Static Analysis For Security and DevOps Happiness w/ Justin Collins
Me
@MakotoTheCat
@presidentbeef
Obligatory “About Me”
6 years of application security
(AT&T Interactive, Twitter, SurveyMonkey)
6 years working on Brakeman OSS
(Static analysis security tool for Rails)
2.5 years working on
(More pro static analysis security tool for Rails)
@presidentbeef
The Ratio of Doom
100 : 10 : 1
Dev Ops Sec
Shannon Lietz
http://www.slideshare.net/SeniorStoryteller/the-journey-to-devsecops
The Ratio of Doom
100 developers - experts on their slice of the code
1 security person - responsible for ALL code + systems
Neither Sustainable nor Scalable
DevOps
Developers as responsible for stable code as the ops team is
DevSecOps
Developers as responsible for secure code as the security team is
Security Team’s Role
Expertise
Guidance
Training
Tools
Security Tools in DevOps Land
Automation friendly
Fast
Consistent
Provide early feedback for developers
Static Analysis
Static Source Code Analysis
Automation Friendly
Input: Source Code
Output: Report
Fast
(Especially in comparison to “web scanners”)
Brakeman Scan Times (Brakeman 3.4.1, Ruby 2.3.1p112)

Project     Controllers   Models   Templates   Scan Time
Diaspora             48       54          44          5s
Discourse            78      162          57         15s
Redmine              50       86         342         24s
GitlabHQ            150      123         707         61s
Canvas LMS          176      384         455        161s
Consistent
(Especially in comparison to “web scanners”)
Consistent
Baseline scan -> Incremental results
brakeman --compare report.json
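"Baseline scan -> incremental results" is the property that makes a command like `brakeman --compare report.json` usable as a fail-the-build step or a deployment gate (the later "New Warnings Fail Build" and "Deployment Gate" slides): developers are only shown what their change introduced. The Ruby below is an added example, not code from the slides or from Brakeman itself. It diffs two reports by warning fingerprint, yielding only new and fixed warnings, and turns that into an exit status. The report layout is an assumption modelled on the shape of Brakeman's JSON output, and both sample reports are constructed for the example.

```ruby
# Added example (not from the slides or from the Brakeman project): a minimal
# baseline -> incremental gate in the spirit of `brakeman --compare`.
# It diffs two Brakeman-style JSON reports by warning fingerprint and fails
# only on warnings that are NEW relative to the baseline, so developers see
# results relevant to their change rather than the whole backlog.
#
# Assumption: the report layout mirrors the shape of Brakeman's JSON output
# (a "warnings" array whose entries carry "fingerprint", "warning_type",
# "confidence", "file", "line", "message"). Both sample reports below are
# constructed for this example.
require "json"

# Constructed sample: baseline report from the last known-good scan.
BASELINE_JSON = <<~REPORT
  {
    "warnings": [
      {"fingerprint": "aaa111", "warning_type": "SQL Injection", "confidence": "High",
       "file": "app/models/user.rb", "line": 12, "message": "Possible SQL injection"},
      {"fingerprint": "bbb222", "warning_type": "Mass Assignment", "confidence": "Weak",
       "file": "app/controllers/posts_controller.rb", "line": 30,
       "message": "Parameters should be whitelisted"}
    ]
  }
REPORT

# Constructed sample: current scan after a new commit. bbb222 was fixed,
# aaa111 is unchanged (pre-existing), and ccc333 is new.
CURRENT_JSON = <<~REPORT
  {
    "warnings": [
      {"fingerprint": "aaa111", "warning_type": "SQL Injection", "confidence": "High",
       "file": "app/models/user.rb", "line": 12, "message": "Possible SQL injection"},
      {"fingerprint": "ccc333", "warning_type": "Cross-Site Scripting", "confidence": "Medium",
       "file": "app/views/posts/show.html.erb", "line": 4,
       "message": "Unescaped model attribute"}
    ]
  }
REPORT

# Brakeman's confidence levels, ranked so a gate can set a threshold.
CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

# Index a report's warnings by fingerprint (stable across scans even when
# line numbers shift, which is what makes incremental comparison possible).
def warnings_by_fingerprint(report_json)
  JSON.parse(report_json).fetch("warnings", []).each_with_object({}) do |w, by_fp|
    by_fp[w.fetch("fingerprint")] = w
  end
end

# Incremental result: only what changed relative to the baseline.
def compare_reports(baseline_json, current_json)
  base = warnings_by_fingerprint(baseline_json)
  curr = warnings_by_fingerprint(current_json)
  {
    new:   (curr.keys - base.keys).map { |fp| curr[fp] },
    fixed: (base.keys - curr.keys).map { |fp| base[fp] }
  }
end

# Gate decision for CI or a deployment gate: fail (1) only if a NEW warning is
# at or above min_confidence; pre-existing warnings never block the build.
def gate_exit_status(diff, min_confidence: "Medium")
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  blocking = diff[:new].select { |w| CONFIDENCE_RANK.fetch(w["confidence"], 0) >= threshold }
  blocking.empty? ? 0 : 1
end

# Human-readable summary for the build log.
def format_diff(diff)
  rows = diff[:new].map    { |w| "NEW   #{w['confidence'].ljust(6)} #{w['warning_type']} #{w['file']}:#{w['line']}" }
  rows += diff[:fixed].map { |w| "FIXED #{w['confidence'].ljust(6)} #{w['warning_type']} #{w['file']}:#{w['line']}" }
  rows.join("\n")
end

if $PROGRAM_NAME == __FILE__
  if ARGV.size == 2
    # Usage: ruby compare_gate.rb baseline.json current.json  (exit 1 blocks the pipeline)
    diff = compare_reports(File.read(ARGV[0]), File.read(ARGV[1]))
    puts format_diff(diff)
    exit gate_exit_status(diff)
  else
    # No arguments: walk the constructed samples without exiting non-zero.
    diff = compare_reports(BASELINE_JSON, CURRENT_JSON)
    puts format_diff(diff)
    puts "gate exit status: #{gate_exit_status(diff)}"
  end
end
```

Run it with two report paths to use it as a pipeline step; with no arguments it walks the constructed samples. The design point is that the baseline absorbs pre-existing findings, so the build only fails on warnings the change under review introduced, and the confidence threshold lets a team decide how strict the gate is.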
Early Feedback (for Developers)
“Amplify feedback loops”
“Shift Left”
[Pipeline diagram] Plan / Reqs -> Write Code -> Unit Tests -> Commit Code -> Push to CI -> Code Review -> QA Tests -> Deploy! -> In Production
Security?
“Shift Left”
[Same pipeline diagram, Security! shifted left]
Source Code Analysis
[Same pipeline diagram] Security! in Production: Kind of Late but Possible
Source Code Analysis
[Same pipeline diagram] Security! at Deploy: Deployment Gate
Source Code Analysis
[Same pipeline diagram] Security! at QA Tests: QA? Why not?
Source Code Analysis
[Same pipeline diagram] Security! at Code Review: Manual Scans
Source Code Analysis
[Same pipeline diagram] Security! at Push to CI: New Warnings Fail Build
Source Code Analysis
[Same pipeline diagram] Security! at Commit Code: Commit Hooks
Source Code Analysis
[Same pipeline diagram] Security! at Unit Tests: Run in Tests
Source Code Analysis
[Same pipeline diagram] Security! at Write Code: Run in IDE / On Save
Early Feedback
Few dependencies make integration easy
Fast tools can be “in line” with workflow
Incremental results relevant to changes
Automation Strategies
Continuous Integration
https://jenkins.io/blog/2016/08/10/rails-cd-with-pipeline/
Brakeman plugin
Code Review
Brakeman engine
Deployment Gate
Tweetable Incremental Scan
Separate Process
Local Tests/Git Hook
guard-brakeman
require "brakeman/test/minitest"

# Runs the scan as an ordinary test case in the app's suite; the assertion
# fails the test (and so the build) when the scan reports warnings.
class TestBrakemanWarnings < Minitest::Test
  def test_no_brakeman_warnings
    assert_no_brakeman_warnings
  end
end
(Brakeman Pro only)
Types of Static Analysis Tools
Security - Vulnerabilities
Composition - Old/vulnerable dependencies
Quality - Complexity
Style
Finding Tools
Building Tools
In Conclusion
Source code analysis fits well with DevOps
Enables security review inside workflow
Provides feedback early in development
Multiple options for integration points
Thank You
@presidentbeef / presidentbeef.com
