SlideShare a Scribd company logo

Executive's Guide to Secure DevSecOps

Download as PPTX, PDF
Security Innovation
Security Innovation

DevOps brings the potential of faster time to market and higher quality software applications. But to accelerate adoption or realize its full benefit, organizations need to adapt to the policy, staff, and technology changes that inherently accompany it. Join us for an educational webinar that examines DevOps from an implementation and risk perspective and how to minimize organizational impact. Topics include: * What’s the difference? DevOps vs. other development approaches * Third-party risk: COTS, open source, and cloud * Implications of accelerated development and automation * Making room for DevOps: organizational changes

Technology
1 of 33
1
2 • Securing software in all the challenging places…. • ….while helping clients get smarter Assessment: show me the gaps Standards: set goals and make it easy Education: help me make good decisions Over 3 Million Users Authored 18 Books Named 6x Gartner MQ About Security Innovation
3 • CEO by day; engineer by trade (and heart) • Mechanical Engineer, Software Engineer • Ponemon Institute Fellow • Privacy by Design Ambassador, Canada • In younger days, built non-lethal weapons systems for Federal Government About Me
4 Agenda  DevOps vs. Traditional Approaches  DevSecOps in Practice  Managing / Making Room for DevOps
5 DevOps vs. DevSecOps • DevOps Set of practices that automates the processes between development and IT operations teams to build and release software quickly and consistently • DevSecOps Improved collaboration, streamlined feedback, and faster cycles to address security issues
6 • DevOps includes the same ol’ security engineering activities • Harden design, reduce attack surface, code defensively • Perform Code Reviews, Pen Tests, & Deployment Reviews • However… • Done more iteratively with an emphasis on early stage • Introduce more automation and different toolsets • Security is everyone’s job, roles more blurred • Which means you need • Clearly defined policies and easy-to-audit configurations • Ability to scale or rollback configurations when required • Cross functional skills and normalized communication language Familiar Friend
7 Treating Everything as Code • With “Infrastructure as Code” think of everything in a software-defined way • Servers (usually VMs and/or cloud instance) • Containers • Application stacks • “Networks” • Roles/Privileges/Access models • Security needs to be defined in this way, too • More visible, easier to audit, simpler to reproduce, quicker to find issues • Hardened Dockerfiles, Chef cookbooks, digital certificates, hardening scripts, firewall configurations, Cloud-Config files, user permissions
88 DevSecOps in Practice
9 Planning • Similar to any security planning • Threat Modeling, policy development, security assurance models • Sets the stage for integrating security into deployment pipeline • Determine tooling • Test acceptance criteria (note: you need security defect classification) • Give guidance to development and operations teams • Challenge is to inject enough security but don’t obstruct • Risk to overwhelm with unnecessary false positives • Integrate key (and well-defined) checkpoints specific and sufficient to each phase Tip: lack of proper planning in DevOps  inability to execute; slower throughput
10 Coding Phase • Ensure developers are working in secure environments • Virtual Machines, containers, VPNs, etc expand your attack surface • Leverage tools to find and prevent common security mistakes • Know how to handle passwords, API keys, private certificates, and other secrets • At code commit, focus checks on most severe security issues • e.g. hard-coded secrets or API info developers may have left in the code • Determine defect saturation that “breaks the build” (need plan/policy for this)
11 Build • Check for vulnerabilities in 3rd party components and dependencies • Software composition analysis useful here • 70-90% of enterprise applications are 3rd party and/or open-source software • Break the build for high risk publicly disclosed 3rd party vulnerabilities? • Good time to gather metrics and digitally sign/store build-time artifacts • Tip: policies around what’s a “high risk” vulnerability are important • Did I mention defect classification 2 slides ago? 
12 Test • At this point obvious bugs were found with automated tests … right? • Manual checks for critical vulnerabilities ID’s in threat model(s) • Tools: • Static Analysis Security Testing (SAST) – scans for bad coding errors • Dynamic application security testing (DAST) - tests app in “deployed” environment • Interactive application security testing (IAST) - interacts with the app UI controls and APIs • Fuzzing: feed irregular characters and data lengths to identify error handling flaws • Also test OS/cloud configurations, databases, hardening scripts, certificates, etc. • Over time, most testing will be verifying and documenting policy compliance
13 Deploy • Once application is approved for deployment, release team green-lights • Security team performs deployment-related security steps: • Create or update “secrets” – check for leaks and clues left • Document what was updated and by whom • Produce compliance documentation and final security scans • Perform final configuration and hardening • Determine authenticity (e.g. code signing) and versions of 3rd party apps/components • Create communication ports matrix so DevOps can configure firewall and spot unusual traffic • Tip: while there are generally accepted deployment checks, they need to be contextual to your environment and data
14 Operate & Monitor • Continuous feedback loops are what makes DevOps effective • In addition to traditional bug reports, error logs, and telemetry, include: • Pen testing reports (these may look different than traditional pen tests) • Monitoring metrics • User-reported issues • Vulnerability reports, path and update notifications • Intrusion detection, antivirus, and SIEM alerts • Tip: this is why policy is good
1515 Making Room for DevSecOps
16 Make Way for DevOps Need to consider changes to: • 3rd-party Software • Staff Skills • Governance, Policies, and Standards • Risk Assessment • Change Management/Control • Shifting Security Left • Security as Code
17 COTS and OSS: Co-Owning the Software Still need documented steps and standards to follow along properly SLA SLA Configure (cloud services/infrastructure) Your data OSS/GitHub Buy
18 Assessing 3rd party/COTS software • Can’t just rely on patching. Anticipate deployed scenario weaknesses • You don’t have access to source code to fix vulnerabilities • This makes risk mitigation tedious … but achievable • Cloud • Wonderful scale and “turn-key” operations • Loads of (new) deployment configuration issues to consider • Info gathered from assessments… • Improve the supply chain procurement processes • Inform the supply chain risk management process • Serve as foundation for additional testing or SLA conversations
