Security learns to sprint: DevSecOps - Tanya Janca

787 views

LocoMocoSec: Hawaii Product Security Conference

1 day ago

This talk explains what security teams need to change in order to turn DevOps into
DevSecOps within their organizations. Several strategies are presented for weaving
security into each of the "Three Ways", with clear steps audience members can start
implementing immediately.
The talk argues that DevOps could be the best thing to happen to application security
since OWASP, provided that developers and operations teams are enabled to make security a
part of their everyday work. With a typical ratio of 100/10/1 for development, operations and
security staff, security can no longer try to do it all itself as it did in days past; it has to
concentrate on creating tools, processes and opportunities for dev and ops that result in
more-secure products. We must build security into each of "The Three Ways": automating
and/or improving the efficiency of all security activities so that we do not slow developers
down; speeding up feedback loops for security-related activities so that bugs are found and
fixed faster and earlier; and providing continuous learning opportunities on security for both
teams. Security can no longer be a gate or a stumbling block, and "adding security in" can no
longer be used as a justification for project delays. If developers are sprinting, then we need
to sprint too. So put on your running shoes; it's time for DevSecOps!
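As an added example of the kind of automated, fast-feedback security check the abstract calls for (this is not code from the talk or the speaker): a CI gate that reads a dependency-scan report, fails the pipeline step only on findings at or above a policy threshold, and honours time-boxed risk acceptances so that a waived finding cannot silently become permanent. The report shape, component names, advisory identifiers and scores below are constructed placeholders; the field names follow the OWASP Dependency-Check JSON report only loosely and are an assumption, not a statement about that tool's exact format.

```python
import json
import sys
from dataclasses import dataclass
from datetime import date

# Constructed sample in the rough shape of a Dependency-Check JSON report.
# Field names are an assumption about that format; the advisory IDs and
# scores are placeholders, not real vulnerabilities.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "jquery-1.8.3.min.js",
         "vulnerabilities": [
             {"name": "EXAMPLE-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
             {"name": "EXAMPLE-0002", "severity": "MEDIUM", "cvssv3": {"baseScore": 5.3}},
         ]},
        {"fileName": "Some.Library.dll",
         "vulnerabilities": [
             {"name": "EXAMPLE-0003", "severity": "HIGH", "cvssv2": {"score": 7.5}},
         ]},
        {"fileName": "clean-component-2.0.0.js"},  # no findings at all
    ]
})


@dataclass(frozen=True)
class Finding:
    component: str   # dependency file the scanner matched
    vuln_id: str     # advisory identifier as reported by the scanner
    score: float     # CVSS base score (v3 preferred, v2 as fallback)
    severity: str


def parse_report(report_json):
    """Flatten the report into one Finding per (component, advisory)."""
    data = json.loads(report_json)
    findings = []
    for dep in data.get("dependencies", []):
        component = dep.get("fileName", "<unknown>")
        for vuln in dep.get("vulnerabilities") or []:
            cvss3 = vuln.get("cvssv3") or {}
            cvss2 = vuln.get("cvssv2") or {}
            score = cvss3.get("baseScore", cvss2.get("score", 0.0))
            findings.append(Finding(component, vuln["name"], float(score),
                                    vuln.get("severity", "UNKNOWN")))
    return findings


def evaluate(findings, threshold, accepted=None, today=None):
    """Split findings at or above `threshold` into (blocking, waived).

    `accepted` maps (component, vuln_id) to an ISO expiry date: a documented,
    time-boxed risk acceptance. Once the date has passed, the finding blocks
    again, so accepted risk has to be consciously renewed rather than forgotten.
    """
    accepted = accepted or {}
    today_d = date.fromisoformat(today) if today else date.today()
    blocking, waived = [], []
    for f in findings:
        if f.score < threshold:
            continue  # below policy: reported, not blocking
        expiry = accepted.get((f.component, f.vuln_id))
        if expiry is not None and today_d <= date.fromisoformat(expiry):
            waived.append(f)
        else:
            blocking.append(f)
    return blocking, waived


def gate(report_json, threshold=7.0, accepted=None, today=None):
    """Return (exit_code, summary); exit code 1 means the pipeline step should fail."""
    findings = parse_report(report_json)
    blocking, waived = evaluate(findings, threshold, accepted, today)
    lines = [f"dependency scan: {len(findings)} finding(s), policy: CVSS >= {threshold} blocks"]
    for f in sorted(blocking, key=lambda x: -x.score):
        lines.append(f"  BLOCK  {f.component}: {f.vuln_id} (CVSS {f.score}, {f.severity})")
    for f in waived:
        lines.append(f"  WAIVED {f.component}: {f.vuln_id} "
                     f"until {accepted[(f.component, f.vuln_id)]}")
    lines.append("result: FAIL" if blocking else "result: PASS")
    return (1 if blocking else 0), "\n".join(lines)


if __name__ == "__main__":
    # One time-boxed acceptance on file; the critical finding still fails the build.
    waivers = {("Some.Library.dll", "EXAMPLE-0003"): "2030-01-01"}
    code, summary = gate(SAMPLE_REPORT, accepted=waivers)
    print(summary)
    sys.exit(code)
```

In a pipeline the scanner writes the JSON report, this script runs immediately after it, the exit code fails the step, and the short summary is what the developer sees in the job log: one fast loop instead of a ticket from security weeks later. Keeping the waiver list in the repository, with an expiry per entry, makes accepted risk reviewable in the same pull-request flow as the code.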

Comments: 1
@jjohn8457, 4 years ago
I saw the OWASP demonstration on YouTube and it is very informative. I am new to security testing, as my experience is in software development. I have a question regarding OWASP Dependency-Check. Should we execute the OWASP Dependency-Check on published DLLs/binaries or on the actual project files? Consider the following two scenarios.

1. I have a .NET Core project. The actual source code contains .csproj and .cs files. But if we publish, we will get a folder with DLLs only, which is going to be deployed in the IIS virtual directory. The virtual directory is the one that is going to be exposed to the external world.

2. I have an Angular project, and in that a lot of npm modules are installed. But if we publish, we will get a small subset of JavaScript files, which is going to be deployed on a web server.

In both cases, if we run the dependency check, we will get a lot of warnings/issues in the reports. So my question: where exactly should we execute our scan? In the original repository or on the output binaries? What will be the rationale for the decision? It would be great if I could get some pointers on this, as I couldn't find any answer on Stack Overflow or similar blogs. Thanks in advance.