Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and Query

Seattle | September 16-17, 2019
Overcoming the old ways of working with
DevSecOps
ERKANG ZHENG

Security is an organizational challenge.
What is DevSecOps? How does security keep up with DevOps?

DevOps | DevSecOps
Move fast and automate everything you can,
DevOps DevSecOps
Continuous Integration / Continuous Delivery (Deployment)
CI / CD
Continuous Assurance / Continuous Compliance
CA / C
with confidence
Culture Culture
CI / CD CA / CC

Manifesto for Modern Cybersecurity
https://securitymanifesto.net
Assume compromise, but expose no single point of compromise.
Track everything since you cannot protect what you can’t see.
Engage everyone for there is power in the crowd; two is stronger than one.
Automation is key because people don't scale and changes are constant.
Build products that are secure by design and secure by default.
Favor transparency over obscurity, practicality over process, and usability over complexity.
We must keep security
simple, open, collaborative, enabling and rewarding.
ZERO TRUST
ASSET CMDB
DEV + BUG BOUNTY
SECURITY AS CODE
THREAT MODEL
OPEN & SIMPLE

What enables DevSecOps?

The two aspects of DevSecOps
Security as an enabler for
DevOps
• Automate security checks,
gates and approvals in the
DevOps CI/CD pipeline
Check out
“Fully automated production deployments
with HIPAA / HITRUST compliance”
by Matt Lavin tomorrow at 1:45pm
Development as an enabler for
SecOps
• Aggregate data from source to
gain visibility and insight
• Automate security operations
and manage artifacts with code
• Achieve provable security with
CA/CC
VISIBILITY
GOVERNANCE
ASSURANCE

Security Program Pick assessor
Perform gap assessment
Implement remediation
Collect evidences
Assess and certify
Documented data
flows
Conducted risk
analysis
Wrote policies and
procedures
Created infrastructure
and security
architecture diagrams
REPEATMonitor, Manage, Optimize
START
Implemented 100+
controls
Endpoint
malware
protection
Server
vulnerability
scanning
Production
change
management
SSO + MFA
Application
code
scanning +
pen testing
User training
Configuration
audit
Endpoint
compliance
agents
Vendor risk
management
Firewalls
and security
groups
Data
encryption
WAF + DDoS
protection
Asset
inventory and
tagging
Activity and
log
monitoring
YOU
YOU
AUDITOR

Security Program
DATA
+
GRAPH
+
QUERY
Pick assessor
Perform gap assessment
Implement remediation
Monitor, Manage, Optimize
Collect evidences
Assess and certify
Documented data
flows
Conducted risk
analysis
Wrote policies and
procedures
Created infrastructure
and security
architecture diagrams
REPEAT
START
Implemented 100+
controls
Endpoint
malware
protection
Server
vulnerability
scanning
Production
change
management
SSO + MFA
Application
code
scanning +
pen testing
User training
Configuration
audit
Endpoint
compliance
agents
Vendor risk
management
Firewalls
and security
groups
Data
encryption
WAF + DDoS
protection
Asset
inventory and
tagging
Activity and
log
monitoring
YOU
AUDITOR
CA / CC
VISIBILITY
GOVERNANCE
ASSURANCE

Security is a data challenge.
Overcome SecOps complexity with DATA, GRAPH, and QUERY
Attackers think in graphs;
Defenders operate with lists.
That’s why attackers win.

Derive meaningful context from relationships, not lists
Stop thinking in lists and tables.
Start thinking in entities and relationships.

