Continuous Cloud Security Automation

Presented at AppSec USA 2015, Sept. 24, 2015, 3 p.m. (55 minutes)

Security can be hard to get right. In many organizations, security teams are relatively small, and scaling such teams to tackle the world of continuous software delivery is a very practical challenge. Getting core security tools adopted can be difficult and, when they are adopted, they are often run as just a checklist item. Automation can come to the rescue for this challenge. We will be presenting a new distributed framework, currently under development, in which adding any security tool is as easy as adding a plug-in, requiring minimal development effort. The framework can scale to help minimize false positives. One more advantage of this approach is its client-server architecture, which helps to scale security across teams and works perfectly in a cloud environment like Amazon AWS. The framework runs in client-server mode and is exposed via REST APIs. A few key principles of this framework are:

1. Scalable: Adding any tool to the framework can be done using a simple driver file, no bigger than 15 lines of JavaScript code. The popular Eclipse development tool inspired this model.
2. Secure: Every component of the framework should be self-secured.
3. Cloud-ready: The architecture of the framework must support cloud deployment.
4. Agnostic of tools: The framework should be agnostic to any architecture and tools used by development teams.
5. Easy to update: Updates to the framework should be automated using an easy, yet secure, protocol.

This will be a live demo of the framework, with testing on demo sites. The framework is specifically designed for DevOps and security team use.

Presenters:

  • Rohit Pitke - Security Engineer - Adobe Inc
    As a Software Security Engineer with Adobe, I make sure that Adobe Document Cloud is reasonably secure by design, implementation and deployment. I enjoy building secure stuff that is hard to break. I am an Offensive Security Certified Professional (OSCP).
