The slides include links to my favorite #DevSecOps talks, blog posts, and useful tools.
I've organized them by category so that you can easily delve into whichever topics are most useful to you and your company right now.
Talk structure
Big Picture
* Mindsets / Principles
* Choosing how to invest your time
Scaling Your Company's Security
* Fundamentals, scaling efforts, long term wins
Action Plan
* Tie everything together and put it into practice
Mindsets / Principles
Automate as much as possible
Build guardrails, don't be gatekeepers
Prefer high signal tools & alerting (FNs > FPs)
Devs are your customers - security tool/library UI & UX are important!
And for the kids these days
Choosing How to Invest Your Time
Ask yourself:
Of my near / medium term tasks, which will provide the most long-term strategic value?
Can I do a near term task a little bit differently to make it much more useful later?
Tools in Your Security Tool Belt
Key insight:
Certain approaches are *inherently* better or worse in certain situations, regardless of the specific tool.
Instead of:
"How can I make tool X better?"
Ask:
"Is approach Y a good fit for what I'm trying to do?"
I also think it's useful to target vulns in terms of their
* Class - XSS, SSRF, access controls, ...
* Complexity - What level of analysis complexity is needed to find/prevent it consistently with high signal?
Both can influence our approach.
Eventually your breakdown may look like this:
* Secure defaults - solve many issues categorically
* Tools - helpful for security baselines
* #BugBounty - Continuous coverage
* #Pentesting - Find the hard stuff
* Runtime monitoring - Best for finding certain hard cases
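As an added example of what "secure defaults" means in practice (this is my illustration, not code from the slides, the thread, or the Netflix team): one outbound HTTP destination check whose default refuses internal addresses, so SSRF is handled categorically in a shared helper instead of at every call site. The function names, the fake resolver and the sample URLs are assumptions made for the example.

```python
"""Secure-by-default outbound HTTP destination check (added example).

Rather than auditing every call site for SSRF, give developers one
wrapper whose default refuses internal addresses and requires an explicit
opt-in (allow_internal=True) for the rare legitimate case. The resolver is
injectable so the check runs offline here and so callers can pin the
resolved IP for the actual connection.
"""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeDestination(ValueError):
    """Raised when a URL points somewhere the default policy forbids."""


def resolve(host):
    """Real DNS lookup: all A/AAAA answers for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(ip):
    """True only for globally routable unicast addresses.

    ipaddress.is_global is False for RFC 1918 space, loopback, link-local
    (which covers 169.254.169.254, the cloud metadata address), CGNAT, the
    unspecified address, and IPv4-mapped IPv6 forms of the same.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # not an IP literal at all: refuse
        return False
    return addr.is_global and not addr.is_multicast


def check_destination(url, allow_internal=False, resolver=resolve):
    """Return the resolved IPs for url or raise UnsafeDestination.

    Callers should connect to one of the returned IPs (setting the Host
    header themselves) rather than re-resolving; otherwise a DNS-rebinding
    attacker can pass this check and still reach an internal address.
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeDestination(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise UnsafeDestination("URL has no host")
    try:
        ips = resolver(parts.hostname)
    except socket.gaierror as exc:
        raise UnsafeDestination(f"cannot resolve {parts.hostname}") from exc
    if not ips:
        raise UnsafeDestination(f"no addresses for {parts.hostname}")
    if allow_internal:
        return ips
    internal = [ip for ip in ips if not _is_public(ip)]
    if internal:  # a single internal answer is enough to refuse
        raise UnsafeDestination(f"{parts.hostname} resolves to {internal}")
    return ips


def is_allowed(url, allow_internal=False, resolver=resolve):
    """Boolean form of check_destination, convenient for tests and logging."""
    try:
        check_destination(url, allow_internal, resolver)
        return True
    except UnsafeDestination:
        return False


# Constructed resolver for offline use (hypothetical answers): fixed
# results for two names; IP literals pass through unchanged.
FAKE_DNS = {"example.com": ["93.184.216.34"], "metadata": ["169.254.169.254"]}


def fake_resolve(host):
    return FAKE_DNS.get(host, [host])


if __name__ == "__main__":
    for u in ["https://example.com/api", "http://metadata/latest/",
              "http://127.0.0.1:8080/admin", "http://[::1]/", "file:///etc/passwd"]:
        print(u, "->", "allowed" if is_allowed(u, resolver=fake_resolve) else "blocked")
```

The opt-in flag is the guardrail rather than the gate: a developer who genuinely needs to reach an internal service can, but has to say so where a reviewer will see it. Note the check is only as good as what connects afterwards; an HTTP client that re-resolves the hostname, or follows a redirect to a new host, needs the same check on each hop.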
Here's how the @netflix #appsec team has been thinking about it: The first image is from @astha_singhal and @coffeetocode at @AppSecCali '18: https://www.youtube.com/watch?v=L1WaMzN4dhY&feature=youtu.be&t=1855 The 2nd is from @HelloArbit & Esha Kanekar at @AppSecCali '19: https://tldrsec.com/blog/appsec-cali-2019/#a-pragmatic-approach-for-internal-security-partnerships
The Fundamentals
* Vulnerability Management
* Continuous Scanning
* Asset Inventory
These are not the fundamentals because they're easy. In fact, they're *really* hard to do well.
But, if you have a solid base, you can build awesome, high-leverage things on top of them.
Vuln Management
Table stakes for knowing a) how you're currently doing and b) if your future initiatives actually help.
Minimize friction, track all vulns in one system, define a consistent workflow, and track vuln class, risk, what found it, and other metadata.
Example dashboards
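As an added example (mine, not from the slides): a minimal tracker that keeps every finding, whatever found it, in one record type with the same metadata and one explicit workflow, then computes the numbers a dashboard would chart to answer both questions above. The state names, SLA days, and sample findings are constructed for illustration.

```python
"""Single-system vulnerability tracker with one explicit workflow.

Added example, not from the slides. Every finding carries the same
metadata (class, severity, source, service) and moves through one state
machine, so the dashboard can answer "how are we doing?" and "did
initiative X help?". SLA days and sample findings are made up.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import date
from statistics import median
from typing import Optional

# The consistent workflow: allowed next states for each state.
WORKFLOW = {
    "new": {"triaged", "false_positive"},
    "triaged": {"in_progress", "accepted_risk"},
    "in_progress": {"fixed"},
    "fixed": {"verified", "in_progress"},  # reopen if the fix did not hold
    "verified": set(),
    "false_positive": set(),
    "accepted_risk": {"triaged"},          # re-evaluate later
}
CLOSED = {"verified", "false_positive", "accepted_risk"}
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # hypothetical


@dataclass
class Vuln:
    id: str
    vuln_class: str   # XSS, SSRF, access control, ...
    severity: str     # critical / high / medium / low
    source: str       # what found it: SAST, bug bounty, pentest, runtime
    service: str
    opened: date
    state: str = "new"
    closed: Optional[date] = None
    history: list = field(default_factory=list)


def transition(v, new_state, when):
    """Move v to new_state, enforcing the workflow and recording the change."""
    if new_state not in WORKFLOW[v.state]:
        raise ValueError(f"{v.id}: {v.state} -> {new_state} is not allowed")
    v.history.append((v.state, new_state, when))
    v.state = new_state
    v.closed = when if new_state in CLOSED else None
    return v


def dashboard(vulns, today):
    """Metrics a security team can chart over time."""
    open_ = [v for v in vulns if v.state not in CLOSED]
    days_to_verify = defaultdict(list)
    for v in vulns:
        if v.state == "verified":
            days_to_verify[v.severity].append((v.closed - v.opened).days)
    per_source = Counter(v.source for v in vulns)
    fps = Counter(v.source for v in vulns if v.state == "false_positive")
    return {
        "open_by_class": dict(Counter(v.vuln_class for v in open_)),
        "open_by_source": dict(Counter(v.source for v in open_)),
        "overdue": [v.id for v in open_
                    if (today - v.opened).days > SLA_DAYS[v.severity]],
        "median_days_to_verify": {s: median(d) for s, d in days_to_verify.items()},
        # Signal quality per source: a rising rate means that tool is noisy.
        "false_positive_rate": {s: fps[s] / n for s, n in per_source.items()},
    }


def _walk(v, steps):
    for state, when in steps:
        transition(v, state, when)
    return v


def sample_vulns():
    """Constructed findings, not real data."""
    d = date
    return [
        _walk(Vuln("V-1", "XSS", "high", "SAST", "web", d(2024, 1, 2)),
              [("triaged", d(2024, 1, 3)), ("in_progress", d(2024, 1, 5)),
               ("fixed", d(2024, 1, 10)), ("verified", d(2024, 1, 12))]),
        _walk(Vuln("V-2", "SSRF", "critical", "bug bounty", "api", d(2024, 2, 1)),
              [("triaged", d(2024, 2, 1)), ("in_progress", d(2024, 2, 2)),
               ("fixed", d(2024, 2, 5)), ("verified", d(2024, 2, 6))]),
        _walk(Vuln("V-3", "XSS", "medium", "SAST", "web", d(2024, 2, 10)),
              [("false_positive", d(2024, 2, 11))]),
        _walk(Vuln("V-4", "access control", "critical", "pentest", "admin", d(2024, 3, 1)),
              [("triaged", d(2024, 3, 2))]),
        Vuln("V-5", "XSS", "low", "SAST", "web", d(2024, 3, 15)),
        _walk(Vuln("V-6", "SSRF", "high", "runtime", "api", d(2024, 3, 10)),
              [("triaged", d(2024, 3, 11)), ("accepted_risk", d(2024, 3, 12))]),
    ]


def sample_report():
    """Dashboard for the constructed sample as of 2024-03-20."""
    return dashboard(sample_vulns(), date(2024, 3, 20))
```

Because the source of each finding is recorded, the same data answers "is this new scanner worth the noise?" (false-positive rate per source) and "did the secure-default library actually reduce XSS?" (open count by class over time), which is exactly the measurement the fundamentals are meant to enable.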