AWS Cloud
Security
Which EC2 instances are
exposed to the Internet?
Find aws_subnet with public=true
that HAS aws_instance
that PROTECTS aws_security_group
that ALLOWS Internet
return tree

AWS Cloud
Security
Are there Internet-facing EC2
instances that are allowed access
to non-public S3 buckets?
find Internet
that ALLOWS aws_security_group
that PROTECTS aws_instance
with active=true
that USES aws_iam_role
that ASSIGNED AccessPolicy
that ALLOWS (aws_s3|aws_s3_bucket)
with classification!='public’
return tree

Cross-Account
Trust
What are the cross-account IAM trust
relationships in my AWS
environment?
Find aws_iam_role as a
that TRUSTS (Account|AccessRole) as b
where
a.tag.AccountName != b.tag.AccountName
return tree

S3 Bucket
Access
Are there non-public S3 bucket
access granted to anybody
outside of its account?
Find aws_s3_bucket with
classification!='public' as bucket
that ALLOWS * as grantee
where
bucket.tag.AccountName !=
grantee.tag.AccountName
return tree

SSO Access
Which Okta user is assigned what
AWS IAM role?
find okta_user
that ASSIGNED aws_iam_role
return tree

App Components
and Data Flow
Show the connections and flow
diagram from:
• CloudFront to API Gateway
• CloudFront to S3
• API GW to Lambda Functions
• Lambda to other resources

Vulnerability
Management
Which systems or apps are
vulnerable to what CVEs?
Find CVE that RELATES TO
(Host|HostAgent|Application)
return tree

Development
Insight
Which PRs did Adam open this
past week?
'Adam' that OPENED PR
with createdOn > date.now-7days
return tree

Vulnerability
in Code
Which PRs / developer
introduced new vulnerability
findings this past week?
Find User that OPENED PR
with createdOn > date.now-7days
that RELATES TO CodeRepo
that HAS (Vulernability|Finding)
with _createdOn > date.now-7days
return tree

Use query to create alerts and trigger remediation
Alert rules from query with actions:
• Send Email
• Send Slack message
• Create Jira issue
• Capture Trend
Future remediation automation:
• Trigger Webhook
• Invoke Lambda Function
• etc.

Security Artifacts as Code

Security Policy and Procedure Documents
github.com/jupiterone/security-policy-templates
• Written in Markdown
• Small, individual files –
“micro-docs” like micro-services
• Linked together via config.json
• Document reviews and approvals via PRs
• Templatized and published in HTML

Security Policy and Procedure Documents (published)
https://security.lifeomic.com/psp

Manual Assessments and Findings
• Covers a variety of testing
• Manual penetration testing
• Risk assessment
• Privacy impact assessment
• Threat modeling
• Assessment objects and findings written in
JSON or YAML
• Publish to graph for report and analysis
Follows the same code deploy process
when PR is merged to `master` branch
github.com/jupiterone/secops-automation-examples
- entityKey: assessment:prodsec:2019q1
entityType: prodsec_assessment
entityClass: Assessment
properties:
name: internal-pen-test-2019q1
displayName: LifeOmic Internal Penetration Test 2019Q1
summary: LifeOmic Internal Penetration Test conducted between Mar 18th - Mar 29th
description:
Performed a thorough security assessment of the LifeOmic product line.
Scope includes PHC, Life 2.0 ios/Android, Connect and LifeExtend ios/Android.
category: penetration-testing
status: complete
assessors:
- security.team@lifeomic.com
open: false
classification: confidential
completedOn: 2019-04-05
reportURL: https://bitbucket.org/lifeomic/prodsec-assessments/src...
...
- entityKey: finding:prodsec:2019q1:app-api-1
entityType: pentest_finding
entityClass: Finding
properties:
name: Some made up issue
displayName: ’[Medium] What it says’
summary: Summary of the made up issue
targets:
- Service API
description: >
Within the application API, ....
stepsToReproduce:
- '1 - Add ...’
- '2 - Use ...’
- '3 - Verify ...’
impact: ...
severity: medium
...

