Application Security at DevOps Speed - DevOpsDays Singapore 2016

Post on 16-Apr-2017


Transcript of Application Security at DevOps Speed - DevOpsDays Singapore 2016

Security at DevOps Speed

Stefan Streichsbier
CTO, Vantage Point
Founder, DevSecOps Singapore
stefan@vantagepoint.sg

@s_streichsbier

What is AppSec?

Why does AppSec == Pain?

Pentesters after turning a report in...

Security

Meanwhile outside the security camp...

[Chart: The frequency of releases over time. X-axis: 2005 to 2020; Y-axis: Releases per app per year, 0 to 140]

Towards CD

From Waterfall

The frequency increased


So many releases?!

Security

DevOps


Agile + DevOps + Security = DevSecOps

Step 1: Security as part of Agile

[Scrum diagram: Product Backlog -> Sprint Backlog -> Plan, Design, Develop, Test (sprint of 1-4 weeks, daily 24-hour cycle) -> Output: Shippable Increment]

Let’s look at SCRUM

Start with understanding the process

[Scrum diagram repeated: Product Backlog -> Sprint Backlog -> Plan, Design, Develop, Test (sprint of 1-4 weeks, daily 24-hour cycle) -> Output: Shippable Increment, now annotated with the security activities below]

Secure SCRUM

Security Training

Security Requirements

Security Activities

Threat Modelling

Design Review

Pairing

Manual Security Tests

Automatic Security Tests

Security Feature Demo

Security Retrospective

Security Acceptance Criteria

(Security) User Stories

(Security) Unit Tests

[Chart: Security Debt Burndown. X-axis: Sprint 1 to Sprint 6; Y-axis: 0 to 120; series: % Remaining Security work, % App Robustness, Security Skills]

Step 2: DevSecOps

Vulnerability Repository

• Security Unit Tests

• SAST • SCA

• DAST • IAST • VA

• Security as Code • RASP • NG WAF

• Red Team • GOPT • Actual Attackers

• Sec Requirements • Design Review • Threat Modelling

AppSec Pipeline
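As an added illustration (not code from the talk or from Vantage Point), the following Python script shows the idea behind the pipeline stages above feeding one vulnerability repository: findings from security unit tests, SAST, SCA and DAST are normalised into a single record type, de-duplicated, checked against a list of consciously accepted security debt with an expiry date, and the build is passed or failed by a severity threshold. The tool names, rule ids, locations and dates are all constructed sample data, and the stage labels, `Finding` type and `gate` function are assumptions made for this example.

```python
"""Minimal AppSec pipeline gate (added example, constructed data).

Each pipeline stage (unit tests, SAST, SCA, DAST, ...) reports findings into one
vulnerability repository. The gate de-duplicates them, ignores findings the team
has accepted as security debt until that acceptance expires, and fails the build
when anything at or above the threshold severity remains.
"""
from dataclasses import dataclass
from datetime import date

# Severity order used for the threshold comparison.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    stage: str       # hypothetical stage label: "unit", "sast", "sca", "dast"
    rule: str        # rule id as the reporting tool names it
    location: str    # file:line for SAST, package@version for SCA, URL for DAST
    severity: str    # one of SEVERITY_RANK


# Constructed sample findings; not output of any real tool.
SAMPLE_FINDINGS = [
    Finding("sast", "sql-injection", "app/users.py:42", "high"),
    Finding("sast", "sql-injection", "app/users.py:42", "high"),  # same issue, second SAST run
    Finding("sca", "known-vulnerable-dependency", "example-lib@1.2.3", "critical"),
    Finding("dast", "missing-security-headers", "https://staging.example.test/login", "low"),
    Finding("unit", "auth-bypass-test-failed", "tests/test_auth.py::test_admin_only", "medium"),
]

# Accepted security debt: (stage, rule, location) -> ISO expiry date.
# An expired entry stops suppressing its finding, which is how the debt burns down
# instead of being forgotten. Constructed sample entry.
ACCEPTED_DEBT = {
    ("dast", "missing-security-headers", "https://staging.example.test/login"): "2099-01-01",
}


def dedupe(findings):
    """Collapse identical findings reported by more than one run or tool."""
    seen = set()
    unique = []
    for f in findings:
        key = (f.stage, f.rule, f.location)
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def is_accepted(f, today, accepted=ACCEPTED_DEBT):
    """True while an accepted-debt entry for this finding has not expired.

    ISO-8601 date strings compare correctly as plain strings."""
    expiry = accepted.get((f.stage, f.rule, f.location))
    return expiry is not None and today <= expiry


def gate(findings, threshold="high", today=None, accepted=ACCEPTED_DEBT):
    """Return (passed, blocking_findings).

    The build fails when any de-duplicated, non-accepted finding has a severity
    at or above `threshold`."""
    today = today or date.today().isoformat()
    limit = SEVERITY_RANK[threshold]
    blocking = [
        f for f in dedupe(findings)
        if not is_accepted(f, today, accepted) and SEVERITY_RANK[f.severity] >= limit
    ]
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    passed, blocking = gate(SAMPLE_FINDINGS)
    print("PASS" if passed else "FAIL")
    for f in blocking:
        print(f"  [{f.severity}] {f.stage}: {f.rule} at {f.location}")
```

Run as-is, the sample data fails the gate on the de-duplicated SAST finding and the SCA finding, while the accepted DAST finding is suppressed until its expiry date; lowering the threshold to "low" after that date surfaces it again, which is the behaviour a security debt burndown relies on.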

Instead of this ...

...Let’s do this...