19 DevSecOps Requires New Skills Focus Coding skills Orchestration/automation tools Secrets management Hardening systems Privilege control Web/micro services APIs (often RESTful and lightweight) Scalable Cloud Infrastructure (software- defined environments) Virtualization/containers Hypervisor lockdown Virtual and software-defined networking Container lockdown and scanning Ruby, Python, React, Shell Scripting, etc
20 Sample Skills While each role needs to understand fundamentals of secure development, privacy protection, and cloud infrastructure, additional job specific training is needed Product Owners • Mitigate risk in supporting the application • Safeguard data based on application, infrastructure and operating environment Cloud Architect • Securely design application deployed on cloud infrastructure • Analyze implementation options for core features • Analyze configuration options for architectural frameworks, API gateways, microservices Code Release Manager • Detect and mitigate insecure interfaces and APIs • Prevent common vulnerabilities • Recognize insufficient identity controls and insecure or out-of-date dependencies Site Reliability Engineers (SREs) • Understand how adverse events like Denial of Service (DoS) attacks affect availability • Implement application whitelisting and apply least privileged access to data Automation Engineers • Leverage automation without compromising security • Conduct vulnerability assessments
21 Key to Staff Competency • As roles bleed into one another through collaboration, individuals need wider breadth of knowledge • Risk watering down deep technical competence in the trenches Prevent Jack of All Trades • Create a core set of common knowledge • Security principles, regulatory concerns, infrastructure issues, commonly used tools Don’t make everyone security experts • Developers today are using open-source libraries, spinning up servers, containers, and otherwise self-provisioning infrastructure • Training often focused just on “writing” secure code Consider evolving Developer role
22 Accelerating Success with DevOps Security Champions • InfoSec team can help, but not scalable • Practitioners that serve as mentors • Determine when to engage the security team • Single point of contact w/in their group • Clearly define goals and responsibilities • Conduct and/or verify security reviews • Guard and promote “best practices” • Raise issues for risks in existing/new software • Build threat models for new features • Should be knowledgeable (and passionate) about software engineering Gartner Report: 3 Steps to Integrate Security Into DevOps: https://web.securityinnovation.com/gartner-report-devops
23 Good Security Hygiene Begins with Good Policy • There are many aspects of governance to consider • Security policies • Procurement and risk assessment practices • Change management and control • What goes into a policy? • Acceptable cloud deployment models/practices • Data types that can and cannot go to the cloud • Key/credential/data protection requirements • APIs documentation • Logging and monitoring • Compliance requirements
24 Ensure Policies are Tailored for…. DevOps Network, Infrastructure, and Software security Especially secure build/dev standards Cloud platforms How Amazon IAM users/groups should be configured Proper use, distribution and storage of cloud API keys COTS supply chain Acceptance policy and culpability Eliminate need for inspection on a mass basis by ensuring quality in each component (built or supplied)
25 Risk Assessment • At each checkpoint perform checks applicable to that stage • As deployment progresses, checks evolve from simple automated pattern matching to more complex human-driven • e.g., DAST scan  Penetration Testing / Red Teaming • Can be run in parallel as you cycle through the DevOps “figure 8” • Procurement / Risk Assessment • Early: static and dynamic code analysis • Early: defined libraries and configs • Later: monitoring and control in instances • Later: SLA-based acceptance testing
26 Change Control • Too heavy-handed sign-off process slows speed to release • Micro change management; policy driven; importance of planning Traditional change control often falls apart in a DevOps model • Which changes need traditional tracking • Which changes can be “log and review” • Review cycles and review board groups • Daily defect triage teams with filtered/streamlined reviews Security professionals need to work with DevOps to determine:
27 Hardening Design • Define policies for components, networks, and more • Configurations (Puppet, Chef) • App deployment and automation (Ansible, Jenkins) • Orchestration, automation and cloud provider tools • These will be specific use cases and requirements: • Input validation for app X • Use of TLS for all communications • Hardening to CIS Benchmark standards • Implement in code or via policy files • Threat models developed early useful here
28 Security as Code • Testing tools can simplify policy validation • Coordinate penetration tests and routine checks to validate policies’ effectiveness • Are only required ports open? • Are credentials secured? • Are encryption keys secured? • Are privileges assigned properly? • Re-usable test scripts to validate no security regressions • Also aids with consistency; quickly ID’s undocumented change
29 Summary • Secure DevOps solves some plaguing issues: • Lack of cross-functional knowledge between build and deployed state • Security slowing down ability to get features out the door • Streamlines communications from the customer to the product owner • Success of DevOps relies on 3 key principles • Automate what can be done faster than humans • Understand where manual inspection is needed • Balance tools, knowledge, and process – can’t rely too heavily on one
30 How Can We Help? DevOps/SDLC Risk Review • Fill compliance gaps with tools, activities and skills • Roadmap with optimal sequencing Computer Based Training • Specific to DevOps roles • Covers all major technologies, roles, frameworks Cyber Range • Turn-key, fun • Automated scoring • Real-world applications, platforms, systems
31 Cyber Range: Build Cross-Functional Security Skills • Experts predict a shortage of 3.5 million cybersecurity professionals for 2021* • Hard to build a strong DevOps outfit without expertise to support it • Quickly and accurately identify security champions *https://www.csoonline.com/article/3200024/security/cybersecurity-labor-crunch-to-hit-35-million-unfilled-jobs-by-2021.html Commercial Ranges Free Range: InstaFriends Community.securityinnovation.com
32 Questions?
33 www.securityinnovation.com Thank You!

