Slideshows by user kfealey (Kevin Fealey), SlideShare feed; generated Thu, 31 Oct 2019 12:25:20 GMT

A Stratagem on Strategy: Rolling Security Testing into Product Testing
/slideshow/a-stratagem-on-strategy-rolling-security-testing-into-product-testing/188921015
Posted Thu, 31 Oct 2019 12:25:20 GMT by kfealey (Kevin Fealey)

Commercial software products rely on formal test strategies to describe who will perform testing, when testing will occur, the process that will be followed, the depth of testing, and more. Test strategies are extended by test plans that detail the specific tests that will be executed and how success will be measured. Together, test strategies and plans support objectively evaluating that software meets its requirements and functions properly. Security teams, by contrast, think about where security gates should sit in the SDLC and deploy SAST, DAST, IAST, manual testing, or some combination. Rarely is it considered what level of coverage these methods actually provide, and output from security testing is seldom mapped back to requirements. Compared to the other teams involved in the SDLC, security seems to be winging its test strategies and plans. Especially in a DevOps environment, where silos are broken down and responsibilities are shared across dev, ops, test, and security, use of common methodologies helps reduce confusion and improve pipeline throughput. During this talk we will discuss:

- What are test strategies, and how are they used by product teams to provide consistency in testing (something security generally lacks)?
- What are test plans, and how are they used by product teams to enable visibly strong test coverage (something security also lacks)?
- In a DevOps environment, what is security's role in existing test strategies?
- How can security teams leverage test plans to provide better visibility into test coverage and map findings back to requirements, reducing confusion and demonstrating security's value to stakeholders throughout the value stream?
- What other lessons can we learn from how dev, ops, and test support quality deliveries that can enable more effective and efficient security (e.g. security as code)?
DevSecOps without DevOps is Just Security
/slideshow/devsecops-without-devops-is-just-security/126589468
Posted Sun, 23 Dec 2018 19:31:08 GMT by kfealey (Kevin Fealey)

The best DevSecOps practices are built alongside strong DevOps practices. However, DevSecOps processes and tooling are often decided within a security silo rather than by a DevSecOps collective. Security ends up more integrated and efficient than in the past, but the approach is still bolt-on and never fully streamlined. Collaboration between security and the other DevOps groups on roadmaps and shared resources can lead to greater efficiency and innovation while better supporting the value stream. This talk will discuss foundational considerations when building a DevSecOps practice. You will learn about the top prerequisites for a successful DevSecOps practice, most of which are provided by groups other than security, and we'll discuss case studies both from organizations that have embraced DevOps as a foundation for DevSecOps and from those that haven't. Attendees will walk away with questions to ask their counterparts in DevOps to understand current DevOps maturity and where security can leverage existing and planned DevOps resources to enable effective DevSecOps.
Simplify Dev with Complicated Security Tools
/slideshow/simplify-dev-with-complicated-security-tools-70965052/70965052
Posted Thu, 12 Jan 2017 21:35:19 GMT by kfealey (Kevin Fealey)

Abstract: Writing secure applications is not easy, but keeping a security mindset during development can help reduce the rework caused by pre-release security assessments. No one should expect developers to be security experts (that's not the path you've chosen), but the prevalence of free, open-source security tools and information can enable devs to detect many common and critical security issues before QA. This talk will focus on how developers can maximize the return on their security investment by automating detection of many vulnerabilities that security teams would otherwise find later in the SDLC. We'll talk about freely available tools and techniques, some of which may already be in your dev environment, that can enable non-disruptive security testing in development. And for those developers who are already security testing their code, we'll discuss how to take your testing to the next level by embedding it into your functional testing.
Interact Differently: Get More From Your Tools Through Exposed APIs
/kfealey/interact-differently-get-more-from-your-tools-through-exposed-apis
Posted Fri, 04 Nov 2016 18:10:56 GMT by kfealey (Kevin Fealey)

Most tools are designed with a single function in mind, but they can often be leveraged for additional workflows as well. For example, SonarQube is marketed as a platform to manage code quality, but custom plugins can also enable security testing. At its heart, Jenkins is a build tool, but it can be used for security testing as well. Don't like the security dashboard applications bundled with your commercial security tools? Either Jenkins or SonarQube can replace them. Can't stand viewing your tool exports in Excel? A simple XML transformation can let you see your data in a way that makes sense to you. Welcome to the age of APIs. Nearly every major software product now exposes RESTful APIs, an SDK, a command line, or a plugin interface. Don't limit yourself to out-of-the-box functionality; customize your tools to work best for you. This talk will describe some ways exposed APIs and plugin interfaces in commercial and open-source products have been used to make work more effective and efficient. We'll demonstrate simple tools that interact with common software packages, like Jenkins, SonarQube, and OWASP ZAP, to streamline workflows and provide better visibility on what matters most to us. And we'll tell you how to get started getting more out of the tools you already use.
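The "simple XML transformation" the abstract mentions, as an added example (this is editor-supplied code, not material from the talk or from the OWASP ZAP project): it flattens a ZAP XML report into plain records, rolls them up by risk and CWE, and applies a pass/fail gate a Jenkins stage can act on. The embedded report is constructed by hand; its element names follow ZAP's traditional XML report as I know it and are an assumption to verify against the ZAP version you actually run.

```python
"""Turn an OWASP ZAP XML report into a summary a pipeline stage can act on.

Added example, not code from the talk or from the ZAP project. The report below
is constructed by hand; its element names (OWASPZAPReport > site > alerts >
alertitem with riskcode, confidence, cweid and instances) follow ZAP's
traditional XML report as I know it and should be checked against the output of
the ZAP version you run.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: one reflected XSS alert and one missing-header alert.
SAMPLE_ZAP_XML = """<?xml version="1.0"?>
<OWASPZAPReport version="2.5.0" generated="Fri, 4 Nov 2016 10:00:00">
  <site name="http://example.test" host="example.test" port="80" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>40012</pluginid>
        <alert>Cross Site Scripting (Reflected)</alert>
        <name>Cross Site Scripting (Reflected)</name>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
        <riskdesc>High (Medium)</riskdesc>
        <instances>
          <instance><uri>http://example.test/search?q=x</uri><method>GET</method><param>q</param></instance>
          <instance><uri>http://example.test/echo?m=x</uri><method>GET</method><param>m</param></instance>
        </instances>
        <count>2</count>
        <cweid>79</cweid>
      </alertitem>
      <alertitem>
        <pluginid>10016</pluginid>
        <alert>Web Browser XSS Protection Not Enabled</alert>
        <name>Web Browser XSS Protection Not Enabled</name>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <riskdesc>Low (Medium)</riskdesc>
        <instances>
          <instance><uri>http://example.test/</uri><method>GET</method><param></param></instance>
        </instances>
        <count>1</count>
        <cweid>933</cweid>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def _text(item, tag, default=""):
    """Child text with a default: scanners add and drop fields between versions."""
    value = item.findtext(tag)
    return value.strip() if value else default


def parse_zap_report(xml_text):
    """Flatten the report into one plain dict per alert, with its instances."""
    findings = []
    for site in ET.fromstring(xml_text).iter("site"):
        for item in site.iter("alertitem"):
            cwe = _text(item, "cweid")
            findings.append({
                "site": site.get("name", ""),
                "plugin_id": _text(item, "pluginid"),
                "name": _text(item, "name") or _text(item, "alert"),
                "risk": int(_text(item, "riskcode", "0")),
                "confidence": int(_text(item, "confidence", "0")),
                "cwe": int(cwe) if cwe.isdigit() else None,
                "instances": [
                    {"uri": inst.findtext("uri") or "",
                     "method": inst.findtext("method") or "",
                     "param": inst.findtext("param") or ""}
                    for inst in item.iter("instance")
                ],
            })
    return findings


def summarize(findings):
    """Roll alerts up by risk level and CWE, plus the distinct URLs affected."""
    by_risk = Counter(f["risk"] for f in findings)
    return {
        "alerts_by_risk": {RISK_NAMES[r]: by_risk[r] for r in sorted(by_risk, reverse=True)},
        "alerts_by_cwe": dict(Counter(f["cwe"] for f in findings if f["cwe"] is not None)),
        "urls": sorted({i["uri"] for f in findings for i in f["instances"]}),
    }


def gate(findings, fail_at_risk=3, min_confidence=2):
    """Alerts that should fail the build: risk and confidence both at or above the thresholds.

    Filtering on confidence keeps low-confidence passive-scan noise from blocking every build.
    """
    return [f for f in findings if f["risk"] >= fail_at_risk and f["confidence"] >= min_confidence]


if __name__ == "__main__":
    found = parse_zap_report(SAMPLE_ZAP_XML)
    print(summarize(found))
    blocking = gate(found)
    print("blocking:", [f["name"] for f in blocking])
    raise SystemExit(1 if blocking else 0)  # a non-zero exit fails the Jenkins stage
```

The same three functions work unchanged on a report produced by `zap-cli` or the ZAP API's XML report endpoint; the only part you are likely to tune is the gate thresholds, and those are parameters rather than constants so that a Jenkinsfile can pass them per project.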
Achieving Visible Security at Scale with the NIST Cybersecurity Framework /slideshow/achieving-visible-security-at-scale-with-the-nist-cybersecurity-framework/58942655 t401aspectsecurityfealey-achievingvisiblesecurityatscalewiththenistcybersecurityframework-160302024249
In 2011, Marc Andreessen said "software is eating the world." Today, that statement is truer than ever. Businesses in every industry - from retail, to energy, to financial - are essentially software companies, with millions of lines of custom source code being written and managed in-house. Additionally, advances in the Software Development Life Cycle (SDLC) and the emergence of DevOps have allowed some organizations to deploy new code from development to production dozens of time each day. Traditional approaches to securing such large quantities of code, especially at the speed of current development, have proven to be ineffective, as is evident by recent public data breaches of both public and private sector organizations; as well as the resulting legislation, like Presidential Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity. The only way for cybersecurity teams to keep up with their development counterparts is to automate, but where should they start? The NIST Cybersecurity Framework provides guidance for organizations interested in establishing or improving a cybersecurity program. Today, a security automation plan is a crucial aspect of any cybersecurity program. This talk will describe how the NIST Cybersecurity Framework can be used to establish and implement a plan for integrating security-automation activities into any security program. We'll describe the latest trends in security-automation and DevOps, including how to automatically identify security-best practices being followed, and anti-patterns that indicate a potential risk. Attendees will learn how to consolidate this data in a centralized dashboard of their choosing, and how such information can be automatically distributed to stakeholders throughout their organization. In the coming years, with the growth of Internet of Things (IoT) and Cloud, organizations will become more and more reliant on custom software. 
Cybersecurity teams who fail to begin automating soon will only continue to fall further behind and put their organizations at greater risk. The NIST Cybersecurity Framework provides the foundation for such teams to establish their roadmap to security, and this talk will build on that foundation to highlight some potential paths.]]>

In 2011, Marc Andreessen said "software is eating the world." Today, that statement is truer than ever. Businesses in every industry - from retail, to energy, to financial - are essentially software companies, with millions of lines of custom source code being written and managed in-house. Additionally, advances in the Software Development Life Cycle (SDLC) and the emergence of DevOps have allowed some organizations to deploy new code from development to production dozens of time each day. Traditional approaches to securing such large quantities of code, especially at the speed of current development, have proven to be ineffective, as is evident by recent public data breaches of both public and private sector organizations; as well as the resulting legislation, like Presidential Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity. The only way for cybersecurity teams to keep up with their development counterparts is to automate, but where should they start? The NIST Cybersecurity Framework provides guidance for organizations interested in establishing or improving a cybersecurity program. Today, a security automation plan is a crucial aspect of any cybersecurity program. This talk will describe how the NIST Cybersecurity Framework can be used to establish and implement a plan for integrating security-automation activities into any security program. We'll describe the latest trends in security-automation and DevOps, including how to automatically identify security-best practices being followed, and anti-patterns that indicate a potential risk. Attendees will learn how to consolidate this data in a centralized dashboard of their choosing, and how such information can be automatically distributed to stakeholders throughout their organization. In the coming years, with the growth of Internet of Things (IoT) and Cloud, organizations will become more and more reliant on custom software. 
Cybersecurity teams who fail to begin automating soon will only continue to fall further behind and put their organizations at greater risk. The NIST Cybersecurity Framework provides the foundation for such teams to establish their roadmap to security, and this talk will build on that foundation to highlight some potential paths.]]>
Wed, 02 Mar 2016 02:42:49 GMT /slideshow/achieving-visible-security-at-scale-with-the-nist-cybersecurity-framework/58942655 kfealey@slideshare.net(kfealey) Achieving Visible Security at Scale with the NIST Cybersecurity Framework kfealey
In 2011, Marc Andreessen said "software is eating the world." Today, that statement is truer than ever. Businesses in every industry - from retail, to energy, to financial - are essentially software companies, with millions of lines of custom source code being written and managed in-house. Additionally, advances in the Software Development Life Cycle (SDLC) and the emergence of DevOps have allowed some organizations to deploy new code from development to production dozens of times each day. Traditional approaches to securing such large quantities of code, especially at the speed of current development, have proven to be ineffective, as is evidenced by recent public data breaches of both public and private sector organizations, as well as the resulting legislation, like Presidential Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity. The only way for cybersecurity teams to keep up with their development counterparts is to automate, but where should they start? The NIST Cybersecurity Framework provides guidance for organizations interested in establishing or improving a cybersecurity program. Today, a security automation plan is a crucial aspect of any cybersecurity program. This talk will describe how the NIST Cybersecurity Framework can be used to establish and implement a plan for integrating security-automation activities into any security program. We'll describe the latest trends in security automation and DevOps, including how to automatically identify security best practices being followed, and anti-patterns that indicate a potential risk. Attendees will learn how to consolidate this data in a centralized dashboard of their choosing, and how such information can be automatically distributed to stakeholders throughout their organization. In the coming years, with the growth of Internet of Things (IoT) and Cloud, organizations will become more and more reliant on custom software. Cybersecurity teams who fail to begin automating soon will only continue to fall further behind and put their organizations at greater risk. The NIST Cybersecurity Framework provides the foundation for such teams to establish their roadmap to security, and this talk will build on that foundation to highlight some potential paths.
Achieving Visible Security at Scale with the NIST Cybersecurity Framework from Kevin Fealey
]]>
Static Analysis Security Testing for Dummies... and You /slideshow/static-analysis-security-testing-for-dummies-and-you/54324482 sastfordummiesfinal-151024025147-lva1-app6891
Most enterprise application security teams have at least one Static Analysis Security Testing (SAST) tool in their tool-belt; but for many, the tool never leaves the belt. SAST tools have gotten a reputation for being slow, error-prone, and difficult to use; and out of the box, many of them are, but with a little more knowledge behind how these tools are designed, a SAST tool can be a valuable part of any security program. In this talk, we'll help you understand the strengths and weaknesses of SAST tools by illustrating how they trace your code for vulnerabilities. You'll see out-of-the-box rules for commercial and open-source SAST tools, and learn how to write custom rules for the widely-used open source SAST tool, PMD. We'll explain the value of customizing tools for your organization; and you'll learn how to integrate SAST technologies into your existing build and deployment pipelines. Lastly, we'll describe many of the common challenges organizations face when deploying a new security tool to security or development teams, as well as some helpful hints to resolve these issues.]]>

Sat, 24 Oct 2015 02:51:47 GMT /slideshow/static-analysis-security-testing-for-dummies-and-you/54324482 kfealey@slideshare.net(kfealey) Static Analysis Security Testing for Dummies... and You kfealey
Static Analysis Security Testing for Dummies... and You from Kevin Fealey
]]>
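The SAST abstract above says the talk illustrates how these tools trace code for vulnerabilities. What follows is an added example written for this page, not code from the talk, from PMD, or from any commercial scanner: a toy intraprocedural taint tracker over Python's `ast` module that follows attacker-controlled data from a source to a sink, stops at a sanitizer, and deliberately shows one kind of flow (a value written into a dict and read back) that such a simplistic analysis misses, which is the strength/weakness trade-off the abstract refers to. The source, sink and sanitizer names and the sample program are assumptions constructed for the example.

```python
import ast

# Assumed for this example: where attacker data enters, where it is dangerous,
# and which calls neutralise it.  Real tools ship thousands of these per language.
SOURCES = {"request.args.get", "input"}
SINKS = {"os.system", "subprocess.call", "cursor.execute"}
SANITIZERS = {"shlex.quote", "int"}


def dotted_name(node):
    """'a.b.c' for a Name/Attribute chain such as request.args.get, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(expr, tainted):
    """True if the expression can carry tainted data, given the set of
    currently tainted variable names.  A sanitizer call stops propagation."""
    if isinstance(expr, ast.Call):
        fn = dotted_name(expr.func)
        if fn in SANITIZERS:
            return False
        if fn in SOURCES:
            return True
        return any(is_tainted(a, tainted) for a in expr.args)
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.BinOp):                   # "ls " + name
        return is_tainted(expr.left, tainted) or is_tainted(expr.right, tainted)
    if isinstance(expr, ast.JoinedStr):               # f"ls {name}"
        return any(is_tainted(v.value, tainted)
                   for v in expr.values if isinstance(v, ast.FormattedValue))
    if isinstance(expr, ast.Subscript):               # ctx["name"]: tainted only if ctx is
        return is_tainted(expr.value, tainted)
    return False


def find_flows(source_code):
    """Straight-line, per-function taint tracking.  Returns a list of
    (function, line, sink) triples where tainted data reaches a sink."""
    findings = []
    for func in ast.walk(ast.parse(source_code)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in func.body:                        # program order matters
            if isinstance(stmt, ast.Assign):
                names = [t.id for t in stmt.targets if isinstance(t, ast.Name)]
                if is_tainted(stmt.value, tainted):
                    tainted.update(names)
                else:
                    tainted.difference_update(names)  # overwritten with clean data
            for node in ast.walk(stmt):
                if (isinstance(node, ast.Call) and dotted_name(node.func) in SINKS
                        and any(is_tainted(a, tainted) for a in node.args)):
                    findings.append((func.name, node.lineno, dotted_name(node.func)))
    return findings


# Constructed sample program (not real application code).  Only `vulnerable`
# is reported; `fixed` is cleared by the sanitizer, and `missed` is a false
# negative because writes into the dict are not tracked.
SAMPLE = '''
import os, shlex

def vulnerable(request):
    name = request.args.get("name")
    cmd = "ls " + name
    os.system(cmd)

def fixed(request):
    name = request.args.get("name")
    cmd = "ls " + shlex.quote(name)
    os.system(cmd)

def missed(request):
    ctx = {}
    ctx["name"] = request.args.get("name")
    os.system("ls " + ctx["name"])
'''

if __name__ == "__main__":
    for func, line, sink in find_flows(SAMPLE):
        print(f"{func}: line {line}: tainted data reaches {sink}")
```

The `missed` case is the point to take away: a real SAST engine tracks container contents, fields, return values and call chains, and each of those is a place where a rule author has to tell the tool what propagates, which is why out-of-the-box rules miss application-specific sources and sinks and custom rules pay off.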
Automating Your Tools: How to Free Up Your Security Professionals for Actual Security Tasks /slideshow/automation-your-tools-how-to-free-up-your-security-professionals-for-actual-security-tasks/48959735 automatingyourtoolsfinal-150603195508-lva1-app6892
This presentation was given at the Techno Security & Forensics Investigations Conference in Myrtle Beach, SC on June 2, 2015. Abstract: Manual application security testing alone doesn't cut it anymore -- scanning with SAST, DAST, and IAST tools is necessary to achieve security at portfolio scale; but as agile development practices become more popular, tool-assisted security reviews used as gates to production become more disruptive and expensive. While development teams evolve toward continuous release and deployment, the security industry continues to use the same paradigms developed 15 years ago. If organizations hope to produce more secure code at DevOps speed, something has to change. This session will describe how many of the application security tasks performed manually today can be automated to allow security professionals to look for novel security problems, rather than just low-hanging fruit. I'll explain 1) How open source and commercial tools can add value when integrated into the development lifecycle; 2) How using security tools as automated sensors can improve security visibility and provide real-time actionable intelligence; and 3) How automating simple security tasks can free up security teams to work on real security challenges. We'll also describe some common pitfalls when incorporating security into development, as well as real-world solutions learned from our work in this area over the past 6 years.]]>

Wed, 03 Jun 2015 19:55:08 GMT /slideshow/automation-your-tools-how-to-free-up-your-security-professionals-for-actual-security-tasks/48959735 kfealey@slideshare.net(kfealey) Automating Your Tools: How to Free Up Your Security Professionals for Actual Security Tasks kfealey
Automating Your Tools: How to Free Up Your Security Professionals for Actual Security Tasks from Kevin Fealey
]]>
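Both the NIST Cybersecurity Framework abstract and the abstract above describe using security tools as automated sensors whose output is consolidated into a dashboard, separating best practices being followed from anti-patterns. Here is an added example of that consolidation step, written for this page and not taken from either talk: it normalises findings from two tools' SARIF 2.1.0 logs (SARIF is my choice of interchange format; neither abstract names one), drops repeats from re-scans so a rerun does not double count, and separates confirmed practices (SARIF `kind: pass`) from anti-patterns by severity. The tool names, rule IDs, severity mapping and the logs themselves are constructed for the example.

```python
import json
from collections import Counter

# SARIF "level" -> the severity scale used on the dashboard (an assumption here).
SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "info"}


def normalize(sarif_text):
    """Flatten one SARIF 2.1.0 log into plain finding records, keeping only the
    fields a dashboard needs: tool, rule, pass/fail kind, severity, location."""
    log = json.loads(sarif_text)
    records = []
    for run in log["runs"]:
        tool = run["tool"]["driver"]["name"]
        for result in run.get("results", []):
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            records.append({
                "tool": tool,
                "rule": result["ruleId"],
                "kind": result.get("kind", "fail"),   # SARIF default when absent
                "severity": SEVERITY.get(result.get("level", "warning"), "medium"),
                "uri": loc.get("artifactLocation", {}).get("uri", ""),
                "line": loc.get("region", {}).get("startLine"),
            })
    return records


def consolidate(*sarif_texts):
    """Merge several logs (possibly the same tool run more than once), drop
    exact repeats, and summarise confirmed practices vs. anti-patterns."""
    seen, unique = set(), []
    for text in sarif_texts:
        for rec in normalize(text):
            key = (rec["tool"], rec["rule"], rec["uri"], rec["line"])
            if key not in seen:                      # re-scans must not double count
                seen.add(key)
                unique.append(rec)
    return {
        "findings": unique,
        "practices_confirmed": sorted(r["rule"] for r in unique if r["kind"] == "pass"),
        "anti_patterns": dict(Counter(r["severity"] for r in unique if r["kind"] == "fail")),
    }


def make_sarif(tool, results):
    """Build a minimal SARIF 2.1.0 log for the constructed samples below."""
    return json.dumps({"version": "2.1.0",
                       "runs": [{"tool": {"driver": {"name": tool}}, "results": results}]})


def make_location(uri, line=None):
    """One SARIF location; DAST findings carry a URL and no line number."""
    region = {"region": {"startLine": line}} if line else {}
    return [{"physicalLocation": {"artifactLocation": {"uri": uri}, **region}}]


# Constructed sample logs: one static scanner, one dynamic scanner.
SAST_LOG = make_sarif("ExampleSAST", [
    {"ruleId": "java/sql-injection", "level": "error",
     "message": {"text": "SQL built from request parameter"},
     "locations": make_location("src/main/java/app/UserDao.java", 42)},
    {"ruleId": "java/weak-random", "level": "warning",
     "message": {"text": "java.util.Random used to build a token"},
     "locations": make_location("src/main/java/app/Tokens.java", 17)},
    {"ruleId": "java/csrf-protection-enabled", "kind": "pass", "level": "none",
     "message": {"text": "CSRF filter registered"},
     "locations": make_location("src/main/java/app/WebConfig.java", 9)},
])
DAST_LOG = make_sarif("ExampleDAST", [
    {"ruleId": "sqli", "level": "error",
     "message": {"text": "Error-based SQL injection in id parameter"},
     "locations": make_location("https://app.example/api/users?id=1")},
])

if __name__ == "__main__":
    # The same SAST log twice stands in for two scans of the same build.
    print(json.dumps(consolidate(SAST_LOG, SAST_LOG, DAST_LOG), indent=2))
```

The dedupe key is deliberately per tool: the static `java/sql-injection` hit and the dynamic `sqli` hit are the same weakness seen from two sides, and correlating them across tools needs application-level knowledge (which route maps to which DAO) that a generic sensor pipeline does not have, so they are reported as two findings rather than silently merged.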
Static Application Security Testing Strategies for Automation and Continuous Delivery /slideshow/static-application-security-testing-strategies-for-automation-and-continuous-delivery/45191176 sastforautomationandcdinterconnect2015final-150226134729-conversion-gate02
Static Application Security Testing (SAST) introduces challenges with existing Software Development Lifecycle (SDLC) configurations. Strategies at different points of the SDLC improve deployment time, while still improving the quality and security of the deliverable. This session will discuss the different strategies that can be implemented for SAST within the SDLC: strategies catering to developers versus security analysts versus release engineers. The strategies consider the challenges each team may encounter, allowing them to incorporate security testing without jeopardizing deadlines or existing processes.]]>

Thu, 26 Feb 2015 13:47:29 GMT /slideshow/static-application-security-testing-strategies-for-automation-and-continuous-delivery/45191176 kfealey@slideshare.net(kfealey) Static Application Security Testing Strategies for Automation and Continuous Delivery kfealey
Static Application Security Testing Strategies for Automation and Continuous Delivery from Kevin Fealey
]]>
What Good is this Tool? A Guide to Choosing the Right Application Security Testing Tools /slideshow/what-good-is-this-tool-final/45191021 whatgoodisthistoolfinal-150226134322-conversion-gate01
Abstract: Choosing the right Application Security Testing (AST) tool can be challenging for any security program, and after rolling it out, discovering the real security value it brings can be downright discouraging. No single tool can solve all of your security problems, but unfortunately, that is exactly how many of them are marketed. This is compounded by sales teams who convince executive leadership that security programs should be built around their tools, rather than fitting each tool within a well-planned security program. The primary takeaways from this talk are:
- An understanding of the real value of each type of AST tool (SAST, DAST, IAST)
- How to leverage your tools for better security visibility and process efficiency
- Steps to find the right tool for your security program
- Keys to finding the best stage of the SDLC to implement each tool type within your security program
- How to integrate new tools with your existing DevOps or Agile environments and processes
Additional takeaways:
- Examine the strengths and limitations of SAST, DAST, and IAST tools
- Learn how to choose the right tools for your security program
- Discover how to seamlessly integrate your tools into existing DevOps and Agile environments and processes
- Provide security visibility to developers, managers, and executives by enhancing your existing technology
- Learn to use your tools to improve the efficiency of security tasks that are currently manual]]>

Thu, 26 Feb 2015 13:43:22 GMT /slideshow/what-good-is-this-tool-final/45191021 kfealey@slideshare.net(kfealey) What Good is this Tool? A Guide to Choosing the Right Application Security Testing Tools kfealey
What Good is this Tool? A Guide to Choosing the Right Application Security Testing Tools from Kevin Fealey
]]>
My interests span technology and business. After receiving a BS in Computer Science, my career began as an Associate Security Engineer, where I primarily performed manual code reviews and penetration tests. However, since receiving my MBA, I have become highly interested in integrating security into the application development process. Through research and development, I have created several new service offerings for Aspect Security, all focused on automating security tasks as early as possible in the SDLC, while minimizing disruptions to developers. I have worked with a wide range of development environments and processes, especially those that leverage Agile practices with Continuous ...
More from kfealey: slideshow/a-stratagem-on-strategy-rolling-security-testing-into-product-testing/188921015 (A Stratagem on Strateg...), slideshow/devsecops-without-devops-is-just-security/126589468 (DevSecOps without DevO...), slideshow/simplify-dev-with-complicated-security-tools-70965052/70965052 (Simplify Dev with Comp...)