Leverage DevOps & Agile Development to Transform Your Application Testing Program: Client Case Study

Slide 1: © 2017 IBM Corporation. Leverage DevOps & Agile Development to Transform Your Application Testing Program: Client Case Study

Slide 2: Speakers
• Shuchita Gupta, Senior Software Client Architect & Leader, IBM
• Sona Srinivasan, Senior IT Architect, Global Architecture and Technology Services IT, Cisco Systems, Inc.
• Alan Shimel, Moderator, Editor-in-Chief, DevOps.com

Slide 3: State of Application Security
• Average time to detect an APT: 256 days
• Average cost of a U.S. data breach: $6.5M
• Average size of a U.S. data breach: 30K records
• Percentage of breaches due to Web attacks: 40%
Sources: IBM X-Force Threat Intelligence 2015; 2016 Verizon Data Breach Investigations Report; 2016 Cost of Data Breach Study: Global Analysis

Slide 4: Conversations & Challenges
• How often should you think about security in the SDLC?
• Are automated DAST scans enough?
• Should I stop my release in a continuous delivery pipeline if my critical vulnerabilities aren't fixed?
• Can running SAST scans on each build reduce my need to run DAST scans?
• Should my user stories for security be incorporated in a sprint, or be a part of my design?
Key: SAST = Static Application Security Testing; DAST = Dynamic Application Security Testing

Slide 5: Poll Question #1

Slide 6: The Sec Ops Journey
• Conversations that launched with Agile
• The steps to cognitive security
• Examples of continuous security
• Continuous security at Cisco
• Adapting to threats & attacks together

Slide 7: Continuous Security Example #1: Architecture & Security Requirements
• Threat modeling by feature & design: for every major application re-design or major feature change, threat models must be built from the application's design changes.
• Security assessments tie in with user stories: the security assessment answers the who, why and what of the feature and application.
• Documented security design: revisit the data classification for data at rest and in transit. E.g., employee data on a company system becomes customer data on an insurance system; data changes classification from system to system depending on the consuming application.
• Application profiling at the time of provisioning, for baselining.

Slide 8: Continuous Security Example #2
Running static security scans on Git repo branches is considered continuous security when combined with:
• Code tagging (e.g., deployed code tags need metadata about the code) with insights into code patterns (e.g., singleton usages, factory patterns, etc. tied to security insights)
• Developer behaviors (e.g., developers who code in Java might need training in SQL injection; novice developers might need training in XSS)
• Code-branch patterns (e.g., repos with fewer branches might have more to catch, as branched code might be more modularized and secure)
• Vulnerability trends (e.g., HR apps have SQL injections, while Service X might have the most vulnerable code)
• Types of languages used, tied to the type of data classification (e.g., Cisco is a big Java and PL/SQL shop, with movement towards Apex and Angular, etc.)

Slide 9: Continuous Security Example #3
Automated DAST is seen as continuous security with security benchmarking:
• Quality pre-requisites for DAST: can deployment workflows check for quality & load tests before running DAST scans? (Have QA bugs been fixed, so DAST spends more of its time on the security threat classes?)
• Are the DAST test environments close to production and stable enough for graceful recovery from the DAST attacks (DMZ, core zone, data center, PaaS profile), especially in a continuous environment? Example: network latency from the source of the DAST scan to the application destination environment (e.g., India to Richardson).

Slide 10: Continuous Security Example #4
Management of incident response data and mapping it to application attacks and environment attacks, with:
• Pre-deployment security posture from:
  • SAST
  • DAST
  • Open source scanning
  • App profiling (cloud native, hybrid, on premise, etc.)
  • Penetration test results
• Post-deployment security posture of:
  • Applications
  • Data
  • Environment
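The gating rules that slides 4, 9 and 10 describe (DAST only after quality and load tests pass; release blocked while a critical pre-deployment finding is unresolved) and the per-app vulnerability trend of slide 8, as an added example that is not part of the deck or the speakers' tooling; the function names, record layout and sample runs are assumptions.

```python
"""Release gate for a continuous-security pipeline (constructed example).

Rules from the deck: DAST only after quality and load tests pass (slide 9);
block release on any unresolved critical SAST/DAST/OSS/pen-test finding
(slides 4, 10); roll findings up per app as a vulnerability trend (slide 8).
Names, record layout and sample data are assumptions, not the speakers' tooling.
"""
from collections import Counter
from dataclasses import dataclass, field
PRE_DEPLOY_SOURCES = ("sast", "dast", "oss", "pentest")  # slide 10 posture inputs

@dataclass
class Finding:
    app: str
    source: str       # one of PRE_DEPLOY_SOURCES
    category: str     # e.g. "sql_injection", "xss"
    severity: str     # "critical", "high", "medium", "low"
    resolved: bool = False

@dataclass
class PipelineRun:
    app: str
    quality_tests_passed: bool
    load_tests_passed: bool
    findings: list = field(default_factory=list)

def dast_allowed(run):
    """Run DAST only once QA and load tests pass, so the scan spends its time
    on security threat classes instead of tripping over functional bugs."""
    return run.quality_tests_passed and run.load_tests_passed

def release_decision(run):
    """Stop the pipeline on any unresolved critical pre-deployment finding."""
    blockers = [f for f in run.findings if f.source in PRE_DEPLOY_SOURCES
                and f.severity == "critical" and not f.resolved]
    return "block" if blockers else "promote"

def vulnerability_trend(runs):
    """Unresolved findings per (app, category): which app keeps producing what."""
    return Counter((f.app, f.category)
                   for r in runs for f in r.findings if not f.resolved)

SAMPLE_RUNS = [  # constructed sample runs, not real IBM or Cisco data
    PipelineRun("hr-portal", True, True, [
        Finding("hr-portal", "sast", "sql_injection", "critical"),
        Finding("hr-portal", "oss", "outdated_dependency", "high")]),
    PipelineRun("service-x", True, False, [
        Finding("service-x", "sast", "xss", "critical", resolved=True)]),
]
```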
Slide 11: Poll Question #2

Slide 12: Development Platform as a Service
[Diagram: application types (cloud apps, apps built, apps bought, web, mobile, APIs), each mapped to a pipeline of stages: repo mgmt., build automation, quality assurance, SAST, deployment, DAST (cloud-ready DAST, mobile DAST, binary analyzer, binary executable mgmt.), penetration test and post-deployment mgmt.]

Slide 13: App Profiling & DPaaS Choice
[Diagram: app stack provisioning & app profiling via a cloud API; app types (web app built, cloud app, mobile app built, web app packaged, mobile app packaged) feed, together with incidents & security breaches, a composite app profile.]

Slide 14: Poll Question #3

Slide 15: Continuous Security at Cisco
People & Skillset:
1. Continuous education on process & technology
2. In-context training as opposed to on-demand
3. Federated security personnel in the functions
Technology & Automation:
1. Watch the market & developer world
2. Our eyes are on PaaS changes and developer tools & technology changes
Governance & Audits:
1. Bringing the policy to the user
2. Moving governance into the life cycle: start right, rather than shift left
3. Multi-check points

Slide 16: Journey to Cognitive
Stages along increasing process complexity and developer skillset:
• Simplify: good domain knowledge; developer skill-set ranges from beginner to seasoned
• Automate: process is simple and mature for automation; intermediate developer skill-set
• Digitize: go from multiple sub-systems to digital components in streams; expert developer
• Machine Learning: developer is knowledgeable enough on when to apply machine learning to enable speed; adding specific bots to address bottlenecks is a great way to ease the experience problem for security tools and their complexity
• Cognitive: developer is highly seasoned, with domain expertise and data architectures that then leverage cognitive APIs for proactive security guidance

Slide 17: Managing Risk Holistically
• Comprehensive attack surface minimization through insights
• Bottom-up & top-down vulnerability management
• Technology ecosystem, with vendors
• Always remember the application is the front door: trained ninjas

Slide 18: Key Resources to Learn More
• Forrester Report "Secure Applications at the Speed of DevOps"
• Gartner 2017 Magic Quadrant for Application Security Testing
• Forrester Total Economic Impact (TEI) Study
• E-Guide: 5 Steps to Achieve Risk-Based Application Security Management

Slide 19: Q & A

Slide 20: © 2017 IBM Corporation. Thank You!