Recommended

Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the CloudSecurity Innovation
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Security Innovation
 
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Security Innovation
 
Protecting Sensitive Data (and be PCI Compliant too!)
Protecting Sensitive Data (and be PCI Compliant too!)Protecting Sensitive Data (and be PCI Compliant too!)
Protecting Sensitive Data (and be PCI Compliant too!)Security Innovation
 
5 Ways To Train Security Champions
5 Ways To Train Security Champions5 Ways To Train Security Champions
5 Ways To Train Security ChampionsSecurity Innovation
 
Aligning Application Security to Compliance
Aligning Application Security to ComplianceAligning Application Security to Compliance
Aligning Application Security to ComplianceSecurity Innovation
 
How to Hijack a Pizza Delivery Robot with Injection Flaws
How to Hijack a Pizza Delivery Robot with Injection FlawsHow to Hijack a Pizza Delivery Robot with Injection Flaws
How to Hijack a Pizza Delivery Robot with Injection FlawsSecurity Innovation
 
How an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software SystemsHow an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software SystemsSecurity Innovation
 

Recommended

Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the CloudSecurity Innovation
 
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W...Security Innovation
 
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Security Innovation
 
Protecting Sensitive Data (and be PCI Compliant too!)
Protecting Sensitive Data (and be PCI Compliant too!)Protecting Sensitive Data (and be PCI Compliant too!)
Protecting Sensitive Data (and be PCI Compliant too!)Security Innovation
 
5 Ways To Train Security Champions
5 Ways To Train Security Champions5 Ways To Train Security Champions
5 Ways To Train Security ChampionsSecurity Innovation
 
Aligning Application Security to Compliance
Aligning Application Security to ComplianceAligning Application Security to Compliance
Aligning Application Security to ComplianceSecurity Innovation
 
How to Hijack a Pizza Delivery Robot with Injection Flaws
How to Hijack a Pizza Delivery Robot with Injection FlawsHow to Hijack a Pizza Delivery Robot with Injection Flaws
How to Hijack a Pizza Delivery Robot with Injection FlawsSecurity Innovation
 
How an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software SystemsHow an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software SystemsSecurity Innovation
 
Opening the Talent Spigot to Securing our Digital Future
Opening the Talent Spigot to Securing our Digital FutureOpening the Talent Spigot to Securing our Digital Future
Opening the Talent Spigot to Securing our Digital FutureSecurity Innovation
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart WaySecurity Innovation
 
Slashing Your Cloud Risk: 3 Must-Do's
Slashing Your Cloud Risk: 3 Must-Do'sSlashing Your Cloud Risk: 3 Must-Do's
Slashing Your Cloud Risk: 3 Must-Do'sSecurity Innovation
 
A Fresh, New Look for CMD+CTRL Cyber Range
A Fresh, New Look for CMD+CTRL Cyber RangeA Fresh, New Look for CMD+CTRL Cyber Range
A Fresh, New Look for CMD+CTRL Cyber RangeSecurity Innovation
 
Security Testing for IoT Systems
Security Testing for IoT SystemsSecurity Testing for IoT Systems
Security Testing for IoT SystemsSecurity Innovation
 
Cyber Ranges: A New Approach to Security
Cyber Ranges: A New Approach to SecurityCyber Ranges: A New Approach to Security
Cyber Ranges: A New Approach to SecuritySecurity Innovation
 
Is Blockchain Right for You? The Million Dollar Question
Is Blockchain Right for You? The Million Dollar QuestionIs Blockchain Right for You? The Million Dollar Question
Is Blockchain Right for You? The Million Dollar QuestionSecurity Innovation
 
