Rootconf Pune edition

On security, network engineering and distributed systems


Building a continuous secure delivery pipeline

Submitted by Shirish (@truthyvalue) on Saturday, 13 April 2019

Technical level: Beginner
Section: Full talk (40 mins)
Category: DevSecOps
Status: Rejected

Abstract

In today’s fast-paced software development world, we have seen teams struggle to keep up with security requirements. The regular news of security breaches highlights how a single security miss can result in large financial and reputational loss.

To solve this problem, we tried to integrate security as an agile engineering practice, similar to pairing or TDD at ThoughtWorks.

In this talk we will speak about the challenges teams face in adopting security as a practice. We will share some of the lessons learned, and the tools and techniques that help teams build a continuous delivery pipeline with security at its core. We will also talk about how a continuously evolving threat model helps a team bake security into the product instead of bolting it on later.

Outline

  • Mindset required to have security at the core of the delivery pipeline
  • Tools and techniques to include in your development and delivery workflow to help build security in
  • Continuous threat modeling
  • How a continuously evolving threat model can help mitigate security risks
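As an added example of the kind of pipeline gate the outline refers to (this is not code from the talk, the slides or ThoughtWorks), here is a small Python script that takes the output of two scanners, normalises both to one severity scale, and applies a single policy with dated accepted-risk exceptions. The scanner output shapes, package names and "PLACEHOLDER-n" ids are constructed for the example and do not match any real tool's schema.

```python
"""Added example: a policy gate that normalises scanner output and decides
whether a pipeline stage passes. Not code from the talk; the tool output
shapes below are constructed for the example, not any real scanner's schema."""
import json
import sys
from dataclasses import dataclass
from datetime import date

# Constructed sample outputs, standing in for a SAST scanner and a dependency
# checker. Package names and "PLACEHOLDER-n" ids are fictitious.
SAST_OUTPUT = json.dumps({"results": [
    {"rule": "sql-injection", "severity": "high", "file": "app/db.py", "line": 42},
    {"rule": "weak-hash-md5", "severity": "medium", "file": "app/auth.py", "line": 17},
]})
DEPENDENCY_OUTPUT = json.dumps({"vulnerabilities": [
    {"id": "PLACEHOLDER-1", "package": "demoparser", "version": "1.2.0", "cvss": 9.8},
    {"id": "PLACEHOLDER-2", "package": "examplelib", "version": "0.4.1", "cvss": 5.3},
]})

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    source: str     # which scanner produced it
    key: str        # stable id used to match accepted-risk exceptions
    severity: str   # normalised to the SEVERITY_RANK vocabulary
    location: str   # human-readable pointer for the build log


def cvss_to_severity(score):
    """Map a CVSS base score onto the same buckets the SAST tool uses."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def parse_sast(raw):
    return [Finding("sast", f"{r['rule']}:{r['file']}", r["severity"].upper(),
                    f"{r['file']}:{r['line']}")
            for r in json.loads(raw)["results"]]


def parse_dependencies(raw):
    return [Finding("deps", f"{v['id']}:{v['package']}", cvss_to_severity(v["cvss"]),
                    f"{v['package']}=={v['version']}")
            for v in json.loads(raw)["vulnerabilities"]]


# Accepted risks live next to the code, each with an owner and an expiry date,
# so an exception is a dated decision that must be renewed, not a permanent mute.
EXCEPTIONS = {
    "sql-injection:app/db.py": {"owner": "payments-team", "expires": "2019-05-15",
                                "reason": "parameterised query fix in review"},
    "PLACEHOLDER-1:demoparser": {"owner": "platform-team", "expires": "2019-05-15",
                                  "reason": "upgrade blocked on an API change"},
}


def evaluate(findings, exceptions, today, threshold="HIGH"):
    """Return the gate verdict: blocking findings, active exceptions, lapsed ones."""
    today = date.fromisoformat(today)
    verdict = {"blocking": [], "accepted": [], "expired": []}
    for f in findings:
        exc = exceptions.get(f.key)
        if exc is not None:
            if date.fromisoformat(exc["expires"]) >= today:
                verdict["accepted"].append(f)
                continue
            verdict["expired"].append(f)  # lapsed exception: finding is live again
        if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]:
            verdict["blocking"].append(f)
    verdict["pass"] = not verdict["blocking"]
    return verdict


def run_gate(today):
    """Run both parsers over the constructed samples and apply the policy."""
    findings = parse_sast(SAST_OUTPUT) + parse_dependencies(DEPENDENCY_OUTPUT)
    return evaluate(findings, EXCEPTIONS, today)


if __name__ == "__main__":
    result = run_gate(sys.argv[1] if len(sys.argv) > 1 else date.today().isoformat())
    for label in ("blocking", "accepted", "expired"):
        for f in result[label]:
            print(f"{label:9} {f.severity:8} {f.source:5} {f.location}")
    sys.exit(0 if result["pass"] else 1)   # non-zero exit fails the pipeline stage
```

Run it as the last step of a CI stage, passing the build date as the argument; a non-zero exit fails the stage. The expiry on each exception is the point of the design: with a build date before 15 May 2019 both accepted risks are honoured and the gate passes, and once that date passes the same two findings come back as blocking, so the accepted-risk list has to be revisited rather than left to rot.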

Requirements

-

Speaker bio

Shirish Padalkar is currently working as a lead consultant at ThoughtWorks. He regularly reads and writes code in different languages including Java, Scala, JavaScript, etc. When not coding, he tries to find vulnerabilities in web applications and preaches secure coding practices to developers. He regularly speaks at Agile, Developer, Security and Testing conferences and meet-ups.

Links

Slides

https://speakerdeck.com/shirishp/building-a-continuous-secure-delivery-pipeline

Comments

  •   Zainab Bawa (@zainabbawa) Reviewer 11 months ago

    Thanks for the submission, Shirish. Upload draft slides and two-min preview video by 20 April so that we can make a full assessment of your proposal.

  •   Zainab Bawa (@zainabbawa) Reviewer 8 months ago

    Hello Shirish,

    We are evaluating this proposal for Rootconf Pune. Here is the initial feedback:

    1. The talk contains broad generalizations without giving concrete examples of specific instances that led to these generalizations. Add the missing examples for us to be convinced about the conclusions you are drawing.
    2. Where possible, explain why certain security choices or tools were used in the examples and therefore how they backfired or performed, leading to a specific learning?

    We’ll expect a revised proposal or detailed slides, incorporating the above feedback in 7 days. If there is no response in 7 days, we will move the proposal to reject for lack of a response from the proposer.

    •   Shirish (@truthyvalue) Proposer 8 months ago

      Hello Zainab. I have updated the link to slides. Please let me know if those answer your questions - https://speakerdeck.com/shirishp/building-a-continuous-secure-delivery-pipeline

      •   Zainab Bawa (@zainabbawa) Reviewer 8 months ago

        Thanks for sharing the slides, Shirish. Here are some comments:

        1. The first part of the slides look very prescriptive. The examples come in far too late, by which time, the audience’s interests will have waned.
        2. You may want to consider narrowing down the scope of this presentation to talk about tools and over-tooling, what we once referred to as DevSec-oops! This is based on the number of tools you have mentioned in the presentation.

        We will have reviewers comment on your slides and proposal. Suggest you take time to respond to the comments other than posting the slide links.

        This proposal is now under evaluation.

  •   Zainab Bawa (@zainabbawa) Reviewer 8 months ago

    Hello Shirish,

    We carried out a review of your proposal, based on the latest slides. Here are the comments on your slide:

    1. The proposal has a good pitch on maintaining product security for multiple products with small number of security engineers. This is an important problem for DevSecOps.
    2. However, the presentation has lots of tools. We’d like to see the tools that you yourself have used rather than a generic tool list, and the reasons for choosing the same.
    3. The slides don’t explain the success of adopting this process. If you can validate this approach using a practical test case, that will be helpful. For example, some story where this has been used and DevSecOps helped to improve product security. This can be takeaway for attendees where you suggest some process with a success story which can be replicated.
    4. Or, you can talk about challenges faced and solutions used. All the tools mentioned in the slides have different outputs. Some are easy to understand while some need security engineer involvement.
    5. On that note, what are the responsibilities assumed by the speaker for developers and security engineers? With all these tools, where security engineers play a role and where devs play a part is important to know for Rootconf participants.
    6. Gitlab EE has AutoDevOps which is based on open-source tools. This is configured in the build pipeline and has a uniform result format. Why have you picked many single tools when the entire security pipeline is available to use? This is a commercial tool. You have already talked about SAST.

    Given that these comments require a full re-haul of your talk, my suggestion is to consider running a Birds of a Feather (BOF) session on either this topic, or on the roles and responsibilities of security engineers and developers in product security. Let us know your interest in running this BOF (by 10 August latest), and we can work on scheduling this.

    •   Shirish (@truthyvalue) Proposer 8 months ago

      Hello Zainab. Thanks for your review and comments. Unfortunately, I recently moved out of India and would not be able to attend the conference. So please consider my proposal withdrawn.

      I love this conference. Thanks for putting such a great conference together. I will try again next year, maybe?

      •   Zainab Bawa (@zainabbawa) Reviewer 8 months ago

        Sure, Shirish. We will run one of the BOFs, based on your proposal idea, and remember you at the conference! :)

        •   Shirish (@truthyvalue) Proposer 8 months ago

          That would be great. Thanks. :)
