Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Upcoming SlideShare
What to Upload to SlideShare
Next
Download to read offline and view in fullscreen.

1

Share

2017-11 Three Ways of Security - OWASP London

Download to read offline

Translating the DevOps "Phoenix Project" "Three Ways" for security. Was recorded... will add link later.

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

2017-11 Three Ways of Security - OWASP London

  1. 1. THE THREE WAYS OF SECURITY Jeff Williams Co-founder and CTO Contrast Security
  2. 2. 1. TODAY’S “AVERAGE” APPLICATION IS A SECURITY DISASTER
  3. 3. 2. SOFTWARE IS LEAVING SECURITY IN THE DUST SOFTWARE SECURITY 2000 2010 2020 SASTDAST WAF •Typical enterprise has hundreds or thousands of applications •Applications are by far the leading cause of breaches (Verizon DBIR)
  4. 4. 3. SOFTWARE SUPPLY CHAIN SECURITY IS TOTALLY BROKEN Jan Feb Mar Apr May Jun Jul Aug Sept Oct March 7 CVE-2017-5638 Disclosed, Apache releases fixed version March 8 We observed widespread attack probes Mid-May Equifax breach occurs July 29 Equifax learns of breach Sept 7 Equifax discloses, Four more Struts2 CVEs disclosed Equifax ignores Protected DisasterLivin’ la vida loca Prepared Equifax unaware
  5. 5. DIAGNOSIS: GOALS UNCLEAR, TIME WASTED What we are delivering: What we must deliver:  Right defenses in place  Defenses are effective  Attacks detected/blocked  “I ran a scanner” Application/API portfolioApplication/API portfolio
  6. 6. DEV SEC OPS PUPPY MONKEY BABY
  7. 7. SO WHAT IS DEVOPS? https://itrevolution.com/the-three-ways-principles-underpinning-devops/ The “Three Ways” 1. Establish work flow 2. Ensure instant feedback 3. Culture of experimentation
  8. 8. Small batch sizes Tight feedback loops Swarm on problems Optimize for downstream consumers Produce awesome software
  9. 9. QUESTION: CAN DEVOPS HELP SECURITY? • Problem: software is poor quality, late, slow, and doesn’t provide business value. • Approach: DevOps • Outcomes: • 5x lower change failure rate • 96x faster MTTR service • 2x likely to exceed bus. goal • Problem: security is poor quality, late, slow, and doesn’t provide business value. • Possible Approach: DevOps • Required Outcomes: • 10x increase in portfolio coverage? • 80% reduction in vulns to prod? • 0x increase in time to market?
  10. 10. Static Analysis Dynamic Scanning WAF Pen Testing DEV OPS != SHOVING LEGACY SECURIT Y TOOLS AND PROCES SEC
  11. 11. The “Three Ways” of Security* 1. Establish security work flow • Build a concrete security story over time • Enable development to build security • Rip, mix, and burn security work 2. Ensure instant security feedback • Enable self-inventory • Get real application threat intelligence • Create security notification infrastructure 3. Build a security culture • Migrate to “positive” security • Accelerate evolution of your security story • Promote “security in sunshine” * Shamelessly adapted from The Phoenix Project, by Gene Kim
  12. 12. The First Security Way Establish Security Work Flow Optimize delivery of security work that is valued by the business
  13. 13. Business Security Projects Building defenses, compliance, reporting, etc… 1 Internal Security Work Threat modeling, security architecture, security research, vulnerability assessment, tools 2 Operational Security Jobs Remediation, updates, analytics, alerts, tickets, etc… 3 Unplanned Security Tasks Security “firefighting,” response, recovery, public relations, etc… 4 UMM…. WHAT IS SECURITY “WORK”?
  14. 14. * Shamelessly lifted from the Rugged Software Project Your security story maps threat model ➡️ defense strategy ➡️ defenses ➡️ assurance Making security concrete: • Enables communication • Aligns your team • Expose gaps and priorities • Creates line-of-sight FIRST WAY – BUILD A CONCRETE SECURITY STORY OVER TIME