Privacy: The New Software Development Dilemma
Privacy: The New Software Development DilemmaPrivacy: The New Software Development Dilemma
Privacy: The New Software Development DilemmaSecurity Innovation
 
Privacy Secrets Your Systems May Be Telling
Privacy Secrets Your Systems May Be TellingPrivacy Secrets Your Systems May Be Telling
Privacy Secrets Your Systems May Be TellingSecurity Innovation
 
Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?Security Innovation
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythSecurity Innovation
 
Threat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to VulnerabilitiesThreat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to VulnerabilitiesSecurity Innovation
 
GDPR: The Application Security Twist
GDPR: The Application Security TwistGDPR: The Application Security Twist
GDPR: The Application Security TwistSecurity Innovation
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseSecurity Innovation
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
HTML5 - The Promise & The Peril
HTML5 - The Promise & The PerilHTML5 - The Promise & The Peril
HTML5 - The Promise & The PerilSecurity Innovation
 
Hacking iOS Applications: A Detailed Testing Guide
Hacking iOS Applications: A Detailed Testing GuideHacking iOS Applications: A Detailed Testing Guide
Hacking iOS Applications: A Detailed Testing GuideSecurity Innovation
 
How to Get the Most Out of Security Tools
How to Get the Most Out of Security ToolsHow to Get the Most Out of Security Tools
How to Get the Most Out of Security ToolsSecurity Innovation
 
Threat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskThreat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskSecurity Innovation
 
Car Cybersecurity: The Gap Still Exists
Car Cybersecurity: The Gap Still ExistsCar Cybersecurity: The Gap Still Exists
Car Cybersecurity: The Gap Still ExistsSecurity Innovation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 

More Related Content

More from Security Innovation

Opening the Talent Spigot to Securing our Digital Future
Opening the Talent Spigot to Securing our Digital FutureOpening the Talent Spigot to Securing our Digital Future
Opening the Talent Spigot to Securing our Digital FutureSecurity Innovation
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart WaySecurity Innovation
 
Slashing Your Cloud Risk: 3 Must-Do's
Slashing Your Cloud Risk: 3 Must-Do'sSlashing Your Cloud Risk: 3 Must-Do's
Slashing Your Cloud Risk: 3 Must-Do'sSecurity Innovation
 
A Fresh, New Look for CMD+CTRL Cyber Range
A Fresh, New Look for CMD+CTRL Cyber RangeA Fresh, New Look for CMD+CTRL Cyber Range
A Fresh, New Look for CMD+CTRL Cyber RangeSecurity Innovation
 
Security Testing for IoT Systems
Security Testing for IoT SystemsSecurity Testing for IoT Systems
Security Testing for IoT SystemsSecurity Innovation
 
Cyber Ranges: A New Approach to Security
Cyber Ranges: A New Approach to SecurityCyber Ranges: A New Approach to Security
Cyber Ranges: A New Approach to SecuritySecurity Innovation
 
Is Blockchain Right for You? The Million Dollar Question
Is Blockchain Right for You? The Million Dollar QuestionIs Blockchain Right for You? The Million Dollar Question
Is Blockchain Right for You? The Million Dollar QuestionSecurity Innovation
 
Privacy: The New Software Development Dilemma
Privacy: The New Software Development DilemmaPrivacy: The New Software Development Dilemma
Privacy: The New Software Development DilemmaSecurity Innovation
 
Privacy Secrets Your Systems May Be Telling
Privacy Secrets Your Systems May Be TellingPrivacy Secrets Your Systems May Be Telling
Privacy Secrets Your Systems May Be TellingSecurity Innovation
 
Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?Security Innovation
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythSecurity Innovation
 
Threat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to VulnerabilitiesThreat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to VulnerabilitiesSecurity Innovation
 
GDPR: The Application Security Twist
GDPR: The Application Security TwistGDPR: The Application Security Twist
GDPR: The Application Security TwistSecurity Innovation
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseSecurity Innovation
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Hacking iOS Applications: A Detailed Testing Guide
Hacking iOS Applications: A Detailed Testing GuideHacking iOS Applications: A Detailed Testing Guide
Hacking iOS Applications: A Detailed Testing GuideSecurity Innovation
 
How to Get the Most Out of Security Tools
How to Get the Most Out of Security ToolsHow to Get the Most Out of Security Tools
How to Get the Most Out of Security ToolsSecurity Innovation
 
Threat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskThreat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskSecurity Innovation
 
Car Cybersecurity: The Gap Still Exists
Car Cybersecurity: The Gap Still ExistsCar Cybersecurity: The Gap Still Exists
Car Cybersecurity: The Gap Still ExistsSecurity Innovation
 

More from Security Innovation (20)

Opening the Talent Spigot to Securing our Digital Future
Opening the Talent Spigot to Securing our Digital FutureOpening the Talent Spigot to Securing our Digital Future
Opening the Talent Spigot to Securing our Digital Future
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart Way
 
