SlideShare une entreprise Scribd logo

Fixing security by fixing software development

Nick Galbreath
Nick Galbreath

Fixing Security by Fixing Software Development Using Continuous Deployment Do you have an effective release cycle? Is your process long and archaic? Long release cycle are typically based on assumptions we haven't seen since the 1980s and require very mature organizations to implement successfully. They can also disenfranchise developers from caring or even knowing about security or operational issues. Attend this session to learn more about an alternative approach to managing deployments through Continuous Deployment, otherwise known as Continuous Delivery. Find out how small, but frequent changes to the production environment can transform an organization’s development process to truly integrate security. Learn how to get started with continuous deployment and what tools and process are needed to make implementation within your organization a (security) success.

1  sur  78
Télécharger pour lire hors ligne
Fixing Security by Fixing Software Development Using Continuous Deployment Nick Galbreath, VP Eng IPONWEB, http://www.iponweb.com/ @ngalbreath http://www.client9.com/ May 14-15, San Francisco, California
Follow Along Latest version posted online:   http://slidesha.re/144OIv3 http://www.client9.com/
Nick Galbreath (@ngalbreath) ! Spoken at Black Hat, DEFCON, OWASP ! Author of libinjection: advanced SQLi detection used in > 2 WAFs, 1 Honeypot ! Book on cryptography ! but really... ! Engineering Management and Software Development for high growth startups. ! Personal site http://www.client9.com/
IPONWEB ! customized online advertising infrastructure and exchanges ! engineering offices in Moscow, with business offices in London, New York and Tokyo.
Original Abstract Fixing Security by Fixing Software Development Using Continuous Deployment Do you have an effective release cycle? Is your process long and archaic? Long release cycle are typically based on assumptions we haven't seen since the 1980s and require very mature organizations to implement successfully. They can also disenfranchise developers from caring or even knowing about security or operational issues. Attend this session to learn more about an alternative approach to managing deployments through Continuous Deployment, otherwise known as Continuous Delivery. Find out how small, but frequent changes to the production environment can transform an organization’s development process to truly integrate security. Learn how to get started with continuous deployment and what tools and process are needed to make implementation within your organization a (security) success.
Well that's a bold statement... "Fixing Security by Fixing Development Using Continuous Deployment"
and here's another For web applications, our release-based software development lifecycle is still based on a pre-Internet model and is harmful to organizations and
 particularly harmful for security.
What needs fixing? ! SQLi dropped from #8 to #14 in the latest White Hat "The State of Web Security" report. Good news, right? ! This means SQLi is only 7% of websites. That's 1 in 15. And this is #14 vulnerability! ! And time to fix was on average 196 days. 
 That's embarrassing. Veracode claims 32% of incoming web applications have SQLi
 https://info.veracode.com/state-of-software-security-report-volume5.html https://reg.whitehatsec.com/WPstats0513
Even worse... ! Number 1 driver to fix security problems...
 compliance. ! Number 1 reason to not fix security is...
 compliance. ! Not.. ! keeping our employees and customers safe ! protecting corporate interests. ! improving quality ! being good at what we do.
Security Products #1 .. in security bugs VeraCode: State of Software Security, V4 December 2011
Let's Just Give Up ! “You could spend all your resources chasing such things as this,” William Ribich, the former president of Technology Solutions Group [ QintelIQ ], said in an interview in January. Ribich, who retired in November 2009, shortly after the discovery of a major data theft, said he needed to balance the uncertain risk that the hackers could use what they stole against a growing shopping list of security products and consulting fees. ! "You finally have to reach a point where you say
 ’let’s move on,’” he said. http://www.bloomberg.com/news/2013-05-01/china-cyberspies-outwit-u-s-stealing-military-secrets.html
I would call that broken ! But preventing SQLi isn't a technically hard problem. ! And most security patches are very small. ! How did we get here?
Software Product Model ! Code flows between functional groups ! Product Managers spec code ! Engineers write code ! QA engineers tests code ! Release engineers package code ! Operations runs code ! ... and Security does something too.
High Distribution Cost ! The Software Product Model is designed for software where the cost of distribution is high. "High" might be financial, risk, time, resources, customer annoyance. ! Retail, physical product, CD/DVD ! Embedded of Exotic Hardware ! Safety, Medical or Defense Systems ! Operating Systems (desk or phone) ! Homework (1-time deploy)
Software Product Lifecycle
Change to Production
Web Applications Year 2000 ! Mostly followed Software Product Model since that's all we knew. ! High barrier to entry ! Specialized Hardware, Software and People needed to get started. ! Lots of engineering needed to keep things running. ! (side note: CERT/CVE started in 1999)
True Story #1 ! "Can't push out the spelling error fix – it's too risky" ! "That code as already been through QA, it's locked down." ! "Product has to prioritize that change, else we aren't touching it."
True Story #2 ! We'll do an iteration, where we try to fix as many things as possible. ! This won't be a scheduled iteration, it will be done because things are so bad ! So the spelling error will get fixed... 
 uhh, who knows when.
Web Applications 2013 ! Almost no barrier to entry ! Commodity hardware ! Programming not that hard ! Scaling problems can 
 be mostly outsourced
 (mostly)
Cost of Distribution 2013 ! Frequently no compile step
 or it's very fast. ! Moving to production a few kilobytes or megabytes of code over 1Gbps, 10Gbps link. ! In other words... free
Failure is very different however ! Most web applications are data-driven. ! Frequently have social features, APIs, user-generated content. ! Failures might be due to algorithmic problems... but... ! Most likely to due to user input, bad data in database or operational load. ! this means data in past can cause problems in the future.
Releases and Problems ! When a web-release goes out, and has problems.... ! Next week is spent tracking down who changed what, where. ! Re-QA ! Re-Push ! meanwhile new code is piling up.
When SPM meets Web Apps ! A long time between code being written and code being released. ! Might be weeks or months ! Feedback loop between code-in-dev and code-in-production is broken ! When security or bug reports come in, the author is likely on a different project.
Hypothesis ! It is impossible to simulate the production environment in development, either due to operational differences or data differences. ! No amount of QA or Security Testing can prove you don't have bugs, vulnerabilities, or cause severe operational problems. ! You have bugs and vulnerabilities,
 right now, in your application.
Impedance Mismatch ! Easy to write code, + ! Long release cycles + ! Security as an end-of-line or out of band process == ! no one cares
So the Answer is... ! Going slower? I'm sure your boss will love that suggestion ! More steps and process? In other words, slower. ! Asking for more people? Sure but good luck hiring them. Doesn't scale. ! Asking for more products? Since the others have worked so well.
Continuous Deployment ! Also known as Continuous Delivery. ! A System of Software Production Characterized by Numerous Small Changes the Production Environment, initiated by the author of the change. You change it, you push it to prod.
Deployment != Feature Release
"Writing Software" ! Software Developers think their job is writing software. ! And so, they love to make things perfect before anyone else sees it. ! Impolite: "data hiding" ! code is hiding on developer's computer ! or on some branch ! in other words invisible until it's ready.
