The Technological Practices of Integrating Information Security, Change Management and Compliance - Information Security as Everyone's Job, Every Day

21 important questions on The Technological Practices of Integrating Information Security, Change Management and Compliance - Information Security as Everyone's Job, Every Day

Name a few books about integrating InfoSec into DevOps.

Visible Ops Security by Gene Kim, Paul Love and George Spafford.
Rugged DevOps by James Wickett and Josh Corman.
DevOpsSec by Dr. Tapabrata Pal.

How can you make Information Security (InfoSec) everyone's job?

  • Integrate security into development iteration demonstrations
  • Integrate security into defect tracking and post-mortems
  • Integrate preventive security controls into shared source code repositories and shared services
  • Integrate security into our deployment pipeline
  • Ensure security of the application
  • Ensure security of our software supply chain
  • Ensure security of the environment
  • Integrate information security into production telemetry
  • Creating security telemetry in our applications
  • Creating security telemetry in our environment
  • Protect the deployment pipeline.

What are the advantages if security is integrated into development iteration demonstrations?

  • InfoSec gains a better understanding of the Dev team's goals.
  • InfoSec can provide guidance and feedback early, which saves money.

What are the advantages if security is integrated into defect tracking and post-mortems?

  • The work is visible to the DevOps team and can be prioritized.
  • At a post-mortem the security knowledge is transferred to the engineering teams.

Name a few security libraries which an application requires.

  • Authentication
  • Authorization
  • Password management
  • Data encryption

Name a few automated security test tools. What are the advantages of these tools?

Gauntlt.
Remarkably, the tools use Gherkin syntax test scripts, which many developers already use for unit and functional testing.

What should be in our application to ensure security?

  • Static analysis
  • Dynamic analysis
  • Dependency scanning
  • Source code integrity and code signing

What is static analysis testing? Name tools for static analysis testing.

Testing in a non-runtime environment, looking for coding flaws, back doors and potentially malicious code, ideally in the deployment pipeline (testing from the inside out).
Brakeman and Code Climate.

What is dynamic analysis testing? Name tools for this kind of testing.

Security testing executed while a program is in operation, examining system memory, functional behaviour, response time and overall performance (testing from the outside in).
Arachni and OWASP ZAP, and Nmap and Metasploit, which include penetration testing.

What is dependency scanning?

A kind of static testing performed at build time to check for vulnerabilities or malicious binaries in dependencies.

How can you check for source code integrity?

By having every developer sign with a PGP key, so there is a signature for every change to the code or the deployment process, which is logged for audit purposes.

What information can be found in the OWASP Cheat Sheet series?

  • How to store passwords
  • How to handle forgotten passwords
  • How to handle logging
  • How to prevent cross-site scripting (XSS) vulnerabilities.
For other cheat sheets see: https://cheatsheetseries.owasp.org/

What is the problem with (open source) software used for building your own applications?

These open source components contain security vulnerabilities (known or unknown) that you include in your application by using them.

Name two reports which give information about security vulnerabilities of used software.
What did they conclude?

  • DBIR (PCI Data Breach Investigation Report): 10 vulnerabilities accounted for 97% of the exploits for credit card data breaches, and eight of the vulnerabilities were 10 years old.
  • 2015 Sonatype State of the Software Supply Chain Report: a typical organization uses over 7,600 build artifacts and more than 18,000 versions; of those components 7.5% had known vulnerabilities, 66% of which were more than two years old.
  • National Vulnerability Database: only 41% were fixed, taking an average of 390 days, and even those with the highest score required 224 days.

Which aspects are part of security of the environment?

Configuration hardening, database security settings, key lengths.

Name a few tools which can help with security correctness testing, including automated configuration management systems.

Puppet, Chef, Ansible, Salt, ServerSpec and Simian Army.

Which tool can be used to test if the environment is hardened against SQL injection attacks?

Metasploit.

What can you tell about telemetry and information security?

That information security telemetry should be part of production, so we can detect problems ourselves as soon as possible instead of hearing about them from partners or clients.

What kind of telemetry can we use to detect problematic user behaviour in our application?

  • Successful and unsuccessful user logins
  • User password resets
  • User e-mail address resets
  • User credit card changes

What kind of telemetry can we use to detect unauthorized access in our environment?

  • OS changes
  • Security group changes
  • Changes to configurations
  • Cloud infrastructure changes
  • XSS attempts
  • SQLi attempts
  • Web server errors.

What security measures should be taken for the deployment pipeline?

  • Ensuring it is impossible to compromise the servers running the deployment pipeline, so the code cannot be stolen or injected with malicious changes.
  • Reviewing all changes introduced into version control, either through pair programming or code review.
  • Instrumenting our repository to detect suspicious API calls.
  • Ensuring every CI process runs in its own isolated container or VM.
  • Ensuring the version control credentials used by the CI system are read-only.
