Last week, Oleg and Sanjay from the SAMI security team were invited to speak at LASCON 2015 about our security automation. We were happy that the presentation was very well received! For everyone who missed the talk or wanted to follow up, here’s the full slideshow.
In the talk, titled “Making Security Agile”, Oleg and Sanjay explain that for a security process to be successful, it must be well integrated with the SDLC. In many cases, DevOps teams that have already adopted an agile SDLC move faster than security, which makes security the bottleneck. Our Security Transformation Cheat Sheet (see slide 45) will help the broader security community integrate its processes with DevOps and make security agile.
The presentation also shows how we customized open source tools to make security work in an agile environment. As we previously discussed here on the blog, we have implemented continuous security testing using dynamic scanners alongside manual testing. Since security teams usually have limited people and resources, we also try to use the resources of other teams as much as possible. For example, we have created a framework that reuses QA unit tests: it monitors the QA regression traffic and finds vulnerabilities in real time while the regression run is still in progress. To achieve all that, we use our own open source security automation tool, bscan, OWASP’s ZAP and Portswigger’s Burp.
In addition, a security dashboard such as ThreadFix allows our team to collate and review all security findings before exporting them to a bug tracking system. This ensures that we avoid false positives and correctly assign severity ratings.
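To make the two ideas above concrete, here is a small added example (not code from the SAMI team, bscan, ZAP or ThreadFix) of how a QA regression run can be routed through a scanning proxy and then gated on the findings. It assumes OWASP ZAP is listening as an HTTP proxy on 127.0.0.1:8080 with its REST API on the same port, uses ZAP's `core/view/alerts` API endpoint and its `risk`/`confidence` fields, and feeds the triage logic a constructed sample of alert JSON so it runs offline. The `collate` and `gate` functions stand in for the dashboard step: duplicate hits are collapsed into one row, and low-confidence hits are held for manual review instead of failing the build, which is where most false positives would otherwise slip into the bug tracker.

```python
"""Gate a QA regression run on scanner findings: send QA traffic through ZAP,
pull the alerts ZAP raised on it, collapse duplicates, and fail the build only
on findings at or above a chosen risk and confidence level."""
import json
import urllib.request
from urllib.parse import urlencode

# Assumed (hypothetical) deployment values: ZAP as proxy on 8080, API key set.
ZAP_PROXY = "http://127.0.0.1:8080"
ZAP_API_KEY = "replace-with-your-zap-api-key"

# ZAP's risk and confidence scales, ordered so they can be compared.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
CONF_ORDER = {"False Positive": 0, "Low": 1, "Medium": 2, "High": 3, "Confirmed": 4}


def risk_rank(level):
    return RISK_ORDER.get(level, 0)


def conf_rank(level):
    return CONF_ORDER.get(level, 0)


def zap_opener(proxy=ZAP_PROXY):
    """Return a urllib opener that sends HTTP and HTTPS traffic through ZAP, so
    every request a QA test makes is seen by the passive scanner. QA tests use
    opener.open(url) instead of urllib.request.urlopen(url)."""
    handler = urllib.request.ProxyHandler({"http": proxy, "https": proxy})
    return urllib.request.build_opener(handler)


def fetch_alerts(target_base, proxy=ZAP_PROXY, api_key=ZAP_API_KEY):
    """Ask ZAP's core/view/alerts endpoint for the alerts raised on target_base.
    This is the only network call; the offline sample below exercises parsing."""
    query = urlencode({"baseurl": target_base, "start": 0, "count": 5000,
                       "apikey": api_key})
    url = f"{proxy}/JSON/core/view/alerts/?{query}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return parse_alerts(resp.read().decode("utf-8"))


def parse_alerts(raw_json):
    """Reduce ZAP's alert JSON to the fields triage needs."""
    data = json.loads(raw_json)
    return [{
        "name": a.get("alert") or a.get("name", ""),
        "risk": a.get("risk", "Informational"),
        "confidence": a.get("confidence", "Low"),
        "url": a.get("url", ""),
        "param": a.get("param", ""),
        "cweid": a.get("cweid", ""),
    } for a in data.get("alerts", [])]


def collate(alerts):
    """Collapse repeated findings the way a dashboard view does: one row per
    (alert name, URL, parameter), keeping the highest risk and confidence seen
    and counting how many raw hits the row covers. Highest risk sorts first."""
    rows = {}
    for a in alerts:
        key = (a["name"], a["url"], a["param"])
        row = rows.get(key)
        if row is None:
            rows[key] = dict(a, hits=1)
            continue
        row["hits"] += 1
        if risk_rank(a["risk"]) > risk_rank(row["risk"]):
            row["risk"] = a["risk"]
        if conf_rank(a["confidence"]) > conf_rank(row["confidence"]):
            row["confidence"] = a["confidence"]
    return sorted(rows.values(), key=lambda r: (-risk_rank(r["risk"]), r["name"]))


def gate(rows, min_risk="High", min_confidence="Medium"):
    """Decide whether the regression run fails. Rows at or above min_risk fail
    the build only when the scanner's confidence is at least min_confidence;
    lower-confidence rows are queued for manual review instead."""
    blocking, review = [], []
    for r in rows:
        if risk_rank(r["risk"]) < risk_rank(min_risk):
            continue
        (blocking if conf_rank(r["confidence"]) >= conf_rank(min_confidence)
         else review).append(r)
    return {"fail": bool(blocking), "blocking": blocking, "review": review}


# Constructed sample in ZAP's alert JSON shape (not real scan output).
SAMPLE_ZAP_ALERTS = json.dumps({"alerts": [
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://qa.example.test/api/items?id=1", "param": "id", "cweid": "89"},
    {"alert": "SQL Injection", "risk": "High", "confidence": "High",
     "url": "http://qa.example.test/api/items?id=1", "param": "id", "cweid": "89"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Low",
     "url": "http://qa.example.test/search", "param": "q", "cweid": "79"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "confidence": "Medium", "url": "http://qa.example.test/",
     "param": "X-Content-Type-Options", "cweid": "16"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "confidence": "Medium", "url": "http://qa.example.test/",
     "param": "X-Content-Type-Options", "cweid": "16"},
]})

if __name__ == "__main__":
    verdict = gate(collate(parse_alerts(SAMPLE_ZAP_ALERTS)))
    for r in verdict["blocking"]:
        print(f"FAIL  {r['risk']:<6} {r['name']} at {r['url']} ({r['hits']} hits)")
    for r in verdict["review"]:
        print(f"REVIEW {r['risk']:<6} {r['name']} at {r['url']} (confidence {r['confidence']})")
    raise SystemExit(1 if verdict["fail"] else 0)
```

In a real pipeline the QA suite would call `zap_opener().open(...)` for its requests, and the post-regression step would replace `SAMPLE_ZAP_ALERTS` with `fetch_alerts("http://qa.example.test")`; the thresholds passed to `gate` are the knobs a team tunes as its false-positive rate changes.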
We were happy to get a shout-out in the presentation by Denim Group, the makers of ThreadFix. Read this post to learn about how our custom ThreadFix enhancements made it into version 2.3, in the spirit of open collaboration.