LASCON 2017 has ended
Thursday, October 26 • 2:00pm - 3:00pm
Your Security Tools are Just a Stop-Gap to Secure DevOps


Many organizations are taking a tools-first approach to verifying the security of applications in their CI/CD pipelines. Usually, after the build, [functional] test, and deploy pipelines are finished, security teams are asked to get involved to decide which security tools should be integrated into those pipelines to detect vulnerabilities. Unfortunately, while integrating SAST (or DAST) into a CI pipeline might result in a quick win, the security posture of applications in the pipeline is still largely unknown. Additionally, integrating SAST often leads to manual triage activities that can slow the pipeline tremendously, or results are aggressively filtered to combat false positives, which leads to real vulnerabilities going untracked.
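The triage failure mode above (blanket filtering that drops real findings along with the noise) has a cheap alternative: filter scanner output against a reviewed baseline in which every suppression carries an owner, a reason and an expiry, so nothing disappears silently and accepted risks come back when their expiry passes. The following is an added example written for this page, not the speaker's code or any particular scanner's format; the finding shape (rule, file, line, fingerprint) and the baseline entries are constructed for illustration.

```python
"""
SAST triage against a reviewed baseline, so suppressed findings stay tracked.

Added example (not the speaker's code). Findings use a constructed,
tool-neutral shape: rule id, file, line and a stable fingerprint ("fp").
A suppression is only honoured if it names an owner, a reason and an
expiry date; anything else, including an expired suppression, blocks.
"""
from datetime import date

# Constructed scanner output standing in for one build's raw SAST results.
FINDINGS = [
    {"rule": "sql-injection", "file": "app/db.py", "line": 42, "fp": "a1"},
    {"rule": "xss", "file": "app/views.py", "line": 17, "fp": "b2"},
    {"rule": "weak-hash", "file": "app/legacy.py", "line": 9, "fp": "c3"},
    {"rule": "hardcoded-secret", "file": "app/cfg.py", "line": 3, "fp": "d4"},
]

# Constructed baseline: one reviewed false positive, one accepted risk with a
# deadline, and one entry that is incomplete (no owner) and so is not honoured.
BASELINE = {
    "b2": {"owner": "web-team", "reason": "output is escaped by the template engine",
           "expires": "2099-01-01"},
    "c3": {"owner": "platform", "reason": "legacy checksum only; migration planned",
           "expires": "2017-06-30"},
    "d4": {"reason": "test fixture", "expires": "2099-01-01"},
}

REQUIRED_FIELDS = ("owner", "reason", "expires")


def suppression_is_valid(entry: dict, today: date) -> bool:
    """A suppression counts only when fully documented and not yet expired."""
    if not all(entry.get(k) for k in REQUIRED_FIELDS):
        return False
    return date.fromisoformat(entry["expires"]) >= today


def triage(findings: list, baseline: dict, today: date) -> tuple:
    """Split findings into (blocking, suppressed).

    Suppressed findings are returned, not discarded, so they can be fed to
    a tracker or dashboard; blocking findings say why they block.
    """
    blocking, suppressed = [], []
    for f in findings:
        entry = baseline.get(f["fp"])
        if entry and suppression_is_valid(entry, today):
            suppressed.append({**f, "owner": entry["owner"], "reason": entry["reason"]})
            continue
        if entry is None:
            why = "new finding"
        elif not all(entry.get(k) for k in REQUIRED_FIELDS):
            why = "suppression missing owner/reason/expiry"
        else:
            why = "suppression expired"
        blocking.append({**f, "why": why})
    return blocking, suppressed


def gate(findings: list, baseline: dict, today: date) -> bool:
    """True when the build may proceed: no blocking findings remain."""
    blocking, _ = triage(findings, baseline, today)
    return not blocking


if __name__ == "__main__":
    today = date(2017, 10, 26)
    blocking, suppressed = triage(FINDINGS, BASELINE, today)
    for f in blocking:
        print(f"BLOCK  {f['rule']} {f['file']}:{f['line']} ({f['why']})")
    for f in suppressed:
        print(f"TRACK  {f['rule']} {f['file']}:{f['line']} owner={f['owner']}")
    raise SystemExit(0 if gate(FINDINGS, BASELINE, today) else 1)
```

The point is not the data structure but the policy it enforces: a finding leaves the blocking set only by passing through a review that someone owns and that is revisited on a date, which is what keeps "filtered" from becoming "forgotten".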

To truly gain insight into the security of your applications, start by thinking about your greatest risks. Consider the business risks of a successful attack (i.e. what you need to protect) and the threat models of your applications (i.e. how you might be attacked). Use that information to decide how your applications should be built to reduce those risks (i.e. required security controls). Now, think about how to test that the necessary controls exist and are used properly. Last, choose a tool to perform those tests. You may be able to leverage an existing commercial or open source tool, or you may be better off writing custom scripts or plugins for existing tools.
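The last two steps of that sequence (decide how to test that a required control is present, then pick or write the tool) rarely need a general-purpose scanner. The following is an added example, not the speaker's code: a small pipeline check that walks a Python module with the standard `ast` module and fails the build if any HTTP route handler lacks a required authorization decorator. It assumes a Flask-style application where handlers are registered with `@app.route(...)` and the control is a decorator named `login_required`; the allowlist of intentionally public routes and the sample module are constructed for illustration.

```python
"""
Pipeline gate: every route handler must carry the required authorization control.

Added example (not the speaker's code). Assumes a Flask-style app where views
are registered with @app.route(...) or @blueprint.route(...) and the control
to verify is a @login_required decorator. Routes reviewed and accepted as
public are listed explicitly so the check cannot be silenced by omission.
"""
import ast

REQUIRED_CONTROL = "login_required"    # assumed decorator name for the control
PUBLIC_ALLOWLIST = {"health", "login"}  # reviewed, intentionally public handlers


def _decorator_name(node: ast.expr) -> str:
    """Bare name of a decorator in any of the forms @x, @x(...), @a.b, @a.b(...)."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ""


def find_unprotected_routes(source: str) -> list:
    """Return route handlers that lack the control and are not allowlisted."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        names = [_decorator_name(d) for d in node.decorator_list]
        if "route" not in names:
            continue  # plain helper function, not an HTTP handler
        if REQUIRED_CONTROL in names or node.name in PUBLIC_ALLOWLIST:
            continue
        findings.append({"view": node.name, "line": node.lineno})
    return findings


def gate(source: str) -> bool:
    """True when the pipeline may proceed: every non-public route carries the control."""
    return not find_unprotected_routes(source)


# Constructed sample module standing in for the application under test.
SAMPLE_APP = '''
from flask import Flask
app = Flask(__name__)

@app.route("/health")
def health():
    return "ok"

@app.route("/login", methods=["POST"])
def login():
    return "..."

@app.route("/admin/users")
@login_required
def admin_users():
    return "users"

@app.route("/admin/export")        # control missing: should fail the gate
def admin_export():
    return "csv"

def format_row(row):               # not a route, ignored by the check
    return ",".join(row)
'''

if __name__ == "__main__":
    for f in find_unprotected_routes(SAMPLE_APP):
        print(f"MISSING @{REQUIRED_CONTROL}: {f['view']} (line {f['line']})")
    raise SystemExit(0 if gate(SAMPLE_APP) else 1)
```

Run it against the repository's view modules as a pipeline step; its only output is the handlers that violate the control you decided on, so there is nothing to triage and no severity threshold to tune. The same pattern extends to any control that shows up structurally in code or configuration (CSRF protection on state-changing handlers, parameterised queries, a required middleware in the app factory).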

Sound familiar? The above is not just how to secure your DevOps pipeline – for nearly a decade, it's been standard guidance for building an application security program. The required pace of security activities has increased dramatically with the move to CI/CD, but the overall goal has not.

This talk will explain more deeply:
  • why a tools-first approach to securing a CD pipeline will end in a headache;
  • the security components/activities necessary for securing applications in a CD pipeline; and
  • where to start and how to build momentum within your organization.
I'll provide case studies from industry experience to illustrate common challenges and how they can be overcome. This talk will also introduce a high-level maturity model for setting goals and tracking progress while building an application security program that operates at hyper-speed.


Kevin Fealey

Kevin Fealey is the Director of Aspect Security's Automation & Integration Services Division. He specializes in building security into CI/CD pipelines by automating commercial, open source, and custom tools, and in developing streamlined processes to provide faster security feedback to developers and real-time security dashboards to executives. Kevin strives to minimize disruptions to existing developer processes by integrating security transparently into the development process. Kevin has spoken about how to build a scalable, efficient, and effective security program at LASCON 2014/2015/2016, IBM InterConnect, the Techno Security...

