
Table of contents

  1. Overview
  2. Participants
  3. Outcomes
  4. Quick References
  5. OWASP Cheat Sheets

Overview

Continuous security is an approach that automates the monitoring of information security controls, vulnerabilities and other cyber threats so that organizational risk-management decisions rest on current data rather than on point-in-time assessments. Implementing it involves the following steps:

  1. Implement threat modeling during the solution and design phase of the project. A threat model is a structured representation of all the information that affects the security of an application; in essence, it is a view of the application and its environment through the lens of security. Revisit it whenever the design changes, since the model is only useful while it describes the system actually being built.

  2. Implement automated security tests in the delivery pipeline so that the security posture and risks of each release candidate are known before it ships, and gaps are addressed as early as possible, while the change is still cheap to fix.

  3. Implement automated scanning of the application and infrastructure at runtime to identify vulnerabilities and threats that only become visible once the software is deployed, or that are disclosed after release in components already in production, and respond immediately when an issue is found.

The following tests are commonly built into the delivery pipeline. They find issues such as out-of-date libraries and OWASP Top 10-class weaknesses (XSS, SQL injection, CSRF and similar) that are easiest to fix while the code is still being written:

  • Dependency checking and tracking (out-of-date or vulnerable third-party libraries)
  • Static Application Security Testing (SonarQube; linters such as PyLint and the Visual Studio code analyzers cover a narrower set of issues)
  • Dynamic Application Security Testing (OWASP ZAP)
  • Container image vulnerability scanning (Trivy)
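Scanner output only becomes "faster feedback" when the pipeline turns it into a pass/fail decision the developer can act on. The gate below is an added example (not code from the original page, nor from Trivy or any other tool named above) for the dependency-checking and container-scanning stages: it parses a Trivy JSON report, blocks on findings at or above a severity threshold, ignores findings that have no fix yet, and honours risk acceptances only until their expiry date. The `trivy image` / `trivy fs` invocations in the docstring are the assumed preceding pipeline steps, and the embedded report, its TEST-* identifiers, package names and versions are constructed for illustration.

```python
"""Pipeline gate for Trivy JSON reports (added example, not code from the original
page or from the Trivy project). It assumes the pipeline has already run Trivy
with JSON output, e.g. `trivy image --format json -o trivy.json <image>` for the
container stage or `trivy fs --format json -o trivy.json .` for dependency
checking; both emit the same `Results` layout, so one gate serves both stages."""
import json
import sys
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    installed: str
    fixed: str       # empty when Trivy reports no fixed version yet
    severity: str
    target: str

def parse_trivy_report(report: dict) -> list[Finding]:
    """Flatten a Trivy report into Finding records, in report order. Trivy emits one
    `Results` entry per scanned target (OS packages, each lockfile, ...); a target
    with nothing to report may omit `Vulnerabilities` or set it to null."""
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                vuln_id=vuln["VulnerabilityID"],
                package=vuln["PkgName"],
                installed=vuln.get("InstalledVersion", ""),
                fixed=vuln.get("FixedVersion", ""),
                severity=vuln.get("Severity", "UNKNOWN").upper(),
                target=result.get("Target", ""),
            ))
    return findings

def blocking_findings(findings, threshold="HIGH", accepted=None, today=None,
                      fixable_only=True):
    """Return the findings that should fail the stage.
    threshold:    lowest severity that blocks (inclusive).
    accepted:     {vuln_id: expiry date} of risk-accepted findings; an acceptance
                  past its expiry suppresses nothing, forcing a re-review.
    fixable_only: unfixed findings are reported but do not block, because the
                  developer has no upgrade to apply yet."""
    accepted = accepted or {}
    today = today or date.today()
    min_rank = SEVERITY_RANK[threshold]
    blocking = []
    for f in findings:
        if SEVERITY_RANK.get(f.severity, 0) < min_rank:
            continue
        expiry = accepted.get(f.vuln_id)
        if expiry is not None and today <= expiry:
            continue            # accepted risk, acceptance still valid
        if fixable_only and not f.fixed:
            continue            # nothing the developer can upgrade to yet
        blocking.append(f)
    return blocking

def gate_exit_code(report: dict, **policy) -> int:
    """0 when the stage may proceed, 1 when it must fail (CI exit-code convention)."""
    return 1 if blocking_findings(parse_trivy_report(report), **policy) else 0

# Constructed sample in Trivy's JSON layout. The TEST-* IDs, packages and versions
# are placeholders for this example, not real vulnerability records.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "registry.example/app:1.4.2",
    "Results": [
        {"Target": "registry.example/app:1.4.2 (debian 12.5)", "Class": "os-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "TEST-0001", "PkgName": "libssl3", "InstalledVersion": "3.0.11-1",
             "FixedVersion": "3.0.13-1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "TEST-0002", "PkgName": "zlib1g", "InstalledVersion": "1:1.2.13-1",
             "Severity": "HIGH"},                                    # no FixedVersion yet
        ]},
        {"Target": "requirements.txt", "Class": "lang-pkgs", "Type": "pip", "Vulnerabilities": [
            {"VulnerabilityID": "TEST-0003", "PkgName": "requests", "InstalledVersion": "2.30.0",
             "FixedVersion": "2.31.0", "Severity": "HIGH"},
            {"VulnerabilityID": "TEST-0004", "PkgName": "urllib3", "InstalledVersion": "1.26.17",
             "FixedVersion": "1.26.18", "Severity": "MEDIUM"},
        ]},
        {"Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm", "Vulnerabilities": [
            {"VulnerabilityID": "TEST-0005", "PkgName": "lodash", "InstalledVersion": "4.17.20",
             "FixedVersion": "4.17.21", "Severity": "HIGH"},
        ]},
        {"Target": "/app/config.yaml", "Class": "config"},          # clean target, no key
    ],
}

ACCEPTED = {"TEST-0003": date(2099, 1, 1),    # risk accepted, still within its review period
            "TEST-0005": date(2020, 1, 1)}    # accepted once, acceptance has expired

if __name__ == "__main__":
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    for f in blocking_findings(parse_trivy_report(report), accepted=ACCEPTED):
        print(f"BLOCK {f.severity:<8} {f.vuln_id} {f.package} {f.installed} -> {f.fixed} [{f.target}]")
    sys.exit(gate_exit_code(report, accepted=ACCEPTED))
```

Run against the embedded sample, the gate blocks on TEST-0001 (critical, fixable) and TEST-0005 (high, its acceptance expired), lets TEST-0002 through because there is nothing to upgrade to, and honours the still-valid acceptance of TEST-0003. Keeping the acceptance list with expiry dates under version control next to the code is the design point: "accepted" findings get a review date instead of disappearing forever, and the same script gates both the `trivy fs` dependency scan and the `trivy image` container scan.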

Participants

  1. Solution/Security Architects
  2. Developers
  3. Security Engineers
  4. DevOps Engineers

Outcomes

  • A delivery pipeline with automated security testing built in.
  • Faster feedback to developers about out-of-date libraries and vulnerabilities in their changes.
  • Real-time reporting of risk from the automated security testing and scanning.
  • Faster remediation and patching of the issues detected.
  • Reduced overall security risk for the delivered software.

Quick References

OWASP Cheat Sheets

Note: OWASP is a widely used reference for application security guidance. It maintains an extensive series of cheat sheets that cover all of the OWASP Top 10 and more. Below, many of the more relevant cheat sheets have been summarized. To view all the cheat sheets, see the OWASP Cheat Sheet Index.