Test Driven Security in Continuous Integration

Monday, January 30, 2017 - 3:30pm4:30pm

Julien Vehent, Firefox Services Security Lead at Mozilla


Mozilla runs services for millions of Firefox users that must be operated at reasonable cost while sustaining a fast innovation pace. Development and operation teams have long adopted DevOps' Continuous Integration (CI) and Continuous Delivery (CD) principles, allowing applications to go from a patch submission to production deployment in minutes. These fast cycles have left security controls designed for slow deployment cycles lagging behind. In this talk, we describe how the Mozilla CloudSec team has redesigned security into the DevOps pipelines to accelerate the discovery and mitigation of security issues using a technique called "Test Driven Security" (TDS).

Similar to Test Driven Development, TDS puts the security tests that represent the desired behavior first, then runs these tests continuously against the code. Compared to a traditional approach where controls implementation is done outside of CI/CD, TDS can run in the DevOps pipeline automatically and continuously assert security of a web application.

In this presentation, we show how Mozilla uses Open Source tools to implement TDS and reduce the number of security vulnerabilities and regressions that reach production environments.

Julien Vehent, Firefox Services Security Lead at Mozilla

Julien Vehent leads security architecture for Mozilla Firefox Services. He is responsible for defining, implementing and operating the security of web services that millions of Firefox users interact with daily. Julien's background is in background in web applications security, services architecture, cryptography and risk management. Julien is the author of Securing DevOps (Manning Ed.).

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@conference {202483,
author = {Julien Vehent},
title = {Test Driven Security in Continuous Integration},
year = {2017},
address = {Oakland, CA},
publisher = {USENIX Association},
month = jan

Presentation Video