Security DevOps - Staying Secure in Agile Projects

Offered By: OWASP Foundation via YouTube

Course Description

Overview

Explore security DevOps strategies for maintaining security in agile projects through this conference talk from AppSecEU 2015. Dive into four different axes of security implementation, including dynamic depth, static depth, intensity, and consolidation. Learn how to integrate tools like ZAP, Jenkins, BDD-Security, and Gauntlt into your CI/CD pipeline. Discover techniques for guiding security tools into post-authentication scenarios, conducting backend scans, and handling special workflows. Examine methods for consolidating security reports, flagging builds, and incorporating code coverage analysis. Gain insights on balancing security measures with agile development practices to ensure robust application security throughout the development lifecycle.

Syllabus

Intro
Why Security DevOps?
Four different axes
Let's explore these axes
Axis of "Dynamic Depth"
Axis "Dynamic Depth": Level 1
ZAP in SecDevOps?
ZAP + Jenkins = SecDevOps?
BDD-Security in SecDevOps?
Gauntlt in SecDevOps?
Axis "Dynamic Depth": Level 2
Guide ZAP into Post-Auth in CI
Guide Arachni into Post-Auth
Guide BDD-Security into Post-Auth
Axis "Dynamic Depth": Level 3
Backend scans with ZAP
Backend scans with Arachni
Axis "Dynamic Depth": Level 4
ZAP with special workflows (2/3)
ZAP with special workflows (3/3)
BDD with special workflows
If no Selenium test code exists!
Axis of "Static Depth"
Axis of "Intensity"
Axis of "Consolidation"
Axis "Consolidation": Level 1
Axis "Consolidation": Level 2
Flagging builds from reports
Axis "Consolidation": Level 3
Axis "Consolidation": Level 4
Code coverage analysis


Taught by

OWASP Foundation