Vendors and External Organizations
• Maintain list of vendors as code
• Leverage product management and dev
leads to help maintain
• Trigger third party security review and
approval via PR
• Publish to graph for report and analysis
Follows the same code deploy process
when PR is merged to `master` branch
github.com/jupiterone/secops-automation-examples
- entityKey: vendor:apple
entityType: apple
entityClass: Vendor
properties:
name: Apple
displayName: Apple
category:
- software
- mobile
- development
description: >
Provides Developer account and App Store Connect account for mobile apps...
validated: true
approved: true
approvalPRLink: https://bitbucket.org/lifeomic/security-artifacts/pull-requests/2
approvalPRName: security-artifacts/2
website: https://www.apple.com
owners:
- owner.one@lifeomic.com
- owner.two@lifeomic.com
mainContactName:
mainContactEmail:
mainContactPhone:
mainContactAddress:
breachResponseDays:
linkToNDA: https://developer.apple.com/terms/apple-developer-agreement/Apple-
Developer-Agreement-English.pdf
linkToMSA: https://developer.apple.com/programs/whats-included/
linkToSLA:
criticality: 10
risk: 5
tag.PHI: false
tag.PII: true
tag.PCI: false
statusPage:
notes:
...

Security and Privacy Considerations in Product Design RFC
• Engineering team writes product design RFC
documents and check into code
• RFC templates includes mandatory sections
for
• Security Considerations
• Privacy Considerations
• Bot to detect new RFC PR and alert security
team via Slack message
bitbucket-pr-detector
github.com/jupiterone/bitbucket-pr-detector
...
## Security considerations
### Data Flow
Does this feature collect or process additional data? Does it impact the current
data flow of the system/application?
If so, create new or update the existing data flow diagram and document the
data flow.
### Secrets
Does this feature involve usage of additional secrets (API keys, tokens, etc.),
either external (i.e. storing and using secrets from a provider) or internal
(i.e. generating and using secrets as an internal component)?
If so, document the secret management process.
### Attack Scenarios
How could an attacker abuse this design? What risks does this approach present
and what mitigations can be pursued? What security requirements need to be
included in the implementation?
An example of how to document this:
- **Abuse case name**
- _Risk_ -- a description of the abuse case and the risks identified
- _Mitigation_ -- what is being put in place as mitigation controls
This is a practice to ensure that some level of security considerations is
always included in the design of a new feature, component or process.
## Privacy Considerations
...

Compliance Evidence Collection
• Compliance framework and control
requirements defined in JSON
• Map policy procedures to each control
requirement
• Map query questions to each control
requirement
• Write positive case queries and negative
case queries for automated gap analysis
• Include evidence associated with manual
processes
{
"standard": "SOC 2",
"version": "2019",
"sections": [
{
"title": "Access Controls",
"requirements": [
{
"ref": "SOC2-01",
"title": "Single Sign On",
"summary": "SSO for all users ..."
},
...
]
}
]
”domains": [
{
"title": ”Control Domain A",
”controls": [
{
"ref": ”A-01",
"title": ”A technical control",
"summary": ”control description ..."
},
...
]
}
]
}
{
"title": "Which user accounts do not have multi-
factor authentication enabled?",
"description": ”...",
"queries": [
{
"name": "bad",
"query": "Find User with mfaEnabled != true that !(ASSIGNED|USES|HAS) m
fa_device"
},
{
"name": "good",
"query": "Find User with mfaEnabled = true"
},
{
"name": "goodToo",
"query": "Find User that (ASSIGNED|USES|HAS) mfa_device"
}
],
"compliance": [
{
"standard": "CIS Controls",
"requirements": [
"4.5",
"12.11",
"16.3"
]
},
{
"standard": "HITRUST CSF",
"controls": [
"01.b",
"01.j",
"01.q"
]
},
{
"standard": "PCI DSS",
"requirements": [
"8.2",
"8.3"
]
}
]
}
github.com/jupiterone/security-policy-templates/tree/master/templates/standards

In Summary, our approach to DevSecOps...
• Keep a simple, open, collaborative, enabling and rewarding security culture
• Use data, code and graph (not lists) to build a digital knowledgebase of your
environment
• Use query to gain insights, provide assurance and collect compliance evidence
continuously
• Automate security gates and approvals in code deployment pipeline
(check out tomorrow’s session)
Continuous Assurance Provable SecurityContinuous Compliance

Questions?
Demo?
J U P I T E R O N E . C O M

Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and Query

Recommended

More Related Content

What's hot (20)

Similar to Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and Query (20)

Recently uploaded (20)

Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and Query

Editor's Notes