Slashing Your Cloud Risk: 3 Must-Do's
Slashing Your Cloud Risk: 3 Must-Do'sSlashing Your Cloud Risk: 3 Must-Do's
Slashing Your Cloud Risk: 3 Must-Do's
 
A Fresh, New Look for CMD+CTRL Cyber Range
A Fresh, New Look for CMD+CTRL Cyber RangeA Fresh, New Look for CMD+CTRL Cyber Range
A Fresh, New Look for CMD+CTRL Cyber Range
 
Security Testing for IoT Systems
Security Testing for IoT SystemsSecurity Testing for IoT Systems
Security Testing for IoT Systems
 
Cyber Ranges: A New Approach to Security
Cyber Ranges: A New Approach to SecurityCyber Ranges: A New Approach to Security
Cyber Ranges: A New Approach to Security
 
Is Blockchain Right for You? The Million Dollar Question
Is Blockchain Right for You? The Million Dollar QuestionIs Blockchain Right for You? The Million Dollar Question
Is Blockchain Right for You? The Million Dollar Question
 
Privacy: The New Software Development Dilemma
Privacy: The New Software Development DilemmaPrivacy: The New Software Development Dilemma
Privacy: The New Software Development Dilemma
 
Privacy Secrets Your Systems May Be Telling
Privacy Secrets Your Systems May Be TellingPrivacy Secrets Your Systems May Be Telling
Privacy Secrets Your Systems May Be Telling
 
Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" Myth
 
Threat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to VulnerabilitiesThreat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to Vulnerabilities
 
GDPR: The Application Security Twist
GDPR: The Application Security TwistGDPR: The Application Security Twist
GDPR: The Application Security Twist
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the Chase
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
HTML5 - The Promise & The Peril
HTML5 - The Promise & The PerilHTML5 - The Promise & The Peril
HTML5 - The Promise & The Peril
 
Hacking iOS Applications: A Detailed Testing Guide
Hacking iOS Applications: A Detailed Testing GuideHacking iOS Applications: A Detailed Testing Guide
Hacking iOS Applications: A Detailed Testing Guide
 
How to Get the Most Out of Security Tools
How to Get the Most Out of Security ToolsHow to Get the Most Out of Security Tools
How to Get the Most Out of Security Tools
 
Threat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskThreat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security Risk
 
Car Cybersecurity: The Gap Still Exists
Car Cybersecurity: The Gap Still ExistsCar Cybersecurity: The Gap Still Exists
Car Cybersecurity: The Gap Still Exists
 

Recently uploaded

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 

Recently uploaded (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Executive's Guide to Secure DevSecOps