Actually ! The software engineer's job is actually writing running software, that works well. ! This idea is so alien, that companies have to remind the engineers of this.
Rackspace Haiku writing code is hard
 if you cannot deploy it does not matter @paulvx from DevOpsDays Austin 2013
Facebook "Move Fast and 
 Break Things.... Except "Push" (deployment system) via http://mitadmissions.org/blogs/entry/ move_fast_and_break_things
Etsy Mantra Just Ship
Today's goal ! but for today the goal is getting the developer to care about their code
 in production. ! If you don't have that, I don't think you can really solve security problems.
How does this work? ! Really? Developers push their own code out? ! How is this not a disaster. ! How is this not a security disaster?
The Deploy Button ! What is you had a button that said
 "DEPLOY" ! That pushed to production, whatever is current in your source control system. ! And took about a minute ! The change and who pressed the button is logged, but that's it.
Part 1: Fear ! No one is going to push it ;-) ! Meanwhile code is piling up Real example: A new hire I had at Etsy was afraid 
 of deploying an HTML change that they made. "But I don't want to break the site!"
Part 2: First Push ! Someone brave will press the button ! And very likely the site will explode, and a rollback will need to be done. ! They'll know since someone else will have told them.
Part 3: With Graphs ! Let's get all those operational graphs out in the open. And put them right next to the button.
Part 4: Push #2 ! Repush ! Site might still explode ! But the developer is aware and can rollback.
Take 5: Isolation ! Hmmm, the developer notices that in the change set, a million things are going out. ! Maybe just pushing out a smaller change will help isolate the issue.
Take 6: Success! ! Yes, the developer just pushed out some code and made the site better. ! The secret about continuous deployment is small changes that can be easily understood.
Take 7: Dark Pushes ! Now we got some bugs fixed, let's push a feature. ! First let's push out all the supporting files. Since they aren't being called, they do nothing and are safe to push out. ! Now everyone can see them
Take 8: Getting the feature live ! Instead of "all at once", we slowly ramp up a feature. ! if (user_id % 20 == 0):
 do new feature; ! we change change the percentage easily with another code push. ! or turn it down. Much nicer change log. ! While the site didn't explode, it's hard to see if the feature is being used or not.
Take 9: Application Level Graphs ! Allow developers to instrument their code so they can see what is happening in production. ! Enter StatsD and other UDP-based tools ! Enter centralized logging and in- application method to make it easy to log problems.
Take 10: Communication ! So far good for one developer. ! To scale up, you'll need a system to allow developers. ! IRC-like tools work well (e.g. "the push channel") – skype, jabber, hangouts, etc
Along the way ! Expose production logs to developers ! Add in a staging-step where the code goes to faction of the cluster, so developers can test with real traffic ! Try to make development closer to prod. ! Make "smoke tests" to catch basic errors ! Add syntax checkers to eliminate obvious issues. ! Use static analysis to find bugs
Mistakes will happen ! Do postmortem analysis ! Everyone thought they were doing the right thing at the time. ! "How can the environment be changed to prevent this" and build tools to enforce it. ! (Rarely can you truly change people)
Sounds good, 
 but what about...
That guy who pushes at 3am ! Courtesy and convention will converge very quickly when the site goes down at 3am and the developer starts getting calls ;-) ! Of hours pushes of course can happen, when they notify operations.
What About Code Reviews? ! Yes, please do them. ! Nothing here prevents code reviews. ! In fact code reviews are easier since ! they are small ! they are in mainline not some branch
What about Security Reviews ! Please do them. ! Nothing here eliminates architectural planning or review. ! This actually doesn't change the SDLC very much.
What about Agile Methods ! (everyone seems to have a different idea of what Agile is but..) ! Agile methodologies typically work to improve the business spec / development cycle. (are you building what the customer wants) ! But doesn't address code deployment. ! They are complimentary practices.
What about Customer Service? ! "Don't they freak out with all the changes?" ! Remember: deployment != feature release ! Most deployments do very little from the customer point of view ! Feature releases (frequently controlled by ramp-ups or flags) always needs to be coordinated with product and customer service.
What about Compliance? PCI? ! Let me tell you about compliance... ! mechanism not policy
Back to Security
Obvious Benefit to Security ! Security patches can go out quickly ! You know this since they are now just part of a normal development cycle.
More Importantly ! That Engineer who previously didn’t push code is now sensitized that their code has consequences and are responsive and empowered to fix it. ! It’s amazing how interested engineers become in security when you find problems with their code when they are able to fix quickly themselves.
Hack The Stack ! A side effect of this you now have tools to repurpose for security and
 monitoring of production ! Note that most changes are not security problems.
Logging ! Due to allow developers to see application logging, it's now very easy to instrument the application to log security events. ! Or add logs to times when you are under attack.
Graphing ! Make dashboards of ! SQLi and XSS attacks ! Every type of log-in failure ! Core Dumps ! Database Syntax Errors
Static Analysis ! You now have a place to insert them. ! Work with QA group to add more code quality tests.
Post-Commit Checks ! Alert on when sensitive areas of the code are changed (auth) ! Alert on crypto usage (why is developer using MD5.. hmmm) ! Alert your programming languages "dangerous functions" This allows you to engage the developer at the start of the cycle.
Faster is Better ! You could do most of this in a normal release-cycle software lifecycle. ! The difference is you are finding problems at the start instead of 10m before the launch and telling everyone to stop. ! The feedback loop works.
New Roles, Less Silos ! Developers: works with operations ! QA: works on building systems for testing, to empower others to write better tests ! Release Engineering: tools to enable code to flow faster ! Security: in-house consultancy, secure-by- default architecture, monitoring
Getting Started
Goal: 50% reduction in deploy times times ! Whatever your state of deployment is, no matter how many people are involved, no matter how long it currently takes, make a goal of cutting it in half. ! This is an easy sell to management just on cost basis. ! Everything else flows from this.
Mechanism not Policy ! Strive for the fastest deployment mechanism for possible ! But you define the "continuous" in Continuous Deployment ! Yes, Etsy was 60+ deploys per day, with each having multiple authors. ! Current gig? we have rules of no more than 3 per week since our customer have asked for that, and only deployed at "low-tide"
In Other Contexts
In other contexts: Operations ! How fast can you deploy OS changes to you production environment?
In other contexts: IT ! How fast can you deploy desktop changes?
In other contexts: software product ! here "production" might be getting code into the main branch and running automated build / test. ! It's the flow of code: little changes vs big.
In other contexts: silicon ! Continuous deployment already done for silicon! wut? ! Only small changes, with tests are allowed to be committed! ! Big changes are rejected.
 Learned the hard way that big changes are completely unmanageable
One more thing...
Your Attackers Use Continuous Deployment
Continuous Deployment Start with 50% Reduction Build the Deploy Button Nick Galbreath ★ @ngalbreath ★ nickg@client9.com ★ http://www.client9.com/ http://slidesha.re/144OIv3
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. Fixing Security by Fixing Software Development Using Continuous Deployment Nick Galbreath ★ @ngalbreath ★ http://www.client9.com ★ nickg@client9.com

