diniscruz / book_secdevops_risk_workflow
Content for 'JIRA Risk Project' book published at LeanPub
License: Apache License 2.0
While doing the review sessions and adding my comments I can't help noticing that the contents are more about 'how to set up a SecDevOps organisation' and not only about 'Jira Risk Flow'.
Should we consider this scope creep and refocus, or do you want this to be the natural flow of the book and maybe change the title to be more in line?
"SecDDev - Security Driven Development" http://blog.diniscruz.com/2012/10/secddev-security-driven-development.html
from Paul Santapau
Include the Security Shepherd https://www.owasp.org/index.php/OWASP_Security_Shepherd training platform in the Security Champions chapter. I was using it at the last company I was working for, with very good results.
You can even organise a private Capture The Flag (CTF) contest to reward the top 10 players with some: 1) recognition, 2) reward (going to a conf or similar).
from #59
see https://twitter.com/Dave_von_S/status/786062211231940608 for context
CTO/CISO to identify skills for AppSec team (may change in next phase)
(to do)
from https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/pull/57/files
Andre Gironda asked:
_I liked the parts about making Risk a separate project but what if appsec requirements/documentation are listed in its own Epic instead?_
My answer:
That can work; the problem is that it is easy for those Epics to fall into the 'backlog pit of despair' and start to be ignored (i.e. unless you have that 'Risk Accepted' button, it is 'cheap and easy' to just keep prioritising other 'really important' features required by the business/users).
Another issue is that I like to use the JIRA Risk project to describe 'reality' (i.e. the Risks/Issues/features that exist or will exist soon) and then let the devs use their JIRA project (or whatever bug tracking system they use) to describe what needs to be done (i.e. how they would address those RISK issues).
For example, a RISK issue (in the separate RISK or APPSEC Jira project) would be "Xyz app - There is no Authentication on exposed Web Service's methods", which would (when in the 'Allocated for Fix' stage) be linked to another ticket (or multiple tickets) in the application's JIRA project that would be called "Use Spring Security to authenticate users of service".
I think a number of readers will be interested in my current workflow and CI.
Here are the tools/technologies used:
Here is my workflow to push some content changes: run the `./commit_and_build.sh` script from the command line, for example this workflow:
from http://blog.diniscruz.com/2016/06/using-jira-to-manage-risks-v10-owasp.html
on https://github.com/DinisCruz/Book_Jira_Risk_Workflow/pull/7/files#diff-d81580da3b8096a9abb99b1e6e1c6ef2R48 @davevs asks:
I think this is too restrictive. Yes, understanding code is critical, but I believe you can be a (valuable) AppSec specialist without actually being able to code. More important qualities are: understanding modern development, being able to explain and discuss issues with developers, being able to explain, configure, and use tools, etc.
Why should a developer care about security training? http://blog.diniscruz.com/2012/04/why-should-developer-care-about.html
"Absolutely, DevOps is full of code (most don't realise it). Every script/config exists in git and needs SDL"
as per this thread https://twitter.com/koehntopp/status/788346842111246336
Add content to https://github.com/DinisCruz/Book_SecDevOps_Risk_Workflow/tree/master/content/2.Risk-workflow/Security-champions
Ideas to cover:
Mario Robles mentioned:
It's very nice to see your Jira workflow, very similar to the one I've been working on. One thing that I would suggest is including custom "resolutions" consistent with the statuses in the kanban, so you can add the Resolution field to the Screen used for closing the issues:
Here are the Resolutions I have configured in the JIRA RISK Workflow:
See
Here is a description from the https://jscrambler.com tool (which is a leading player in this field):
JavaScript protection. Jscrambler is all about protecting JavaScript-enabled environments. With Jscrambler's first layer of protection, using obfuscation techniques, we provide you with polymorphic JavaScript: each time you request a protection, you will get different source code.
You can go even further by applying Control Flow Flattening, which will also create different application flows. With this layer alone you will prevent any attacker from keeping knowledge of your application internals.
On top of this first layer you can get RASP (Runtime Application Self-defending Protection) features, which right now only apply to JavaScript, but soon will also enable you to get notified about DOM tampering and JavaScript poisoning (browser global objects and event handlers) or even remove DOM injections on the client side.
http://blog.diniscruz.com/2013/12/trying-to-add-evil-bit-to.html (find more up-to-date content)
A great example of the kind of 'advanced research' that should be done by AppSec teams + Security Champions (across multiple companies).
This quote is a good representation of the position of the book
So good to see security issues represented a) in plain language and b) as a feature, which is non-confrontational!
@ElizabethLawler
(from https://twitter.com/ElizabethLawler/status/789495925861384192)
A variation of this
Not 100% sure about the titles of the 4 circles (maybe add JIRA workflow or secure code to it).
Image found at https://www.linkedin.com/pulse/devsecops-secdevops-difference-kumar-mba-msc-cissp-mbcs-citp
Book cover to be designed at https://www.canva.com/
from #58
Mr Security Consultant: 'Are You Doing A Good Job' for your clients? http://blog.diniscruz.com/2009/11/mr-security-consultant-are-you-doing.html
from #17 (comment)
"Continuous Application Risk Management" - And how to foster security as part of a DevOps culture.
This would allow setting the stage by talking about the history of Agile and DevOps and how traditional security approaches are not working in environments where software is released frequently. It then introduces the concept of embedding security into an Agile + DevOps environment and what the key aspects are in terms of culture and responsibilities. This leads to the main topic of the book, which is how application risk can be managed seamlessly in an ongoing and integrated fashion.
This deserves a good set of chapters and maybe even its own section.
Need to talk about why developers avoid appsec people
Pull Request #72
A few questions on meaning:
On line 9:
On line 19, I just want to be sure I have made sense of the text. If you want me to make further changes let me know.
related to 'Expand on 'The 5÷ of code that needs to be secure' #188
"ability to write Tests in TTD (with CI workflow) is more important than the language"
see thread https://twitter.com/zeroXten/status/786356626060087296
James just asked me this
Add more detail on where to start
When we say
It is really time for application developers to stop believing that they are protected by perimeter defenses and fix the real issue, which is “Stop writing broken code”
Is this really fair to developers?
I don't think developers want to write broken code (i.e. code with security issues). I think the problem is more to do with the developer's workflow than with a desire to write vulnerabilities.
related posts:
(related to #53)
Following from @davevs' question on scope creep, rename the book to 'SecDevOps Risk Workflow'.
Especially for the Fix state, since it is based on kanban.
Looks like an interesting product: http://riskgap.com
Does anybody have experience using it?