code vulnerability issues

12. <> @zupinnovation zup.com.br SQL Injection

13. <> @zupinnovation zup.com.br Sanitize all input

14. <> @zupinnovation zup.com.br Scan dependencies vulnerabilities

15. <> @zupinnovation zup.com.br "Avengers assemble!" What can we do to

    avoid these mistakes?

16. <> @zupinnovation zup.com.br Breaking down the silos Avoid delay Integration

    Prevent

17. <> @zupinnovation zup.com.br Agile 2001 DevOps 2010 DevSecOps 2015 We

    evolved until...

18. <> @zupinnovation zup.com.br DevSecOps

19. <> @zupinnovation zup.com.br “DevSecOps is DevOps done securely” “DevOps has

    provided speed and quality benefits with continuous development and deployment methods, but it does not guarantee the security of an entire organization.” “Whether you call it "DevOps" or "DevSecOps," it has always been ideal to include security as an integral part of the entire app life cycle.” Definition through bibliography

20. <> @zupinnovation zup.com.br Layered security

21. <> @zupinnovation zup.com.br The 12 Factors App 1. Codebase 2.

    Dependencies 3. Config 4. Backing services 5. Build, release, run 6. Process 7. Port binding 8. Concurrency 9. Disposability 10. Dev/prod parity 11. Logs 12. Admin processes

22. <> @zupinnovation zup.com.br Tools What can help you on this

    challenge?

23. <> @zupinnovation zup.com.br Tools Avoid security issues 700 mi Identify

    vulnerabilities Monitoring bugs

24. <> @zupinnovation zup.com.br Horusec is an open-source framework that enhances

    the identification of vulnerabilities in your project with just one command.

25. <> @zupinnovation zup.com.br

26. <> @zupinnovation zup.com.br Demo

27. <> @zupinnovation zup.com.br And more... • Language Analysis • Integrate

    with CI/CD • Fancy Dashboard • Extensible

28. @zupinnovation zup.com.br <> Zup at TDC

29. <> @zupinnovation zup.com.br Thank you! Otávio Santana @otaviojava Distinguished Engineer

    @zupInnovation Wilian Gabriel da Silva @wiliangds Tech Lead Q&A

30. <> @zupinnovation zup.com.br Thank you! Otávio Santana @otaviojava Distinguished Engineer

    @zupInnovation Q&A