Outpost24 webinar - application security in a dev ops world-08-2018
Download as PPTX, PDF1 like212 views
The document discusses the evolution of application security within the DevOps framework, emphasizing the need for integrating security into development processes through the concept of DevSecOps. It highlights the importance of collaboration among development, operations, and security teams, while advocating for the establishment of security champions to bridge gaps in security awareness. The key takeaways stress a cultural shift towards incorporating security earlier in the development cycle, focusing on people, processes, and the right tools to improve overall security posture.
Outpost24 webinar - application security in a dev ops world-08-2018
- 1. Application security in a DevOps World Bob Egner, CMO [email protected] 1
- 2. 2 Helping customers improve security posture since 2001 Over 2,000 customers in all regions of the world Really good at breaking technology
- 3. Agenda DevOps background Lingering security challenges Evolution of DevSecOps. Putting it into practice Takeaways 3
- 4. 1960’s Waterfall Assembler code widely used for development. The Waterfall methodology was coined in 1958 1970’s New languages COBOL, PL1, Pascal all made an appearance. DBMS gains traction in database management 1980’s SQL and OO SQL and object orientated languages appear. Waterfall development still used but in 1986 SCRUM is coined 1990’s WWW appears 94 – unified process 95 – Javascript, SCRUM 96 – Flash, Extreme programming 99 – Concept of Web applications 2000s Agile (and Web) explode 01 – Agile manifesto 05- Ajax created for asynchronous web application development 05 – Declaration of Interdependence 09 – Software craftmanship manifesto 04 Date A brief history of (Application Development) time
- 5. 5 We need a Silver bullet
- 6. DevOps Coined in 2009 Agile success drove integration between Development and Operations Results in the need for cultural change to encourages more collaboration Focus on application release automation, continuous integration and continuous delivery People | Process | Technology approach By Kharnagy - Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=51215412 But what about the Security team?
- 7. But is it really a Silver bullet? Source: Verizon data breach investigation report 2017 Source: Verizon data breach investigation report 2018
- 9. DevSecOps – process, people & tools 9
- 10. People | Process | Technology christopherspenn.com | @cspenn People Who’s doing stuff Process How stuff is done Technology What we do stuff with scaleinnovate automate Are we fast enough? Are we efficient enough? Are we creating enough new value?
- 11. Challenges with DevOps and Security teams What happened to Secure by Design? Priority of security in DevOps migration Buy your way out with tools Focusing on the end instead of process management pushes higher “per fix” cost 11
- 12. How do we incorporate Security? Security has historically been a silo Secure by design is assumed part of Agile mentality Process | People can break down silo But does DevSecOps really work?
- 13. Slaying the myths of DevSecOps • Security cant fit into DevOps process. • Configuration management tools are all DevOps need. • Adopting DevOPs eliminates the need for Security experts. • If we can do DevOps we can do SecOps.
- 14. DevSecOps • Distribute security decision making • to the right people • with the right context • at the right time • Embedded into the team, easily accessible by Developers • Gartner refers to these as ‘Champions’
- 15. People
- 16. Your Champion • Have both domain experience and desire to secure development • Help spot security problems sooner • Assign champions to security analysts • Helps security teams translate their priorities into development practices
- 17. Champion & Analyst CHAMPION Member of project team Key contact for security Not an expert A requirement for each project ANALYST Security team member Keeps security involved Key contact for the Champion(s) Security by design thinking • Links IT Security to Development teams and projects • Encourage a community between champions and brokers • Goal to improve the overall security posture • Encourage developer collaboration with champions and analyst
- 18. Process
- 19. Shift left – improve maturity & lower fix costs 19 Development Pre-production Production Code and commit Continuous integration & automated testing Complete build & test Gate 1 Gate 2 Non- functional testing UAT Ongoing assessments
- 20. Shift left – simple steps 20 Development Pre-production Production Code and commit Continuous integration & automated testing Complete build & test Gate 1 Gate 2 Non- functional testing UAT Ongoing assessments Penetration testing Code reviews Threat modeling
- 21. Technology
- 22. Choose the right tools for the job • Before settling on what tools, ask yourself: • How frequent are your ’sprints’? • How long does each tool take to run? • Can it be wholly automated into the CI/CD process? • Is it noisy, does it generate lots of false positives? • Answering these questions will help steer you in identifying the tools appropriate for your needs 22
- 23. Perfect is the enemy of Good • Chasing perfection in a DevOps culture leads to slower development • Don’t have to fix everything during development • Compensate with other tools : IPS, WAF to mitigate unknown vulnerabilities • Focus on fixing the critical known vulnerabilities during Development • The tools you select should be agile : in both integration and scanning speed 23
- 24. Tools for Success OpenAPI based to integrate seamlessly in the CI/CD toolchain Can be easily and quickly run by Developers 24
- 25. 25 Tools in the AST kit SAST - Static Automated Focused on developers Noisy DAST - Dynamic Automated Operational system test Can’t address all cases Penetration Test Manual Most comprehensive Low frequency use MAST – Mobile Partially automated Focused on developers Lots of variants of test target IAST – Interactive Automated Included in code Related to RASP (runtime app self protection) Bug Bounty Manual Independent security researchers Pay by finding
- 26. Shift left – improve maturity & lower fix costs 26 Development Pre-production Production Code and commit Continuous integration & automated testing Complete build & test Gate 1 Gate 2 Non- functional testing UAT Ongoing assessments SAST $ IAST $$ DAST $$ MAST $$ Bug Bounty $$$ Penetration Test $$$$
- 27. Takeaways 27
- 29. DevOps • Agile success drove the need for tighter integration between Development and Operations – Coined in 2009 • Encourages (and indeed needs) collaboration between development, operations and QA – results in the need for cultural change • Allows for focus on application release automation, continuous integration and continuous delivery • Process – People – Tools approach to development • Often (and initially) leave out ‘Security teams’ Takeaways DevSecOps – culture change implemented with People | Process | Technology Process – small steps, not immediate perfection, mandate security People – establish security champions in DevOps, support the mandate Tools – integrate into the DevOps tool chain natively Shift Left – introduce additional tools and information earlier in the DevOps process
