Automated Security Reviews in a Continuous Integration Environment

Automated Security Reviews in a Continuous Integration Environment

In today’s fast paced development world where code is being delivered to enhance business capability the job of application security developers has become even more difficult. It is beholden on us as security professionals to give them the tools they need to not only deliver software quickly but also that this software is robust from a security perspective without disrupting the development flow.

There are a plethora of application security analysis solutions available and it can be very difficult to understand the differences between them, each vendor has their own elevator pitch and those pitches are highly compelling. You must understand which solution is appropriate for your own organisation and the way to do that is to break each solution down into its fundamental approaches and perceived benefits.

We have to weigh up both the capital costs and the operating costs which the security department will eventually have to pass on to the business. You also have to consider the suitability of each approach to your own organisations – in our case will it fit with Agile, does it integrate with our existing Continuous Integration Development processes.

Most importantly we have to consider usability from both an organisational perspective and from an individual user perspective. Using a tool that sits on a developers shoulder correcting mistakes can be quite invasive so it must be accurate, clear and simple to use, however it must also suit the development model and risk appetite of the organisation .

We must also consider very carefully a number of factors including false positives and false negatives, too much noise like this will result in such technology being switched off and ignored. Each flavour of solution that we will discuss in this talk will have different profiles in terms of usability, noise, costs and suitability for environment types.

Ultimately we will discuss how we selected the right technology for our environment.

When you leave this session you will…

1. Understand the different types of code validation strategy
2. Understand how to justify code validation technology with ROI
3. See which environments each approach is suitable for
4. Understand how to define a selection process
5. See the outcome of a stringent selection process

I am looking forward to the event to once again meet up with the many friends and ex-colleagues I have made over the past 16 years of coming to the event and to see what innovations in technology are coming out of the independent security companies.

Automated Security Reviews in a Continuous Integration Environment

Richard Fry, Infomation Security Manager, Swinton Insurance, 03 Jun 2015, 12:40 – 13:05

Not registered for Infosecurity Europe 2015 yet?

Register to attend Infosecurity Europe

Richard is a highly experienced Security Professional with over IT experience spanning over 3 decades, the last 16 working in Risk and Security across multiple industry sectors. Experienced in understanding the business needs and bringing best in class security solutions into full operation. Originally from the south coast of England Richard now lives in Yorkshire and works in Manchester (where it is not always raining!) ISEB Certificate in Information Security Management Practices (CISM) Distinction ISEB Certificate in Information Risk Management (CIRMP). EC-Council Certified Ethical Hacker

Leave a Comment

Your email address will not be published. Required fields are marked *