Agile is maturing in delivering incremental change. We innovate through data-driven experiments, enabled by continuous delivery and evolutionary architectures. Delivering small and fast means we are introducing new vulnerabilities more frequently. We are also facing new threats that come from increased integration through cloud computing and the internet of things. Traditional cycles of penetration tests and code reviews cannot keep up with the accelerated delivery pace unless these processes are also automated. DevSecOps focuses on integrating security into our processes and teams. Automating security first and failing fast will help build security in, and will also support the growth of awareness in the teams. Kim will show the lessons learned from her journey to continuous security at ANVA, securing their open SaaS cloud platform for insurance software. Get an overview of the current continuous security landscape and the practical insights and pitfalls. And learn how security can be fun.
1. Continuous security
Kim van Wilgen
Schuberg Philis
@kimvanwilgen
nl.linkedin.com/kimvanwilgen
kimvanwilgen@gmail.com
www.kimvanwilgen.com
2. About me Kim van Wilgen
Customer director at Schuberg Philis
Former head of development at ANVA
Former head of IT at Klaverblad
Programming since 2018
@kimvanwilgen
nl.linkedin.com/kimvanwilgen
kimvanwilgen@gmail.com
www.kimvanwilgen.com
18. @kimvanwilgen | www.kimvanwilgen.com Continuous security
“I never once spoke with the security team
at Google. Not because they weren’t doing
their job, but exactly because they were
doing their job. They encoded their
expertise into self-service tools and
libraries, and we just used them ourselves”
Randy Shoup, WeWork
19. “When designing the software
architecture a security expert helps
to do a risk assessment early and
mitigate important risks by
design”
- Simon Brown -
20.
Continuous Delivery (CD) is a set of practices and principles
in software engineering aimed at building, testing and
releasing software faster and more frequently. They help
reduce the cost, time and risk of delivering changes, and
ultimately value, to customers by allowing for more
incremental changes to applications in production.
Wikipedia, 2017
21.
Continuous Security (CS) is a set of practices and principles
in software engineering aimed at building, testing and
releasing software faster and more frequently. They help
reduce the cost, time and risk of delivering changes, and
ultimately value, to customers by allowing for more
incremental changes to applications in production.
22.
Continuous Security (CS) is a set of practices and principles
in software engineering aimed at designing, developing,
testing and running software more securely. They help
reduce the cost, time and risk of delivering changes, and
ultimately value, to customers by allowing for more
incremental changes to applications in production.
23.
Continuous Security (CS) is a set of practices and principles
in software engineering aimed at designing, developing,
testing and running software more securely. They help
reduce the cost, time and risk of delivering integrity,
availability and data protection, and ultimately security, to
applications in production.
24.
Continuous Security (CS) is a set of practices and principles
in software engineering aimed at designing, developing,
testing and running software more securely. They help
reduce the cost, time and risk of delivering integrity,
availability and data protection, and ultimately security, to
applications in production. Continuous security is essential for
delivering Continuous Delivery.
28. Gartner DevSecOps Top 10
Have security champions
Don’t eliminate all risk
Driven by DevOps teams
Identify and remove first
Adapt your SAST & DAST
Eliminate known vulnerabilities
Immutable infrastructure
Detection of changes
Treat security tests as source code
Train for the basics
37.
SAST
Static Analysis Security Testing
SAST: source code or binary code testing for security
vulnerabilities, typically in the programming and/or
testing phases of the software life cycle (SLC).
Leaders: Checkmarx, Veracode, AppScan (IBM), Fortify
(Micro Focus), PT Application Inspector, Coverity
(Synopsys)
+ Finds problems early in the lifecycle, detailed feedback
- False positives & false negatives
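To make the trade-off on this slide concrete, here is a toy SAST rule, added as an example and not code from any of the tools listed; it parses Python with the standard ast module, and the sample it scans is constructed to contain a true positive, a false positive and a false negative:

```python
"""Minimal SAST-style rule, added as an illustration (not the tools named on
the slide). It scans Python source for two classic findings and shows why a
static check produces both false positives and false negatives."""
from __future__ import annotations
import ast
from dataclasses import dataclass

@dataclass
class Finding:
    rule: str
    line: int
    detail: str

SECRET_NAMES = {"password", "passwd", "secret", "api_key", "token"}

def scan(source: str) -> list[Finding]:
    """Flag string literals assigned to secret-like names and shell=True calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if (isinstance(target, ast.Name)
                        and target.id.lower() in SECRET_NAMES
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str)):
                    findings.append(Finding("hardcoded-secret", node.lineno, target.id))
        elif isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    findings.append(Finding("shell-true", node.lineno, ast.unparse(node.func)))
    return findings

# Constructed sample under test. Line 2: true positive. Line 3: false positive
# (an empty placeholder, not a real secret). Line 5: false negative (the literal
# hides behind a helper the rule does not follow). Line 6: true positive.
SAMPLE = '''import subprocess
password = "hunter2"
token = ""
def _k(): return "EXAMPLE-NOT-A-REAL-KEY"
api_key = _k()
subprocess.run("ls " + user_input, shell=True)
'''

def flagged_lines(source: str = SAMPLE) -> list[int]:
    """Line numbers the rule reports, in report order."""
    return [f.line for f in scan(source)]
```

The rule reports lines 2, 3 and 6 and misses line 5, which is exactly the "detailed feedback early, but with false positives and false negatives" trade-off the slide describes.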
38.
DAST
Dynamic Application Security Testing
DAST: security testing of the running application; simulates attacks
against an application or system (typically web-enabled
applications and services), analyzes the results and, thus,
determines whether it is vulnerable.
Leaders: Fortify, AppScan, ZAP, Qualys, Rapid7
+ Tests the application at runtime, realistic view
- More complex, harder to track, needs a running instance (slow)
41.
I’ve added over 100 security rules in
SonarQube and sent the top X screwups to the
team. They are more aware and will solve their
own issues.
Dominik, member of the ANVA security satellite team
42.
I enabled the dependency check. We had
hundreds of vulnerabilities. We solved them
within a day with critical upgrades and the
removal of obsolete dependencies.
Dominik, member of the ANVA security satellite team
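As an added illustration of the dependency check described on this slide (this is not OWASP dependency-check, SonarQube or the ANVA setup; package names, versions and advisory ids are constructed placeholders), a minimal check that fails the build when a pinned version falls inside a published vulnerable range:

```python
"""Minimal dependency check, added as an illustration (not OWASP
dependency-check or any other tool named on the slides). It compares a
constructed lock file with a constructed advisory list and fails the build
when a pinned version falls inside a vulnerable range."""
from __future__ import annotations
from dataclasses import dataclass

def parse_version(v: str) -> tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first vulnerable version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)
    advisory_id: str  # placeholder ids, not real CVE numbers

def is_vulnerable(version: str, adv: Advisory) -> bool:
    """Half-open range: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)

def check(lockfile: dict[str, str], advisories: list[Advisory]) -> list[str]:
    """One message per vulnerable pin; an empty list means the build may pass."""
    problems = []
    for adv in advisories:
        pinned = lockfile.get(adv.package)
        if pinned is not None and is_vulnerable(pinned, adv):
            problems.append(
                f"{adv.package}=={pinned} hit by {adv.advisory_id}; upgrade to >={adv.fixed}")
    return problems

# Constructed data: package names, versions and advisory ids are placeholders.
LOCKFILE = {"libfoo": "1.4.2", "libbar": "3.0.0", "libold": "0.9.1"}
ADVISORIES = [
    Advisory("libfoo", "1.0.0", "1.4.3", "ADV-EXAMPLE-1"),
    Advisory("libbar", "2.0.0", "3.0.0", "ADV-EXAMPLE-2"),  # pinned at the fix: clean
    Advisory("libold", "0.1.0", "1.0.0", "ADV-EXAMPLE-3"),  # obsolete pin, still vulnerable
    Advisory("libunused", "1.0.0", "2.0.0", "ADV-EXAMPLE-4"),  # not in the lock file
]

def build_passes(lockfile: dict[str, str] = LOCKFILE) -> bool:
    """Gate for a CI stage: True only when no pinned dependency is hit."""
    return not check(lockfile, ADVISORIES)
```

Treating the check as a build gate is what turns "hundreds of vulnerabilities" into a list the team can burn down with upgrades and removals, as the quote describes.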
44.
I’ve set up our internal learning platform with
WebGoat. We can now practice attacks and grow
awareness and knowledge of defences.
Michiel, member of the ANVA security satellite team
48.
Evil user stories
As a Malicious Hacker, I want to gain
access to this web application’s Cloud
Hosting account so that I can lock out
the legitimate owners and delete the
servers and their backups, to destroy
their entire business.
52.
Hack yourself first too
Chaos Engineering is the
discipline of experimenting on a
distributed system in order to
build confidence in the system’s
capability to withstand turbulent
conditions in production.
53.
“Thinking as an offender will show the real
threats to your application and grow
awareness from finding out how easy it is.”
Troy Hunt, MVP for developer
security and creator of ‘Have I
Been Pwned’
55.
One of the benefits of using containers, especially in microservices-based applications, is they make it easier to secure applications via runtime immutability—or never-changing—and applying least-privilege principles that limit what a container can do.
Tsvi Korren - Chief Solutions Architect at Aqua Security
63. Gartner DevSecOps Top 10
65. Sources
https://sdtimes.com/developers/gartners-guide-to-successful-devsecops/
https://cybersecurity.isaca.org/static-assets/documents/State-of-Cybersecurity-part-2-infographic_res_eng_0517.pdf
https://www.sans.org/reading-room/whitepapers/critical/continuous-security-implementing-critical-controls-devops-environment-36552
10 Things to Get Right for Successful DevSecOps, Gartner, 2017, ID G00341371
https://www.gartner.com/doc/reprints?id=1-4TI72Y2&ct=180320&st=sb
https://www.thoughtworks.com/radar/techniques
https://www.mmc.com/content/dam/mmc-web/Global-Risk-Center/Files/MMC-Cyber-Handbook_2016-web-final.pdf