Continuous security
Agile is maturing in delivering incremental change. We innovate through data-driven experiments, enabled through continuous delivery and evolutionary architectures. Delivering small and fast means we are more frequently introducing new vulnerabilities. We are also facing new threats that come from increased integration through cloud computing and the internet of things. Traditional cycles of penetration tests and code reviews are not keeping up with the accelerated delivery pace unless these processes are also automated. DevSecOps focusses on integrating security in our processes and teams. Automating security first and failing fast will help build security in, and will also support the growth of awareness in the teams. Kim will show the lessons learned from her journey to Continuous security at ANVA, securing their open SaaS cloud platform for insurance software. Get an overview of the current continuous security landscape and the practical insights and pitfalls. And learn how security can be fun.

Continuous security

  1. Continuous security. Kim van Wilgen, Schuberg Philis. @kimvanwilgen nl.linkedin.com/kimvanwilgen kimvanwilgen@gmail.com www.kimvanwilgen.com
  2. About me: Kim van Wilgen. Customer director at Schuberg Philis. Former head of development at ANVA. Former head of IT at Klaverblad. Programming since 2018. @kimvanwilgen nl.linkedin.com/kimvanwilgen kimvanwilgen@gmail.com www.kimvanwilgen.com
  3. A 100% STORY: 100% CUSTOMER SATISFACTION
  4. Why focus on security?
  5. Boring, draining, hygiene
  6. With the hypes of agile and continuous delivery, focus shifted to speed… and nothing else
  7. Shifting panels - Cloud computing - Microservices architectures - IaaS, immutability, serverless - IoT, AI, machine learning
  8. Autonomous teams and T-, Pi- and Key-shaped people
  9. Why is it boring? Security roleplay or responsibility
  10. Security is not a core competence of developers
  11. Regulations (slide footer: @kimvanwilgen | www.kimvanwilgen.com Continuous security)
  12. Increasing threat levels
  13. The fourth industrial revolution? Terrorism, competitive advantage, business continuity
  14. Security all-in
  15. Shift left on security
  16. DevSecOps
  17. “I never once spoke with the security team at Google. Not because they weren’t doing their job, but exactly because they were doing their job. They encoded their expertise into self-service tools and libraries, and we just used them ourselves.” Randy Shoup, WeWork
  18. “When designing the software architecture a security expert helps to do a risk assessment early and mitigate important risks by design.” - Simon Brown -
  19. Continuous Delivery (CD) is a set of practices and principles in software engineering aimed at building, testing and releasing software faster and more frequently. They help reduce the cost, time and risk of delivering changes, and ultimately value, to customers by allowing for more incremental changes to applications in production. Wikipedia, 2017
  20. Continuous Security (CS) is a set of practices and principles in software engineering aimed at building, testing and releasing software faster and more frequently. They help reduce the cost, time and risk of delivering changes, and ultimately value, to customers by allowing for more incremental changes to applications in production.
  21. Continuous Security (CS) is a set of practices and principles in software engineering aimed at designing, developing, testing and running software more securely. They help reduce the cost, time and risk of delivering changes, and ultimately value, to customers by allowing for more incremental changes to applications in production.
  22. Continuous Security (CS) is a set of practices and principles in software engineering aimed at designing, developing, testing and running software more securely. They help reduce the cost, time and risk of delivering integrity, availability and data protection, and ultimately security, to applications in production.
  23. Continuous Security (CS) is a set of practices and principles in software engineering aimed at designing, developing, testing and running software more securely. They help reduce the cost, time and risk of delivering integrity, availability and data protection, and ultimately security, to applications in production. Continuous security is essential for delivering Continuous Delivery.
  24. DevSecOps 2018 / DevSecOps 2021
  25. Practical steps to start
  26. Let’s play!
  27. Gartner DevSecOps Top 10: (1) Have security champions, (2) Don’t eliminate all risk, (3) Driven by DevOps teams, (4) Identify and remove first, (5) Adapt your SAST & DAST, (6) Eliminate known vulnerabilities, (7) Immutable infrastructure, (8) Detection of changes, (9) Treat security tests as source code, (10) Train for the basics
  28. #1: Have security champions
  29. Security satellite team: 5 dev (1 architect, 2 devs, 2 testers), 3 ops
  30. Security board
  31. #2: Don’t eliminate all risk
  32. Risk- and cost-based security. Small tests and risk based.
  33. Alignment of security and business value by taking it to the teams
  34. #3: DevOps driven. Integration in the pipeline
  35. Automate first: • SAST • DAST • Proxy tools • Dependency checks • Custom scripts. Integration in the pipelines
  36. SAST (Static Analysis Security Testing): source code or binary code testing for security vulnerabilities, typically at the programming and/or testing software life cycle (SLC) phases. Leaders: Checkmarx, Veracode, AppScan (IBM), Fortify (Micro Focus), PT Application Inspector, Coverity (Synopsys). + Finds problems early in the lifecycle, detailed feedback. - False positives and false negatives.
  37. DAST (Dynamic Application Security Testing): running-state security testing; simulates attacks against an application or system (typically web-enabled applications and services), analyzes the results and thus determines whether it is vulnerable. Leaders: Fortify, AppScan, ZAP, Qualys, Rapid7. + Tests the application at runtime, realistic view. - More complex, harder to track, needs a running instance (slow).
  38. DAST: Zed Attack Proxy (ZAP)
  39. #4: Identify and remove: start small
  40. “I’ve added over 100 security rules in SonarQube and sent the top X screwups to the team. They are more aware and will solve their own issues.” Dominik, member of the ANVA security satellite team
  41. “I enabled the dependency check. We had hundreds of vulnerabilities. We solved them within a day with critical upgrades and the removal of obsolete dependencies.” Dominik, member of the ANVA security satellite team
  42. “I ran Docker Bench. We found privileges were too high and corrected them.” Dominik, member of the ANVA security satellite team
  43. “I’ve set up our internal learning platform with WebGoat. We can now practice attacks and grow awareness and knowledge of defences.” Michiel, member of the ANVA security satellite team
  44. #5: Adapt your SAST, DAST and security tests
  45. Learn and adapt first before you break the build
  46. Application Security Verification Standard: irrelevant / SAST / DAST / RAST / other. Train for risks we can’t automate
  47. Evil user stories: “As a Malicious Hacker, I want to gain access to this web application’s Cloud Hosting account so that I can lock out the legitimate owners and delete the servers and their backups, to destroy their entire business.”
  48. #6: Fix your vulnerabilities
  49. OWASP Dependency-Check: eliminate known vulnerabilities. 58 550 vulnerabilities
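Slide 35 (automate first, integrated in the pipeline) and slide 49 (dependency check, eliminate known vulnerabilities) together describe a gate that fails the build fast on known-vulnerable dependencies, while #2 asks not to eliminate all risk. The Python below is an added example, not ANVA's pipeline and not OWASP Dependency-Check's own code: it reads a constructed report (the `CVE-PLACEHOLDER-*` identifiers are placeholders, not real CVEs), blocks the build at or above a CVSS threshold, and honours only risk acceptances that carry a review date, so a waiver cannot quietly outlive the migration it was granted for. A real gate would first map the scanner's JSON or XML output onto the `Finding` fields; the Dependency-Check CLI also has its own `--failOnCVSS` threshold option for the simple case without acceptances.

```python
"""Fail-fast gate over a dependency-scan report.

Added example: not ANVA's pipeline and not OWASP Dependency-Check's own code.
The report rows and the accepted-risk list below are constructed; a real gate
would first map the scanner's JSON/XML output onto the Finding fields.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    dependency: str   # artifact coordinates as the scanner reports them
    cve: str          # vulnerability id from the scanner (placeholders below)
    cvss: float       # CVSS base score, 0.0 to 10.0


@dataclass(frozen=True)
class AcceptedRisk:
    cve: str
    reason: str
    expires: date     # every acceptance has a review date; none is open-ended


def blocking_findings(findings, accepted, *, fail_on_cvss, today):
    """Findings that must break the build.

    A finding blocks when its score reaches the threshold and no unexpired,
    written acceptance exists for its CVE. Expired acceptances are ignored,
    so a forgotten exception resurfaces instead of hiding the risk forever.
    """
    live = {a.cve for a in accepted if a.expires >= today}
    return [f for f in findings if f.cvss >= fail_on_cvss and f.cve not in live]


def expired_acceptances(accepted, *, today):
    """Acceptances past their review date; reported so the team renews or fixes."""
    return [a for a in accepted if a.expires < today]


def gate_exit_code(findings, accepted, *, fail_on_cvss, today):
    """0 lets the pipeline continue; 1 fails the build (fail fast)."""
    blocking = blocking_findings(findings, accepted, fail_on_cvss=fail_on_cvss, today=today)
    for f in blocking:
        print(f"BLOCK   {f.cve:<18} cvss={f.cvss:<4} {f.dependency}")
    for a in expired_acceptances(accepted, today=today):
        print(f"EXPIRED acceptance for {a.cve} on {a.expires}: {a.reason}")
    print(f"{len(findings)} findings, {len(blocking)} blocking at CVSS >= {fail_on_cvss}")
    return 1 if blocking else 0


# Constructed sample report; the identifiers are placeholders, not real CVEs.
TODAY = date(2019, 6, 1)
SAMPLE_FINDINGS = [
    Finding("org.example:lib-a:1.0.0", "CVE-PLACEHOLDER-1", 9.8),
    Finding("org.example:lib-b:2.3.1", "CVE-PLACEHOLDER-2", 7.5),
    Finding("org.example:lib-c:0.9.0", "CVE-PLACEHOLDER-3", 8.1),
    Finding("org.example:lib-d:4.2.0", "CVE-PLACEHOLDER-4", 4.3),
]
SAMPLE_ACCEPTED = [
    AcceptedRisk("CVE-PLACEHOLDER-2", "vulnerable code path not reachable; upgrade planned", date(2019, 12, 31)),
    AcceptedRisk("CVE-PLACEHOLDER-3", "temporary waiver during migration", date(2019, 1, 31)),
]

if __name__ == "__main__":
    raise SystemExit(gate_exit_code(SAMPLE_FINDINGS, SAMPLE_ACCEPTED, fail_on_cvss=7.0, today=TODAY))
```

Run as a pipeline step, a non-zero exit stops the build. With the sample data the gate blocks on two findings: the 9.8 with no acceptance, and the 8.1 whose waiver expired, which is exactly the case a plain severity threshold would let slip once someone had added a suppression and moved on.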
  50. Hack yourself first too. Chaos Engineering is the discipline of experimenting on a distributed system in order to build confidence in the system’s capability to withstand turbulent conditions in production.
  51. “Thinking as an offender will show the real threats of your application and grow awareness from finding out how easy it is.” Troy Hunt, MVP for developer security and creator of ‘Have I Been Pwned’
  52. #7: Immutable infrastructure
  53. “One of the benefits of using containers, especially in microservices-based applications, is they make it easier to secure applications via runtime immutability—or never-changing—and applying least-privilege principles that limit what a container can do.” Tsvi Korren, Chief Solutions Architect at Aqua Security
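Slide 42 (Docker Bench found privileges that were too high) and slide 53 (runtime immutability plus least privilege) both come down to checks on a container's runtime configuration. The Python below is an added example, not Docker Bench's code and not ANVA's: it audits a document shaped like a subset of `docker inspect` output for a container (the `HostConfig` and `Config` fields named in the code; both sample documents are constructed) for the settings that most often give a container more privilege than it needs, and treats a writable root filesystem as a finding because it is what makes in-place modification of a running container possible. A check like this can run in the pipeline against the container definition before it reaches production.

```python
"""Least-privilege audit of a container's runtime configuration.

Added example: not Docker Bench's code and not ANVA's. The input mirrors a
subset of `docker inspect` output for a container (HostConfig.Privileged,
HostConfig.ReadonlyRootfs, HostConfig.CapAdd, HostConfig.CapDrop, Config.User);
the two documents at the bottom are constructed for this example.
"""

# Capabilities that hand a container far more than most services need.
HIGH_RISK_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def _norm_caps(values):
    """Normalise 'CAP_SYS_ADMIN' / 'sys_admin' to 'SYS_ADMIN'; None becomes an empty set."""
    out = set()
    for cap in values or []:
        cap = cap.upper()
        out.add(cap[4:] if cap.startswith("CAP_") else cap)
    return out


def _runs_as_root(user):
    """Docker runs as uid 0 when User is empty, '0' or 'root', with or without a group suffix."""
    name = (user or "").strip().split(":", 1)[0]
    return name in ("", "0", "root")


def audit_container(inspect_doc):
    """Return a list of least-privilege findings; an empty list means the config passes."""
    host = inspect_doc.get("HostConfig") or {}
    cfg = inspect_doc.get("Config") or {}
    findings = []

    if host.get("Privileged"):
        findings.append("privileged mode: all capabilities and host device access")
    if _runs_as_root(cfg.get("User")):
        findings.append("runs as root: set a non-root USER in the image or at run time")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem: the running container can be modified in place")

    added = _norm_caps(host.get("CapAdd"))
    for cap in sorted(added & HIGH_RISK_CAPS):
        findings.append(f"high-risk capability added: {cap}")
    if "ALL" not in _norm_caps(host.get("CapDrop")):
        findings.append("default capability set kept: drop ALL and add back only what the service needs")
    return findings


# Constructed sample documents (not real inspect output).
WEAK_CONTAINER = {
    "Config": {"User": ""},
    "HostConfig": {"Privileged": True, "ReadonlyRootfs": False,
                   "CapAdd": ["SYS_ADMIN"], "CapDrop": None},
}
HARDENED_CONTAINER = {
    "Config": {"User": "10001:10001"},
    "HostConfig": {"Privileged": False, "ReadonlyRootfs": True,
                   "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"]},
}

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_CONTAINER), ("hardened", HARDENED_CONTAINER)):
        problems = audit_container(doc)
        print(f"{name}: {'PASS' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
```

The weak document produces five findings and the hardened one none. Reading the configuration rather than probing the running container keeps the check deterministic, so it can sit next to the build and block an image that regresses on any of these points.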
  54. #8: Detection of changes
  55. #9: Treat security tests as source code
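#9 treats a security test like any other test: versioned with the application, run on every pipeline run, and failing the build on regression. The Python below is an added example, not ANVA's code: the two WSGI apps and the response-header policy are constructed for illustration, and the thresholds (for instance the 180-day HSTS minimum) are assumptions to tune per application. The app is invoked in-process, without a network, so the test is fast enough to live alongside the unit tests instead of in a separate, occasionally-run scan.

```python
"""Security regression test that lives next to the application code.

Added example, not ANVA's code. The two WSGI apps and the header policy are
constructed for illustration; the thresholds are assumptions to tune per app.
The app is called in-process, so the test runs offline on every pipeline run.
"""
import unittest
from io import BytesIO

HSTS_MIN_AGE = 180 * 24 * 3600  # assumed minimum max-age: 180 days


def call_wsgi(app, path="/"):
    """Invoke a WSGI app once without a network; return (status, header list)."""
    environ = {
        "REQUEST_METHOD": "GET", "PATH_INFO": path, "SERVER_NAME": "localhost",
        "SERVER_PORT": "443", "SERVER_PROTOCOL": "HTTP/1.1",
        "wsgi.url_scheme": "https", "wsgi.input": BytesIO(b""),
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    body = app(environ, start_response)
    if hasattr(body, "close"):
        body.close()
    return captured["status"], captured["headers"]


def _max_age(hsts_value):
    """Parse max-age out of a Strict-Transport-Security value; None if absent."""
    for directive in hsts_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            return int(value)
    return None


def header_violations(headers):
    """Return policy violations for a response header list (empty = compliant)."""
    h = {name.lower(): value for name, value in headers}
    problems = []

    age = _max_age(h.get("strict-transport-security", ""))
    if age is None or age < HSTS_MIN_AGE:
        problems.append("strict-transport-security missing or max-age below policy")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        problems.append("x-content-type-options must be nosniff")
    csp = h.get("content-security-policy", "")
    if not csp:
        problems.append("content-security-policy missing")
    elif "frame-ancestors" not in csp and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        problems.append("no clickjacking protection (frame-ancestors or x-frame-options)")
    if any(ch.isdigit() for ch in h.get("server", "")):
        problems.append("server header discloses a version")
    return problems


def legacy_app(environ, start_response):
    """Constructed 'before' app: no security headers and a versioned Server banner."""
    start_response("200 OK", [("Content-Type", "text/html"), ("Server", "ExampleServer/1.2.3")])
    return [b"<html>hello</html>"]


def hardened_app(environ, start_response):
    """Constructed 'after' app: the headers the policy expects."""
    start_response("200 OK", [
        ("Content-Type", "text/html"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ])
    return [b"<html>hello</html>"]


class SecurityHeaderTest(unittest.TestCase):
    """Runs with the unit tests; a regression in the headers fails the build."""

    def test_hardened_app_meets_policy(self):
        status, headers = call_wsgi(hardened_app)
        self.assertEqual(status, "200 OK")
        self.assertEqual(header_violations(headers), [])

    def test_legacy_app_is_caught(self):
        _, headers = call_wsgi(legacy_app)
        self.assertEqual(len(header_violations(headers)), 4)


if __name__ == "__main__":
    unittest.main()
```

Because the policy is code, a change to it goes through the same review as any other change, and the feedback loop (slide 60's "feedback from detection") closes in the pull request rather than in a report weeks later.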
  56. #10: Train for the basics
  57. Automate security features and scan against bugs and vulnerabilities. Check for logical flaws manually, educate and automate them.
  58. Academy sessions
  59. OWASP WebGoat project
  60. Overview of Continuous Security - Automation: SAST, DAST, proxy tools, custom scripts, dependency checks - Knowledge: training, feedback from detection - Detection: hack yourself first, external pentesting - Defence: immutable infrastructure, detect changes
  61. Gartner DevSecOps Top 10 (recap): (1) Have security champions, (2) Don’t eliminate all risk, (3) Driven by DevOps teams, (4) Identify and remove first, (5) Adapt your SAST & DAST, (6) Eliminate known vulnerabilities, (7) Immutable infrastructure, (8) Detection of changes, (9) Treat security tests as source code, (10) Train for the basics
  62. References and questions. www.kimvanwilgen.com @kimvanwilgen kimvanwilgen@gmail.com
  63. Sources:
     - https://sdtimes.com/developers/gartners-guide-to-successful-devsecops/
     - https://cybersecurity.isaca.org/static-assets/documents/State-of-Cybersecurity-part-2-infographic_res_eng_0517.pdf
     - https://www.sans.org/reading-room/whitepapers/critical/continuous-security-implementing-critical-controls-devops-environment-36552
     - 10 Things to Get Right for Successful DevSecOps, Gartner, 2017, IDG00341371: https://www.gartner.com/doc/reprints?id=1-4TI72Y2&ct=180320&st=sb
     - https://www.thoughtworks.com/radar/techniques
     - https://www.mmc.com/content/dam/mmc-web/Global-Risk-Center/Files/MMC-Cyber-Handbook_2016-web-final.pdf