
Event Recap: Making Security Agile

Last week, Oleg and Sanjay from the SAMI security team were invited to speak at LASCON 2015 about our security automation. We were happy that the presentation was very well received! For everyone who missed the talk or wanted to follow up, here’s the full slideshow.

In the talk, titled “Making Security Agile”, Oleg and Sanjay explain that for a security process to be successful, it must be well integrated with the SDLC. In many cases, DevOps teams that have already adopted an agile SDLC move faster than security, which makes security the bottleneck. Our Security Transformation Cheat Sheet (see slide 45) is meant to help the broader security community integrate its processes with DevOps and make security agile.

The presentation also shows how we customized open source tools to make security work in an agile environment. As we previously discussed here on the blog, we have implemented continuous security testing using dynamic scanners alongside manual testing. Since security teams rarely have many people or resources, we also try to use the resources of other teams as much as possible. For example, we have created a framework that reuses QA unit tests: it monitors the traffic generated by a QA regression run and finds vulnerabilities in real time while the run is still in progress. To achieve all that, we use our own open source security automation tool, bscan, together with OWASP’s ZAP and PortSwigger’s Burp.

In addition, a security dashboard such as ThreadFix allows our team to collate and review all security findings before exporting them to a bug tracking system. This lets us weed out false positives and assign severity ratings correctly before a ticket is opened.
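To illustrate the collation step above (merging what ZAP and Burp report during a QA regression run, and reviewing it before export), here is an added example that is not code from the SAMI team, ThreadFix or the talk. The finding records are constructed, and their field names, the severity scale and the false-positive list are assumptions rather than the real ZAP or Burp export schemas.

```python
# Constructed sample findings, loosely shaped like what each scanner reports.
# Field names are assumptions, not the real ZAP/Burp export formats.
ZAP_ALERTS = [
    {"alert": "SQL Injection", "url": "http://qa.example.test/api/items", "param": "id", "risk": "High"},
    {"alert": "SQL Injection", "url": "http://qa.example.test/api/items", "param": "id", "risk": "High"},
    {"alert": "X-Content-Type-Options Header Missing", "url": "http://qa.example.test/", "param": "", "risk": "Low"},
]
BURP_ISSUES = [
    {"name": "SQL injection", "host": "http://qa.example.test", "path": "/api/items", "parameter": "id", "severity": "Medium"},
    {"name": "Cross-site scripting (reflected)", "host": "http://qa.example.test", "path": "/search", "parameter": "q", "severity": "High"},
]

# Assumed common severity scale used when the two scanners disagree.
SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Findings the team has already reviewed and marked as false positives (constructed).
# Key shape: (url, parameter, lower-cased issue name).
KNOWN_FALSE_POSITIVES = {("http://qa.example.test/", "", "x-content-type-options header missing")}


def normalize_zap(alert):
    """Map a ZAP-style alert onto the common finding shape."""
    return {"url": alert["url"], "param": alert["param"], "issue": alert["alert"].lower(),
            "severity": alert["risk"], "sources": {"zap"}}


def normalize_burp(issue):
    """Map a Burp-style issue onto the common finding shape."""
    return {"url": issue["host"] + issue["path"], "param": issue["parameter"], "issue": issue["name"].lower(),
            "severity": issue["severity"], "sources": {"burp"}}


def collate(zap_alerts, burp_issues, false_positives):
    """Merge findings by (url, param, issue), keep the highest reported severity,
    remember which scanners saw it, and drop reviewed false positives.
    Returns a list sorted from most to least severe, ready to hand to a tracker."""
    merged = {}
    findings = [normalize_zap(a) for a in zap_alerts] + [normalize_burp(i) for i in burp_issues]
    for finding in findings:
        key = (finding["url"], finding["param"], finding["issue"])
        if key in false_positives:
            continue  # reviewed and rejected earlier; do not open a ticket again
        existing = merged.get(key)
        if existing is None:
            merged[key] = finding
            continue
        existing["sources"] |= finding["sources"]  # corroborated by a second scanner
        if SEVERITY_RANK[finding["severity"]] > SEVERITY_RANK[existing["severity"]]:
            existing["severity"] = finding["severity"]
    return sorted(merged.values(), key=lambda f: -SEVERITY_RANK[f["severity"]])
```

Running `collate(ZAP_ALERTS, BURP_ISSUES, KNOWN_FALSE_POSITIVES)` on the constructed input yields two findings: the SQL injection reported by both scanners (kept at High, the stronger of the two ratings) and the reflected XSS, while the header finding is dropped as a reviewed false positive.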

We were happy to get a shout-out in the presentation by Denim Group, the makers of ThreadFix. Read this post to learn about how our custom ThreadFix enhancements made it into version 2.3, in the spirit of open collaboration.
