Application Security at DevOps Speed - DevOpsDays Singapore 2016
Stefan Streichsbier
This is an ignite version of my talk given at Agile Singapore. 20 slides, 15 seconds each.
Application Security at DevOps Speed - DevOpsDays Singapore 2016
1.
Security at DevOps Speed
Stefan Streichsbier, CTO Vantage Point, Founder DevSecOps Singapore, stefan@vantagepoint.sg, @s_streichsbier
2.
What is AppSec?
3.
Why does AppSec == Pain?
4.
Pentesters after turning a report in...
5.
Security
6.
Meanwhile outside the security camp ...
7.
[Chart: The frequency of releases over time. Y-axis: releases per app per year (0 to 140); x-axis: 2005 to 2020. Annotations: From Waterfall, Towards CD.] The frequency increased.
8.
So many releases?!
9.
Security DevOps
10.
Agile + DevOps + Security = DevSecOps
11.
Step 1: Security as part of Agile
12.
Let’s look at SCRUM. Start with understanding the process. [Diagram: Scrum process. Product Backlog, Sprint Backlog, Sprint of 1-4 weeks with a 24-hour cycle of Plan, Design, Develop, Test; Output: Shippable Increment.]
13.
Secure SCRUM. [Diagram: the same Scrum process (Product Backlog, Sprint Backlog, 1-4 week sprint, 24-hour cycle of Plan, Design, Develop, Test, Output: Shippable Increment) with security activities attached to each step: Security Training, Security Requirements, Security Acceptance Criteria, Threat Modelling, Design Review, Pairing, Manual Security Tests, Automatic Security Tests, Security Feature Demo, Security Retrospective.]
14.
(Security) User Stories
15.
(Security) Unit Tests
16.
[Chart: Security Debt Burndown. X-axis: Sprint 1 to Sprint 6; y-axis: 0 to 120 %. Series: % Remaining Security work; % App Robustness, Security Skills.]
17.
Step 2: DevSecOps
18.
AppSec Pipeline: Vulnerability Repository • Security Unit Tests • SAST • SCA • DAST • IAST • VA • Security as Code • RASP • NG WAF • Red Team • GOPT • Actual Attackers • Sec Requirements • Design Review • Threat Modelling
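Slide 18 puts a vulnerability repository at the centre of the AppSec pipeline, fed by security unit tests, SAST, SCA, DAST and the other stages. Below is an added Python example, not code from the slides or from Vantage Point, of what that repository has to do: map each tool's native report onto one record, deduplicate by a stable fingerprint, reconcile findings between builds (fixed, regressed, risk-accepted) and gate a build on what is still open. The class and function names, the three report layouts and the sample findings are assumptions made for this example.

```python
# Added example: a minimal vulnerability repository for an AppSec pipeline.
# Not code from the slides or from Vantage Point; tool names, report layouts
# and sample findings are constructed for illustration. Real scanners emit
# their own formats (e.g. SARIF) that you would map onto Finding the same way.
from dataclasses import dataclass, field
from hashlib import sha256
from typing import Dict, List, Optional

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    tool: str       # pipeline stage that produced it: "sast", "sca" or "dast"
    rule: str       # tool-specific rule or advisory id
    severity: str   # one of SEVERITY_RANK
    location: str   # file:line, package@version or URL
    title: str

    def fingerprint(self) -> str:
        """Stable identity so one issue reported twice is stored once. Severity and
        title are excluded: re-scoring or re-wording must not create a 'new' finding."""
        return sha256(f"{self.tool}|{self.rule}|{self.location}".encode()).hexdigest()[:16]


@dataclass
class VulnerabilityRepository:
    findings: Dict[str, Finding] = field(default_factory=dict)
    status: Dict[str, str] = field(default_factory=dict)  # open | accepted | fixed

    def ingest(self, tool: str, scanned: List[Finding]) -> List[Finding]:
        """Reconcile one tool's scan with the store: unknown findings are opened, a fixed
        one that reappears is reopened (regression), open ones no longer reported are
        marked fixed. Returns the findings that were not open before this scan."""
        seen, fresh = set(), []
        for f in scanned:
            fp = f.fingerprint()
            seen.add(fp)
            if fp not in self.findings or self.status[fp] == "fixed":
                self.findings[fp] = f
                self.status[fp] = "open"
                fresh.append(f)
        for fp, f in self.findings.items():
            if f.tool == tool and fp not in seen and self.status[fp] == "open":
                self.status[fp] = "fixed"
        return fresh

    def accept_risk(self, f: Finding) -> None:
        """Record a reviewed risk acceptance (e.g. no fixed release exists yet)."""
        self.status[f.fingerprint()] = "accepted"

    def open_findings(self) -> List[Finding]:
        return [f for fp, f in self.findings.items() if self.status[fp] == "open"]


def gate(repo: VulnerabilityRepository, block_at: str = "high") -> Optional[str]:
    """Return None if the build may ship, otherwise the reason it is blocked.
    Only open findings count; accepted risks stay tracked but do not block."""
    blocking = [f for f in repo.open_findings()
                if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[block_at]]
    if not blocking:
        return None
    return "; ".join(f"{f.tool}:{f.rule} ({f.severity}) at {f.location}"
                     for f in sorted(blocking, key=lambda f: f.tool))


# Constructed sample reports, each in a different tool-specific shape.
SAST_REPORT = [{"check_id": "sqli-string-concat", "level": "high", "path": "app/db.py",
                "line": 42, "message": "SQL query built by string concatenation"}]
SCA_REPORT = [{"advisory": "EXAMPLE-ADVISORY-0001", "severity": "critical",
               "package": "somelib", "version": "1.0.0"}]
DAST_REPORT = [{"alert": "missing-csp-header", "risk": "low",
                "url": "https://staging.example.test/login"}]


def parse_reports() -> Dict[str, List[Finding]]:
    """Map each tool's native shape onto the common Finding record."""
    return {
        "sast": [Finding("sast", r["check_id"], r["level"], f'{r["path"]}:{r["line"]}',
                         r["message"]) for r in SAST_REPORT],
        "sca": [Finding("sca", r["advisory"], r["severity"],
                        f'{r["package"]}@{r["version"]}', r["advisory"]) for r in SCA_REPORT],
        "dast": [Finding("dast", r["alert"], r["risk"], r["url"], r["alert"])
                 for r in DAST_REPORT],
    }


def simulate_two_builds() -> dict:
    """Build 1 ingests every report and is blocked. Before build 2 the SQL injection is
    fixed (SAST reports nothing) and the vulnerable package, with no fixed release yet,
    is recorded as an accepted risk, so build 2 passes with the low DAST finding open."""
    repo, reports = VulnerabilityRepository(), parse_reports()
    for tool, findings in reports.items():
        repo.ingest(tool, findings)
    build1 = gate(repo)
    repo.ingest("sast", [])            # re-scan after the fix: empty SAST report
    repo.accept_risk(reports["sca"][0])
    build2 = gate(repo)
    return {"build1": build1, "build2": build2,
            "statuses": {f.tool: repo.status[fp] for fp, f in repo.findings.items()}}
```

Two design points are worth copying: the fingerprint leaves out severity and title so that a scanner re-scoring or re-wording an issue does not create a duplicate, and the gate only looks at open findings, so a reviewed risk acceptance unblocks a build without deleting the record from the repository. Running `simulate_two_builds()` shows build 1 blocked by the high SAST and critical SCA findings and build 2 passing.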
19.
Instead of this...
20.
...Let’s do this...