  • 1. 1
  • 2. 2 • Securing software in all the challenging places…. • ….while helping clients get smarter Assessment: show me the gaps Standards: set goals and make it easy Education: help me make good decisions Over 3 Million Users Authored 18 Books Named 6x Gartner MQ About Security Innovation
  • 3. 3 • CEO by day; engineer by trade (and heart) • Mechanical Engineer, Software Engineer • Ponemon Institute Fellow • Privacy by Design Ambassador, Canada • In younger days, built non-lethal weapons systems for Federal Government About Me
  • 4. 4 Agenda  DevOps vs. Traditional Approaches  DevSecOps in Practice  Managing / Making Room for DevOps
  • 5. 5 DevOps vs. DevSecOps • DevOps Set of practices that automates the processes between development and IT operations teams to build and release software quickly and consistently • DevSecOps Improved collaboration, streamlined feedback, and faster cycles to address security issues
  • 6. 6 • DevOps includes the same ol’ security engineering activities • Harden design, reduce attack surface, code defensively • Perform Code Reviews, Pen Tests, & Deployment Reviews • However… • Done more iteratively with an emphasis on early stage • Introduce more automation and different toolsets • Security is everyone’s job, roles more blurred • Which means you need • Clearly defined policies and easy-to-audit configurations • Ability to scale or rollback configurations when required • Cross functional skills and normalized communication language Familiar Friend
  • 7. 7 Treating Everything as Code • With “Infrastructure as Code” think of everything in a software-defined way • Servers (usually VMs and/or cloud instance) • Containers • Application stacks • “Networks” • Roles/Privileges/Access models • Security needs to be defined in this way, too • More visible, easier to audit, simpler to reproduce, quicker to find issues • Hardened Dockerfiles, Chef cookbooks, digital certificates, hardening scripts, firewall configurations, Cloud-Config files, user permissions
  • 9. 9 Planning • Similar to any security planning • Threat Modeling, policy development, security assurance models • Sets the stage for integrating security into deployment pipeline • Determine tooling • Test acceptance criteria (note: you need security defect classification) • Give guidance to development and operations teams • Challenge is to inject enough security but don’t obstruct • Risk to overwhelm with unnecessary false positives • Integrate key (and well-defined) checkpoints specific and sufficient to each phase Tip: lack of proper planning in DevOps  inability to execute; slower throughput
  • 10. 10 Coding Phase • Ensure developers are working in secure environments • Virtual Machines, containers, VPNs, etc expand your attack surface • Leverage tools to find and prevent common security mistakes • Know how to handle passwords, API keys, private certificates, and other secrets • At code commit, focus checks on most severe security issues • e.g. hard-coded secrets or API info developers may have left in the code • Determine defect saturation that “breaks the build” (need plan/policy for this)
  • 11. 11 Build • Check for vulnerabilities in 3rd party components and dependencies • Software composition analysis useful here • 70-90% of enterprise applications are 3rd party and/or open-source software • Break the build for high risk publicly disclosed 3rd party vulnerabilities? • Good time to gather metrics and digitally sign/store build-time artifacts • Tip: policies around what’s a “high risk” vulnerability are important • Did I mention defect classification 2 slides ago? 
  • 12. 12 Test • At this point obvious bugs were found with automated tests … right? • Manual checks for critical vulnerabilities ID’s in threat model(s) • Tools: • Static Analysis Security Testing (SAST) – scans for bad coding errors • Dynamic application security testing (DAST) - tests app in “deployed” environment • Interactive application security testing (IAST) - interacts with the app UI controls and APIs • Fuzzing: feed irregular characters and data lengths to identify error handling flaws • Also test OS/cloud configurations, databases, hardening scripts, certificates, etc. • Over time, most testing will be verifying and documenting policy compliance
  • 13. 13 Deploy • Once application is approved for deployment, release team green-lights • Security team performs deployment-related security steps: • Create or update “secrets” – check for leaks and clues left • Document what was updated and by whom • Produce compliance documentation and final security scans • Perform final configuration and hardening • Determine authenticity (e.g. code signing) and versions of 3rd party apps/components • Create communication ports matrix so DevOps can configure firewall and spot unusual traffic • Tip: while there are generally accepted deployment checks, they need to be contextual to your environment and data
  • 14. 14 Operate & Monitor • Continuous feedback loops are what makes DevOps effective • In addition to traditional bug reports, error logs, and telemetry, include: • Pen testing reports (these may look different than traditional pen tests) • Monitoring metrics • User-reported issues • Vulnerability reports, path and update notifications • Intrusion detection, antivirus, and SIEM alerts • Tip: this is why policy is good
  • 15. 1515 Making Room for DevSecOps
  • 16. 16 Make Way for DevOps Need to consider changes to: • 3rd-party Software • Staff Skills • Governance, Policies, and Standards • Risk Assessment • Change Management/Control • Shifting Security Left • Security as Code
  • 17. 17 COTS and OSS: Co-Owning the Software Still need documented steps and standards to follow along properly SLA SLA Configure (cloud services/infrastructure) Your data OSS/GitHub Buy
  • 18. 18 Assessing 3rd party/COTS software • Can’t just rely on patching. Anticipate deployed scenario weaknesses • You don’t have access to source code to fix vulnerabilities • This makes risk mitigation tedious … but achievable • Cloud • Wonderful scale and “turn-key” operations • Loads of (new) deployment configuration issues to consider • Info gathered from assessments… • Improve the supply chain procurement processes • Inform the supply chain risk management process • Serve as foundation for additional testing or SLA conversations
