Profile picture
Gene Gotimer at OWASP Global AppSec DC
@CoverosGene
, 15 tweets, 8 min read Read on Twitter
DevSecOps: Essential Tooling to Enable Continuous Security by @armillz @GlobalAppSecDC
As DevOps/Agile processes push code continuously, disjoint/mysterious security teams can’t keep up. No time for slow, manual, late-cycle security. We want to be “secure enough” all the time. @armillz @GlobalAppSecDC
Application code must be assessed at multiple levels as it makes it way through the delivery lifecycle. @armillz @GlobalAppSecDC
From a pipeline and tooling standpoint, we want quality gates. Quality = Quality, Security, Maintainability, and every other -ility. Provide an overall picture of code health, stop bad code from getting through. @armillz @GlobalAppSecDC
Static Application Scanning
- static code analysis
- software composition analysis
- platform vulnerability scanning
- container scanning
@armillz @GlobalAppSecDC
Dynamic Functional Testing
- unit testing
- health tests
- API testing
- UI testing
@armillz @GlobalAppSecDC
Non-functional testing
- DAST
- performance testing
- 508 accessibility testing
- other compliance testing
@armillz @GlobalAppSecDC
Real-time monitoring
- log aggregation
- real-time container and host monitoring
- container and host scanning
- performance monitoring
Wraps into SIEM
@armillz @GlobalAppSecDC
Integrate your dev, sec, QA, ops teams to streamline your delivery process and enable success. Can’t succeed with only compliance box checkers.
Get the teams to work together.
- Security consultants, not security police
- Contributors, not naysayers
@armillz @GlobalAppSecDC
You will never have enough security engineers for every team. Need cross-team functions (vs. just cross-functional teams)
@armillz @GlobalAppSecDC
Strive for continuous assessment. Develop a culture of security.
Start small, possibly free.
@armillz @GlobalAppSecDC
Use time budgets to arrange your security tests and scans. Do a lightweight scan up front, then move deeper scans later (overnight, weekends). Break it up in smaller chunks (one advantage of microservices).
@armillz @GlobalAppSecDC
It is hard/impossible to keep up with all the new tools. Find something the works. You don’t need the perfect tool, you just need a tool. Try free, then once you learn more you might find that the expensive commercial tool saves you money in hours.
@armillz @GlobalAppSecDC
I guess a few people were interested in @armillz’s talk @GlobalAppSecDC
Split up your security tasks to spread them throughout your sprint-ly activities. E.g., 20 minutes of threat modeling during each story planning, not 3 days of threat modeling once a release.
@armillz @GlobalAppSecDC
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Gene Gotimer at OWASP Global AppSec DC
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related threads

Profile picture
Troy SK
@troysk704
Some of you might be aware; I have been on a 4 year quest to build a smarthome. I am using and sometimes hacking existing solutions in most cases. I found some glaring lapses of security and privacy. A thread on @Xiaomi/@XiaomiIndia #security #privacy #iot @internetofshit
First up; my favourite robot which keeps my home clean. The Roborock S55 uses SLAM technology with cameras & sensors to generate a model of the house. It cleans really well & it leaks even better as it doesn't use HTTPS to communicate. It misses its home and keeps calling back!
Next up; one of the cheapest smart cameras in the market. The Xiaomi XiaoFang WiFi camera does 1080p video and costs less than Rs. 1200. I have many around the house for security purposes. It is a great oxymoron as its a security device with no security.
Read 15 tweets
Profile picture
Melissa Perri
@lissijean
Seeing a trend in large (and not originally software based) companies making a move to more outcome oriented models and feature teams not understand that you need #prodmgmt leadership.

You can’t have a product organization of a bunch of entry level folks and expect magic. /1
What these companies typically want to do is move people from other parts of the business into PO roles on Scrum teams.

Totally fine. You can do that and train those people.

But who is pulling all those scrum teams together into a holistic product vision for the group? /2
Who is going to keep mentoring those people once the trainers and coaches you hired leave?

Who is going to align the business strategy back to the software strategies?

/3
Read 6 tweets
Profile picture
Tom Leaman
@tleam
Central organizations != silos. Looking forward to hearing from @rusmeshenberg about how Netflix utilizes central teams to enable #devops in “The Role of Central Teams in DevOps Organizations” at #reInvent
How do central orgs develop at a company? It’s all tied to growth. You may have a central-central team or even local-central teams @rusmeshenberg #reInvent
Did you know Daredevil DevOps? He definitely DevOps #reinvent
Read 25 tweets
Profile picture
Susanne
@susannehusebo
I’ve worked with lots of agile #teams, and some of the symptoms of a well functioning high-perfoming teams that I see are:

👇
They start their daily standups on time.
They tend to laugh a lot and have fun.
Read 86 tweets
Profile picture
John Cutler
@johncutlefish
So let’s take an org that is experiencing 50%+ drag due to technical debt.

You would think that would ring alarm bells everywhere, right? It would be all hands on deck fixing the issue, right?

Well... (1/13) #leanagile #devops
“How could YOU ever let it get this way?”
“Well, WE’VE been warning YOU about it since.”
“But YOU never said it would be THIS bad!”

“We did. You’d ask for a plan. We’d give you a plan. You’d say no way. And then we’d settle on a band-aid like 10% time” (2/13) #leanagile #devops
Typically, someone was raising the alarm, somewhere. But it all got watered down...

the org was experiencing growth, hiring lots of people, launching new products. So much noise. Little signal.

“Oh, it’s just developers complaining...” (3/13) #leanagile #devops
Read 13 tweets
Profile picture
Fauzan Emmerling
@femmerling
Banyak banget yang nanya, ngerjain startup tu asik ya? Gw share dikit ya ilmu gw di per-startup-an selama 13 tahun terakhir. Bakal panjang ya jadi sabar-sabar ngikutinnya
Gw yakin banyak banget di sini yang ngebayangin jadi kaya Mark Zuckerberg gara-gara nonton the social network. Bikin startup tidak seindah itu, apalagi jaman sekarang, PENUH PENDERITAAN. Iya lo ga salah baca. PENUH PENDERITAAN. Tapi bukan berarti ga asik kok sob nanti lo liat
Pengalaman startup pertama gw dimulai tahun 2005. Startup pertama gw adalah sebuat software house. Jaman itu masih ngenes lah. Kenapa ngenes? Itu jamannya masih kalo lo di bidang IT harus bisa jadi superman yang bisa segala macem dan dibayar serendah mungkin
Read 175 tweets

Trending hashtags

#DevOps #ModiSarkar #Flask #NavjotSinghSidhu #tech #security #Hinduism #design #Recycle #prodmgmt #agile #joinforces #Haridwar #stats #JavaScript #privacy #XP #DidiDharna #ನರೇಂದ್ರಮೋದಿ #peoplematters #Yoga4ClimateAction #DidiDrama #ModiSarkar2 #microservices #release
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!