Recommandé

Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Nick Galbreath
 
Making operations visible - devopsdays tokyo 2013
Making operations visible - devopsdays tokyo 2013Making operations visible - devopsdays tokyo 2013
Making operations visible - devopsdays tokyo 2013Nick Galbreath
 
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Nick Galbreath
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating SecurityAlex Stamos
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineMatt Tesauro
 
New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0Dinis Cruz
 
Continuous Deployment: The Dirty Details
Continuous Deployment: The Dirty DetailsContinuous Deployment: The Dirty Details
Continuous Deployment: The Dirty DetailsMike Brittain
 
(java2days) The Anatomy of Java Vulnerabilities
(java2days) The Anatomy of Java Vulnerabilities(java2days) The Anatomy of Java Vulnerabilities
(java2days) The Anatomy of Java VulnerabilitiesSteve Poole
 

Recommandé

Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013Nick Galbreath
 
Making operations visible - devopsdays tokyo 2013
Making operations visible - devopsdays tokyo 2013Making operations visible - devopsdays tokyo 2013
Making operations visible - devopsdays tokyo 2013Nick Galbreath
 
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Nick Galbreath
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating SecurityAlex Stamos
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineMatt Tesauro
 
New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0Dinis Cruz
 
Continuous Deployment: The Dirty Details
Continuous Deployment: The Dirty DetailsContinuous Deployment: The Dirty Details
Continuous Deployment: The Dirty DetailsMike Brittain
 
(java2days) The Anatomy of Java Vulnerabilities
(java2days) The Anatomy of Java Vulnerabilities(java2days) The Anatomy of Java Vulnerabilities
(java2days) The Anatomy of Java VulnerabilitiesSteve Poole
 
Everything You Know is Not Quite Right Anymore: Rethinking Best Practices to ...
Everything You Know is Not Quite Right Anymore: Rethinking Best Practices to ...Everything You Know is Not Quite Right Anymore: Rethinking Best Practices to ...
Everything You Know is Not Quite Right Anymore: Rethinking Best Practices to ...Dave Olsen
 
DevOps: Cultural and Tooling Tips Around the World
DevOps: Cultural and Tooling Tips Around the WorldDevOps: Cultural and Tooling Tips Around the World
DevOps: Cultural and Tooling Tips Around the WorldDynatrace
 
Why Everyone Needs DevOps Now - Gene Kim
Why Everyone Needs DevOps Now - Gene KimWhy Everyone Needs DevOps Now - Gene Kim
Why Everyone Needs DevOps Now - Gene KimDynatrace
 
XRebel - Real Time Insight, Faster Apps
XRebel - Real Time Insight, Faster AppsXRebel - Real Time Insight, Faster Apps
XRebel - Real Time Insight, Faster AppsZeroTurnaround
 
GeeCON 2015 DevOps and the dark side
GeeCON 2015 DevOps and the dark side GeeCON 2015 DevOps and the dark side
GeeCON 2015 DevOps and the dark side Steve Poole
 
2019 Top Lessons Learned Since the Phoenix Project Was Released
2019 Top Lessons Learned Since the Phoenix Project Was Released2019 Top Lessons Learned Since the Phoenix Project Was Released
2019 Top Lessons Learned Since the Phoenix Project Was ReleasedGene Kim
 
Security at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at YahooSecurity at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at YahooAlex Stamos
 
Continuous Delivery antipatterns from the wild - Matthew Skelton - Continuous...
Continuous Delivery antipatterns from the wild - Matthew Skelton - Continuous...Continuous Delivery antipatterns from the wild - Matthew Skelton - Continuous...
Continuous Delivery antipatterns from the wild - Matthew Skelton - Continuous...Skelton Thatcher Consulting Ltd
 
The Unicorn Project and The Five Ideals (older: see notes for newer version)
The Unicorn Project and The Five Ideals (older: see notes for newer version)The Unicorn Project and The Five Ideals (older: see notes for newer version)
The Unicorn Project and The Five Ideals (older: see notes for newer version)Gene Kim
 
DevOps & the Dark Side 10 ways to convince your team DevOps is a force for good
DevOps & the Dark Side 10 ways to convince your team DevOps is a force for goodDevOps & the Dark Side 10 ways to convince your team DevOps is a force for good
DevOps & the Dark Side 10 ways to convince your team DevOps is a force for goodSteve Poole
 
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya JancaDevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya JancaDevSecCon
 
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya Janca
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya JancaDevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya Janca
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya JancaDevSecCon
 
Keeping The Auditor Away: DevOps Audit Compliance Case Studies
Keeping The Auditor Away: DevOps Audit Compliance Case StudiesKeeping The Auditor Away: DevOps Audit Compliance Case Studies
Keeping The Auditor Away: DevOps Audit Compliance Case StudiesGene Kim
 
Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset Denim Group
 
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)Dinis Cruz
 
Meteorjs
MeteorjsMeteorjs
MeteorjsRadhouen Assakra
 
2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience Report
2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience Report2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience Report
2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience ReportGene Kim
 
Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4JDenim Group
 
Why do mobile projects (still) fail - September 2014 edition
Why do mobile projects (still) fail - September 2014 editionWhy do mobile projects (still) fail - September 2014 edition
Why do mobile projects (still) fail - September 2014 editionIndiginox
 
Continuous Security: 5 Ways DevOps Improves Security
Continuous Security: 5 Ways DevOps Improves SecurityContinuous Security: 5 Ways DevOps Improves Security
Continuous Security: 5 Ways DevOps Improves SecuritySonatype
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security LifecycleApigee | Google Cloud
 
Data-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive ThreatsData-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive ThreatsApigee | Google Cloud
 

Contenu connexe

Tendances

Everything You Know is Not Quite Right Anymore: Rethinking Best Practices to ...
Everything You Know is Not Quite Right Anymore: Rethinking Best Practices to ...Everything You Know is Not Quite Right Anymore: Rethinking Best Practices to ...
Everything You Know is Not Quite Right Anymore: Rethinking Best Practices to ...Dave Olsen
 
DevOps: Cultural and Tooling Tips Around the World
DevOps: Cultural and Tooling Tips Around the WorldDevOps: Cultural and Tooling Tips Around the World
DevOps: Cultural and Tooling Tips Around the WorldDynatrace
 