Editor's Notes
- #5: 2001 Writing Secure Code by Howard and LeBlanc from the earlier Microsoft’s Secure Windows Initiative
- #6: And so we end up with Agile + DevOPs being likened to that fabled Silver bullet. You know : the thing that slays the beast. In this case, addressing the need to align development to an efficient, digital pace of business today. Or the thing that magically addresses a complicated probbkem
- #7: With the success of Agile development, in 2009 the concept of DevOps was raised by Andrew Shafer and Patrick Debois. DevOps is essentially a natural evolution of Agile, it brings closer together the Development team. The Operations team and QA to allow for the rapid release of applications through sprints. Although it requires a cultural change, organizations embracing it can develop and deliver applications much fasters Security by design is often shoe’horned into the Devops process, often focusing on the end of the development journey. however, for many years the security teams were still precluded from the process. In fact, whilst remaining a silo separate to the Agile and DevOps processes security can become the inhibitor to successfully implementing Agile and Devops cultures
- #8: Security by design,…… Agile and DevOPs allows customers to develop and deliver applications to the market at a quck pace. And yet, time after time the surveys show that web application attacks are continually features in the top lists of incidents and often right at the top in sources of breaches.
- #9: And OWASP constantly publish the top 10 list, not the top 3 or 5. Couple that with almost no change in top 10 over the last 4 years, its little wonder our customers are asking how, as they adopt DevOps they are constantly facing the quandary of can security fit into the DevOps model without it being a hinderance.
- #11: Earliest form of this was Harold Leavitt’s 1964 use of 4 elements (structure, tasks, people, technology) in describing organizational change – since then, we’ve improved it to just 3 elements I like this version from Chris Penn because it clearly shows the where the benefits come from – the intersections http://www.christopherspenn.com/2018/01/transforming-people-process-and-technology-part-1/
- #12: In 2017 Gartner shows that the biggest strategy to overcome was collaborating with Security. As organisations adopt a
- #13: If security teams remain silo’d and disengaged from the Agile DevOps process then challenges will arise. In fact, its highly likely that Security will become a stumbling block to the success of Agile. Remember, Agile and DevOps is about collaboration (and rapid iteration). So breaking down the silo’s between the teams, integrating them together to create ‘DevSecOps’
- #14: 1. Wrong. With the right automation and tools security can be injected into the development process much earlier. 2. Wrong, whilst they help with deployment and redeployment they simply cannot handle the security analysis that a security professional can 3. Wrong. The majority of developers are NOT security experts. Neglecting the security experts can lead to your organization becoming the next statistic on the Verizon dibr report. 4. Wrong. Keeping security as its own functional area or Silo misses the point of Agile and DevOps – namely cross-functional integration. Security Experts must partner with development and operations at the beginning of the development process. It might mean a cultural change, but it is absolutely imperative to success
- #20: Point out – this is about situations where you have control over the DevOps process – if you outsource development, you may not be able to evolve with out external collaboration. For customization on COTS, you can still treat it as development and work towards this process Whiilst we try to move away from waterfall in the agile devops world, if we take a moment to look atboth the types of tools available and where they sit in Software development lifecycle we can identify where our own organisation is. Think about a shift left approach, if you don’t have anything inplace today, then can you fit a penetration test into the process. However, remember agile is about shorter development sprints. Therefore your pen test partner needs to be able to deliver on demand and at speed. Likewise if your doing Dast today, shifting left might mean Sast or IAST or Mast depending on the applications you are developing.
- #21: Point out – this is about situations where you have control over the DevOps process – if you outsource development, you may not be able to evolve with out external collaboration. For customization on COTS, you can still treat it as development and work towards this process Whiilst we try to move away from waterfall in the agile devops world, if we take a moment to look atboth the types of tools available and where they sit in Software development lifecycle we can identify where our own organisation is. Think about a shift left approach, if you don’t have anything inplace today, then can you fit a penetration test into the process. However, remember agile is about shorter development sprints. Therefore your pen test partner needs to be able to deliver on demand and at speed. Likewise if your doing Dast today, shifting left might mean Sast or IAST or Mast depending on the applications you are developing.
- #24: Ultimately when considering DevSecOP and starting the journey you need to consider Voltaire’s words: Perfect is the enemy of good. Don’t chase perfection, namely the fixing of ALL vulnerabilities during the Development cycle. This will kill your ability to deliver rapid sprints as you get bogged down with testing in the old Security by design mentality. Instead, use other tools to help mitigate the unknown or less common vulnerabilities : IPS, WAF, even next gen firewalls. Have the development team focus on the known critical vulnerabiltiies and fix them, use OWASP to help guide them on how to fix and not repeat the same errors. And when selecting your SAST, DAST, Mast, IAST tools, make sure they too are agile : agile in scanning and agile in the way they integrate in the CI/CD process.
- #25: This is what our customers are asking us for time and again. 1. in DevOps, the development team should be capable of launching and executing automated scans from directly within their native toolchain. The scanners should be easy to use and not require significant security expertise. Moreover, findings should appear in the same DevOps native toolchain.
- #29: Maturity curve is like climbing stairs – p p t Now carrying a bike on foot Now riding up