Time and money are generally the resources we focus on when building applications. Yet we can’t buy trust; it builds slowly and can be broken quickly when we don’t factor it in to our development process. In this talk, I examined how to leverage security practices to enable an all-team approach to security to help maintain and build that valuable but intangible resource of trust.
I've given this talk at a few conferences including Create Startup Tour, Toronto, devopsdays Portland, devopsdays London, SRECon EU, and Velocity. Over this time, I've updated the slides and the resources. Here are the up-to-date resources in an easily accessible list. This is by no means an exhaustive list of the quality resources in this space.
You can find the current slides on Speaker Deck. Earlier versions of this talk are here:
- DevOpsDays London version of slides
- SRECon EU slides and video
- Velocity slides
- DevOpsDays Chattanooga 2019 slides
- Check whether an account has been compromised in a data breach on https://haveibeenpwned.com.
- Verizon Data Breach Report
- Example of attack.
- Snyk State of Open Source Security Report - 2019
- Pushing left series from Tanya Janca
- OWASP Application Security Verification Standard Project
- Microsoft Threat Modeling Tool
- OWASP Threat Model Project
- Example of issue that could have been prevented with linting
- Compliance as Code
- Microsoft Security Risk Detection - Fuzz Testing
- Learn all about testing with the Test Automation University
- Azure Security Foundations Benchmark (DRAFT) The Azure Security Center has a free tier that is automatically enabled on all Azure subscriptions and provides security policy, continuous security assessment, and actionable security recommendations to help you protect your Azure resources.
- Central documentation for Azure Security Center
- Azure Learn Module for Azure Security Center
- Capture the Flag Resources
- OWASP Juice Shop Project
- Azure Learn Modules for Security Operations
These are a few interesting accounts on Twitter of folks that care about security and privacy.
- Ian Coldwater
- Tinker Fairy
- Teri Radichel
- Tanya Janca
- Jenessa Petersen
- Sarai Rosenberg
- Victoria Drake
- Christopher Harrell
- Yolonda Smith
- Luis Saiz Gimeno
- Christina Morillo
- Quiessence Phillips
- Alison Gianotto
- Pamela Dingle
- Victoria Drake
- Kelly Shortridge
- Ana Oprea
- Contact CTF Circle to get access to the CTF distributed team Slack for Nonbinary Folks and Women
- CTF Circle, a CTF distributed team Slack for Nonbinary Folks and Women
I've shared some different practices, technologies, and examples of specific tools that can help you adopt security within each phase of the development lifecycle in my presentation. What do you do next?
- Identify your team's strengths and weaknesses. How much security is in each part of the development lifecycle.
- Assess where the biggest value is for you now; for example red teaming your application might not be a great use of people's time if you don't have adequate response processes in play to handle incident.
- Level up security knowledge across the team. The earlier that security flaws and bugs are discovered in implementation the easier that it will be to repair them. No matter how much prevention you invest in, there will be vulnerabilities discovered after deployment so make sure that your response process is carefully thought out.
- Incorporate feedback from each phase.
- Update the threat models you have to reflect the knowledge you gain from the systems in use.
Do you have resources that you'd recommend? Please share below and I'll update this page to include them.