Why Everyone Needs DevOps Now - Gene Kim
Why Everyone Needs DevOps Now - Gene KimWhy Everyone Needs DevOps Now - Gene Kim
Why Everyone Needs DevOps Now - Gene KimDynatrace
 
XRebel - Real Time Insight, Faster Apps
XRebel - Real Time Insight, Faster AppsXRebel - Real Time Insight, Faster Apps
XRebel - Real Time Insight, Faster AppsZeroTurnaround
 
GeeCON 2015 DevOps and the dark side
GeeCON 2015 DevOps and the dark side GeeCON 2015 DevOps and the dark side
GeeCON 2015 DevOps and the dark side Steve Poole
 
2019 Top Lessons Learned Since the Phoenix Project Was Released
2019 Top Lessons Learned Since the Phoenix Project Was Released2019 Top Lessons Learned Since the Phoenix Project Was Released
2019 Top Lessons Learned Since the Phoenix Project Was ReleasedGene Kim
 
Security at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at YahooSecurity at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at YahooAlex Stamos
 
Continuous Delivery antipatterns from the wild - Matthew Skelton - Continuous...
Continuous Delivery antipatterns from the wild - Matthew Skelton - Continuous...Continuous Delivery antipatterns from the wild - Matthew Skelton - Continuous...
Continuous Delivery antipatterns from the wild - Matthew Skelton - Continuous...Skelton Thatcher Consulting Ltd
 
The Unicorn Project and The Five Ideals (older: see notes for newer version)
The Unicorn Project and The Five Ideals (older: see notes for newer version)The Unicorn Project and The Five Ideals (older: see notes for newer version)
The Unicorn Project and The Five Ideals (older: see notes for newer version)Gene Kim
 
DevOps & the Dark Side 10 ways to convince your team DevOps is a force for good
DevOps & the Dark Side 10 ways to convince your team DevOps is a force for goodDevOps & the Dark Side 10 ways to convince your team DevOps is a force for good
DevOps & the Dark Side 10 ways to convince your team DevOps is a force for goodSteve Poole
 
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya JancaDevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya JancaDevSecCon
 
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya Janca
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya JancaDevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya Janca
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya JancaDevSecCon
 
Keeping The Auditor Away: DevOps Audit Compliance Case Studies
Keeping The Auditor Away: DevOps Audit Compliance Case StudiesKeeping The Auditor Away: DevOps Audit Compliance Case Studies
Keeping The Auditor Away: DevOps Audit Compliance Case StudiesGene Kim
 
Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset Denim Group
 
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)Dinis Cruz
 
2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience Report
2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience Report2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience Report
2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience ReportGene Kim
 
Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4JDenim Group
 
Why do mobile projects (still) fail - September 2014 edition
Why do mobile projects (still) fail - September 2014 editionWhy do mobile projects (still) fail - September 2014 edition
Why do mobile projects (still) fail - September 2014 editionIndiginox
 
Continuous Security: 5 Ways DevOps Improves Security
Continuous Security: 5 Ways DevOps Improves SecurityContinuous Security: 5 Ways DevOps Improves Security
Continuous Security: 5 Ways DevOps Improves SecuritySonatype
 

Tendances (20)

Everything You Know is Not Quite Right Anymore: Rethinking Best Practices to ...
Everything You Know is Not Quite Right Anymore: Rethinking Best Practices to ...Everything You Know is Not Quite Right Anymore: Rethinking Best Practices to ...
Everything You Know is Not Quite Right Anymore: Rethinking Best Practices to ...
 
DevOps: Cultural and Tooling Tips Around the World
DevOps: Cultural and Tooling Tips Around the WorldDevOps: Cultural and Tooling Tips Around the World
DevOps: Cultural and Tooling Tips Around the World
 
Why Everyone Needs DevOps Now - Gene Kim
Why Everyone Needs DevOps Now - Gene KimWhy Everyone Needs DevOps Now - Gene Kim
Why Everyone Needs DevOps Now - Gene Kim
 
XRebel - Real Time Insight, Faster Apps
XRebel - Real Time Insight, Faster AppsXRebel - Real Time Insight, Faster Apps
XRebel - Real Time Insight, Faster Apps
 
GeeCON 2015 DevOps and the dark side
GeeCON 2015 DevOps and the dark side GeeCON 2015 DevOps and the dark side
GeeCON 2015 DevOps and the dark side
 
2019 Top Lessons Learned Since the Phoenix Project Was Released
2019 Top Lessons Learned Since the Phoenix Project Was Released2019 Top Lessons Learned Since the Phoenix Project Was Released
2019 Top Lessons Learned Since the Phoenix Project Was Released
 
Security at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at YahooSecurity at Scale - Lessons from Six Months at Yahoo
Security at Scale - Lessons from Six Months at Yahoo
 
Continuous Delivery antipatterns from the wild - Matthew Skelton - Continuous...
Continuous Delivery antipatterns from the wild - Matthew Skelton - Continuous...Continuous Delivery antipatterns from the wild - Matthew Skelton - Continuous...
Continuous Delivery antipatterns from the wild - Matthew Skelton - Continuous...
 
The Unicorn Project and The Five Ideals (older: see notes for newer version)
The Unicorn Project and The Five Ideals (older: see notes for newer version)The Unicorn Project and The Five Ideals (older: see notes for newer version)
The Unicorn Project and The Five Ideals (older: see notes for newer version)
 
DevOps & the Dark Side 10 ways to convince your team DevOps is a force for good
DevOps & the Dark Side 10 ways to convince your team DevOps is a force for goodDevOps & the Dark Side 10 ways to convince your team DevOps is a force for good
DevOps & the Dark Side 10 ways to convince your team DevOps is a force for good
 
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya JancaDevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
 
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya Janca
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya JancaDevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya Janca
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya Janca
 
Keeping The Auditor Away: DevOps Audit Compliance Case Studies
Keeping The Auditor Away: DevOps Audit Compliance Case StudiesKeeping The Auditor Away: DevOps Audit Compliance Case Studies
Keeping The Auditor Away: DevOps Audit Compliance Case Studies
 
Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset Application Security Testing for a DevOps Mindset
Application Security Testing for a DevOps Mindset
 
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
 
Meteorjs
MeteorjsMeteorjs
Meteorjs
 
2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience Report
2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience Report2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience Report
2019 12 Clojure/conj: Love Letter To Clojure, and A Datomic Experience Report
 
Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Why do mobile projects (still) fail - September 2014 edition
Why do mobile projects (still) fail - September 2014 editionWhy do mobile projects (still) fail - September 2014 edition
Why do mobile projects (still) fail - September 2014 edition
 
