AppSec Europe 2016 has ended
Friday, July 1 • 12:25 - 13:10
SecDevOps: A View from the Trenches

Sign up or log in to save this to your schedule and see who's attending!

DevOps practices have become the de-facto approach to deliver applications at rapid scale and unprecedented speed. However, any process is as fast as its biggest bottleneck and security is becoming the most pervasive bottleneck in most DevOps practices. Teams are unable to come up with security practices that integrate into the DevOps lifecycle and ensure continuous and smooth delivery of applications to customers. In fact, security failures in DevOps amplify security flaws in production as they are delivered at scale. If DevOps should not be at odds with security, then we must find ways to achieve the following on priority: 

- Integrate effective threat modeling into Agile development practices 
- Introduce Security Automation into Continuous Integration 
- Integrate Security Automation into Continuous Deployment 

While there are other elements like SAST and Monitoring that are important to SecDevOps, my talk will essentially focus on these three elements with a higher level of focus on Security Automation. In my talk, I will explore the following, with reference to the topic: 

- The talk will be replete with anecdotes from personal consulting and penetration testing experiences. 
- I will briefly discuss Threat Modeling and its impact on DevOps. I will use examples to demonstrate practical ways that one can use threat modeling effectively to break down obstacles and create security automation that reduces the security bottleneck in the later stages of the DevOps cycle. 
- I firmly believe that Automated Web Vulnerability Assessment (using scanners) no matter how tuned, can only produce 30-40% of the actual results as opposed to a manual application penetration test. I find that scanning tools fail to identify most vulnerabilities with modern Web Services (REST. I will discuss examples and demonstrate how one can leverage automated vulnerability scanners (like ZAP, through its Python API) and simulate manual testing using a custom security automation suite. In Application Penetration Testing, its impossible to have a one size-fits all, but there’s no reason why we can’t deliver custom security automation to simulate most of the manual penetration testing to combine them into a custom security automation suite that integrates with CI tools like Jenkins and Travis. I intend to demonstrate the use a custom security test suite (written in Python that integrates with Jenkins), against an intentionally vulnerable e-commerce app. 
- My talk will also detail automation to identify vulnerabilities in software libraries and components, integrated with CI tools. 
- Finally, I will (with the use of examples and demos) explain how one can use “Infrastructure as Code” practice to perform pre and post deployment security checks, using tools like Chef, Puppet and Ansible.

avatar for Abhay Bhargav

Abhay Bhargav

CEO, we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of “Orchestron", a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering works... Read More →

Friday July 1, 2016 12:25 - 13:10
Room B (Tiziano Ballroom Sec. 1)