Test Driven Security in the DevOps Pipeline

Explore Test Driven Security in the DevOps pipeline through this 42-minute conference talk from AppSecUSA 2017. Learn how to implement a baseline of security controls and test them continuously within the deployment process. Discover the benefits of writing security tests first, including clarified expectations, specific and testable controls, high reusability, and real-time detection of security regressions. Gain insights into practical examples such as implementing Content Security Policy, CSRF token requirements, and SSH root login restrictions. Understand how this approach, similar to Test Driven Development, can help catch vulnerabilities early and improve overall security posture. Follow along as the speaker, Julien Vehent, Firefox Operations Security Lead at Mozilla, shares his expertise in web application security and services architecture.

Intro
Julien Vehent
Vulnerabilities by type
Bug Bounty payouts
A DevOps pipeline
Test Driven Security
Define a Security baseline
1. Writing a Security checklist
Test the baseline
2.1 ZAP Baseline scanning
2.2 Static code analysis
2.3 Security group testing
2.3 Security testing
2.4 TLS Quality
Gating prod deploys
Does it work?