Continuous Security: 5 Ways DevOps Improves Security
Continuous Security: 5 Ways DevOps Improves SecurityContinuous Security: 5 Ways DevOps Improves Security
Continuous Security: 5 Ways DevOps Improves Security
 

En vedette

Data-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive ThreatsData-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive ThreatsApigee | Google Cloud
 
Protect your APIs from Cyber Threats
Protect your APIs from Cyber ThreatsProtect your APIs from Cyber Threats
Protect your APIs from Cyber ThreatsApigee | Google Cloud
 
Cloud Deployments Done Right: Why APIs are Key
Cloud Deployments Done Right: Why APIs are KeyCloud Deployments Done Right: Why APIs are Key
Cloud Deployments Done Right: Why APIs are KeyApigee | Google Cloud
 
The Business of APIs: Your 100-Day API Business Plan
The Business of APIs: Your 100-Day API Business PlanThe Business of APIs: Your 100-Day API Business Plan
The Business of APIs: Your 100-Day API Business PlanApigee | Google Cloud
 
Deep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeDeep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeApigee | Google Cloud
 
Are ESBs Relevant in the Age of Microservices?
Are ESBs Relevant in the Age of Microservices?Are ESBs Relevant in the Age of Microservices?
Are ESBs Relevant in the Age of Microservices?Apigee | Google Cloud
 
Managing Sensitive Information in an API and Microservices World
Managing Sensitive Information in an API and Microservices WorldManaging Sensitive Information in an API and Microservices World
Managing Sensitive Information in an API and Microservices WorldApigee | Google Cloud
 
Platforms, Cloud-Native Architectures, and APIs: Chicago Adapt or Die Keynote
Platforms, Cloud-Native Architectures, and APIs: Chicago Adapt or Die KeynotePlatforms, Cloud-Native Architectures, and APIs: Chicago Adapt or Die Keynote
Platforms, Cloud-Native Architectures, and APIs: Chicago Adapt or Die KeynoteApigee | Google Cloud
 
Technology powerpoint presentations
Technology powerpoint presentationsTechnology powerpoint presentations
Technology powerpoint presentationsismailraesha
 

En vedette (14)

API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security Lifecycle
 
Data-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive ThreatsData-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive Threats
 
Apigee Products Overview
Apigee Products OverviewApigee Products Overview
Apigee Products Overview
 
Enhancing your Security APIs
Enhancing your Security APIsEnhancing your Security APIs
Enhancing your Security APIs
 
Protect your APIs from Cyber Threats
Protect your APIs from Cyber ThreatsProtect your APIs from Cyber Threats
Protect your APIs from Cyber Threats
 
Cloud Deployments Done Right: Why APIs are Key
Cloud Deployments Done Right: Why APIs are KeyCloud Deployments Done Right: Why APIs are Key
Cloud Deployments Done Right: Why APIs are Key
 
The Business of APIs: Your 100-Day API Business Plan
The Business of APIs: Your 100-Day API Business PlanThe Business of APIs: Your 100-Day API Business Plan
The Business of APIs: Your 100-Day API Business Plan
 
Architecture for the API-enterprise
Architecture for the API-enterpriseArchitecture for the API-enterprise
Architecture for the API-enterprise
 
Deep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeDeep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital Age
 
Are ESBs Relevant in the Age of Microservices?
Are ESBs Relevant in the Age of Microservices?Are ESBs Relevant in the Age of Microservices?
Are ESBs Relevant in the Age of Microservices?
 
Managing Sensitive Information in an API and Microservices World
Managing Sensitive Information in an API and Microservices WorldManaging Sensitive Information in an API and Microservices World
Managing Sensitive Information in an API and Microservices World
 
API Governance in the Enterprise
API Governance in the EnterpriseAPI Governance in the Enterprise
API Governance in the Enterprise
 
Platforms, Cloud-Native Architectures, and APIs: Chicago Adapt or Die Keynote
Platforms, Cloud-Native Architectures, and APIs: Chicago Adapt or Die KeynotePlatforms, Cloud-Native Architectures, and APIs: Chicago Adapt or Die Keynote
Platforms, Cloud-Native Architectures, and APIs: Chicago Adapt or Die Keynote
 
Technology powerpoint presentations
Technology powerpoint presentationsTechnology powerpoint presentations
Technology powerpoint presentations
 

Similaire à Fixing security by fixing software development

Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...DevOps Indonesia
 
The hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignmentsThe hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignmentsn|u - The Open Security Community
 
Von JavaEE auf Microservice in 6 Monaten - The Good, the Bad, and the wtfs...
Von JavaEE auf Microservice in 6 Monaten - The Good, the Bad, and the wtfs...Von JavaEE auf Microservice in 6 Monaten - The Good, the Bad, and the wtfs...
Von JavaEE auf Microservice in 6 Monaten - The Good, the Bad, and the wtfs...André Goliath
 
From 🤦 to 🐿️
From 🤦 to 🐿️From 🤦 to 🐿️
From 🤦 to 🐿️Ori Pekelman
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...
Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...
Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...Burr Sutter
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineJames Wickett
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
 
Cybercrime and the developer 2021 style
Cybercrime and the developer 2021 styleCybercrime and the developer 2021 style
Cybercrime and the developer 2021 styleSteve Poole
 
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingShowing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingDan Kaminsky
 
Continuous integration
Continuous integrationContinuous integration
Continuous integrationBoris Dominic
 
Securing a great DX - DevSecOps Days Singapore 2018
Securing a great DX - DevSecOps Days Singapore 2018Securing a great DX - DevSecOps Days Singapore 2018
Securing a great DX - DevSecOps Days Singapore 2018Stefan Streichsbier
 
Securing Underprotected APIs - Deja vu Security
Securing Underprotected APIs - Deja vu SecuritySecuring Underprotected APIs - Deja vu Security
Securing Underprotected APIs - Deja vu SecurityDeja vu Security
 
From DevOps to NoOps how not to get Equifaxed Apidays
From DevOps to NoOps how not to get Equifaxed ApidaysFrom DevOps to NoOps how not to get Equifaxed Apidays
From DevOps to NoOps how not to get Equifaxed ApidaysOri Pekelman
 
6 ways DevOps helped PrepSportswear move from monolith to microservices
6 ways DevOps helped PrepSportswear move from monolith to microservices6 ways DevOps helped PrepSportswear move from monolith to microservices
6 ways DevOps helped PrepSportswear move from monolith to microservicesDynatrace
 
BsidesMCR_2016-what-can-infosec-learn-from-devops
BsidesMCR_2016-what-can-infosec-learn-from-devopsBsidesMCR_2016-what-can-infosec-learn-from-devops
BsidesMCR_2016-what-can-infosec-learn-from-devopsJames '​-- Mckinlay
 
Teaching Elephants to Dance (and Fly!) A Developer's Journey to Digital Trans...
Teaching Elephants to Dance (and Fly!) A Developer's Journey to Digital Trans...Teaching Elephants to Dance (and Fly!) A Developer's Journey to Digital Trans...
Teaching Elephants to Dance (and Fly!) A Developer's Journey to Digital Trans...Burr Sutter
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactSBWebinars
 

Similaire à Fixing security by fixing software development (20)

Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...
 
The hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignmentsThe hardcore stuff i hack, experiences from past VAPT assignments
The hardcore stuff i hack, experiences from past VAPT assignments
 
Von JavaEE auf Microservice in 6 Monaten - The Good, the Bad, and the wtfs...
Von JavaEE auf Microservice in 6 Monaten - The Good, the Bad, and the wtfs...Von JavaEE auf Microservice in 6 Monaten - The Good, the Bad, and the wtfs...
Von JavaEE auf Microservice in 6 Monaten - The Good, the Bad, and the wtfs...
 
From 🤦 to 🐿️
From 🤦 to 🐿️From 🤦 to 🐿️
From 🤦 to 🐿️
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...
Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...
Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD Pipeline
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
 
Cybercrime and the developer 2021 style
Cybercrime and the developer 2021 styleCybercrime and the developer 2021 style
Cybercrime and the developer 2021 style
 
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingShowing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
 
Final Report_213110090
Final Report_213110090Final Report_213110090
Final Report_213110090
 
Continuous integration
Continuous integrationContinuous integration
Continuous integration
 
Securing a great DX - DevSecOps Days Singapore 2018
Securing a great DX - DevSecOps Days Singapore 2018Securing a great DX - DevSecOps Days Singapore 2018
Securing a great DX - DevSecOps Days Singapore 2018
 
Securing Underprotected APIs - Deja vu Security
Securing Underprotected APIs - Deja vu SecuritySecuring Underprotected APIs - Deja vu Security
Securing Underprotected APIs - Deja vu Security
 
From DevOps to NoOps how not to get Equifaxed Apidays
From DevOps to NoOps how not to get Equifaxed ApidaysFrom DevOps to NoOps how not to get Equifaxed Apidays
From DevOps to NoOps how not to get Equifaxed Apidays
 
6 ways DevOps helped PrepSportswear move from monolith to microservices
6 ways DevOps helped PrepSportswear move from monolith to microservices6 ways DevOps helped PrepSportswear move from monolith to microservices
6 ways DevOps helped PrepSportswear move from monolith to microservices
 
BsidesMCR_2016-what-can-infosec-learn-from-devops
BsidesMCR_2016-what-can-infosec-learn-from-devopsBsidesMCR_2016-what-can-infosec-learn-from-devops
BsidesMCR_2016-what-can-infosec-learn-from-devops
 
Teaching Elephants to Dance (and Fly!) A Developer's Journey to Digital Trans...
Teaching Elephants to Dance (and Fly!) A Developer's Journey to Digital Trans...Teaching Elephants to Dance (and Fly!) A Developer's Journey to Digital Trans...
Teaching Elephants to Dance (and Fly!) A Developer's Journey to Digital Trans...
 
Broken by design (Danny Fullerton)
Broken by design (Danny Fullerton)Broken by design (Danny Fullerton)
Broken by design (Danny Fullerton)
 
Maturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
 

Plus de Nick Galbreath

DevOpsDays Austin 2013 Reading List
DevOpsDays Austin 2013 Reading ListDevOpsDays Austin 2013 Reading List
DevOpsDays Austin 2013 Reading ListNick Galbreath
 
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013Nick Galbreath
 
SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013
SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013
SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013Nick Galbreath
 
Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Nick Galbreath
 
libinjection and sqli obfuscation, presented at OWASP NYC
libinjection and sqli obfuscation, presented at OWASP NYClibinjection and sqli obfuscation, presented at OWASP NYC
libinjection and sqli obfuscation, presented at OWASP NYCNick Galbreath
 
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forumlibinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open ForumNick Galbreath
 
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012Nick Galbreath
 
Time tested php with libtimemachine
Time tested php with libtimemachineTime tested php with libtimemachine
Time tested php with libtimemachineNick Galbreath
 
libinjection: a C library for SQLi detection, from Black Hat USA 2012
libinjection: a C library for SQLi detection, from Black Hat USA 2012libinjection: a C library for SQLi detection, from Black Hat USA 2012
libinjection: a C library for SQLi detection, from Black Hat USA 2012Nick Galbreath
 
New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20Nick Galbreath
 
Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012Nick Galbreath
 
Slide show font sampler, black on white
Slide show font sampler, black on whiteSlide show font sampler, black on white
Slide show font sampler, black on whiteNick Galbreath
 
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012Nick Galbreath
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012Nick Galbreath
 

Plus de Nick Galbreath (14)

DevOpsDays Austin 2013 Reading List
DevOpsDays Austin 2013 Reading ListDevOpsDays Austin 2013 Reading List
DevOpsDays Austin 2013 Reading List
 
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
 
SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013
SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013
SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013
 
Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA Rebooting Software Development - OWASP AppSecUSA
Rebooting Software Development - OWASP AppSecUSA
 
libinjection and sqli obfuscation, presented at OWASP NYC
libinjection and sqli obfuscation, presented at OWASP NYClibinjection and sqli obfuscation, presented at OWASP NYC
libinjection and sqli obfuscation, presented at OWASP NYC
 
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forumlibinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
 
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
 
Time tested php with libtimemachine
Time tested php with libtimemachineTime tested php with libtimemachine
Time tested php with libtimemachine
 
libinjection: a C library for SQLi detection, from Black Hat USA 2012
libinjection: a C library for SQLi detection, from Black Hat USA 2012libinjection: a C library for SQLi detection, from Black Hat USA 2012
libinjection: a C library for SQLi detection, from Black Hat USA 2012
 
New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20New techniques in sql obfuscation, from DEFCON 20
New techniques in sql obfuscation, from DEFCON 20
 
Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012Data Driven Security, from Gartner Security Summit 2012
Data Driven Security, from Gartner Security Summit 2012
 
Slide show font sampler, black on white
Slide show font sampler, black on whiteSlide show font sampler, black on white
Slide show font sampler, black on white
 
