Weaponizing Your DevOps Pipeline
OWASP MSP
Thursday, July 19th 2018
Eric Johnson (@emjohn20)
Eric Johnson, CISSP, AWS CD, GSSP, GWAPT

Puma Security
• Principal Security Engineer
• Modern static code analysis
• DevSecOps automation
• Secure Development Lifecycle

SANS Institute
• Certified Instructor
  – DEV541: Secure Coding in Java
  – DEV534: Secure DevOps
• Course Author
  – DEV531: Mobile App Security Essentials
  – DEV540: Secure DevOps & Cloud Application Security
  – DEV544: Secure Coding in .NET
©2018 – Puma Security, LLC
Roadmap
• The DevOps Problem
• DevSecOps Program
  – Pre-Commit
  – Commit
  – Acceptance
  – Production
  – Operations
• Conclusion
State of DevOps
The State of DevOps report (2017) indicates that high performing organizations:
• Deploy 46x more frequently
• Have 440x shorter lead times
• Recover from failures 96x faster
• Spend 50% less time remediating security issues

The DevOps Toolchain
The DevOps toolchain enabling these rapid delivery cycles (not inclusive):
Git, Jenkins, Docker, Artifactory, Puppet / Chef, Terraform, Kubernetes, Packer
State of Traditional Security
• External vendor performing annual assessments
• Internal security team receives 1,000 page PDF reports
• Internal security team manually running scanners, fuzzers, etc.
HPE | AppSec & DevOps Survey
• Published October 2016
• Release frequency up 30x
• 42% indicate silos still exist between Sec and DevOps
[Chart: "Security in DevOps"; categories SecDevOps, Gated Reviews, Network Defenses, Nothing; values shown 20%, 38%, 25%, 17%]
The Problem
• Security is not invited to the DevOps party
• Internal security team does not have development background
• Frequent deployments invalidate assessment results
• Missing a huge opportunity for security in the pipeline
Why The Cold Shoulder?
"DevOps is an excuse for developers to have global access to production. No way."
- The dictator CISO
"Perfect, I get to wire up crappy security scanners and break the build."
- The security jerk
"We cannot use continuous delivery and remain PCI compliant."
- The uninformed compliance manager
What is DevSecOps
DevSecOps / SecDevOps / DevOpsSec is about breaking down walls between security and:
• Development
• Operations
• Business
"In DevSecOps, security is a first-class problem and the security team is a first-class citizen."
- Jim Bird, CTO, SANS Analyst & DEV540 co-author
Keeping CALM & DevSecOps On
Applying security to Wills, Edwards, & Humble's CALMS:
• Culture - No security jerks (Etsy), turning "no" into "yes"
• Automation - Rely on security tools for efficiency + repeatability
• Lean - Apply lean engineering practices to risk assessments / code reviews
• Measurement - Use security data to drive decisions, improve, and respond in real time (or near real time)
• Sharing - Sharing threat intel, secure frameworks, and postmortems across the organization
DevSecOps Phases
• DevSecOps cycles through 5 key phases: Pre-Commit, Commit (CI), Acceptance, Production, Operations
• The SANS DevSecOps Toolchain lists several OSS tools for each phase
  – Written by Ben Allen, Jim Bird, Eric Johnson, & Frank Kim
  – https://sans.org/u/zAi
DevSecOps Security Controls
Breaking down the security controls in each DevSecOps phase:
• Pre-Commit: Threat Modeling, IDE Security Plugins, Pre-Commit Hooks, Peer Code Reviews
• Commit (CI): Static Code Analysis, Security Unit Tests, Container Security, Dependency Management
• Acceptance: Infrastructure Scanning, Dynamic Security Tests, Cloud Infrastructure, Security Acceptance Tests
• Production: Security Smoke Tests, Security Configuration, Secrets Management, Server Hardening
• Operations: Blameless Postmortems, Continuous Monitoring, Penetration Testing, Threat Intelligence
DevSecOps Phases | Pre-Commit
Applying security controls before code is written and committed. Pre-Commit controls: Threat Modeling, IDE Security Plugins, Pre-Commit Hooks, Peer Code Reviews.
Pre-Commit | Threat Modeling
Threat modeling must apply lean engineering principles:
• Lightweight and incremental review
• The source code is the design
• Focus on data classification, entry points, high risk code, and writing security stories / abuse cases
• Categorize the risk level (high risk, paved road, control gates)
Pre-Commit | Threat Modeling Tools
Weaponizing the toolchain:
• Raindance
  – https://github.com/devsecops/raindance
• Mozilla's Rapid Risk Assessment (RRA)
  – https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html
• OWASP Threat Dragon
  – https://www.owasp.org/index.php/OWASP_Threat_Dragon
Pre-Commit | High Risk Code Examples
High risk code may perform any of the following functionality (not inclusive):
• Infrastructure code
• Pipeline definitions
• Authentication
• Access control
• Output encoding
• Input validation
• Automated security / compliance tests
• High risk business logic
• Data entitlement checks
• Handling confidential data
• Cryptography
Pre-Commit | Threat Modeling Example
Mozilla's rapid risk assessment guidance and Google Doc provide a blueprint for 30 minute RRAs.
Pre-Commit | IDE Security Plugins
Opportunity to identify vulnerabilities in infrastructure and application code as code is written or saved to disk:
• Security becomes part of the engineering workflow
• Shifting as far left as possible in the kill chain
• Must have low false positive rates (important)
Pre-Commit | IDE Security Tools
Weaponizing the toolchain:
• FindSecurityBugs (Java)
• Puma Scan (C#)
• Sonar Lint (Java, C#, JavaScript)
• DevSkim (C#, JavaScript)
Pre-Commit | IDE Security Example
Puma Scan identifying a JSON deserialization vulnerability.
Pre-Commit | Git Hooks
Run security checkers before committing code to git:
• Invoke additional CLI scans / security checks before code reaches continuous integration
• Use for secrets management, keys, access keys, etc.
• Important to note these client-side protections can be disabled by engineers
Pre-Commit | Git Hook Tools
Weaponizing the toolchain:
• AWS Labs git-secrets
  – https://github.com/awslabs/git-secrets
• Talisman
  – https://github.com/thoughtworks/talisman
• Auth0 repo-supervisor
  – https://github.com/auth0/repo-supervisor
• Yelp Pre-Commit Framework
  – https://pre-commit.com/
Pre-Commit | Git Hook Example
AWS git-secrets blocking a commit that contains an access key ID and secret key:

$ git commit -m "testing git-secrets"
Web/PumaScan.Licensing.Web/appsettings.json:5: "AccessKey": "AKIAJNQ7C2FCRR6B4VWA",
Web/PumaScan.Licensing.Web/appsettings.json:6: "SecretKey": "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"
[ERROR] Matched one or more prohibited patterns
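The same check can be written as a pre-commit hook of your own. The script below is an added example, not the slides' or the git-secrets project's code: it reads the staged copy of every added or modified file, scans each line for an AWS access key ID and for a 40-character secret assigned to a key-like name, prints the path:line of each hit in the same shape as the git-secrets output above, and exits non-zero so git refuses the commit. The two patterns, the rule names and the allow-list of AWS's documented placeholder credentials are assumptions; the strings in the test are constructed.

```python
"""Pre-commit hook: refuse commits whose staged content contains AWS credentials.

Added example (not the slides' or git-secrets' code). The two patterns are
assumptions modelled on the values shown on the slide: an access key ID is
"AKIA" followed by 16 upper-case alphanumerics, a secret key is a 40-character
base64-style string assigned to a name containing "secret ... key".
"""
import re
import subprocess
import sys

ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])AKIA[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_KEY_RE = re.compile(
    r"""(?i)(?:aws_?)?secret(?:_?access)?_?key["']?\s*[:=]\s*["']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"""
)

# AWS's documented placeholder credentials: allowed so docs and tests may cite them.
ALLOWED = {"AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}


def scan_text(text, path="<stdin>"):
    """Return [(path, line_number, rule)] for every prohibited pattern in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            if m.group(0) not in ALLOWED:
                findings.append((path, lineno, "aws-access-key-id"))
        for m in SECRET_KEY_RE.finditer(line):
            if m.group(1) not in ALLOWED:
                findings.append((path, lineno, "aws-secret-access-key"))
    return findings


def staged_files():
    """Paths added, copied or modified in the index (assumes a git checkout)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [p for p in out.splitlines() if p]


def staged_content(path):
    """The staged version of `path` (from the index, not the working tree)."""
    return subprocess.run(
        ["git", "show", f":{path}"], check=True, capture_output=True, text=True
    ).stdout


def main():
    findings = []
    for path in staged_files():
        findings.extend(scan_text(staged_content(path), path))
    for path, lineno, rule in findings:
        print(f"{path}:{lineno}: matched prohibited pattern {rule}", file=sys.stderr)
    if findings:
        print("[ERROR] Matched one or more prohibited patterns", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Save it as `.git/hooks/pre-commit` (or register it with the pre-commit framework on the next slide). As the slide notes, a hook is a client-side control that an engineer can skip (`git commit --no-verify`), so the same scan belongs in the CI pipeline as well.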
Pre-Commit | Peer Reviews
Peer code reviews are mandatory in disciplined DevSecOps organizations:
• Allows engineers to discover hard-coded secrets, logic flaws in high risk code, backdoors
• Compensating control for separation of duties in continuous deployment
• Relies on the reviewer's application security skillset
Pre-Commit | Peer Review Toolchain
Weaponizing the toolchain:
• GitHub Pull Request
• GitLab Merge Request
• Bitbucket Pull Request
• Gerrit (Google)
• Review Board
  – https://github.com/reviewboard/reviewboard
Pre-Commit | Peer Review Example
GitHub pull request requiring peer review approval.
DevSecOps Phases | Commit
Applying automated, fast, accurate security controls in the CI pipeline. Commit (CI) controls: Static Code Analysis, Security Unit Tests, Container Security, Dependency Management.
Commit | Static Code Analysis
Limited opportunity for static analysis in CI & CD pipelines:
• Speed matters (< 5 minutes)
• High accuracy rules
• Low false positive rates
• Disable rules that do not provide value to engineers
Commit | Static Code Analysis Tools
Weaponizing the toolchain:
• Brakeman (Ruby)
• ESLint (NodeJS)
• Puma Scan (C#)
• FindSecurityBugs (Java)
• Puppet Lint Security
• And many, many commercial offerings…
Commit | Static Code Analysis Example
Puma Scan failing a build in a Jenkins CI pipeline.

Commit | Static Code Analysis Example
Capturing and reporting vulnerability data in a Jenkins CI pipeline.
Commit | Security Unit Tests
Built on top of standard unit and integration tests to enforce security requirements:
• Leverage abuse cases and evil user stories from rapid risk assessment
• Focus on high risk code and business logic flaws
• Fast execution in the IDE / CI pipeline
• Can be used to enforce security requirements
Commit | Security Unit Test Tools
Weaponizing the toolchain:
• JUnit
• XUnit
• Mocha (NodeJS)
• RSpec
Commit | Happy Path Unit Test Example
• Engineers often stay on the "happy path"
• Prove the code works under normal usage

[Theory]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", "1", HttpStatusCode.Found)]
public async Task License_DownloadTest(string username, string password, string id, HttpStatusCode responseCode)
{
    // … login with username / password and capture the session cookie into authCookie (elided on the slide)
    var request = new HttpRequestMessage(HttpMethod.Get, $"/download/{id}");
    // Attach the session cookie (C# string interpolation: {authCookie})
    request.Headers.Add("Cookie", $"app-portal={authCookie};");
    var response = await _client.SendAsync(request);
    Assert.Equal(responseCode, response.StatusCode);
}
Commit | Validation Unit Test Example
Testing common SQL injection characters:

[Theory]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", "'", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", "*", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", ")", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", ",", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", ";", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", "#", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", "&", HttpStatusCode.NotFound)]
public async Task License_DownloadTest(string username, string password, string id, HttpStatusCode responseCode)
{
    // … login with username / password and capture the session cookie into authCookie (elided on the slide)
    var request = new HttpRequestMessage(HttpMethod.Get, $"/download/{id}");
    // Attach the session cookie (C# string interpolation: {authCookie})
    request.Headers.Add("Cookie", $"app-portal={authCookie};");
    var response = await _client.SendAsync(request);
    // Every injection character must produce NotFound: no server error, no file
    Assert.Equal(responseCode, response.StatusCode);
}
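The happy-path and validation tests above are xUnit theories that drive the deployed application over HTTP. As an added example (not the slides' code), the Python below puts the same two test tables in front of a small in-process handler backed by sqlite3 so they run offline: the handler allow-lists numeric ids before touching the database, uses a parameterised query instead of string concatenation, and checks ownership, so the abuse table can also cover the data-entitlement case (another user asking for bob's license). download_license, the licenses table, the constructed row and the status constants are assumptions.

```python
"""Security unit tests for a license download endpoint.

Added example, not the slides' xUnit code. The slides drive the deployed app
over HTTP; here the endpoint is an in-process function backed by sqlite3 so
the happy-path table and the abuse-case table run offline. download_license,
the licenses table, the constructed row and the status constants are
assumptions.
"""
import sqlite3

HTTP_FOUND = 302      # the slides' HttpStatusCode.Found: redirect to the license file
HTTP_NOT_FOUND = 404  # HttpStatusCode.NotFound


def build_db():
    """Constructed sample data: bob owns license 1."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE licenses (id INTEGER PRIMARY KEY, owner TEXT, path TEXT)")
    conn.execute("INSERT INTO licenses VALUES (1, 'bob@app.com', '/files/license-1.lic')")
    conn.commit()
    return conn


def download_license(conn, user, raw_id):
    """Return (status, location) for GET /download/{raw_id} requested by `user`.

    Input validation is an allow-list (ids are decimal digits only) applied
    before any database access, the query is parameterised rather than
    concatenated, and the owner check enforces data entitlement.
    """
    if not raw_id.isdigit():
        return HTTP_NOT_FOUND, None
    row = conn.execute(
        "SELECT path FROM licenses WHERE id = ? AND owner = ?",
        (int(raw_id), user),
    ).fetchone()
    if row is None:  # unknown id, or a license that belongs to someone else
        return HTTP_NOT_FOUND, None
    return HTTP_FOUND, row[0]


# Happy path (the slides' first InlineData row): a valid id returns Found.
HAPPY_PATH_CASES = [("bob@app.com", "1", HTTP_FOUND)]

# Abuse cases: the SQL injection characters from the slides' validation test,
# plus an empty id and another user asking for bob's license. Every one must
# be NotFound: never a server error, never a redirect to the file.
ABUSE_CASES = [("bob@app.com", c, HTTP_NOT_FOUND) for c in ["'", "*", ")", ",", ";", "#", "&"]]
ABUSE_CASES += [("bob@app.com", "", HTTP_NOT_FOUND), ("alice@app.com", "1", HTTP_NOT_FOUND)]


def run_cases(cases):
    """Run each (user, id, expected_status) row; return the rows that failed."""
    conn = build_db()
    failures = []
    for user, raw_id, expected in cases:
        status, _ = download_license(conn, user, raw_id)
        if status != expected:
            failures.append((user, raw_id, expected, status))
    return failures


if __name__ == "__main__":
    for name, cases in (("happy path", HAPPY_PATH_CASES), ("abuse cases", ABUSE_CASES)):
        failed = run_cases(cases)
        print(f"{name}: {len(cases) - len(failed)}/{len(cases)} passed", failed or "")
```

Keeping the abuse table next to the happy-path table is the point of the slides' pattern: the same theory method, one more row per evil user story from the rapid risk assessment.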
Commit | High Risk Code Unit Test Example
Verifying checksums on high risk code:

[Theory]
[InlineData("/Web/Controllers/AccountController.cs", "2ffbf33b66ddb07616f882ceed0718826af298a7")]
[InlineData("/Shared/Services/Cryptography/Hash.cs", "d51bfd137d37a7ed908737552568bcc5241f5021")]
[InlineData("/Shared/Services/Cryptography/Asymmetric.cs", "fe83bf6f453698c5f78cab167bca14c72daf32c0")]
[InlineData("/Shared/Services/Cryptography/Symmetric.cs", "ae951207f4fbdbe2d9661297f285dc99857f32d4")]
public void HighRiskCode_CheckSumTest(string file, string checksum)
{
    // Re-hash the file and compare against the checksum recorded at the last review
    bool match = checksum.Equals(Hash.GetChecksum(file));
    // A changed high risk file triggers a code review request before the test fails the build
    if (!match) NotificationService.RequestCodeReview(file);
    Assert.True(match);
}
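The same control in Python, as an added example (not the slides' C#): a manifest maps each high risk file to the checksum recorded at its last review, the test re-hashes every file, requests a review for each mismatch and fails if any file changed. SHA-256 is used here as an assumption (the slides show 40-hex digests); the file paths reuse the slides' examples but their contents and checksums are constructed in a temporary directory, and REVIEW_REQUESTS stands in for the slides' NotificationService.

```python
"""High risk code checksum test.

Added example, not the slides' xUnit code. verify_high_risk_code, the
constructed file contents and the SHA-256 choice are assumptions; the file
paths are the ones shown on the slide.
"""
import hashlib
import tempfile
from pathlib import Path


def get_checksum(path):
    """SHA-256 hex digest of a file's bytes, streamed so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_high_risk_code(root, manifest):
    """Return [(relative_path, expected, actual)] for each file whose checksum
    differs from the manifest; a deleted file is reported as '<missing>'."""
    mismatches = []
    for rel, expected in manifest.items():
        p = Path(root) / rel
        actual = get_checksum(p) if p.is_file() else "<missing>"
        if actual != expected:
            mismatches.append((rel, expected, actual))
    return mismatches


REVIEW_REQUESTS = []  # stand-in for the slides' NotificationService


def request_code_review(rel):
    """Record that a reviewer must look at `rel` (a real system would open a ticket)."""
    REVIEW_REQUESTS.append(rel)


def build_sample_tree():
    """Constructed high risk files plus a manifest of their current checksums."""
    root = Path(tempfile.mkdtemp())
    files = {
        "Web/Controllers/AccountController.cs": "public class AccountController {}\n",
        "Shared/Services/Cryptography/Hash.cs": "public static class Hash {}\n",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    manifest = {rel: get_checksum(root / rel) for rel in files}
    return root, manifest


def high_risk_code_checksum_test(root, manifest):
    """The unit test: request a review for every changed file, then pass only
    if nothing changed. Returns True when the build may proceed."""
    mismatches = verify_high_risk_code(root, manifest)
    for rel, _, _ in mismatches:
        request_code_review(rel)
    return not mismatches


if __name__ == "__main__":
    root, manifest = build_sample_tree()
    print("untouched tree passes:", high_risk_code_checksum_test(root, manifest))
    (root / "Shared/Services/Cryptography/Hash.cs").write_text("// edited without review\n")
    print("after edit passes:", high_risk_code_checksum_test(root, manifest), REVIEW_REQUESTS)
```

The manifest is updated only as part of the review that approves a change to one of these files, so an unreviewed edit to authentication or cryptography code turns the build red and pages a reviewer at the same time.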
Commit | Container Security
Containers present an entirely new attack surface for engineering teams to deal with:
• Managing container secrets
• Poisoned / untrusted images
• Hardening image operating system
• Docker daemon / API attack surface
• This topic alone is an hour+ conversation
Commit | Container Security Tools
Weaponizing the toolchain:
• Anchore
  – https://anchore.com/opensource/
• Actuary
  – https://github.com/diogomonica/actuary
• Clair
  – https://github.com/coreos/clair
• Falco
  – https://github.com/draios/falco
Commit | Container Security Scan Example
Anchore scan results via Jenkins CI.
Commit | Dependency Management
Builds a bill of materials from operating system and application dependencies:
• Scans manifests, templates, and libraries
• Identifies packages and libraries with known vulnerabilities
• Suggests package version updates to remediate vulnerabilities
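The three bullets are the whole loop of a dependency check, and the added example below (not the slides' code and not OWASP Dependency Check's) walks through it in Python: parse a pinned pip-style manifest into a bill of materials, match every package against an advisory list by affected version range, and report the smallest fixed version that clears all matching advisories. The manifest, the advisory entries and their ids (ADVISORY-PLACEHOLDER-n) are constructed for the example; real tools pull the advisory data from a vulnerability database.

```python
"""Dependency management check: bill of materials -> known vulnerabilities -> upgrade advice.

Added example, not the slides' or any scanner's code. The manifest, the
advisory list and the ADVISORY-PLACEHOLDER ids are constructed.
"""
import re

# Accept only exact pins ("name==1.2.3", optional trailing comment); anything
# else is rejected so the bill of materials is unambiguous.
MANIFEST_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(?:#.*)?$")


def parse_version(v):
    """'1.2.10' -> (1, 2, 10) so versions compare numerically, not as strings.
    Non-numeric suffixes compare as 0 (an assumption that suits pinned releases)."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts)


def build_bom(manifest_text):
    """Bill of materials: {package_name_lowercased: pinned_version}."""
    bom = {}
    for line in manifest_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned or unparseable requirement: {line!r}")
        bom[m.group(1).lower()] = m.group(2)
    return bom


# Constructed advisories: a package is affected from `introduced` (inclusive)
# up to `fixed` (exclusive).
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "examplelib", "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "examplelib", "introduced": "0.0.0", "fixed": "2.0.1"},
    {"id": "ADVISORY-PLACEHOLDER-3", "package": "otherpkg", "introduced": "3.0.0", "fixed": "3.1.0"},
]


def find_vulnerable(bom, advisories=ADVISORIES):
    """Return {package: {"version", "advisories", "upgrade_to"}} for affected packages.
    upgrade_to is the smallest version that clears every matching advisory, i.e.
    the largest of their `fixed` bounds."""
    findings = {}
    for name, version in bom.items():
        v = parse_version(version)
        hits = [
            a for a in advisories
            if a["package"] == name
            and parse_version(a["introduced"]) <= v < parse_version(a["fixed"])
        ]
        if hits:
            findings[name] = {
                "version": version,
                "advisories": [a["id"] for a in hits],
                "upgrade_to": max((a["fixed"] for a in hits), key=parse_version),
            }
    return findings


SAMPLE_MANIFEST = """\
# constructed requirements.txt for the example
examplelib==1.3.0
otherpkg==3.2.0
safelib==0.9.1
"""

if __name__ == "__main__":
    bom = build_bom(SAMPLE_MANIFEST)
    for pkg, f in find_vulnerable(bom).items():
        print(f"{pkg}=={f['version']} affected by {', '.join(f['advisories'])}; upgrade to >= {f['upgrade_to']}")
```

In a CI job the findings dictionary is what fails the build; the "upgrade_to" field is the remediation the third bullet asks for, and the strict-pin parser is deliberate: a floating requirement cannot be matched against an advisory range with any confidence.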
Commit | Dependency Management Tools
Weaponizing the toolchain:
• OWASP Dependency Check
• PHP Security Checker
• Retire.JS
• Node Security Project
Commit | Dependency Management Example
Dependency check scan results via Jenkins CI.
DevSecOps Phases | Acceptance
Applying security controls during delivery of infrastructure or applications to acceptance. Acceptance controls: Infrastructure Scanning, Dynamic Security Tests, Cloud Infrastructure, Security Acceptance Tests.
DevSecOps Phases | Production
Applying security controls during deployment of infrastructure or applications to production. Production controls: Security Smoke Tests, Security Configuration, Secrets Management, Server Hardening.
DevSecOps Phases | Operations
Continuous security monitoring, testing, and compliance checks in production. Operations controls: Blameless Postmortems, Continuous Monitoring, Penetration Testing, Threat Intelligence.
Puma Scan | Black Hat Arsenal 2018
• Open source security source code analyzers
• 50+ application security-specific rules
• Install guide, rule docs, source code:
  – https://www.pumascan.com/community
  – https://github.com/pumasecurity
  – @puma_scan
• Presenting Wednesday August 8th at Black Hat Arsenal
  – https://www.blackhat.com/us-18/arsenal/schedule/#puma-scan-12003
Questions?
Contact Info:
eric.johnson@pumascan.com
@emjohn20

 
Cloud Security: Attacking The Metadata Service v2
Cloud Security: Attacking The Metadata Service v2Cloud Security: Attacking The Metadata Service v2
Cloud Security: Attacking The Metadata Service v2
 
Cloud Security: Attacking The Metadata Service
Cloud Security: Attacking The Metadata ServiceCloud Security: Attacking The Metadata Service
Cloud Security: Attacking The Metadata Service
 
DevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security SuccessDevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security Success
 
Continuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma ScanContinuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma Scan
 

Dernier

Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecturerahul_net
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonApplitools
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolsosttopstonverter
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Rob Geurden
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingShane Coughlan
 
Strategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsStrategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsJean Silva
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...OnePlan Solutions
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...OnePlan Solutions
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesKrzysztofKkol1
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Developmentvyaparkranti
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesVictoriaMetrics
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...Bert Jan Schrijver
 

Dernier (20)

Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecture
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + KobitonLeveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
Leveraging AI for Mobile App Testing on Real Devices | Applitools + Kobiton
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration tools
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
 
Strategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero resultsStrategies for using alternative queries to mitigate zero results
Strategies for using alternative queries to mitigate zero results
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Development
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 Updates
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
 

Weaponizing Your DevOps Pipeline

9. Why The Cold Shoulder?
"DevOps is an excuse for developers to have global access to production. No way." - The dictator CISO
"Perfect, I get to wire up crappy security scanners and break the build." - The security jerk
"We cannot use continuous delivery and remain PCI compliant." - The uninformed compliance manager

10. What is DevSecOps?
DevSecOps / SecDevOps / DevOpsSec is about breaking down walls between security and:
• Development
• Operations
• Business
"In DevSecOps, security is a first-class problem and the security team is a first-class citizen." - Jim Bird, CTO, SANS Analyst & DEV540 co-author

11. Roadmap
• The DevOps Problem
• DevSecOps Program: Pre-Commit, Commit, Acceptance, Production, Operations
• Conclusion

12. Keeping CALM & DevSecOps On
Applying security to Willis, Edwards, & Humble's CALMS:
• Culture - No security jerks (Etsy), turning "no" into "yes"
• Automation - Rely on security tools for efficiency + repeatability
• Lean - Apply lean engineering practices to risk assessments / code reviews
• Measurement - Use security data to drive decisions, improve, and respond in real time (or near real time)
• Sharing - Sharing threat intel, secure frameworks, and postmortems across the organization

13. DevSecOps Phases
• DevSecOps cycles through 5 key phases: Pre-Commit, Commit (CI), Acceptance, Production, Operations
• SANS DevSecOps Toolchain lists several OSS tools for each phase – written by Ben Allen, Jim Bird, Eric Johnson, & Frank Kim
• https://sans.org/u/zAi

14. DevSecOps Security Controls
Breaking down the security controls in each DevSecOps phase:
• Pre-Commit: threat modeling, IDE security plugins, pre-commit hooks, peer code reviews
• Commit (CI): static code analysis, security unit tests, container security, dependency management
• Acceptance: infrastructure scanning, dynamic security tests, cloud infrastructure, security acceptance tests
• Production: security smoke tests, security configuration, secrets management, server hardening
• Operations: blameless postmortems, continuous monitoring, penetration testing, threat intelligence

15. DevSecOps Phases | Pre-Commit
Applying security controls before code is written and committed.

16. Pre-Commit | Threat Modeling
Threat modeling must apply lean engineering principles:
• Lightweight and incremental review
• The source code is the design
• Focus on data classification, entry points, high risk code, and writing security stories / abuse cases
• Categorize the risk level (high risk, paved road, control gates)

17. Pre-Commit | Threat Modeling Tools
Weaponizing the toolchain:
• Raindance – https://github.com/devsecops/raindance
• Mozilla's Rapid Risk Assessment (RRA) – https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html
• OWASP Threat Dragon – https://www.owasp.org/index.php/OWASP_Threat_Dragon

18. Pre-Commit | High Risk Code Examples
High risk code may perform any of the following functionality (not inclusive):
• Infrastructure code
• Pipeline definitions
• Authentication
• Access control
• Output encoding
• Input validation
• Automated security / compliance tests
• High risk business logic
• Data entitlement checks
• Handling confidential data
• Cryptography

19. Pre-Commit | Threat Modeling Example
Mozilla's rapid risk assessment guidance and Google Doc provide a blueprint for 30 minute RRAs.

20. Pre-Commit | IDE Security Plugins
Opportunity to identify vulnerabilities in infrastructure and application code as code is written or saved to disk:
• Security becomes part of the engineering workflow
• Shifting as far left as possible in the kill chain
• Must have low false positive rates (important)

21. Pre-Commit | IDE Security Tools
Weaponizing the toolchain:
• FindSecurityBugs (Java)
• Puma Scan (C#)
• SonarLint (Java, C#, JavaScript)
• DevSkim (C#, JavaScript)

22. Pre-Commit | IDE Security Example
Puma Scan identifying a JSON deserialization vulnerability.

23. Pre-Commit | Git Hooks
Run security checkers before committing code to git:
• Invoke additional CLI scans / security checks before code reaches continuous integration
• Use for secrets management: keys, access keys, etc.
• Important to note these client-side protections can be disabled by engineers

24. Pre-Commit | Git Hook Tools
Weaponizing the toolchain:
• AWS Labs git-secrets – https://github.com/awslabs/git-secrets
• Talisman – https://github.com/thoughtworks/talisman
• Auth0 repo-supervisor – https://github.com/auth0/repo-supervisor
• Yelp Pre-Commit Framework – https://pre-commit.com/

25. Pre-Commit | Git Hook Example
AWS git-secrets blocking a commit that contains an access key id and secret key:

```
$ git commit -m "testing git-secrets"
Web/PumaScan.Licensing.Web/appsettings.json:5: "AccessKey": "AKIAJNQ7C2FCRR6B4VWA",
Web/PumaScan.Licensing.Web/appsettings.json:6: "SecretKey": "ry8F6PlPTBP4bFGqZ0IzvZ71Oh2gkgZvFK/CZecw"
[ERROR] Matched one or more prohibited patterns
```
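As an added example (not code from the slides and not the git-secrets project's own implementation), the following POSIX shell pre-commit hook does the core of what the git-secrets run above does: it scans the lines a commit would add for AWS-style credentials and refuses the commit if any match. The two regular expressions are assumptions of this example (an access key id shaped like "AKIA" plus 16 upper-case alphanumerics; a 40-character secret following a SecretKey / aws_secret_access_key label), and the JSON sample at the bottom is constructed and contains no real credential. Engineers can still bypass a client-side hook with `--no-verify`, which is why the slide pairs this control with scanning in CI.

```shell
#!/bin/sh
# Added example: a minimal git-secrets-style pre-commit hook (not the slides' code,
# not the git-secrets project's code). Install as .git/hooks/pre-commit and pass --hook.
# Pattern assumptions: AWS access key ids look like AKIA + 16 upper-case alphanumerics;
# secret keys are 40 base64-ish characters after a SecretKey / aws_secret_access_key label.

AKID_PATTERN='AKIA[0-9A-Z]{16}'
SECRET_PATTERN='(aws_secret_access_key|SecretKey|secret_key)[^A-Za-z0-9/+=]{0,20}[A-Za-z0-9/+=]{40}'

# count_secret_lines: reads text on stdin, prints how many lines match a prohibited pattern.
# grep exits 1 when nothing matches, so "|| true" keeps a set -e caller alive.
count_secret_lines() {
    grep -cE "$AKID_PATTERN|$SECRET_PATTERN" || true
}

# report_secret_lines: reads text on stdin, prints each offending line with its line number.
report_secret_lines() {
    grep -nE "$AKID_PATTERN|$SECRET_PATTERN" || true
}

# staged_additions: only the "+" lines the pending commit would introduce, marker stripped.
# The [^+] excludes the "+++ b/path" file header lines of the diff.
staged_additions() {
    git diff --cached -U0 --no-color | grep -E '^\+[^+]' | sed 's/^+//' || true
}

# check_staged: hook entry point; a non-zero exit makes git abort the commit.
check_staged() {
    additions=$(staged_additions)
    hits=$(printf '%s\n' "$additions" | report_secret_lines)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        echo "[ERROR] Matched one or more prohibited patterns" >&2
        return 1
    fi
    return 0
}

# Constructed sample config (not a real credential) so the scanner can be exercised offline.
SAMPLE='{
  "AccessKey": "AKIAEXAMPLEEXAMPLE01",
  "SecretKey": "abcdefghijklmnopqrstuvwxyz0123456789ABCD",
  "Region": "us-east-1"
}'

# As a hook (--hook) scan the staged diff; otherwise show the scanner on the sample.
if [ "${1:-}" = "--hook" ]; then
    check_staged
else
    printf '%s\n' "$SAMPLE" | report_secret_lines
fi
```

Run without arguments it lists the two offending sample lines (the access key id and the secret key); wired in as `.git/hooks/pre-commit` with `--hook` it blocks the commit instead. Keep the pattern list in one place so the same expressions can be reused by the CI-side scan that catches hooks which were disabled locally.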
26. Pre-Commit | Peer Reviews
Peer code reviews are mandatory in disciplined DevSecOps organizations:
• Allow engineers to discover hard-coded secrets, logic flaws in high risk code, and backdoors
• Compensating control for separation of duties in continuous deployment
• Rely on the reviewer's application security skillset

27. Pre-Commit | Peer Review Toolchain
Weaponizing the toolchain:
• GitHub Pull Request
• GitLab Merge Request
• Bitbucket Pull Request
• Gerrit (Google)
• Review Board – https://github.com/reviewboard/reviewboard

28. Pre-Commit | Peer Review Example
GitHub pull request requiring peer review approval.

29. DevSecOps Phases | Commit
Applying automated, fast, accurate security controls in the CI pipeline.

30. Commit | Static Code Analysis
Limited opportunity for static analysis in CI & CD pipelines:
• Speed matters (< 5 minutes)
• High accuracy rules
• Low false positive rates
• Disable rules that do not provide value to engineers

31. Commit | Static Code Analysis Tools
Weaponizing the toolchain:
• Brakeman (Ruby)
• ESLint (NodeJS)
• Puma Scan (C#)
• FindSecurityBugs (Java)
• Puppet Lint Security
• And many, many commercial offerings

32. Commit | Static Code Analysis Example
Puma Scan failing a build in a Jenkins CI pipeline.

33. Commit | Static Code Analysis Example
Capturing and reporting vulnerability data in a Jenkins CI pipeline.

34. Commit | Security Unit Tests
Built on top of standard unit and integration tests to enforce security requirements:
• Leverage abuse cases and evil user stories from the rapid risk assessment
• Focus on high risk code and business logic flaws
• Fast execution in the IDE / CI pipeline
• Can be used to enforce security requirements

35. Commit | Security Unit Test Tools
Weaponizing the toolchain:
• JUnit
• xUnit
• Mocha (NodeJS)
• RSpec

36. Commit | Happy Path Unit Test Example
• Engineers often stay on the "happy path"
• Prove the code works under normal usage

```csharp
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using Xunit;

// Happy path: a valid user downloading an existing license id is redirected (302 Found).
[Theory]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", "1", HttpStatusCode.Found)]
public async Task License_DownloadTest(string username, string password, string id, HttpStatusCode responseCode)
{
    // … (authentication and cookie capture elided on the slide; authCookie comes from it)
    var request = new HttpRequestMessage(HttpMethod.Get, $"/download/{id}");
    request.Headers.Add("Cookie", $"app-portal={authCookie};");
    var response = await _client.SendAsync(request);
    Assert.Equal(responseCode, response.StatusCode);
}
```

37. Commit | Validation Unit Test Example
Testing common SQL injection characters, which the id parameter must reject (404 Not Found) rather than pass to the data layer:

```csharp
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using Xunit;

// Each InlineData row sends one SQL metacharacter as the id; every one must be rejected.
[Theory]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", "'", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", "*", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", ")", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", ",", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", ";", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", "#", HttpStatusCode.NotFound)]
[InlineData("bob@app.com", "L1ttleB0bbyTable$", "&", HttpStatusCode.NotFound)]
public async Task License_DownloadTest(string username, string password, string id, HttpStatusCode responseCode)
{
    // … (authentication and cookie capture elided on the slide; authCookie comes from it)
    var request = new HttpRequestMessage(HttpMethod.Get, $"/download/{id}");
    request.Headers.Add("Cookie", $"app-portal={authCookie};");
    var response = await _client.SendAsync(request);
    Assert.Equal(responseCode, response.StatusCode);
}
```

38. Commit | High Risk Code Unit Test Example
Verifying checksums on high risk code, so that any change to these files fails the build until a security code review updates the expected digest:

```csharp
using Xunit;

// Expected SHA-1 digests of the high risk files; a mismatch means the file changed
// without the checksum being updated, which requests a code review and fails the test.
[Theory]
[InlineData("/Web/Controllers/AccountController.cs", "2ffbf33b66ddb07616f882ceed0718826af298a7")]
[InlineData("/Shared/Services/Cryptography/Hash.cs", "d51bfd137d37a7ed908737552568bcc5241f5021")]
[InlineData("/Shared/Services/Cryptography/Asymmetric.cs", "fe83bf6f453698c5f78cab167bca14c72daf32c0")]
[InlineData("/Shared/Services/Cryptography/Symmetric.cs", "ae951207f4fbdbe2d9661297f285dc99857f32d4")]
public void HighRiskCode_CheckSumTest(string file, string checksum)
{
    bool match = checksum.Equals(Hash.GetChecksum(file));
    if (!match)
        NotificationService.RequestCodeReview(file);
    Assert.True(match);
}
```
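The same checksum gate as a pipeline step in shell, added here as an example (it is not code from the slides or from Puma Security): a manifest lists the expected SHA-1 of every high risk file, the step recomputes each digest, requests a review for any file that drifted or went missing, and reports the drift count so the CI job can fail on anything other than zero. Assumptions: `sha1sum` (coreutils) or `shasum` (macOS) is available; `request_code_review` is a hypothetical stand-in for the slide's `NotificationService.RequestCodeReview`; the file paths are the ones on the slide, but the demo's file contents and digests are constructed (SHA-1 of "abc" is the FIPS 180 test vector).

```shell
#!/bin/sh
# Added example (not the slides' code): a high-risk-code checksum gate for CI.
# Manifest format is the one "sha1sum -c" reads: "<sha1 hex>  <path relative to repo root>".
# Assumes sha1sum or shasum is installed; request_code_review is a hypothetical stub.

# sha1_of FILE: print the SHA-1 hex digest of a file.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# request_code_review PATH: stand-in for the notification a real pipeline would send
# (hypothetical; the slide's test calls NotificationService.RequestCodeReview here).
request_code_review() {
    echo "[REVIEW] $1 changed; security code review requested" >&2
}

# verify_high_risk_checksums MANIFEST BASEDIR: prints the number of files whose digest
# drifted from the manifest (0 means the gate passes). Missing files count as drift,
# since a deleted authentication or crypto file is as review-worthy as a modified one.
verify_high_risk_checksums() {
    manifest=$1
    base=$2
    drift=0
    while read -r expected path; do
        if [ -z "$expected" ]; then continue; fi
        case "$expected" in '#'*) continue ;; esac
        file="$base/$path"
        if [ ! -f "$file" ]; then
            actual="<missing>"
        else
            actual=$(sha1_of "$file")
        fi
        if [ "$actual" != "$expected" ]; then
            request_code_review "$path"
            drift=$((drift + 1))
        fi
    done < "$manifest"
    echo "$drift"
}

# demo_checksum_gate: constructed scenario with two high-risk files, one tampered after
# the manifest was written. SHA-1("abc") = a9993e364706816aba3e25717850c26c9cd0d89d.
demo_checksum_gate() {
    dir=$(mktemp -d)
    mkdir -p "$dir/Shared/Services/Cryptography"
    printf 'abc' > "$dir/Shared/Services/Cryptography/Hash.cs"
    printf 'abc' > "$dir/Shared/Services/Cryptography/Symmetric.cs"
    cat > "$dir/high-risk.sha1" <<'EOF'
# sha1  path (relative to repository root)
a9993e364706816aba3e25717850c26c9cd0d89d  Shared/Services/Cryptography/Hash.cs
a9993e364706816aba3e25717850c26c9cd0d89d  Shared/Services/Cryptography/Symmetric.cs
EOF
    printf 'abc // tampered' > "$dir/Shared/Services/Cryptography/Symmetric.cs"
    verify_high_risk_checksums "$dir/high-risk.sha1" "$dir"
    rm -rf "$dir"
}

demo_checksum_gate
```

In a Jenkins stage the call would be `[ "$(verify_high_risk_checksums high-risk.sha1 .)" = "0" ] || exit 1`, so the build fails on any drift; the demo prints `1` because Symmetric.cs was changed after the manifest was generated. Keep the manifest itself under the same peer-review rule as the files it protects, otherwise an engineer can update both in one commit and the gate proves nothing.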
39. Commit | Container Security
Containers present an entirely new attack surface for engineering teams to deal with:
• Managing container secrets
• Poisoned / untrusted images
• Hardening the image operating system
• Docker daemon / API attack surface
• This topic alone is an hour-plus conversation

40. Commit | Container Security Tools
Weaponizing the toolchain:
• Anchore – https://anchore.com/opensource/
• Actuary – https://github.com/diogomonica/actuary
• Clair – https://github.com/coreos/clair
• Falco – https://github.com/draios/falco

41. Commit | Container Security Scan Example
Anchore scan results via Jenkins CI.

42. Commit | Dependency Management
Builds a bill of materials from operations and application dependencies:
• Scans manifests, templates, and libraries
• Identifies packages and libraries with known vulnerabilities
• Suggests package version updates to remediate vulnerabilities

43. Commit | Dependency Management Tools
Weaponizing the toolchain:
• OWASP Dependency Check
• PHP Security Checker
• Retire.js
• Node Security Project

44. Commit | Dependency Management Example
Dependency Check scan results via Jenkins CI.

45. DevSecOps Phases | Acceptance
Applying security controls during delivery of infrastructure or applications to acceptance.

46. DevSecOps Phases | Production
Applying security controls during deployment of infrastructure or applications to production.

47. DevSecOps Phases | Operations
Continuous security monitoring, testing, and compliance checks in production.

48. Roadmap
• The DevOps Problem
• DevSecOps Program: Pre-Commit, Commit, Acceptance, Production, Operations
• Conclusion

49. Puma Scan | Black Hat Arsenal 2018
• Open source security source code analyzers
• 50+ application security-specific rules
• Install guide, rule docs, source code: https://www.pumascan.com/community and https://github.com/pumasecurity (@puma_scan)
• Presenting Wednesday August 8th at Black Hat Arsenal: https://www.blackhat.com/us-18/arsenal/schedule/#puma-scan-12003