continuous security
TRANSCRIPT
CONTINUOUS SECURITY
THANK YOU!
@parker0phil
@parker0phil
How do we achieve Security in aContinuous Delivery environment?
@parker0phil
3. Continuous Delivery IS MORE secure!
@parker0phil
2. Continuous Delivery IS MORE secure!
@parker0phil
2. Continuous Delivery IS MORE secure!
@parker0phil
2. Continuous Delivery IS MORE secure!
@parker0phil
1. Continuous Delivery IS MORE secure!
Mean Time toDetect(MTTD)
Mean Time toResolve(MTTR)
RELEASE
FINDVULN
FIXVULN
Attack Window
MTTD MTTE
@parker0phil
Continuous Delivery IS MORE secure!
@parker0phil
3. Thinking about Security
@parker0phil
3. Thinking about Security
@parker0phil
2. Thinking about Security
Exploitability Impact
@parker0phil
1. Thinking about Security
1. Rely on developers and testers more than security specialists.
2. Secure while we work more than after we’re done.3. Implement features securely more than adding on
security features.4. Mitigate risks more than fix bugs.
@parker0phil
Thinkingabout Security
@parker0phil
Pet Hate #3
@parker0phil
Encoding Hashing
Encryption Signing
Pet Hate #2
b2JmdXNjYXRpb24=
%3Cscript%3Ealert(0)%3C%2Fscript%3E
Integrity +Non-repudiation
Confidentiality
@parker0phil
Pet Hate #1
@parker0phil
Pet Hates!
@parker0phil
3. Enumeration of Usernames
@parker0phil
3. Enumeration of Usernames
@parker0phil
2. Unvalidated Redirects
?queryString=param
Cookie:value
Persisted
@parker0phil
2. Unvalidated Redirects
?queryString=param
Cookie:value
Persisted
@parker0phil
1. Cross-Site Request Forgery (CSRF)
@parker0phil
BONUS. SelfXSS
@parker0phil
BONUS. SelfXSS
@parker0phil
My Favouriteattacks!
@parker0phil
Continuous Delivery IS MORE secure
How we achieve Security in a CD environment
Mental Models for Security
Pet Hates
My Favourite attacks
@parker0phil
Security is HARD
#DevSecOpsDevSecOps#DevSecOps
CONTINUOUSSECURITY