  • 19. 19 DevSecOps Requires New Skills Focus Coding skills Orchestration/automation tools Secrets management Hardening systems Privilege control Web/micro services APIs (often RESTful and lightweight) Scalable Cloud Infrastructure (software- defined environments) Virtualization/containers Hypervisor lockdown Virtual and software-defined networking Container lockdown and scanning Ruby, Python, React, Shell Scripting, etc
  • 20. 20 Sample Skills While each role needs to understand fundamentals of secure development, privacy protection, and cloud infrastructure, additional job specific training is needed Product Owners • Mitigate risk in supporting the application • Safeguard data based on application, infrastructure and operating environment Cloud Architect • Securely design application deployed on cloud infrastructure • Analyze implementation options for core features • Analyze configuration options for architectural frameworks, API gateways, microservices Code Release Manager • Detect and mitigate insecure interfaces and APIs • Prevent common vulnerabilities • Recognize insufficient identity controls and insecure or out-of-date dependencies Site Reliability Engineers (SREs) • Understand how adverse events like Denial of Service (DoS) attacks affect availability • Implement application whitelisting and apply least privileged access to data Automation Engineers • Leverage automation without compromising security • Conduct vulnerability assessments
  • 21. 21 Key to Staff Competency • As roles bleed into one another through collaboration, individuals need wider breadth of knowledge • Risk watering down deep technical competence in the trenches Prevent Jack of All Trades • Create a core set of common knowledge • Security principles, regulatory concerns, infrastructure issues, commonly used tools Don’t make everyone security experts • Developers today are using open-source libraries, spinning up servers, containers, and otherwise self-provisioning infrastructure • Training often focused just on “writing” secure code Consider evolving Developer role
  • 22. 22 Accelerating Success with DevOps Security Champions • InfoSec team can help, but not scalable • Practitioners that serve as mentors • Determine when to engage the security team • Single point of contact w/in their group • Clearly define goals and responsibilities • Conduct and/or verify security reviews • Guard and promote “best practices” • Raise issues for risks in existing/new software • Build threat models for new features • Should be knowledgeable (and passionate) about software engineering Gartner Report: 3 Steps to Integrate Security Into DevOps: https://web.securityinnovation.com/gartner-report-devops
  • 23. 23 Good Security Hygiene Begins with Good Policy • There are many aspects of governance to consider • Security policies • Procurement and risk assessment practices • Change management and control • What goes into a policy? • Acceptable cloud deployment models/practices • Data types that can and cannot go to the cloud • Key/credential/data protection requirements • APIs documentation • Logging and monitoring • Compliance requirements
  • 24. 24 Ensure Policies are Tailored for…. DevOps Network, Infrastructure, and Software security Especially secure build/dev standards Cloud platforms How Amazon IAM users/groups should be configured Proper use, distribution and storage of cloud API keys COTS supply chain Acceptance policy and culpability Eliminate need for inspection on a mass basis by ensuring quality in each component (built or supplied)
  • 25. 25 Risk Assessment • At each checkpoint perform checks applicable to that stage • As deployment progresses, checks evolve from simple automated pattern matching to more complex human-driven • e.g., DAST scan  Penetration Testing / Red Teaming • Can be run in parallel as you cycle through the DevOps “figure 8” • Procurement / Risk Assessment • Early: static and dynamic code analysis • Early: defined libraries and configs • Later: monitoring and control in instances • Later: SLA-based acceptance testing
  • 26. 26 Change Control • Too heavy-handed sign-off process slows speed to release • Micro change management; policy driven; importance of planning Traditional change control often falls apart in a DevOps model • Which changes need traditional tracking • Which changes can be “log and review” • Review cycles and review board groups • Daily defect triage teams with filtered/streamlined reviews Security professionals need to work with DevOps to determine:
  • 27. 27 Hardening Design • Define policies for components, networks, and more • Configurations (Puppet, Chef) • App deployment and automation (Ansible, Jenkins) • Orchestration, automation and cloud provider tools • These will be specific use cases and requirements: • Input validation for app X • Use of TLS for all communications • Hardening to CIS Benchmark standards • Implement in code or via policy files • Threat models developed early useful here
  • 28. 28 Security as Code • Testing tools can simplify policy validation • Coordinate penetration tests and routine checks to validate policies’ effectiveness • Are only required ports open? • Are credentials secured? • Are encryption keys secured? • Are privileges assigned properly? • Re-usable test scripts to validate no security regressions • Also aids with consistency; quickly ID’s undocumented change
  • 29. 29 Summary • Secure DevOps solves some plaguing issues: • Lack of cross-functional knowledge between build and deployed state • Security slowing down ability to get features out the door • Streamlines communications from the customer to the product owner • Success of DevOps relies on 3 key principles • Automate what can be done faster than humans • Understand where manual inspection is needed • Balance tools, knowledge, and process – can’t rely too heavily on one
  • 30. 30 How Can We Help? DevOps/SDLC Risk Review • Fill compliance gaps with tools, activities and skills • Roadmap with optimal sequencing Computer Based Training • Specific to DevOps roles • Covers all major technologies, roles, frameworks Cyber Range • Turn-key, fun • Automated scoring • Real-world applications, platforms, systems
  • 31. 31 Cyber Range: Build Cross-Functional Security Skills • Experts predict a shortage of 3.5 million cybersecurity professionals for 2021* • Hard to build a strong DevOps outfit without expertise to support it • Quickly and accurately identify security champions *https://www.csoonline.com/article/3200024/security/cybersecurity-labor-crunch-to-hit-35-million-unfilled-jobs-by-2021.html Commercial Ranges Free Range: InstaFriends Community.securityinnovation.com

