“Toward the automation of security analysis, design and assessment in the development process”
Modern software development methodologies like DevOps or Agile are very popular and widely used, especially for the development of cloud services and applications, as they dramatically reduce the time-to- market by means of continuous software delivery. Unfortunately, traditional DevOps processes do not include security design and risk management practices by default, and often take security into account only after the completion of the coding stage, with the risks that security flaws may be found too late and cause significant delays in the development process.
Recent SecDevOps methodologies aim at integrating security activities such as threat modeling, countermeasure selection, static and dynamic code analysis, security assessment and security testing into DevOps workflows. Since security operations typically require the engagement of (expensive) security teams and inevitably slow down the development process, automated security design and assessment techniques are needed to preserve DevOps productivity and reduce costs.
Despite the efforts that have been recently made to provide techniques and tools able to fully or partially automate security-related activities, security analysis and testing operations still heavily require the intervention of security experts, typically assisted by a plethora of tools whose adoption requires deep technological skills.
This talk aims to discuss possible strategies and techniques meant to reduce the complexity of security management in a development process, and to support developers from the early security analysis stages to post-development security testing by means of partly or fully-automated techniques for threat modeling, risk evaluation, countermeasure selection, static and dynamic assessment.