Scaling Security Assessment at the Speed of DevOps

Presented at AppSec USA 2016, Oct. 14, 2016, 2:15 p.m. (60 minutes)

Scaling Security Testing at the Speed of DevOps

Recent software development trends, namely DevOps, Continuous Integration, Continuous Delivery, and Continuous Deployment, have empowered developers and drastically reduced the DevTest window, forcing teams to adopt highly automated test infrastructures. While the adoption of these trends and automated test frameworks has improved feature delivery and time to market, it has complicated security assessment, producing substantial gaps between the current release and the last security-audited code. Consumers are now being forced to adopt new code releases daily or hourly without substantive security review, especially in the Software as a Service (SaaS) sector. As engineering teams rapidly embrace these development methodologies, the community must evolve its security testing strategies so as to enhance the security posture of products, services, and solutions. This evolution must address three primary problems brought to light by the aforementioned development trends:

1. Testability: Security requirements should be testable and verifiable.
2. Scalability: Security requirements should be capable of being automated in a best-effort fashion so as to scale effectively.
3. Accessibility: Security tools and results should be easily digestible by software engineers and testers, and new security tools should be accessible to all development and test engineers.

Therefore, we have developed and are preparing to open source a new distributed security testing framework called Norad, which facilitates security assessment at scale. This framework automates multiple open-source and vendor security tools and aggregates their results for review. It also provides an SDK which promotes the development of community-developed security test content. This talk will explain Norad's design philosophy and architecture, and demonstrate its usage.

Presenters:

  • Roger Seagle - Principal Engineer - Cisco
    Roger Seagle Jr. is a Principal Engineer in the STO TIP team at Cisco. Previously, he worked in Cisco's Advanced Security Initiatives Group (ASIG), where he assessed the security posture of Cisco products and advised product teams on patching and mitigating vulnerabilities. Roger regularly audits embedded systems and web applications, configures and monitors internal production servers, and serves as a technical advisor. Roger holds a PhD and an MS in Computer Science from the University of Tennessee, Knoxville, as well as a BS in Computer Science from Wake Forest University. He currently resides in Asheville, NC, where he enjoys hiking in the Blue Ridge Mountains with his wife, son, and hound dog.
  • Brian Manifold - Cisco
    Brian Manifold has worked as a software/security engineer at Cisco for the past 4 1/2 years. His main areas of interest at work are web development and web security. Outside of work he enjoys playing music, anything CNC-related (milling, 3D printing, etc.), hardware electronics, and spending time with his family.
  • Blake Hitchcock - Software Engineer - Cisco
    Blake Hitchcock has been building and breaking web applications for 6 years with Cisco. He loves writing in Ruby, and 'Burp' is not just something he does after a few too many kielbasas. When he's not doing web stuff, Blake enjoys fitness, food, sports, and cheering for his beloved Tennessee Volunteers.