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
 

Fixing security by fixing software development

  • 1. Fixing Security by Fixing Software Development Using Continuous Deployment Nick Galbreath, VP Eng IPONWEB, http://www.iponweb.com/ @ngalbreath http://www.client9.com/ May 14-15, San Francisco, California
  • 2. Follow Along Latest version posted online:   http://slidesha.re/144OIv3 http://www.client9.com/
  • 3. Nick Galbreath (@ngalbreath) ! Spoken at Black Hat, DEFCON, OWASP ! Author of libinjection: advanced SQLi detection used in > 2 WAFs, 1 Honeypot ! Book on cryptography ! but really... ! Engineering Management and Software Development for high growth startups. ! Personal site http://www.client9.com/
  • 4. IPONWEB ! customized online advertising infrastructure and exchanges ! engineering offices in Moscow, with business offices in London, New York and Tokyo.
  • 5. Original Abstract Fixing Security by Fixing Software Development Using Continuous Deployment Do you have an effective release cycle? Is your process long and archaic? Long release cycle are typically based on assumptions we haven't seen since the 1980s and require very mature organizations to implement successfully. They can also disenfranchise developers from caring or even knowing about security or operational issues. Attend this session to learn more about an alternative approach to managing deployments through Continuous Deployment, otherwise known as Continuous Delivery. Find out how small, but frequent changes to the production environment can transform an organization’s development process to truly integrate security. Learn how to get started with continuous deployment and what tools and process are needed to make implementation within your organization a (security) success.
  • 6. Well that's a bold statement... "Fixing Security by Fixing Development Using Continuous Deployment"
  • 7. and here's another For web applications, our release-based software development lifecycle is still based on a pre-Internet model and is harmful to organizations and
 particularly harmful for security.
  • 8. What needs fixing? ! SQLi dropped from #8 to #14 in the latest White Hat "The State of Web Security" report. Good news, right? ! This means SQLi is only 7% of websites. That's 1 in 15. And this is #14 vulnerability! ! And time to fix was on average 196 days. 
 That's embarrassing. Veracode claims 32% of incoming web applications have SQLi
 https://info.veracode.com/state-of-software-security-report-volume5.html https://reg.whitehatsec.com/WPstats0513
  • 9. Even worse... ! Number 1 driver to fix security problems...
 compliance. ! Number 1 reason to not fix security is...
 compliance. ! Not.. ! keeping our employees and customers safe ! protecting corporate interests. ! improving quality ! being good at what we do.
  • 10. Security Products #1 .. in security bugs VeraCode: State of Software Security, V4 December 2011
  • 11. Let's Just Give Up ! “You could spend all your resources chasing such things as this,” William Ribich, the former president of Technology Solutions Group [ QintelIQ ], said in an interview in January. Ribich, who retired in November 2009, shortly after the discovery of a major data theft, said he needed to balance the uncertain risk that the hackers could use what they stole against a growing shopping list of security products and consulting fees. ! "You finally have to reach a point where you say
 ’let’s move on,’” he said. http://www.bloomberg.com/news/2013-05-01/china-cyberspies-outwit-u-s-stealing-military-secrets.html
  • 12. I would call that broken ! But preventing SQLi isn't a technically hard problem. ! And most security patches are very small. ! How did we get here?
  • 13. Software Product Model ! Code flows between functional groups ! Product Managers spec code ! Engineers write code ! QA engineers tests code ! Release engineers package code ! Operations runs code ! ... and Security does something too.
  • 14. High Distribution Cost ! The Software Product Model is designed for software where the cost of distribution is high. "High" might be financial, risk, time, resources, customer annoyance. ! Retail, physical product, CD/DVD ! Embedded of Exotic Hardware ! Safety, Medical or Defense Systems ! Operating Systems (desk or phone) ! Homework (1-time deploy)
  • 17. Web Applications Year 2000 ! Mostly followed Software Product Model since that's all we knew. ! High barrier to entry ! Specialized Hardware, Software and People needed to get started. ! Lots of engineering needed to keep things running. ! (side note: CERT/CVE started in 1999)
  • 18. True Story #1 ! "Can't push out the spelling error fix – it's too risky" ! "That code as already been through QA, it's locked down." ! "Product has to prioritize that change, else we aren't touching it."
  • 19. True Story #2 ! We'll do an iteration, where we try to fix as many things as possible. ! This won't be a scheduled iteration, it will be done because things are so bad ! So the spelling error will get fixed... 
 uhh, who knows when.
  • 20. Web Applications 2013 ! Almost no barrier to entry ! Commodity hardware ! Programming not that hard ! Scaling problems can 
 be mostly outsourced
 (mostly)
  • 21. Cost of Distribution 2013 ! Frequently no compile step
 or it's very fast. ! Moving to production a few kilobytes or megabytes of code over 1Gbps, 10Gbps link. ! In other words... free
  • 22. Failure is very different however ! Most web applications are data-driven. ! Frequently have social features, APIs, user-generated content. ! Failures might be due to algorithmic problems... but... ! Most likely to due to user input, bad data in database or operational load. ! this means data in past can cause problems in the future.
  • 23. Releases and Problems ! When a web-release goes out, and has problems.... ! Next week is spent tracking down who changed what, where. ! Re-QA ! Re-Push ! meanwhile new code is piling up.
  • 24. When SPM meets Web Apps ! A long time between code being written and code being released. ! Might be weeks or months ! Feedback loop between code-in-dev and code-in-production is broken ! When security or bug reports come in, the author is likely on a different project.
  • 25. Hypothesis ! It is impossible to simulate the production environment in development, either due to operational differences or data differences. ! No amount of QA or Security Testing can prove you don't have bugs, vulnerabilities, or cause severe operational problems. ! You have bugs and vulnerabilities,
 right now, in your application.
  • 26. Impedance Mismatch ! Easy to write code, + ! Long release cycles + ! Security as an end-of-line or out of band process == ! no one cares
  • 27. So the Answer is... ! Going slower? I'm sure your boss will love that suggestion ! More steps and process? In other words, slower. ! Asking for more people? Sure but good luck hiring them. Doesn't scale. ! Asking for more products? Since the others have worked so well.
  • 28. Continuous Deployment ! Also known as Continuous Delivery. ! A System of Software Production Characterized by Numerous Small Changes the Production Environment, initiated by the author of the change. You change it, you push it to prod.
  • 30. "Writing Software" ! Software Developers think their job is writing software. ! And so, they love to make things perfect before anyone else sees it. ! Impolite: "data hiding" ! code is hiding on developer's computer ! or on some branch ! in other words invisible until it's ready.
  • 31. Actually ! The software engineer's job is actually writing running software, that works well. ! This idea is so alien, that companies have to remind the engineers of this.
  • 32. Rackspace Haiku writing code is hard
 if you cannot deploy it does not matter @paulvx from DevOpsDays Austin 2013
  • 33. Facebook "Move Fast and 
 Break Things.... Except "Push" (deployment system) via http://mitadmissions.org/blogs/entry/ move_fast_and_break_things
