SSL – Shift Security Left

Promotes security as a responsibility shared by all teams involved in software development.
It focuses on answering and resolving the tensions between:
  • Speed vs Security
  • Skill vs Mindset
  • Lack of Communication vs Positive Communication

Addressing SSL

  • Security activities cannot be left until the end of development.
  • Vulnerabilities lead to increases in cost and time.
  • Recent software has increased in complexity and is largely “assembled”.
  • Protecting sensitive data, mitigating insider threats and solid regulatory compliance.
  • Insecure design can lead to deadlocks: bugs that are impossible to fix.
  • Dev and security teams need to collaborate regularly.
  • Lack of security skills/knowledge during all stages of development.
  • Security activities are usually not adapted to agile methodologies.


Addressing SSL – Why?

Let’s take a step back.

Failing to firmly prioritize software security can lead to serious consequences.
  • Lack of understanding
  • Cost
  • Time constraints
  • Prioritization of features over security
  • Perception of invincibility

That’s when the DevSecOps methodology came to light.


DevSecOps

The “Sec” process wraps the well-known DevOps framework, which is already in place for most organizations that build software.


Pillars of DevSecOps

Rapid, cost-effective software delivery
In non-DevSecOps environments, security issues can easily be both time- and cost-consuming.

Improved, proactive security
Cybersecurity issues are addressed as soon as they are identified, at every SDLC stage, before additional dependencies are used, placed, or coded.

Accelerated security vulnerability patching
The time needed to identify and patch Common Vulnerabilities and Exposures (CVEs) is diminished.

Automation compatible with modern development
Security checks can be integrated into an automated test suite for operations teams if an organization uses a CI/CD pipeline to ship its software.

A repeatable and adaptive process
A mature implementation of DevSecOps ensures consistent security across changing environments and requirements, resulting in solid automation, configuration management, orchestration, containers, immutable infrastructure, and even serverless compute environments.


SSL vs DevSecOps

The relationship lies in their shared goals:
  • Speed vs Security
  • Skill vs Mindset
  • Lack of Communication vs Positive Communication

Skills gap: 80% of organizations tell us they have a hard time finding and hiring security professionals, and 71% say it’s impacting their ability to deliver security projects.*

*Gartner’s Security and Risk Management Summit

SORINT.lab’s Tailored Journey

How we shift security to the left:
  • Educational-level: Developers’ security self-assessment
  • Knowledge-level: AppSec design
  • Implementation-level: Security tools consultancy
  • Culture-level: Stakeholders’ security awareness


Closer Look

Areas and fields of focus

Developers’ security self-assessment
  1. Measure the overall development team’s knowledge about security-related topics.
  2. Identify gaps in common security principles/knowledge.
  3. Build a roadmap to plan the actual “Shift Left”.
Security tools consultancy
  1. Implement and configure SCA, SAST and DAST tools within the CI/CD pipeline.
  2. Experts advise on best practices to properly configure these tools, and support developers in better understanding the results.
  3. Suitable AST tools depending on the project.
AppSec design
  1. Evaluate/identify possible threats and how to address each of them.
  2. Deliver a threat model that is a conceptual representation of the system and the threats that have been identified.
Developers’ security awareness
  1. Best practices for secure/defensive coding and how to avoid common mistakes.
  2. Support developers in building their own “security mindset”.
  3. Customized trainings/workshops.


Prestigious Certificates

Other circles and specialisations involved:
  • Shift Security Left (SSL)
  • DevArch
  • SecOps

Leading to

Manifestations of success:
  • Secure Design and Culture
  • Threat Modelling
  • Secure Implementation
  • Secure Verification
  • Production Security Monitoring
  • Incident Management

Success Stories

Delivered by: SORINTians

A Well-Known Financial Institution

Introduce Shift Security Left

1) Challenge

The client is developing a critical software app. Requirements included:

  • Compliance with industry standards and regulations.
  • Regulate and intermediate the workflow and pipelines.
  • Introduce and increase security awareness and practices.
  • No security measures implemented. Low security awareness.

2) Going forward

Intensive self-assessment sessions with the security and development teams.

3) Accepting the challenge – Solution and Implementation

In proposal form:

  • A new workflow to remove obstacles between the teams.
  • A workshop to introduce new tools and how to use/read their outputs, e.g.:
    • SAST (Static Analysis Security Testing) to find vulnerability patterns in source code.
    • SCA (Software Composition Analysis) assessment done by a third party.
  • Help the development team choose the final pipeline tools.

Result & delivery (UTD)

  1. Discussed all the findings with both teams (Security and Development).
  2. Submitted multiple reports on the security level of the application.
  3. Agreed on a smooth and seamlessly automated workflow that embraces security.
  4. Guided a solid security-aware culture throughout the company, long-lasting and influencing other software projects in the company.

Well-Known Italian Retail – Store Chain

Enhance the CI/CD Practice

1) Challenge
Issues in DevOps practices. The client’s requirements included:
  • Fix the legacy CI/CD pipeline.
  • Overhaul and refactor CI/CD processes.
  • Implement a maintainable workflow, in terms of both tech and culture.
2) Going forward
Intensive requirement-gathering sessions, software assessment and product selection.
3) Accepting the challenge – Solution and Implementation
In proposal form: a re-architected CI/CD solution that included:
  • Introduce several new software tools and make use of those already effectively installed.
  • Introduce GitOps principles:
    • Separate build code from deployment code.
    • Replace the imperative pipeline with a declarative one.
    • Version the deployment code.
    • Code review for deployment changes.
  • Influence the client’s team and create a dynamic workflow.

Result & delivery (UTD)

  • Delivered in several phases; main phase in 1-2 months.
  • Solution was executed 100% effectively.
  • Implemented a generic Jenkins CI pipeline to build and publish application containers.
  • Declarative management of Jenkins jobs (both CI and CD).
  • Drastic changes in culture approach, leading to a positive workflow.
  • Documentation and required alignments.
  • Took the learnings and closed the challenge.
Research and Intelligence Services

Migration and major changes in the CI/CD tools

1) Challenge
The client’s requirements included:
  • Migrate from Docker Swarm to K8S.
  • Substitute BitBucket/Bamboo with open-source alternatives.
  • Implement CI/CD on the new infrastructure (different VCS and target system).
2) Going forward
Understanding the environment through round tables.
3) Accepting the challenge – Solution and Implementation
In proposal form: an executable timeline for:
  • Software selection (Rancher as cluster management tool, GitLab as VCS, Tekton as CI/CD tool).
  • Installation and configuration of Rancher and K8s clusters.
  • Migrate the VCS tool (from BitBucket to GitLab).
  • Introducing GitOps principles.

Result & delivery (UTD)

  • Delivered in several phases; main phase in 1-2 months.
  • Solution was executed 100% effectively.
  • Implemented a generic Jenkins CI pipeline to build and publish application containers.
  • Declarative management of Jenkins jobs (both CI and CD).
  • Drastic changes in culture approach, leading to a positive workflow.
  • Documentation and required alignments.
  • Took the learnings and closed the challenge.