  15. 15. Leverage existing DevOps processes and tools Refactor monolithic security tasks into small batch sizes. Deliver security one little piece at a time FIRST WAY – ENABLE DEVELOPMENT TO BUILD SECURITY
  16. 16. FIRST WAY – WORK ON BIGGEST THREATS, ONE AT A TIME Add a single risk to threat model • Create JIRA ticket: Prevent XXE Create defense strategy • Update JIRA Ticket • Standardize parser config • Log & block attacks Implement defense • XML library • Update training Establish continuous assessment • Research typical failures • Build custom test cases • Enable IAST XXE rule Establish attack protection • Enable RASP XXE rule Monitor DEV and OPS • Vulns go to JIRA with Slack alert • Attacks go to Splunk and VictorOps Do you really need security experts for all these tasks? XXE Updated Security Story
  17. 17. The Second Security Way Ensure Instant Security Feedback Establish tight security feedback loops across the lifecycle
  18. 18. SECOND WAY – ENABLE SELF-INVENTORY •You need to know the exact version of every app, api, and library running on every server in every environments •Not hard to fully automate self- inventory DEV Internal APIs ContainersPrivate Public Cloud OPS Automatic Application Inventory
  19. 19. SECOND WAY – GET REAL APPLICATION THREAT INTELLIGENCE Establish the infrastructure to… • Know who is attacking you • Know what techniques they’re using • Know what they’re targeting • … and protect within hours Equifax Attack
  20. 20. SECOND WAY – ESTABLISH A REALTIME APPSEC CONTROL PLANE PRODDEV TEST APIs ContainersPrivate Public Cloud APIs ContainersPrivate Public Cloud APIs
  21. 21. The Third Security Way Build Security Culture A culture that constantly advances security with the threat through experimentation and learning
  22. 22. THIRD WAY – MIGRATE TO “POSITIVE” SECURITY Testing for all the ways you might introduce XSS Testing to verify your XSS defense Measure positive security directly from your running application
  23. 23. THIRD WAY – ACCELERATE THE EVOLUTION OF YOUR SECURITY STORY Celebrate new big risks without recrimination Focus on strength and simplicity The faster you cycle, the faster you get secure
  24. 24. THIRD WAY – PROMOTE SECURITY IN SUNSHINE AppSec Visibility Cycle Audit Developers Infosec Legal Architects Users Research Business Monitor Threat Create Security Story Define Security Defenses Implement Security Defenses Share Intelligence Understand Laws Verify Compliance Understand Stakeholders We Trust We Blame We Hide
  25. 25. TRUST
  26. 26. “Don’t hate the playa Hate the game” -- Ice T BLAME
  27. 27. The first rule of security is… …You do not talk about security HIDE
  28. 28. The “Three Ways” of Security* * Shamelessly adapted from The Phoenix Project, by Gene Kim 1. Establish security work flow • Build a concrete security story over time • Enable development to build security • Rip, mix, and burn security work 2. Ensure instant security feedback • Enable self-inventory • Get real application threat intelligence • Create security notification infrastructure 3. Build security culture • Migrate to “positive” security • Accelerate evolution of your security story • Promote “security in sunshine”
  29. 29. CLOSING THOUGHTS – TURNING SECURITY INTO CODE •Don’t focus on how to build software securely… •Make software security into something you build!
  30. 30. Ask me anything. @planetlevel contrastsecurity.com LEADER Software Development Solution
  • AldoAlves3

    Oct. 12, 2019

Translating the DevOps "Phoenix Project" "Three Ways" for security. Was recorded... will add link later.

Views

Total views

196

On Slideshare

0

From embeds

0

Number of embeds

2

Actions

Downloads

8

Shares

0

Comments

0

Likes

1

×