Editor's Notes

  1. DevOps has long proven to be an effective approach to speeding up development cycles and improving reliability, along with many other technical, business, and cultural benefits. Those same qualities of DevOps, that improve software development and deployment, can also improve your application’s security. Integrating security into your DevOps pipeline can provide a united culture between the developer, operations, and security teams. Integrating security into your DevOps pipeline can also provide improved feedback loops and faster cycles for addressing security issues, better collaboration to make all players involved with security, and repeatable, automated, and easy-to-audit configurations.
  2. The planning stage for DevSecOps is similar to any security planning; threat modeling, policy development, and security assurance models. But in a DevSecOps model, planning is where you set the stage for integrating security into the deployment pipeline. This includes determining tooling, test acceptance criteria, and providing guidance and education to developers and operations teams. Planning how you integrate DevSecOps into the deployment pipeline will set the stage for the entire project. This can be the most difficult part because you need to inject enough security to be effective at the same time it shouldn't be an obstruction to deployment schedules, nor should you overwhelm other teams with unnecessary false positives. The safest way to integrate security is to spread it out across the entire pipeline so each stage has a natural and incremental security checkpoint..
  3. The coding stage provides many opportunities for introducing and automating security. First is the environment the developers use for writing code. As you move security left on the DevOps pipeline you should make sure that developers are working in secure environments. Virtual machines, Docker containers, VPNs, and user desktop machines all have the potential for expanding the attack surface and increasing risk and should be secured accordingly. Next is the tooling you provide to developers to identify common security mistakes. This tooling might include IDE add-ons, linters, and similar tools. These tools typically do not catch complex logic errors but are well-suited for spotting common vulnerability patterns. The final consideration is how developers handle secrets such as passwords, API keys, or private certificates.
  4. . At this stage you still want to focus on the most serious issues, but at build time you may perform additional test such as checking for vulnerabilities in third-party components and dependencies or performing more in-depth risk-based checks. You don’t need to break the build unless you encounter serious vulnerabilities, a large number of vulnerabilities, or publicly disclosed issues with third-party components. For all other issues you can simply trigger alerts for the security team.
  5. The testing phase is your last chance to identify security vulnerabilities before the code goes into production. Unlike waterfall or other development methodologies, DevOps is meant to allow for rapid and continuous deployments. Some organizations may push dozens of builds for deployment every day. With these fast deployment cycles, you don’t want security checks to delay deployment, nor do you want to overwhelm your security team with a never-ending stream of builds to test. This is why all testing up to this point should be automated and only break a build for the most serious issues. For all other issues, you can address them through your normal feedback loops, such as filing a bug report and alerting the security team. On the other hand, you also don’t want to neglect more in-depth testing so you should perform manual testing periodically or when there are concerning automated test results. At this point in deployment, many obvious bugs should have been identified with earlier automated tests, over time existing code will become more secure, and vulnerabilities reported from other sources will already have been documented. Therefore, much of the testing in this phase will be to continuously verify and document policy compliance. Nevertheless, there is always room for advanced testing and to address emerging threats. For this stage of testing, SAST tools should check for a broader range of vulnerabilities and any unit tests should address any additional items identified and your threat modeling. Here you would also want to make use of additional classes of tools such as: Dynamic application security testing (DAST), which are tools that test applications in a running state and covers the full execution environment. Interactive application security testing (IAST), automated tools that interact with the application’s user interface controls and API models to identify vulnerabilities. Fuzzing, tools that feed irregular characters and data lengths to identify common flaws with bounds checking and error handling. This testing phase should not only include application code, but also include: OS Configurations, databases and other back-end software, hardening scripts, other automation files, and certificates and certificate chains.
  6. Once the application has passed testing and is approved for deployment, the security team will need triggers to perform any deployment-related security steps. These might include: Creating or updating any secrets necessary for deployment or operations, documenting what was updated and by whom, producing any compliance documentation and final security scan output as artifacts, performing any final configuration or hardening, and determining authenticity of any third-party applications or components. At this stage you should assume the deployment is approved for release. Any significant security issues should have been addressed in earlier
  7. Continuous feedback loops are a big part of what makes DevOps so effective. In addition to the traditional bug reports, error logs, and telemetry that provide feedback to developers, integrated security provides additional sources of feedback include pen-testing reports, monitoring metrics, user-reported issues, and bug bounties. Also there will be vulnerability reports and update notifications for third-party components. Lastly there will be intrusion detection, antivirus, and security intelligence event management (SIEM) alerts. These feedback loops will take you back to the beginning of the pipeline where you will repeat the process again
  8. Security and IT leaders need to lay out a detailed plan for how they’re going to develop security skills relevant to every function
  9. DevOps depends on an increased collaboration between IT roles and self- service. The challenge is as roles start to bleed into one another through deeper collaboration, individuals start to need a wider breadth of knowl- edge than ever before about how their actions impact the organization’s threat posture. Take developers, for example: so much of application security (APPSEC) training today is focused solely on secure coding techniques, with- out accounting for the reality that developers today are using open-source libraries, spinning up servers, containers, and otherwise self-provisioning the infrastructure their software is running on.
  10. . For example, consider setting policies around how to the company should be using the Amazon’s IAM feature. Make specific policies around how IAM users and groups should be configured and used. Use the doctrine of least privilege and design a sane access control policy. Consider a policy where only a few trusted users have full admin access and other users are in a power users group where they can launch instances, but cannot alter AWS console configuration or access. You might want to give your accounting team limited access to the console as well to review billing and usage. While you are at it, develop specific policies around the use, distribution and storage of cloud API keys. Furthermore, consider enforcing two factor authentication. These kinds of specific use case policies will go a long way for security teams in gaining confidence with the DevOps teams. DevOps might be the cool new hotness that is making waves in every kind of organization, but that doesn’t mean we can forget our information security requirements in a DevOps environment. One of the starting points in ensuring DevOps organizations follow good security practices is to start with a minimum set of security policies. Make sure you champion these policies and tailor them to your specific organization and use case. With a little luck and determination even your DevOps teams can follow security best practices.
  11. CIS – Center for Internet Security