How do you integrate security within a Continuous Deployment (CD) environment - where every 5 minutes a feature, an enhancement, or a bug fix needs to be released?
Traditional application security tools, which require lengthy periods of configuration, tuning and application learning, have become irrelevant in these fast-paced environments. Yet falling back only on the secure coding practices of the developer cannot be tolerated.
Secure coding requires a new approach where security tools become part of the development environment – and eliminate any unnecessary overhead. By collaborating with development teams, understanding their needs and requirements, you can pave the way to a secure deployment in minutes.
16. Step 1: Plan for Security
• Identify unsecured APIs and frameworks
• Map security-sensitive code portions, e.g. the password change mechanism and the user authentication mechanism.
• Anticipate regulatory problems and plan for them.
18. Step 2: Engage the Developers. And Be Engaged
• Connect developers to security
– Going to OWASP? Bring a developer with you!
• Is your house on fire? Share the details with your developers.
• Have an open-door approach
• Set up an online collaboration platform, e.g. Jive, Confluence, etc.
20. Step 3: Arm the Developer
• Secure frameworks:
– Use a secure framework such as Spring Security, JAAS, Apache Shiro, Symfony2
– ESAPI is a very useful OWASP security framework
• SCA tools that can provide security feedback at the pre-commit stage:
– Rapid response
– Small chunks
22. Step 3: Automate the Process
• Integrate within your build (Jenkins, Bamboo, TeamCity, etc.)
– SAST
– DAST
• Fail the build if security does not pass the bar.
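The two preceding steps (scanner feedback at the pre-commit stage, and a build that fails when security does not pass the bar) both come down to the same decision: take a scanner's findings and turn them into pass/fail. The following is an added example, not code from the talk or from any of the tools it names; it reads a constructed, simplified JSON report (not any real tool's format) and applies a severity threshold. The report layout, the `SAMPLE_REPORT` contents and the function names are assumptions for illustration.

```python
"""Severity gate for scanner output: usable as a pre-commit hook and as a
build step (e.g. a Jenkins stage that runs this script and checks its exit code).
Added example; the report format is a constructed one, not a real tool's."""
import json
import sys
from collections import Counter

# Ranking used to compare finding severities against the gate threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report, shaped like what a SAST/SCA tool might emit
# after scanning one commit. Values are illustrative only.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "sqli-001", "severity": "high", "file": "app/db.py", "line": 42},
        {"id": "xss-002", "severity": "medium", "file": "app/views.py", "line": 17},
        {"id": "dep-003", "severity": "low", "file": "requirements.txt", "line": 3},
    ]
})


def evaluate_gate(report_json, fail_at="high", max_allowed=0):
    """Decide whether a commit/build passes.

    fail_at     - lowest severity that counts as blocking ("high" means high
                  and critical block; medium and low are reported only).
    max_allowed - how many blocking findings are tolerated (0 = strict).
    Returns (passed, summary_by_severity, blocking_findings).
    Unknown severities are treated as non-blocking but still counted.
    """
    findings = json.loads(report_json).get("findings", [])
    threshold = SEVERITY_RANK[fail_at.lower()]
    summary = Counter(f.get("severity", "unknown").lower() for f in findings)
    blocking = [
        f for f in findings
        if SEVERITY_RANK.get(f.get("severity", "").lower(), 0) >= threshold
    ]
    return len(blocking) <= max_allowed, summary, blocking


def format_report(summary, blocking):
    """Short, developer-facing text: the 'rapid response, small chunks' idea
    means the message names exact file:line locations, not a long PDF."""
    lines = ["findings by severity: " + ", ".join(
        f"{sev}={count}" for sev, count in sorted(summary.items()))]
    for f in blocking:
        lines.append(f"BLOCKING {f['severity']}: {f['id']} at {f['file']}:{f['line']}")
    return "\n".join(lines)


def main(argv):
    # Usage: gate.py [report.json] [fail_at]; with no file, the sample is used.
    report_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    fail_at = argv[2] if len(argv) > 2 else "high"
    passed, summary, blocking = evaluate_gate(report_json, fail_at=fail_at)
    print(format_report(summary, blocking))
    print("GATE PASSED" if passed else "GATE FAILED")
    return 0 if passed else 1  # non-zero exit fails the hook or build step


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as a pre-commit hook, the non-zero exit stops the commit and the developer sees the blocking file:line within seconds; run as a build step, the same exit code is what makes the build "not pass the bar". Keeping the threshold as a parameter lets a team start with `fail_at="critical"` and tighten it as the backlog shrinks, which is the "start small" advice from the summary.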
24. Security within Continuous Deployment
[Pipeline diagram; recoverable stages:] Develop Code → Commit → Source Control → Build Trigger → Deploy to Test Env → SCA Test & Automatic security test → Publish to report repository → Notify → Deploy to Production. The release tests run alongside the automatic security tests.
28. Summary
• DevOps is happening. Right now.
– During the time of this talk, Amazon has released 75 features and bug fixes.
• Security should not be compromised
• Don’t be overwhelmed. Start small
29. The 3 Takeaways
1. Plan from the ground up
2. Engage with your developers
3. Integrate security into the automatic build process.