[00:00:06] DevSecOps is actually a concept used in recent years to describe how to move security activities to the start of the development life cycle. Right. And basically you also have built-in security practices within the environments, like I was actually mentioning to you before, like CI/CD pipelines and many others.

[00:00:28] Now there's also a concept of a secure development life cycle, also referred to as SDLC, and many organizations actually use SDLC for software development life cycle. Some, you know, will refer to it as secure development life cycle. But if I actually mention SDLC here, it is with the concept of secure development life cycle.

[00:00:50] The SDLC and DevSecOps programs basically are implemented in many modern organizations, and especially among organizations that are adopting the cloud and are adopting things like DevOps and the continuous integration and continuous delivery pipelines.

[00:01:07] Right now there's a project called the DevSecOps project. And it's actually in GitHub at devsecops.github.io, which actually includes a set of tools and tutorials about dev and underlying practices.
[00:01:24] Now the OWASP organization has a project called the OWASP Proactive Controls, and basically it's a collection of secure development practices and guidelines that any developer should follow to build secure applications. These practices will actually help you to shift security earlier into the design, the coding and the testing.

[00:01:50] And these are the top 10 proactive controls by OWASP. And it starts with defining security requirements. That's actually, you know, pretty self-explanatory. It also goes over leveraging security frameworks and libraries, and basically, at the end of the day, not reinventing the wheel and taking advantage of actually several frameworks and libraries that have been adopted by the industry; secure database access; encode and escape data; validate all inputs. And of course input validation is a huge problem still nowadays. And then also implementing digital identity, enforcing access control, protecting data, you know, wherever it resides, whether it's in the cloud or on premise, and then implementing security logging and monitoring, and handling all errors and exceptions in an appropriate manner.
[00:02:42] Now you should also use software assurance tools and methods, including fuzzing, static application security testing, or SAST, also dynamic application security testing, otherwise known as DAST.

[00:02:56] Now I mentioned fuzz testing or fuzzing. And it's basically a technique that can be used to find software errors or bugs. At the end of the day, security vulnerabilities are bugs, whether it's in applications, operating systems, infrastructure devices or even IoT devices. Right, now fuzzing involves sending random data or crafted messages to the unit that you're actually testing. And you're sending this in order to find input validation issues, program failures, buffer overflows, and many other flaws.

[00:03:30] The tools that are used to perform fuzzing are referred to as fuzzers, and examples of very popular fuzzers are Peach, Mutiny, American Fuzzy Lop, the Synopsys Defensics, and mutational fuzzing frameworks like Radamsa. And by the way, the Mutiny fuzzing framework is an open source fuzzer that was actually created by Cisco. And it works by replaying packet capture files, or pcaps, through a mutational fuzzer.
[00:03:59] And you can actually download more information about that fuzzing framework at the GitHub that I'm showing on the screen.