2. Speakers
Shuchita Gupta
Senior Software Client
Architect & Leader
IBM
Sona Srinivasan
Senior IT Architect, Global
Architecture and Technology
Services IT
CISCO Systems, Inc.
Alan Shimel
Moderator, Editor-in-Chief
DevOps.com
2
3. State of Application Security
Average time to
detect APT
256 days
Average cost of a
U.S. data breach
$6.5M
Percentage of breaches
due to Web attacks
40%
Sources:
IBM X-Force Threat Intelligence 2015; 2016 Verizon Data Breach Investigations Report; 2016 Cost of Data Breach Study: Global Analysis
Average size of a U.S.
data breach
30K records
3
4. Conversations & Challenges
How often should you think about
security in the SDLC? Are
automated DAST scans enough?
Should I stop my release in a
continuous delivery pipeline if my
critical vulnerabilities aren't fixed?
Can running SAST scans on each
build reduce my need to run DAST
scans?
Should my user stories for security be
incorporated in a sprint, or be a part of
my design?
Key:
SAST – Static Application Security Testing
DAST – Dynamic Application Security Testing
4
6. The Sec Ops Journey
Conversations that launched
with Agile
The Steps to
Cognitive Security
Examples of
Continuous Security
Continuous Security
at Cisco
Adapting to
Threats & Attacks
Together
6
6
7. Continuous Security Example #1
Architecture & Security Requirements
• Threat Modeling By Feature & Design - For
every major application re-design or major
feature change, Threat Models must be built
based on the application’s design changes
• Security assessments and User Stories Tie
in, where security assessments answer the
Who, Why and What of the feature and
application. Documented Security Design
Revisit of the data classification for data at
Rest, and Transit
• E.g.: Employee data on Company System
becomes Customer Data on Insurance System,
data changes classification from system to
system, depending on the consuming
application
• Application Profiling at the time of
Provisioning for baselining
7
8. Continuous Security Example #2
Running static security scans on GIT repo branches
is considered continuous security with:
• Code Tagging (E.g.: deployed code tags needs to have meta
data about the code) with insights into code patterns (E.g.:
Singleton Usages, Factory patterns etc. tied to security insights)
• Developer Behaviors (E.g.: Developers who code in JAVA
might need training in SQL Injections etc., novice developers
might need training in XSS)
• Code-branch Patterns (E.g.: Code reposes with fewer
branches might have more to catch as branched code might be
more modularized and secure)
• Vulnerability Trends (E.g.: HR apps have SQL Injections, while
Service X might have the most vulnerable code)
• Types of Languages used tied to type of data classification
(E.g.: Cisco is a big JAVA and PL/SQL Shop with movement
towards Apex and Angular etc.…)
8
9. Continuous Security Example #3
Automated DAST is seen as continuous security with security benchmarking
• Quality Pre-requisites for DAST – Can Deployment workflows check for Quality & Load Tests
before running DAST scans? (Have QA bugs been fixed so DAST is spending more time on the
security threat classes?)
• Are the DAST Test environments close to Production and stable enough for graceful recovery
from the DAST attacks (DMZ, Core Zone, Data Center, PaaS profile), especially in a continuous
environment? Example - Network latency of the source call of the DAST scan to the Application
Destination environment (Eg: India to Richardson)
9
10. Continuous Security Example #4
Management of Incident Response data
and mapping to application attacks,
environment attacks with:
• Pre-Deployment Security Posture and:
• SAST
• DAST
• Open Source Scanning
• App Profiling (Cloud native, hybrid, on premise etc.)
• Penetration Test Results
• Post-Deployment Security Posture of:
• Applications
• Data
• Environment
10
15. Continuous Security at Cisco
People &
Skillset
Technology &
Automation
Governance
& Audits
1. Continuous Education on
Process & Technology
2. In-Context Training as
opposed to On-Demand
3. Federated Security Personnel
in the functions
1. Watch the Market &
Developer world
2. Our eyes are on PaaS
changes and Developer
Tools & Technology
Changes
1. Bringing The Policy to the user
2. Moving Governance into the
Life Cycle – Start Right, rather
than shift left
3. Multi-Check Points
15
16. Journey to COGNITIVE
•Good
Domain
Knowledge
• Developer
Skill-Set will
range from
beginner to
seasoned
Simplify
• Process is
simple and
mature for
automation
•Intermediate
Skill-Set of
the
Developer
Automate
• Go from
multiple
sub-
systems to
digital
components
in streams
• Expert
Developer
Digitize
• Developer is
knowledgeable
enough on when
to apply machine
learning to enable
speed
• Adding Specific
Bots to address
bottlenecks is a
great way to ease
the experience
problem for
security tools &
their complexity
Machine
Learning
• Developer is
a Highly
Seasoned
with domain
expertise and
data
architectures
which then
leverage
cognitive
APIs for
Proactive
Security
Guidance
Cognitive
Process Complexity
Developer Skillset
16
17. Managing Risk Holistically
Comprehensive
attack surface
minimization
through insights
Bottoms up &
Top down
Vulnerability
management
Technology
ecosystem –
with Vendors
Always
remember the
application is
the front door -
Trained Ninjas
17
18. Key Resources to Learn More
18
• Forrester Report “Secure Applications at the Speed of DevOps”
• Gartner 2017 Magic Quadrant for Application Security Testing
• Forrester Total Economic Impact (TEI) Study
• E-Guide: 5 Steps to Achieve Risk-Based Application Security Management