dev from each team, spending a small amount of time to gain proficiency and lead their team in automating and implementing security
should represent the voice of security while still performing some duties as an application developer
benefits:
understanding the security team and increasing trust between teams
higher level of security within application
security present throughout entire lifecycle of application development
devs developing security automation
the gain is in cycles that are no longer spent addressing security issues post-deployment and at the end of the application lifecycle.
balancing feature delivery vs doing it correctly
average timeframe to adopt devops is 18 months
how
OWASP top 10 application vulnerabilities
8 secure design principles from Saltzer and Schroeder
economy of mechanism: keep design simple
-- fill in rest later --
owasp/wasc web hacking incident database
Equifax
not simple to apply patches in these scenarios: frameworks need to be upgraded and tests run in the new environments before you can apply the patch and update.
layered security defense when possible
can we get the patch out in 12 hours?
owasp 'juice shop'
great team exercise, gamifies the finding of vulnerabilities and can be done over a lunch break, available on github
general
can we get our patch out in hours - days?
logging
valid backups regularly used
ability to rapidly deploy code
put security callouts in entire application lifecycle (starting with code checkins -- dependency scans, static analysis tools, fuzzing, etc)
risk summary table (type, severity, chance to happen, mitigation plan)
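Added example (not from the talk): a minimal check-in gate that reads a dependency-scan report and fails the build for findings at or above a severity threshold, unless the finding has an unexpired accepted entry in the risk summary table. The report schema, the risk table entries and the finding ids are constructed placeholders; real scanners emit their own formats.

```python
import json
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed risk summary table (type, severity, chance, mitigation plan).
# An accepted entry lets a known finding through until its mitigation deadline.
RISK_TABLE = [
    {"id": "DEP-0001", "type": "vulnerable dependency", "severity": "high",
     "chance": "medium", "mitigation": "upgrade framework in sprint 12",
     "accepted_until": "2099-01-01"},
]

# Constructed scanner output in a made-up schema (not a real tool's format).
SCAN_REPORT = json.dumps({
    "findings": [
        {"id": "DEP-0001", "package": "webfw", "severity": "high"},
        {"id": "DEP-0002", "package": "xmlparse", "severity": "critical"},
        {"id": "DEP-0003", "package": "logfmt", "severity": "low"},
    ]
})


def gate(report_json, block_at="high", today=None):
    """Return (passed, blocking_ids, accepted) for one scan report.

    A finding at or above block_at blocks the check-in unless the risk
    table accepts it and the acceptance has not expired. Accepted findings
    are returned too, so the mitigation plan stays visible in the build
    log instead of being silently bypassed.
    """
    today = today or date.today().isoformat()  # ISO dates compare as strings
    accepted_ids = {r["id"]: r for r in RISK_TABLE if r["accepted_until"] >= today}
    threshold = SEVERITY_RANK[block_at]
    blocking, accepted = [], []
    for f in json.loads(report_json)["findings"]:
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue  # below the gate, report only
        if f["id"] in accepted_ids:
            accepted.append((f["id"], accepted_ids[f["id"]]["mitigation"]))
        else:
            blocking.append(f["id"])
    return (not blocking, blocking, accepted)


if __name__ == "__main__":
    passed, blocking, accepted = gate(SCAN_REPORT, today="2024-01-01")
    print("PASS" if passed else "FAIL", blocking, accepted)
```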
open design principle
share code internally. encourage sharing of components, finding of vulnerabilities and bugs by peers.
NO security through obscurity
encourage vulnerability submissions
extra credit for bug bounties and other internal security efforts (skip a PagerDuty rotation?, badges?)
secdevops
not
why automation
typical enterprise ratio: 100:10:1
security champion (spotify model)