Application Security in a DevOps World
- 2. 2 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
Terms of This Presentation
For Informational Purposes Only
© 2017 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2017 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
- 3. Who am I?
• 25+ Years Software Development Experience
• 11+ Years Application Security Experience
• Certified Agile Product Owner and Scrum Master
• At Veracode since 2006
• From Waterfall to Agile to DevOps
• From Monolith to MicroService
• Consultant on DevSecOps best practices
• Fun Fact: I love whiskey!
• Tell me where to drink local whiskey
@PeteChestna
- 4. Goals
Why is AppSec important?
How is DevOps changing application development?
How is AppSec traditionally done?
What needs to change?
– What to build
– What to measure
– How to help
- 5. Applications Are as Risky as Ever
• 39% of all applications used some kind of hard-coded password
• 35% of all applications use broken or risky cryptographic algorithms
• 28% of all applications were vulnerable to open redirect attacks
• 16% of all applications mix trusted and untrusted data in the same data structure or message
- 6. Lack of App Security is Damaging Companies
- 7. High Profile Breaches Through the App Layer
Financial Institution
How: Vulnerability on website built and maintained by third-party vendor in support of a charity.
Result: Usernames and passwords for 76 million households and 7 million businesses were stolen.
Financial Institution
How: Hackers exploited a known vulnerability in an open source component.
Result: Social Security Numbers and personal data for more than 143 million Americans stolen. Three executives lose their jobs.
Healthcare Provider
How: Targeted a flaw in OpenSSL, CVE-2014-0160, better known as Heartbleed.
Result: The theft of Social Security Numbers and other personal data belonging to 4.5 million patients.
Retailer
How: Sophisticated kill chain including exploitation of vulnerable web application.
Result: Hackers stole names, mailing addresses, phone numbers and email addresses for more than 70 million shoppers.
- 8. Business Mandate
- 9. Compressed Timelines & Smaller Teams
Waterfall: 1-4 releases per year, 50+ people
Agile: 12-24 releases per year, 6-12 people
DevOps: 100+ releases per year, 6-12 people
- 10. Technology (figure: Waterfall, Agile, DevOps)
- 11. Definition of DevOps
- 12. What’s a DevOps Team? (figure: DevOps Team)
- 13. DevOps – Process: Where is security? (figure: Security)
- 14. Agile – Process for DevOps
(figure) Copyright 2005, Mountain Goat Software
- 15. Is this your current AppSec program?
- 16. They/We know it’s coming…
- 17. Which outcome do you see?
@PeteChestna
- 18. Strategy
• Relationship & Accountability
• Integration & Automation
• Training & Remediation Coaching
• Security Champions
- 19. Strategy - Relationships
Who is your peer in development/security?
Do you meet with them?
Do you understand each other's goals?
Are you sympathetic to each other's struggles?
- 20. Strategy – Accountability
Shared between development and security
Part of annual goals for both teams
Measured and reported regularly
- 21. Strategy – Integration & Automation
(CI/CD pipeline diagram; steps as numbered in the figure, run per check-in)
CI:
1 Develop
2 Backlog
3 Build & Test (3a Manual Testing*)
4 Check in, Static Analysis
5 Build
6 Static Analysis, Unit Tests
Pass? No: 7 Synchronize. Yes: 7 Deploy to QA/Stage
CD:
8 Dynamic Analysis, Regression Testing
Pass? Yes: Stage then Prod
- 22. Strategy – Training
Security teams can help developers by providing training, either through eLearning or in-person instructor-led training.
Think about targeted training based on policy violations.
CA Veracode State of Software Security 2017
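The two ideas on slides 21 and 22 (a "Pass?" gate on the static-analysis step that either lets the build proceed or synchronizes findings back to the backlog, and training targeted at the policy violations the gate records) can be shown in one small script. The following is an added example, not code from the slides or from Veracode; the finding format, the `Policy` fields, the severity names and the function names are assumptions, and the scan results are constructed. The CWE numbers used for the sample findings are real CWE identifiers chosen to match the flaw categories the deck cites (hard-coded password, risky cryptography, open redirect).

```python
"""Policy gate for the static-analysis step of a CI pipeline, plus a per-CWE
tally of violations that a security team can use to pick training topics.

Added example. Finding/Policy shapes and names are assumptions, not any
vendor's API or output format.
"""
from collections import Counter
from dataclasses import dataclass

# Severity scale used by this example (assumption); higher rank = more severe.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Very High": 4}


@dataclass(frozen=True)
class Finding:
    cwe: int        # CWE id reported by the scanner
    severity: str   # one of SEVERITY_RANK's keys
    file: str
    line: int


@dataclass
class Policy:
    fail_at: str = "High"   # findings at this severity or above are violations
    max_allowed: int = 0    # how many violations the gate tolerates before failing


def violations(findings, policy):
    """Findings that breach the policy (severity at or above policy.fail_at)."""
    threshold = SEVERITY_RANK[policy.fail_at]
    return [f for f in findings if SEVERITY_RANK.get(f.severity, 0) >= threshold]


def gate(findings, policy):
    """The 'Pass?' decision: (passed, violating findings).

    passed is False when the CI step should fail and the violations should be
    synchronized back to the backlog instead of deploying.
    """
    bad = violations(findings, policy)
    return len(bad) <= policy.max_allowed, bad


def training_targets(findings, policy, top_n=3):
    """Most frequent CWEs among policy violations, i.e. candidate topics for
    targeted training ("training based on policy violations")."""
    return Counter(f.cwe for f in violations(findings, policy)).most_common(top_n)


def backlog_items(bad):
    """The 'Synchronize' branch: one work-item line per violating finding,
    de-duplicated by (CWE, file, line) so re-scans do not create duplicates."""
    seen = set()
    items = []
    for f in bad:
        key = (f.cwe, f.file, f.line)
        if key in seen:
            continue
        seen.add(key)
        items.append(f"CWE-{f.cwe} {f.severity} at {f.file}:{f.line}")
    return items


# Constructed sample scan output (not real scan results).
SAMPLE_FINDINGS = [
    Finding(798, "High", "src/db.py", 12),          # hard-coded credential
    Finding(327, "Medium", "src/crypto.py", 40),    # broken/risky crypto algorithm
    Finding(601, "Medium", "src/views.py", 88),     # open redirect
    Finding(798, "High", "src/config.py", 3),       # another hard-coded credential
    Finding(89, "Very High", "src/search.py", 21),  # SQL injection
    Finding(79, "Low", "templates/item.html", 5),   # cross-site scripting
]


def main():
    policy = Policy()  # block on High and above, zero tolerance
    passed, bad = gate(SAMPLE_FINDINGS, policy)
    print("Gate passed:", passed)
    if not passed:
        print("Synchronizing to backlog:")
        for item in backlog_items(bad):
            print("  ", item)
    print("Training targets (CWE, count):", training_targets(SAMPLE_FINDINGS, policy))


if __name__ == "__main__":
    main()
```

With the default policy the sample run fails the gate on the three High/Very High findings, emits three backlog items, and reports CWE-798 (two occurrences) as the first training target; lowering `fail_at` to "Medium" pulls the crypto and open-redirect findings into both the gate decision and the training tally, which is how a team would tune the policy as its baseline improves.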
- 23. Strategy - Training
- 24. Strategy – Remediation Coaching
@PeteChestna
CA Veracode State of Software Security 2017
- 25. Strategy – Security Champions
Eyes and ears of security
Specialized training
– Basic security concepts
– Threat modeling
– Grooming guidelines
– Secure code review training
– Security controls
– CTF Exercises
Escalate when necessary
- 26. Strategy - DevOps (Shift Left & Monitor)
Pipeline phases: Plan, Code, Build, Test, Stage, Deploy, Monitor
Activities placed along the pipeline:
Threat Modeling
Security Grooming
Secure Design
Training (eLearning, instructor led, metadata driven)
Static Application Security Testing + 3rd Party Risk Analysis
Secure Code Reviews
Remediation and Mitigation Guidance
Dynamic Application Security Testing
Manual Penetration Testing
Red Team Activities
Runtime Application Self Protection
- 27. Bridge the Gap Between Development and Security
Development
1. Scan early & often
2. Integrate & automate
3. Take Training
4. Request Remediation Guidance
5. Be a security champion
Security
1. Be involved in all phases
2. Define & explain policy
3. Provide Targeted Training
4. Provide Remediation Guidance
5. Recruit & train champions
- 28. Recommended Sessions
SESSION # | TITLE | DATE/TIME
DST43T | The CA Technologies Veracode Platform: 360 Degree View of Your Application’s Security | 11/15/2017 at 12:45 pm
DST50T | How Components Increase Speed & Risk | 11/15/2017 at 1:45 pm
DST40T | Scale Your Application Security Program Effectively with the Right Program Management Model | 11/15/2017 at 3:30 pm
DST41T | DevOps: Security’s Chance to Get It Right | 11/16/2017 at 12:45 pm
- 29. Must See Demos
Securing Apps from Dev to Production: CA Veracode Static Analysis, CA Veracode Greenlight, CA Veracode Remediation Guidance
Manage Your Software Risk: Open Sourced Component Scanning, Developer Training on Secure Coding, Integrations into Your Dev Tools
Manage Your Software Risk: CA Veracode Static Analysis, CA Veracode Web Application Scanning, CA Veracode Greenlight
Demo stations: 301 (DevOps-CD), 506P and 509P (Security)
- 30. Stay connected at https://community.veracode.com
Thank you.
- 31. DevSecOps
For more information on DevSecOps, please visit: http://cainc.to/CAW17-DevSecOps