Jeff Hann (@obihann) AllDayDevOps October 2018 (#AllDayDevOps)
- Over a decade in development (backend, frontend, mobile)
- Two years in DevOps (focused on CI and automation)
- Now a Security Engineer (works directly with engineering and architecture teams)
In today's agile world, we have less time between releases than ever before, and this crunch is often felt by security more than any other team. The risk of a breach due to a rushed product is high but the risk of lost profit due to a missed launch is far higher, so how do we prevent both? Using the same techniques we used to automate our builds and releases we can automate our security testing.
- Code
  - Static Analysis
  - Unit Testing
- Build
  - Binary Analysis
  - Open Source Analysis
- Deploy
  - Dynamic Analysis
  - Continuous Monitoring
- By introducing multiple methods of testing throughout the build and release process we provide our team blunt and honest feedback
- Too often this feedback is thought of as a road block and turned into a checklist of extra work required to launch
- Treat each piece of information found as a training opportunity, help your team resolve the issue and advance their skills
- It is very easy to just “fix” a bug via acceptance or mitigation, but then it will happen again and again
- Most good tools will provide some form of explanation of the bug as well as links to third party sources to help learn more about it
- Keep track of bugs that pop up regularly and on an annual basis introduce some form of training (conferences, local meet-ups, lunch and learn, e-learning) that focuses on these topics
- Set your priorities and expectations in stone
- Use the Common Vulnerability Scoring System (CVSS), but use it properly
- Use a ticketing system to help manage the load
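As an added example (not material from the talk), here is a small Python script showing what "priorities set in stone" and "CVSS used properly" can look like as code: it maps CVSS v3.x base scores onto the spec's qualitative severity bands, gates the pipeline on a fixed, written-down policy, and tallies recurring weakness categories so that training topics fall out of the data. The findings, the blocking threshold and the CWE ids are constructed sample values, not output from any real tool.

```python
"""Policy-as-code triage for findings produced by CI security stages.

Added example, not from the talk. Findings, thresholds and CWE ids below
are constructed sample values.
"""
from collections import Counter

# CVSS v3.x qualitative severity rating scale (lower bound of each band).
SEVERITY_BANDS = (
    (0.0, "None"), (0.1, "Low"), (4.0, "Medium"), (7.0, "High"), (9.0, "Critical"),
)

# Fixed policy: which bands block a release. Assumed for this example.
BLOCKING = {"High", "Critical"}

# Constructed sample findings from the static/binary/open-source/dynamic stages.
FINDINGS = [
    {"stage": "static", "cwe": "CWE-89", "cvss": 9.8, "accepted": False},
    {"stage": "static", "cwe": "CWE-79", "cvss": 6.1, "accepted": False},
    {"stage": "open-source", "cwe": "CWE-79", "cvss": 7.5, "accepted": True},
    {"stage": "dynamic", "cwe": "CWE-79", "cvss": 5.4, "accepted": False},
    {"stage": "binary", "cwe": "CWE-121", "cvss": 3.1, "accepted": False},
]


def severity(score):
    """Map a CVSS base score (0.0-10.0) to its qualitative band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    label = "None"
    for floor, name in SEVERITY_BANDS:
        if score >= floor:
            label = name
    return label


def gate(findings, blocking=BLOCKING):
    """Return (passed, blockers). An accepted risk stops one finding from
    blocking but it still stays in the report; it is never hidden."""
    blockers = [f for f in findings
                if severity(f["cvss"]) in blocking and not f["accepted"]]
    return (not blockers, blockers)


def recurring(findings, threshold=2):
    """Weakness categories seen at least `threshold` times: training topics."""
    counts = Counter(f["cwe"] for f in findings)
    return {cwe: n for cwe, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    ok, blockers = gate(FINDINGS)
    print("gate:", "pass" if ok else "BLOCK", [b["cwe"] for b in blockers])
    print("recurring:", recurring(FINDINGS))
```

Feeding the `recurring` output into the annual training plan, and the `gate` output into the ticketing system, keeps the triage decision out of individual hands and in the written policy.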
- Twitter: @obihann
- GitHub: obihann
- HAM Radio: VE1OBI
- IRC: freenode/obihann
Attribution 4.0 International (CC BY 4.0)