USENIX Enigma 2017 — Test Driven Security in Continuous Integration
Julien Vehent, Firefox Services Security Lead at Mozilla
Mozilla runs services for millions of Firefox users that must be operated at reasonable cost while sustaining a fast innovation pace. Development and operation teams have long adopted DevOps’ Continuous Integration (CI) and Continuous Delivery (CD) principles, allowing applications to go from a patch submission to production deployment in minutes. These fast cycles have left security controls designed for slow deployment cycles lagging behind. In this talk, we describe how the Mozilla CloudSec team has redesigned security into the DevOps pipelines to accelerate the discovery and mitigation of security issues using a technique called “Test Driven Security” (TDS).
Similar to Test Driven Development, TDS writes the security tests that represent the desired behavior first, then runs those tests continuously against the code. Compared to a traditional approach where security controls are implemented outside of CI/CD, TDS runs in the DevOps pipeline automatically and continuously asserts the security of a web application.
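To make the TDS idea concrete, here is an added example (written for this page, not Mozilla's own tooling) of a security test a CI job can run on every build: it encodes a few expectations about a web application's HTTP response and fails the build when one is not met. The sample responses and the six-month HSTS minimum are assumptions of the example.

```python
# Added example, not Mozilla's code: a Test Driven Security check that a CI
# job runs on every build. The sample responses are constructed inline.
HSTS_MIN_AGE = 15552000  # six months; threshold is an assumption of this example

WEAK = {"Content-Type": "text/html", "Set-Cookie": "sessionid=abc123; Path=/"}
HARDENED = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'none'; script-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
}

def hsts_max_age(value):
    """Return the max-age of an HSTS header value, or 0 if absent or invalid."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.isdigit():
            return int(arg)
    return 0

def security_findings(headers):
    """Return the list of security expectations a response fails (empty = pass)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append("missing-hsts")
    elif hsts_max_age(h["strict-transport-security"]) < HSTS_MIN_AGE:
        findings.append("hsts-max-age-too-short")
    if "content-security-policy" not in h:
        findings.append("missing-csp")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing-nosniff")
    if "set-cookie" in h:
        # Attributes after the name=value pair, e.g. Secure, HttpOnly
        attrs = {p.strip().lower() for p in h["set-cookie"].split(";")[1:]}
        if "secure" not in attrs:
            findings.append("cookie-not-secure")
        if "httponly" not in attrs:
            findings.append("cookie-not-httponly")
    return findings

def assert_secure(headers):
    """Raise (failing the CI job) when any expectation is not met."""
    findings = security_findings(headers)
    if findings:
        raise AssertionError("security test failed: " + ", ".join(findings))
    return True
```

In a real pipeline the header dict would come from a request to the freshly deployed test instance, so a regression that drops a header or a cookie flag is caught before the change reaches production.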
In this presentation, we show how Mozilla uses Open Source tools to implement TDS and reduce the number of security vulnerabilities and regressions that reach production environments.
Sign up to find out more about Enigma conferences: https://www.usenix.org/conference/enigma2017#signup
Watch all Enigma 2017 videos at: http://enigma.usenix.org/youtube
via YouTube https://youtu.be/e2axToBYD68