Lightning Talk - Application Security in a DevOps World: Three Methods for Shifting Left

Presented at AppSec USA 2016, Oct. 13, 2016, 9:45 a.m. (10 minutes).

Operations has always resided clearly outside of development. Release candidates are tossed over the fence by development, and operations is expected to "just make it work." The same can be said about many other activities, including application security. This isn't intended as derision aimed at development; it's just a feature of how processes have historically been demarcated.

But with the emergence of the DevOps movement, organizations are beginning to apply the "shift-left" principle associated with early testing to other facets of application development. Security, which has been treated as something you can test into an application, should instead be built into the application according to DevOps principles.

In this presentation, we discuss how to get development and operations working together to build security into the application. We'll outline three methods and discuss their merits and drawbacks:

  • Penetration testing: This is the approach most commonly used.
  • Hybrid testing: By applying flow analysis (dynamic analysis) early in the process, you can look for possible paths through the code that lead to security flaws.
  • Preventative testing: By taking a standards-based approach and implementing a set of activities that target the defects that lead to security vulnerabilities, you are able to get ahead of security issues that diminish the effectiveness of DevOps approaches.

Presenters:

  • Aaron Lindsay
    Aaron Lindsay has been helping Parasoft's clients harden code, develop functional testing solutions, and virtualize their environments for almost 4 years. He has worked on projects all across America and South America, incorporating service virtualization into verticals that range from banking and healthcare to defense organizations. Aaron also worked with an R&D team under Dr. Ciera Jaspan to identify collaboration constraints in Java frameworks and developed static analysis tools that would identify defects. He also contributed to the California Aqueducts Project.
