Continuous Security EMPIREJS

Upload: adam-baldwin

Post on 15-Apr-2017


TRANSCRIPT

Continuous Security, EMPIREJS

adam_baldwin / evilpacket

Node Security Project


"We took your security very seriously"

What is Continuous Security?

-Keep Vulnerabilities out of Production

-Production Code

-Security Culture

Keep Vulnerabilities out of Production

production / development / risk

Design / Threat Modeling

THREAT               PROPERTY VIOLATED    REMEDIATION?
Spoofing             Authentication
Tampering            Integrity
Repudiation          Non-Repudiation
Info Disclosure      Confidentiality
Denial of Service    Availability
Elevation of Privilege   Authorization

Threat Modeling: Designing for Security, 2014

The 100% Test Coverage Myth

Pull Request Reviews

-What sources & sinks were added
-What new dependencies were added
-What new technologies were added
-What new behaviors are introduced / changed

Automation: CI - GREENKEEPER - NSP

    npm i nsp -g
    cd your-fantastic-project
    nsp check

    (+) 1 vulnerability found
    ┌───────────────┬────────────────────────────────────────────────────────────┐
    │               │ SQL Injection due to unescaped object keys                 │
    ├───────────────┼────────────────────────────────────────────────────────────┤
    │ Name          │ mysql                                                      │
    ├───────────────┼────────────────────────────────────────────────────────────┤
    │ Installed     │ 2.0.0-alpha3                                               │
    ├───────────────┼────────────────────────────────────────────────────────────┤
    │ Vulnerable    │ <=v2.0.0-alpha7                                            │
    ├───────────────┼────────────────────────────────────────────────────────────┤
    │ Patched       │ >=v2.0.0-alpha8                                            │
    ├───────────────┼────────────────────────────────────────────────────────────┤
    │ Path          │ [email protected] > [email protected] > [email protected]  │
    ├───────────────┼────────────────────────────────────────────────────────────┤
    │ More Info     │ https://nodesecurity.io/advisories/66                      │
    └───────────────┴────────────────────────────────────────────────────────────┘
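The nsp report above flags a bug class rather than explaining it. The following is an added example, written for this transcript and not code from the talk or from the mysql package: it builds an UPDATE ... SET clause from a plain object the way a query builder might, once with the object keys spliced in raw and once with keys quoted as identifiers and checked against an allowlist. The function and column names are assumptions for illustration.

```javascript
// Added example (not from the talk or the mysql package). Shows why
// "unescaped object keys" is an injection: values are escaped in both
// versions, but only the hardened version treats KEYS as untrusted input.

// Escape a string literal (single-quoted, backslash style).
function escapeValue(v) {
  if (typeof v === 'number' && Number.isFinite(v)) return String(v);
  return "'" + String(v).replace(/[\\']/g, (c) => '\\' + c) + "'";
}

// Escape an identifier: wrap in backticks, doubling embedded backticks.
function escapeId(id) {
  return '`' + String(id).replace(/`/g, '``') + '`';
}

// Vulnerable pattern: keys are concatenated verbatim, so a key that arrives
// from a parsed request body becomes SQL, not data.
function buildSetUnsafe(obj) {
  return Object.keys(obj)
    .map((k) => k + ' = ' + escapeValue(obj[k]))
    .join(', ');
}

// Hardened pattern: every key is quoted as an identifier AND checked against
// the columns this endpoint may write. Rejecting unknown keys turns a silent
// data change into a loud, loggable error.
function buildSetSafe(obj, allowedColumns) {
  const keys = Object.keys(obj);
  const bad = keys.filter((k) => !allowedColumns.includes(k));
  if (bad.length) throw new Error('disallowed column(s): ' + bad.join(', '));
  return keys.map((k) => escapeId(k) + ' = ' + escapeValue(obj[k])).join(', ');
}

// Constructed input: a JSON body passed straight into the query builder.
// The second key carries SQL; 'is_admin' is a column the endpoint never
// meant to expose.
const hostileBody = { name: "O'Brien", "email = 'x', is_admin": 1 };

console.log(buildSetUnsafe(hostileBody));
// name = 'O\'Brien', email = 'x', is_admin = 1   (is_admin silently written)
try {
  buildSetSafe(hostileBody, ['name', 'email']);
} catch (e) {
  console.log(e.message); // disallowed column(s): email = 'x', is_admin
}
```

A CI step such as nsp check catches the vulnerable dependency version; the allowlist is the application-side control that limits damage when a dependency bug slips through.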

Stay in your workflow

Production Code

Actively engage production code

Monitoring

Tools.


SSL Labs

securityheaders.io

Internal Bug Hunts

Penetration Test

Shifting Security Culture

It has to happen from within *

It has to have support from the right people

It does not happen all at once or overnight.

Top down security

accountability, trust & enforcement
