Continuous security

Continuous security
Kim van Wilgen
Schuberg Philis
@kimvanwilgen
nl.linkedin.com/kimvanwilgen
kimvanwilgen@gmail.com
www.kimvanwilgen.com

About me Kim van Wilgen
Customer director at Schuberg Philis
Former head of development at ANVA
Former head of IT at Klaverblad
Programming since 2018
@kimvanwilgen
nl.linkedin.com/kimvanwilgen

A 100% STORY
100% CUSTOMER
SATISFACTION

With the hypes of agile
and continuous
delivery focus shifted
to speed…and nothing
else

Shifting panels
- Cloud computing
- Microservices architectures
- IAAS, immutability, serverless
- IoT, AI, machine learning

Autonomous teams and
T, Pi and Key shaped people

Why is it boring?
Security roleplay or
responsibility

Security is not a core competence
of developers

@kimvanwilgen | www.kimvanwilgen.comContinuous security
Regulations

The fourth industrial
revolution?
Terrorism
Competetive advantage
Business continuity

Security all-in

DevSecOps

“I never once spoke with the security team
at Google. Not because they weren’t doing
their job, but exactly because they were
doing their job. They encoded their
expertise into self-service tools and
libraries, and we just used them ourselves”
Randy Shoup, WeWork

“When designing the software
architecture a security expert helps
to do a risk assessment early and
mitigate important risks by
design”
- Simon Brown -

Continuous Delivery (CD) is a set of practices and principles
in software engineering aimed at building, testing and
releasing software faster and more frequently. They help
reduce the cost, time and risk of delivering changes, and
ultimately value, to customers by allowing for more
incremental changes to applications in production.
Wikipedia, 2017

Continuous Security (CS) is a set of practices and principles
in software engineering aimed at building, testing and
releasing software faster and more frequently. They help

in software engineering aimed at designing, developing,
testing and running software more securely. They help

reduce the cost, time and risk of delivering integrity,
availability and data protection, and ultimately security, to
applications in production.

reduce the cost, time and risk of delivering integrity,
availability and data protection, and ultimately security, to
applications in production. Continuous security is essential for
delivering Continuous Delivery.

Gartner DevSecOps Top 10
Have security champions
Don’t eliminate all risk
Driven by DevOps teams
Identify and remove first
Adapt your SAST, & DAST
Eliminate known vulnerabilities
Immutable infrastructure
Detection of changes
Treat security tests as source code
Train for the basics

Security Satellite team
5 dev
(1 architect
2 devs
2 testers)
3 ops

Security board

#2: Don’t eliminate all risk

Risk and cost based security
Small tests and risk based

Alignment of security and
business value by taking it
to the teams

Integration in
the pipeline
#3:DevOps driven

Automate first
• SAST
• DAST
• Proxy tools
• Dependency checks
• Custom scripts
Integration in the pipelines

SAST: sourcecode or binary code testing for security
vulnerabilities typically at the programming and/or
testing software life cycle (SLC) phases
Leaders: Checkmarx, Veracode, Appscan (IBM), fortify
(Microfocus), PT application inspector, covarity
(Synopsys)
+ Find problems early in lifecycle, detailed feedback,
- False positives & false negatives
SAST
Static Analyses Security Testing

DAST: running state security testing, simulates attacks
against an application or system (typically web-enabled
applications and services), analyzes results and, thus,
determines whether it is vulnerable.
Leaders: Fortify, AppScan, ZAP, Qualys, Rapid7
+ Tests the application at runtime, realistic view
- More complex, harder to track, running instance (slow)
DAST
Dynamic Application Security Testing

DAST: Zed attack proxy (ZAP)

#4: Identify and remove: start small

I’ve added over a 100 security rules in
SonarQube and sent the top X screwups to the
team. They are more aware and will solve their
own issues.
Dominik, member of the ANVA security satellite team

I enabled the dependency check. We had
hundreds of vulnarabilities. We solved them
within a day with critical upgrades and the
removal of obsolete depencencies.

I ran Docker Bench. We found privileges
were too high and corrected them.

I’ve set up our internal learning platform with
webgoat. We can now practice attacks and grow
awareness and knowledge of defences.
Michiel, member of the ANVA security satellite team

#5: Adapt your SAST, DAST and security tests

Learn and adapt first before you break the build

Application Security Verification Standard
Unrelevant / Sast / Dast /
RAST / other
Train for risks we can’t
automate

Evil user stories
As a Malicious Hacker, I want to gain
access to this web application’s Cloud
Hosting account so that I can lock out
the legitimate owners and delete the
servers and their backups, to destroy
their entire business.

Owasp dependency check
Eliminate known vulnerabilities
58
550 vulnerabilities

Hack yourself first too
Chaos Engineering is the
discipline of experimenting on a
distributed system in order to
build confidence in the system’s
capability to withstand turbulent
conditions in production.

“Think as an offender will show the real
threats of your application and grow
awareness from finding out how easy it is.”
Troy Hunt, MVP for developer
security and creator of ‘Have I
been PWNED”

One of the benefits of using containers, especially in
microservices-based applications, is they make it
easier to secure applications via runtime
immutability—or never-changing—and applying least-
privilege principles that limit what a container can do.
Tsvi Korren - Chief Solutions Architect at Aqua Security

#9: Treat security tests as source code

Automate security
features and scan
against bugs and
vulnerabilities
Check for logical
flaws manually,
educate and
automate them

Academy sessions

Overview
Continuous Security
Automation
SAST
DAST
Proxytools
Customscripts
Depen-dency
checks
Knowledge
Training
Feedbackfrom
detection
Detection
Hackyourself
first
External
pentesting
Defence
Immutable
infrastructure
Detectchanges

@kimvanwilgen | www.kimvanwilgen.com
References
and questions
@kimvanwilgen

https://sdtimes.com/developers/gartners-guide-to-successful-devsecops/
https://cybersecurity.isaca.org/static-assets/documents/State-of-
Cybersecurity-part-2-infographic_res_eng_0517.pdf
https://www.sans.org/reading-room/whitepapers/critical/continuous-security-
implementing-critical-controls-devops-environment-36552
10 Things to Get Right for SuccessfulDevSecOps, Gartner, 2017,
IDG00341371
https://www.gartner.com/doc/reprints?id=1-4TI72Y2&ct=180320&st=sb
https://www.thoughtworks.com/radar/techniques
https://www.mmc.com/content/dam/mmc-web/Global-Risk-
Center/Files/MMC-Cyber-Handbook_2016-web-final.pdf
Sources

Continuous security

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Continuous security

Similar to Continuous security (20)

More from Kim van Wilgen

More from Kim van Wilgen (11)

Recently uploaded

Recently uploaded (20)

Continuous security