  • 35. Today's goal ! but for today the goal is getting the developer to care about their code
 in production. ! If you don't have that, I don't think you can really solve security problems.
  • 36. How does this work? ! Really? Developers push their own code out? ! How is this not a disaster. ! How is this not a security disaster?
  • 37. The Deploy Button ! What is you had a button that said
 "DEPLOY" ! That pushed to production, whatever is current in your source control system. ! And took about a minute ! The change and who pressed the button is logged, but that's it.
  • 38. Part 1: Fear ! No one is going to push it ;-) ! Meanwhile code is piling up Real example: A new hire I had at Etsy was afraid 
 of deploying an HTML change that they made. "But I don't want to break the site!"
  • 39. Part 2: First Push ! Someone brave will press the button ! And very likely the site will explode, and a rollback will need to be done. ! They'll know since someone else will have told them.
  • 40. Part 3: With Graphs ! Let's get all those operational graphs out in the open. And put them right next to the button.
  • 41. Part 4: Push #2 ! Repush ! Site might still explode ! But the developer is aware and can rollback.
  • 42. Take 5: Isolation ! Hmmm, the developer notices that in the change set, a million things are going out. ! Maybe just pushing out a smaller change will help isolate the issue.
  • 43. Take 6: Success! ! Yes, the developer just pushed out some code and made the site better. ! The secret about continuous deployment is small changes that can be easily understood.
  • 44. Take 7: Dark Pushes ! Now we got some bugs fixed, let's push a feature. ! First let's push out all the supporting files. Since they aren't being called, they do nothing and are safe to push out. ! Now everyone can see them
  • 45. Take 8: Getting the feature live ! Instead of "all at once", we slowly ramp up a feature. ! if (user_id % 20 == 0):
 do new feature; ! we change change the percentage easily with another code push. ! or turn it down. Much nicer change log. ! While the site didn't explode, it's hard to see if the feature is being used or not.
  • 46. Take 9: Application Level Graphs ! Allow developers to instrument their code so they can see what is happening in production. ! Enter StatsD and other UDP-based tools ! Enter centralized logging and in- application method to make it easy to log problems.
  • 47. Take 10: Communication ! So far good for one developer. ! To scale up, you'll need a system to allow developers. ! IRC-like tools work well (e.g. "the push channel") – skype, jabber, hangouts, etc
  • 48. Along the way ! Expose production logs to developers ! Add in a staging-step where the code goes to faction of the cluster, so developers can test with real traffic ! Try to make development closer to prod. ! Make "smoke tests" to catch basic errors ! Add syntax checkers to eliminate obvious issues. ! Use static analysis to find bugs
  • 49. Mistakes will happen ! Do postmortem analysis ! Everyone thought they were doing the right thing at the time. ! "How can the environment be changed to prevent this" and build tools to enforce it. ! (Rarely can you truly change people)
  • 50. Sounds good, 
 but what about...
  • 51. That guy who pushes at 3am ! Courtesy and convention will converge very quickly when the site goes down at 3am and the developer starts getting calls ;-) ! Of hours pushes of course can happen, when they notify operations.
  • 52. What About Code Reviews? ! Yes, please do them. ! Nothing here prevents code reviews. ! In fact code reviews are easier since ! they are small ! they are in mainline not some branch
  • 53. What about Security Reviews ! Please do them. ! Nothing here eliminates architectural planning or review. ! This actually doesn't change the SDLC very much.
  • 54. What about Agile Methods ! (everyone seems to have a different idea of what Agile is but..) ! Agile methodologies typically work to improve the business spec / development cycle. (are you building what the customer wants) ! But doesn't address code deployment. ! They are complimentary practices.
  • 55. What about Customer Service? ! "Don't they freak out with all the changes?" ! Remember: deployment != feature release ! Most deployments do very little from the customer point of view ! Feature releases (frequently controlled by ramp-ups or flags) always needs to be coordinated with product and customer service.
  • 56. What about Compliance? PCI? ! Let me tell you about compliance... ! mechanism not policy
  • 58. Obvious Benefit to Security ! Security patches can go out quickly ! You know this since they are now just part of a normal development cycle.
  • 59. More Importantly ! That Engineer who previously didn’t push code is now sensitized that their code has consequences and are responsive and empowered to fix it. ! It’s amazing how interested engineers become in security when you find problems with their code when they are able to fix quickly themselves.
  • 60. Hack The Stack ! A side effect of this you now have tools to repurpose for security and
 monitoring of production ! Note that most changes are not security problems.
  • 61. Logging ! Due to allow developers to see application logging, it's now very easy to instrument the application to log security events. ! Or add logs to times when you are under attack.
  • 62. Graphing ! Make dashboards of ! SQLi and XSS attacks ! Every type of log-in failure ! Core Dumps ! Database Syntax Errors
  • 63. Static Analysis ! You now have a place to insert them. ! Work with QA group to add more code quality tests.
  • 64. Post-Commit Checks ! Alert on when sensitive areas of the code are changed (auth) ! Alert on crypto usage (why is developer using MD5.. hmmm) ! Alert your programming languages "dangerous functions" This allows you to engage the developer at the start of the cycle.
  • 65. Faster is Better ! You could do most of this in a normal release-cycle software lifecycle. ! The difference is you are finding problems at the start instead of 10m before the launch and telling everyone to stop. ! The feedback loop works.
  • 66. New Roles, Less Silos ! Developers: works with operations ! QA: works on building systems for testing, to empower others to write better tests ! Release Engineering: tools to enable code to flow faster ! Security: in-house consultancy, secure-by- default architecture, monitoring
  • 68. Goal: 50% reduction in deploy times times ! Whatever your state of deployment is, no matter how many people are involved, no matter how long it currently takes, make a goal of cutting it in half. ! This is an easy sell to management just on cost basis. ! Everything else flows from this.
  • 69. Mechanism not Policy ! Strive for the fastest deployment mechanism for possible ! But you define the "continuous" in Continuous Deployment ! Yes, Etsy was 60+ deploys per day, with each having multiple authors. ! Current gig? we have rules of no more than 3 per week since our customer have asked for that, and only deployed at "low-tide"
  • 71. In other contexts: Operations ! How fast can you deploy OS changes to you production environment?
  • 72. In other contexts: IT ! How fast can you deploy desktop changes?
  • 73. In other contexts: software product ! here "production" might be getting code into the main branch and running automated build / test. ! It's the flow of code: little changes vs big.
  • 74. In other contexts: silicon ! Continuous deployment already done for silicon! wut? ! Only small changes, with tests are allowed to be committed! ! Big changes are rejected.
 Learned the hard way that big changes are completely unmanageable
  • 77. Continuous Deployment Start with 50% Reduction Build the Deploy Button Nick Galbreath ★ @ngalbreath ★ nickg@client9.com ★ http://www.client9.com/ http://slidesha.re/144OIv3
  • 78. © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. Fixing Security by Fixing Software Development Using Continuous Deployment Nick Galbreath ★ @ngalbreath ★ http://www.client9.com ★ nickg@client9.com