Continuous Security: Beyond Automation
Neelu Tripathy

ABOUT ME
Work
§ Security Practice Lead, Thoughtworks India
§ 13+ years of InfoSec experience
§ Establishing Security practices for client-facing product development
Conferences
§ Speaker/Trainer: c0c0n, BlackHat, BSidesDelhi, NSRCEL IIMB; Villages at Nullcon, DefCon, rootconf
§ Organizer: SecConf, Thoughtworks
§ Review Board: NullCon, bSides SGP, CySEK Karnataka
Interests & Certifications
§ DevSecOps, Continuous Security, Vulnerability Assessments, Pentesting for Web & Networks, Red Teaming, Social Engineering, Threat Modelling & Design Reviews
§ OSCP, GraphQLParser for Burp
Contact
@neelutripathy
br3akp0int@Null/Git
neelutripathy
LAST FEW YEARS..
§ Affected: 23000 users/customers
§ Leaked Credentials in Docker image
§ Bash uploader script modified
§ Created a backdoor from customer CIs
§ Stole Git creds, tokens, keys

§ Malware: APT29
§ Affected: FireEye, US Treasury
§ Target: NMS Orion; 300000 Customers (US Fed, DoD, 425/Fortune 500)
§ Build Server compromised
§ Wasn't present in code
§ March – June 2020
§ Handcrafted: sleep before execute, custom to environments, avoid private IPs

§ 57 million customer and driver records stolen
§ $100,000 for cover-up
§ $148 million total cost to Uber
§ AWS credentials in Github
§ Github repo was exposed
§ CSO Joe Sullivan forced to leave
AGILE & WATERFALL DEVELOPMENT
Waterfall: Requirements > Design > Development > Test > Deployment > Release > Maintenance
Agile: Requirements > Design > Development > Test > Deploy > Review > Release
CONTINUOUS SECURITY: LIMITATIONS OF AUTOMATION
Vulnerabilities
Predictable: Automation (tools, products)
Not predictable: People, processes
AUTOMATING CONTROLS
Detective
• SAST
• DAST
• Dependency Checking
• IDE Static Analysis
• RASP/IAST
Preventive
• Secrets Check-in prevention
• pre-commit/push hooks
• Security Unit tests
• Compliance as Code
• Security in IaC
Environmental
• Container Security
• Version Controls
• Network/Host/cloud
• Hardening
• Dev Components Configuration
• WAF
• Logging & Monitoring
• DoS Protection
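The "Secrets Check-in prevention" and "pre-commit/push hooks" controls listed above, as an added example that is not part of the original deck: a pre-commit hook in Python that scans only the staged diff for credential formats (AWS access key IDs of the kind leaked in the Uber case, private keys, GitHub tokens) and for high-entropy assigned tokens, and aborts the commit when it finds one. The pattern set, the entropy threshold and the function names are this example's own assumptions; install it as .git/hooks/pre-commit (executable) or call it from a pre-commit framework.

```python
#!/usr/bin/env python3
"""Pre-commit hook (added example, not from the deck): refuse commits that add
credential-looking strings such as the AWS keys behind the Uber breach."""
import math
import re
import subprocess
import sys

# Well-known credential formats (constructed for this example; extend as needed).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_key": re.compile(r"""(?i)aws_secret_access_key\s*[=:]\s*["']?[A-Za-z0-9/+=]{40}"""),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}
# Catch-all: a long token assigned on a line, judged by entropy rather than by format.
ASSIGNED_TOKEN = re.compile(r"""[=:]\s*["']?([A-Za-z0-9/+=_-]{32,})["']?\s*$""")
ENTROPY_THRESHOLD = 4.0  # bits/char: hex digests max out at 4.0, random base64 keys exceed it

def shannon_entropy(s: str) -> float:
    """Bits per character of s; English-like identifiers land around 3.0-3.9."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def find_secrets(diff_text: str):
    """Return (diff_line_no, reason) for each suspicious line ADDED by the commit."""
    findings = []
    for n, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # context/removed lines and file headers cannot leak a new secret
        body = line[1:]
        reason = next((name for name, pat in PATTERNS.items() if pat.search(body)), None)
        if reason is None:
            m = ASSIGNED_TOKEN.search(body)
            if m and shannon_entropy(m.group(1)) > ENTROPY_THRESHOLD:
                reason = "high_entropy_token"
        if reason:
            findings.append((n, reason))
    return findings

def main() -> int:
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    hits = find_secrets(diff)  # only staged changes: exactly what this commit would push
    for n, reason in hits:
        print(f"pre-commit: possible secret ({reason}) at staged diff line {n}; "
              "move it to a secrets manager or environment injection", file=sys.stderr)
    return 1 if hits else 0  # non-zero exit aborts the commit

if __name__ == "__main__":
    sys.exit(main())
```

The same find_secrets() can run in CI over the diff of a branch against its base, which catches anyone who commits with hooks disabled.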
SECURITY OF THE PRODUCT VS PRODUCT DELIVERY
SECURING YOUR PRODUCT DEVELOPMENT
Security Practices
Standards
Supply Chain Security
Product Security
Awareness

SECURING YOUR PRODUCT DEVELOPMENT: PRODUCT SECURITY
Product is secure (enough):
Fewer vulnerabilities in the product
Code is written securely
Cannot be abused to cause damage
PRODUCT SECURITY: KASEYA
• Ransomware attack
• Kaseya's VSA software
• Affected: 50 direct customers, and between 800 and 1,500 businesses down the chain
• Cause: authentication bypass vulnerability in the Kaseya VSA
• Authentication Bypass >> SQL injection >> code execution >> management agent update with REvil ransomware.
MAKING SECURE SOFTWARE
Design
§ Threat Modeling
§ Architecture Review
Dynamic Application/Service
§ Vulnerability assessment
§ Penetration testing
§ Mobile/Device Testing
Static Code
§ Static Code Security review
§ License verification
§ Dependency checking
Infrastructure
§ Network VA/PT (BB/GB)
§ Container Scanning
§ Cloud Security Assessment
SECURING YOUR PRODUCT DEVELOPMENT: SUPPLY CHAIN SECURITY

SECURITY OF THE DELIVERY
(Figure: delivery pipeline DEV > TEST > STAGING > PROD. Source: sysdig.com)

ATTACK SURFACE
(Figure: attack surface across the DEV > TEST > STAGING > PROD pipeline. Source: sysdig.com)
SECURING YOUR PRODUCT DEVELOPMENT: STANDARDS, AWARENESS

AWARENESS
Layers: General Security Awareness > Role specific awareness > Tech Stack specific
Roles: Developer, Business Analyst, QA, Tech Lead, Tech Architect
STANDARDS
Frameworks & Standards
• NIST Cybersecurity Framework
• ISO 27001
• GDPR
• PCI
• and so on..
Areas covered: Password Policy; Mobile/Device security; Endpoint Security; Network security; Risk Assessment & Treatment; Physical environment; Product security; Communications & operations; Maintenance, Patching
SECURING YOUR PRODUCT DEVELOPMENT: SECURITY PRACTICES

SECURITY PRACTICES
§ Secure Baselines as a starting point
§ Hardening
§ Configuration
§ Security Acceptance Criteria
§ DevSecOps KPIs, SLAs/TATs
§ Observability & Threat Management
§ Backlog > Project Dashboard
§ Vulnerability Management
§ Create Feedback Loops
§ Security Unit Tests
§ Code Review Checkpoints
§ Audit/Secure Delivery Checklists
§ ITMs
§ Access Management
§ Change Management
§ Sustainable
§ Evolving Awareness
As the story goes
(Flow diagram, reconstructed from the slide text; three lanes: Technology & Automation, Process, People.)
Steps:
1 Educate Dev Teams
2 Define and design
3 Security backlog
4 Planning
5 Team card wall/board
6 Develop
7 DAST
8 Container Scanning
9 Infra Security Review
10 Feedback/Security Unit Tests
Activities along the flow: Threat Modelling; Priority; Analyze; SCA; SAST; Test and review; Network Vulnerability Assessment; Inspect and adapt
Card wall (TO DO / DOING / DONE): Security Epic; User Story with Sec ACs; Epic; User Story; Epic; Fix Story
People: Sec Champ/Dev/QA/TL/BA; Sec Champ/Expert (optional); DevOps; Product Tech Principal/Lead; Project Manager; Security Expert
Key Takeaways
1 Promote security as code
2 Secure by design
3 Automating security gates
4 Security is everyone's responsibility
5 Security in the definition of done
References
• https://news.sophos.com/en-us/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack/
• https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
• https://owasp.org/www-project-devsecops-maturity-model/
• https://owasp.org/www-project-application-security-verification-standard/
• https://martinfowler.com/articles/agile-threat-modelling.html
Q & A

THANK YOU!
Contact
@neelutripathy
br3akp0int@Null/Git
neelutripathy
Neelu Tripathy
Security Practice Lead, Thoughtworks India