4. DevOps is fertile ground for the concepts
driving the DHS-sponsored Build-Security-In portal
that Noopur Davis, Gary McGraw, and I launched a decade ago
DevOps = opportunity for security
5. As DevOps exponentially speeds
up the pace of development
Bolt-on security by security
specialists wonāt scale
ā¦ so security MUST be a primary
concern of the development team
7. LinkedIn.com/in/LarryMaccherone
What is DevOps?
ā¢ A new role?
ā¢ Partnership/communication/empathy between Dev and Ops?
ā¢ CI/CD tools?
ā¢ Automation?
ā¢ Self-service?
ā¢ Techniques like feature flags or traffic shaping?
ā¢ āMove fast and break thingsā?
ā¢ Culture change (systems thinking, continuous improvement, etc.)?
10. LinkedIn.com/in/LarryMaccherone
āI donāt always test
but when I do, itās
in productionā
Mature DevOps practices
1. Develop in trunk
ā¢ No long-lived branches
ā¢ Short branches for code review, build-
checking, time-intensive test suites,
security scanning, etc.
ā¢ Dead-end release branches OK
2. Partial/unvalidated features
behind toggles/flags and/or
traffic shaping
3. Automated validation ļ
automated push to prod
11. LinkedIn.com/in/LarryMaccherone
Feature toggles & traffic shaping
ā¢ Run-time switchable
ā¢ Database backed
ā¢ Also for safe-to-fail feature experiments
ā¢ Build/deploy time
ā¢ Common for micro-services & APIs
ā¢ Traffic shaping
ā¢ Rules engine + database backed
XRE Guideās
Application Discovery Service (ADS)
XRE Guideās
Redirector Traffic Shaping Router
15. LinkedIn.com/in/LarryMaccherone
Dev[Sec]Ops Results
ā¢ Dramatically faster time to market ļ
happier customers ļ more revenue
ā¢ 5x lower rate of failures caused by changes1
ā¢ 96x faster recovery from downtime failures1
Itās scary to QA and Security, but āmoving fast and breaking
thingsā leads to dramatically lower rates of customer
experienced defects and vulnerabilities
1Puppetās 2017 State of DevOps Report
16. Build security in
more than bolt it on
Rely on empowered engineering teams
more than security specialists
Implement features securely
more than security features
Rely on continuous learning
more than end-of-phase gates
Build on culture change
more than policy enforcement
DevSecOpsManifesto
17. We, the Security Teamā¦
Recognize that Engineering Teamsā¦
ā¢ Want to do the right thing
ā¢ Are closer to the business context and will
make smart trade-off decisions between
security and other risks
ā¢ Want information and assistance so they
can improve our security posture
Pledge toā¦
ā¢ Lower the cost/effort side
of any investment in
developer security tools or
practices
ā¢ Assist 2x as much with
preventative initiatives as
we beg for your assistance
reacting to security
incidents
Understand thatā¦
ā¢ We are no longer gate keepers but rather tool-smiths and advisors
20. Think of security testing tools
as just another testing suite
like those for
unit, acceptance, etc.
21. Dev[Sec]Ops Tool Landscape
Static Analysis (aka SAST)
ā¢ Looks at source code
ā¢ Data/control flow analysis
ā¢ Prone to false positives
ā¢ Rapid feedback for developers
ā¢ Code fix suggestions
Dynamic
ā¢ Exercises app via UI/API
ā¢ Senses vulnerability by response to input
ā¢ Zero? false positives. Report is an exploit
ā¢ High false negatives
ā¢ Difficult to implement especially w/ auth
ā¢ Sometimes hard to find code to remediate
Runtime Application
Security Protection
(RASP)
ā¢ Often uses same engine
as IAST
ā¢ Reports on ābadā
behavior
ā¢ Can abort transaction or
kill process to protect
Fuzzing (black box)
ā¢ Instruments system (to varying degrees)
ā¢ Sends unexpected input at API
ā¢ Looks at response and instrumentation output
ā¢ Great for testing protocols like SIP
ā¢ Good for REST APIs
ā¢ Potentially long run times
ā¢ Hard to find code to remediate
Software Composition
Analysis (SCA)
for code imported
ā¢ Identifies dependency and
version
ā¢ Checks CVE/NVD + ā¦ for
reported vulnerabilities
ā¢ Proposes version/patch to
remediate
ā¢ Checks license vs policy
ā¢ Runs fast
ā¢ Easy to implement
ā¢ Best bang for buck!
IAST
ā¢ Runtime code analysis
ā¢ Combine dynamic/static
ā¢ Low false positives
ā¢ Depends on test coverage
ā¢ Immature but getting there
22. Criteria for DevSecOps tools
ā¢ Integrated and runs fast in pipeline for current dev cycle:
ā¢ Parallelized with other test suites, orā¦
ā¢ In-series, orā¦
ā¢ Incremental parallelized/in-series from asynchronous baseline, orā¦
ā¢ Asynchronous out of pipeline for baseline/feedback for next dev cycle
ā¢ Notifications the way the team wants: Slack, email, report,
dashboard, etc.
ā¢ Interrupt the pipeline the way the team wants: break the build,
turn the merge button red, etc.
ā¢ Environment-specific (dev, staging, prod, etc.) āpolicyā
23. DevSecOps Tool recommendations
ā¢ SCA (aka dependency checkers, open source security scanners) are
the best bang for the buck/effort. START HERE
ā¢ Next implement IAST or SAST (together, we created a category
grouping these two called Primary Code Analysis). FAVOR IAST
ā¢ Embed in pipeline and treat like an additional test suite.
ā¢ For greenfield turn on all checkers and interrupt pipeline unless
automated security tests come up clean.
ā¢ For legacy, āstop the bleedingā by interrupting pipeline for NEW
issues and slowly turn up the interrupt policy until all legacy issues
are resolved. Plan to address all critical/high issues within 120 days.
26. ā¦ similar to what happened to QA
Engineers with the Agile movement
ā¦ they will join a
development team
ā¦ or they will become
tool-smiths and advisors