Watch on-demand now: https://securityintelligence.com/events/application-security-protection-world-of-devops/
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Development teams are aware of the shifting security challenges they face. However, they're by no means security experts, nor do they have spare time on their hands to learn new tools.
What can development teams do to keep pace with rapidly-evolving application security threats?
The answer lies in automation. By making application security part of the continuous build processes, organizations can protect against these major risks.
In this session, you will learn:
- New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments.
- Best practices for designing and incorporating an automated approach to application security into your existing development environment.
- Future development and application security challenges organizations will face and what they can do to prepare.
4. WEB APPLICATION VULNERABILITIES: XSS AND SQL INJECTION EXPLOITATIONS
XSS AND SQL INJECTION EXPLOITS ARE CONTINUING IN HIGH NUMBERS
[Chart "Web application vulnerabilities": 2009 to 2013, y-axis 0% to 25%]
Source: IBM X-Force Threat Intelligence Quarterly, 2014
APPLICATIONS - THE WEAKEST LINK IN THE IT SECURITY CHAIN
33% OF VULNERABILITY DISCLOSURES ARE WEB APPLICATION VULNERABILITIES
5. INVESTMENT PRIORITY - “SECURITY RISKS” VS. YOUR “SPEND”
MANY CLIENTS DO NOT PRIORITIZE APPLICATION SECURITY IN THEIR ENVIRONMENTS
[Chart: security risk vs. spending by layer (application, data, network, human, host, physical); y-axis 5% to 35%; annotation "Spending does not equal risk"]
Source: The State of Risk-Based Security Management, Research Study by Ponemon Institute, 2013
6. CUSTOM AND OPEN SOURCE CODE MIX
OPEN SOURCE
• Needed functionality without acquisition costs
• Faster time to market
• Lower development costs
• Broad support from communities
CUSTOM CODE
• Proprietary functionality
• Core enterprise IP
• Competitive differentiation
[Diagram: mix of open source and custom code in an application]
7. THE SHIFTING APPLICATION SECURITY THREAT LANDSCAPE: RISE OF OPEN SOURCE VULNERABILITIES
OPEN SOURCE COMPONENTS WITH KNOWN VULNERABILITIES
Since 2014, over 6,000 new vulnerabilities in open source components.
Source: Risk Based Security’s VulnDB
[Chart: open source vulnerabilities over time, y-axis 0 to 1,200, annotated with the Heartbleed disclosure]
8. WHO IS RESPONSIBLE FOR SECURITY?
COMMERCIAL CODE
• DEDICATED SECURITY RESEARCHERS
• ALERTING AND NOTIFICATION INFRASTRUCTURE
• REGULAR PATCH UPDATES
• DEDICATED SUPPORT TEAM WITH SLA
OPEN SOURCE CODE
• “COMMUNITY”-BASED CODE ANALYSIS
• MONITOR NEWSFEEDS YOURSELF
• NO STANDARD PATCHING MECHANISM
• ULTIMATELY, YOU ARE RESPONSIBLE
9. CONTAINERS AND DEVOPS
Containers can be vulnerable by virtue of the code that runs inside them
• OSS components running inside containers represent potential attack vectors
• Could cause problems for the application itself
• Could cause more problems if the container is running with the --privileged flag set
11. WHAT IS DEVOPS?
• Set of principles
• Faster software delivery
• Continuous process
• Collaborative
• Achieved by automation
12. CHALLENGES WITH APPLICATION SECURITY IN DEVOPS
• Developers are not security experts
• Time pressure
• Security can be an afterthought
• Application security teams are small
• Testing happens too late in the process
13. BENEFIT FROM DEVOPS WITHOUT COMPROMISING SECURITY
• Automation of Security Testing
• Security Gates
18. BUILD CUSTOM SECURITY GATES BASED ON NEEDS
[Diagram: delivery pipeline stages: Delivery team > Version control > Build & unit tests > Automated acceptance tests > User acceptance tests > Release; shown for three pipelines (Pipeline 1, Pipeline 2, Pipeline 3)]
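The container slide (9) and the security-gate slides (13 and 18) describe the approach but show no mechanics. The script below is an added example, not code from the webinar, IBM or Black Duck: it implements a small automated security gate that checks a dependency manifest against a known-vulnerability list, flags a container configured with --privileged, and applies a per-stage blocking policy using the build, acceptance and release stages from slide 18. The manifest, the vulnerability feed, the VULN-ID-PLACEHOLDER references, the container flags and the stage policy are all constructed for this example.

```python
"""Minimal CI security gate (added example; not the webinar's or any vendor's code).

Inputs: a dependency manifest and a container run configuration, both
constructed below. The vulnerability data is a constructed stand-in for a
feed such as the one the deck cites; the VULN-ID-* strings are placeholders,
not real advisory identifiers.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Assumed policy: the minimum severity that blocks each pipeline stage.
# Gates tighten as the change moves toward production.
STAGE_POLICY = {"build": "high", "acceptance": "medium", "release": "low"}

# Constructed sample manifest: (component, version).
MANIFEST = [("openssl", "1.0.1f"), ("jquery", "3.6.0"),
            ("struts", "2.3.15"), ("lodash", "4.17.20")]

# Constructed feed: component -> [(first_affected, last_affected, severity, ref)].
VULN_FEED: Dict[str, List[Tuple[str, str, str, str]]] = {
    "openssl": [("1.0.1", "1.0.1f", "high", "VULN-ID-PLACEHOLDER-1")],
    "struts": [("2.0.0", "2.3.16", "high", "VULN-ID-PLACEHOLDER-2")],
    "jquery": [("1.0.0", "3.4.9", "medium", "VULN-ID-PLACEHOLDER-3")],
    "lodash": [("4.0.0", "4.17.20", "low", "VULN-ID-PLACEHOLDER-4")],
}

# Constructed container run flags, as a deploy step might pass to `docker run`.
CONTAINER_FLAGS = ["--privileged", "-p", "8080:80", "--name", "web"]


@dataclass
class Finding:
    subject: str
    severity: str
    ref: str
    detail: str


def parse_version(version: str) -> Tuple[Tuple[int, str], ...]:
    """Split '1.0.1f' into comparable parts: numeric parts compare as integers,
    a letter suffix compares alphabetically (a deliberately simple scheme)."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((int(p), "") if p.isdigit() else (0, p) for p in parts)


def is_affected(version: str, first: str, last: str) -> bool:
    """Inclusive range check using the simplified version ordering above."""
    v = parse_version(version)
    return parse_version(first) <= v <= parse_version(last)


def scan_components(manifest, feed) -> List[Finding]:
    """Match every manifest entry against the known-vulnerability feed."""
    findings = []
    for name, version in manifest:
        for first, last, severity, ref in feed.get(name, []):
            if is_affected(version, first, last):
                findings.append(Finding(f"{name} {version}", severity, ref,
                                        f"affected range {first} to {last}"))
    return findings


def scan_container_flags(flags: List[str]) -> List[Finding]:
    """A vulnerable component inside a --privileged container has a much
    shorter path to the host, so the flag itself is a high-severity finding."""
    if "--privileged" in flags:
        return [Finding("container run flags", "high", "POLICY-PRIVILEGED",
                        "--privileged grants the container near-host capabilities")]
    return []


def evaluate_gate(findings: List[Finding], stage: str, policy=STAGE_POLICY):
    """Return (passed, blocking_findings) for the given pipeline stage."""
    threshold = SEVERITY_RANK[policy[stage]]
    blocking = [f for f in findings if SEVERITY_RANK[f.severity] >= threshold]
    return (not blocking, blocking)


def run_gate(stage: str):
    """Run both scanners over the constructed inputs and apply the stage policy."""
    findings = scan_components(MANIFEST, VULN_FEED) + scan_container_flags(CONTAINER_FLAGS)
    return evaluate_gate(findings, stage)


if __name__ == "__main__":
    import sys
    stage = sys.argv[1] if len(sys.argv) > 1 else "build"
    passed, blocking = run_gate(stage)
    for f in blocking:
        print(f"[{f.severity.upper()}] {f.subject}: {f.detail} ({f.ref})")
    print(f"gate '{stage}': {'PASS' if passed else 'FAIL'}")
    sys.exit(0 if passed else 1)  # non-zero exit fails the CI job
```

Run it as `python gate.py build` or `python gate.py release`; the non-zero exit status is what makes it a gate rather than a report. The version comparison is intentionally simple (dotted numbers plus a letter suffix); a production gate would use each ecosystem's own version scheme and pull affected ranges from a maintained feed, which is the "tracking for new vulnerabilities over time" the closing slide asks about.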
19. IBM AND BLACK DUCK – INTEGRATED VIEW
[Diagram: overlapping view of custom code vulnerabilities and open source vulnerabilities]
20. 20 CONFIDENTIAL
WHAT CAN YOU DO TOMORROW?WHAT CAN YOU DO TOMORROW?
Speak with your head of application development, DevOps and find
out…
What are your current application security practices?
What kinds of security gates do you need to build to
ensure nothing gets through?
What tools are you using as part of the development and
application security lifecycle?
Are containers like Docker part of your deployment
model?
How are you tracking for new vulnerabilities over time?