Securing Web Apps in a DevOps World (Notes From Black Hat 2017)

Zane Lackey of Signal Sciences spoke at Black Hat 2017 on a topic near and dear to my heart: Practical Tips for Defending Web Applications in the Age of DevOps. DevOps — and really, any Agile or Agile-like rapid software development approach — is a huge enabler for business. Changes to software are envisioned, implemented, tested, and deployed incredibly fast; deployments can happen multiple times per day. The agility this offers an organization is outstanding. But DevOps is also a thorn in the side of traditional application security programs. The “gates” that most such programs rely on, the fixed checkpoints before a release where security reviews happen, no longer exist, so there are far fewer obvious places for a security team to hook into the development process, and more security bugs escape to production. It’s not all gloom, though: the rapid lifecycle also means that production security bugs, once discovered, can be fixed very quickly. As Lackey points out, DevOps models give us a chance to outpace attackers, potentially closing holes before they have a chance to be meaningfully exploited. In fact, he shared...