USENIX Enigma 2017 — Test Driven Security in Continuous Integration

USENIX Enigma 2017 — Test Driven Security in Continuous Integration

Julien Vehent, Firefox Services Security Lead at Mozilla

Mozilla runs services for millions of Firefox users that must be operated at reasonable cost while sustaining a fast innovation pace. Development and operation teams have long adopted DevOps’ Continuous Integration (CI) and Continuous Delivery (CD) principles, allowing applications to go from a patch submission to production deployment in minutes. These fast cycles have left security controls designed for slow deployment cycles lagging behind. In this talk, we describe how the Mozilla CloudSec team has redesigned security into the DevOps pipelines to accelerate the discovery and mitigation of security issues using a technique called “Test Driven Security” (TDS).

Similar to Test Driven Development, TDS puts the security tests that represent the desired behavior first, then runs these tests continuously against the code. Compared to a traditional approach where controls implementation is done outside of CI/CD, TDS can run in the DevOps pipeline automatically and continuously assert security of a web application.

In this presentation, we show how Mozilla uses Open Source tools to implement TDS and reduce the number of security vulnerabilities and regressions that reach production environments.

Sign up to find out more about Enigma conferences:

Watch all Enigma 2017 videos at:

via YouTube


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s