
Cyphercon - Shifting Security Left

Chris M
April 12, 2019


The shift to the cloud, Agile and DevOps is making it more difficult than ever for security teams to control what happens in their organizations and secure systems.

The obvious solution is more security tools, more security people, and ever-inventive ways to rein in your environment.

You. Will. Fail.

The only way to get better is by giving up the illusion of control and the delusion that you can achieve control.

Instead, we’ll talk about how engineering automation to create a culture of empowerment, self-reliance and trust can result in better security outcomes. Along the way, we’ll learn about how the adoption of Agile and DevOps is creating value in some unexpected ways…


Transcript

  1. whoami
     TYPICAL DISCLAIMERS:
     ▪ All opinions are mine, except the bad ones. The bad ones probably came from Twitter.
     ▪ All examples are hypothetical, especially the bad ones.
     ▪ Nearly all of this is me showcasing other people's work.
     ▪ I strive for good attribution. If I missed someone, @ me.
  2. agenda.txt
     FIRST WE WILL TALK ABOUT:
     ▪ Trying harder
     ▪ Failing
     ▪ Having an existential crisis
     ▪ Wondering if there's a better way
     THEN WE WILL DISCUSS:
     ▪ Giving up our desire for control
     ▪ Trusting others
     ▪ Becoming an enabler
     ▪ Modestly improving security with a few smart technology plays
  3. Congratulations, you got a seat at the table. Now what?
     ▪ Secure all the things!
     ▪ Bend them to my will!
     ▪ SME all the projects!
     ▪ Make sure security signs off on EVERYTHING.
     ▪ Pen testing is the only testing.
     ▪ Don't change anything after you build it.
  4. Technology Project Snarkchart
     [Gantt chart; only its labels survive extraction.]
     Milestones: Project Kickoff (Jan 10) ▪ Re-assigning contract staff to new project (Feb 4) ▪ Executive Review (Mar 7) ▪ Go/No-go Decision (Mar 14) ▪ Committed Go Live Date (Aug 6) ▪ The Date You Crossed Your Fingers and Put It In Production (Oct 20) ▪ Project Close ▪ Data Breach Uncovered ▪ Remediation Deadline
     Phases: Requirements (34 days) ▪ Prototype (29 days) ▪ Development (150 days) ▪ Launch (30 days) ▪ Security Test (6 days) ▪ Disagreeing About the Severity of the Findings (5 days) ▪ Bargaining with Compliance for Longest Possible Remediation Timeframe (33 days) ▪ Remediation Work (22 days)
  5. What is DevOps?
     “DevOps is the combination of cultural philosophies, principles, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity.”
  6. Cultural Philosophies
     ▪ Small, multi-disciplinary teams, responsible for all aspects of the development, testing and deployment of a product.
     ▪ Working autonomously to develop a product.
     ▪ Rapid development of small changes to deliver incremental value to customers faster.
     ▪ Growth mindset: using continuous feedback, teams generate hypotheses, generate data, test, and adapt.
     ▪ Shift from incident prevention to incident preparedness; focus on reacting quickly to failures and adapting.
  7. Practices
     ▪ Everything as code
     ▪ Self-service configuration
     ▪ Automated provisioning
     ▪ Continuous build
     ▪ Continuous integration
     ▪ Continuous delivery
     ▪ Integrated change management
     ▪ Automated release management
     ▪ Immutable everything
     ▪ Incremental testing
     ▪ Continuous monitoring
     ▪ Baked-in security
  8. Case Study – Combi Security
     ▪ 1 B+ in revenue, 3,600 clients.
     ▪ Unified, cross-functional DevOps teams.
     ▪ Invests in attracting and retaining top talent.
     ▪ Significant R&D investment.
     ▪ Uses best-of-breed DevOps tools: JIRA, HipChat, Azure Cloud Services, etc.
     ▪ Seamless daily releases to thousands of endpoints.
     ▪ Able to quickly deploy to major clients in food service, hospitality, gaming, healthcare and financial services.
     ▪ Provides excellent work-life balance to staff, who rarely need to work nights and weekends.
  9. …also known as Fin7/Carbanak
     ▪ 1 B+ in THEFT, 3,600 VICTIMS.
     ▪ Unified, cross-functional DevOps teams.
     ▪ Invests in attracting and retaining top talent.
     ▪ Significant R&D investment.
     ▪ Uses best-of-breed DevOps tools: JIRA, HipChat, Azure Cloud Services, etc.
     ▪ Seamless daily releases to thousands of INFECTED endpoints.
     ▪ Able to quickly PLUNDER major clients in food service, hospitality and financial services.
     ▪ Provides excellent work-life balance to staff, who rarely need to work nights and weekends.
  10. Improving security in most organizations
      ▪ Training
      ▪ Threat Modeling
      ▪ Requirements Definition
      ▪ Secure Architectural Patterns
      ▪ Code Quality Tools
      ▪ Incident Response
  11. Training
      Need to prioritize other security investments? Have a training budget? (Don't snub YouTube. We know every household skill you learned in the last five years came from a YouTube video.)
  12. Teach Lightweight Threat Modeling
      ▪ Threat modeling exercises help you evaluate your application design for security risks.
      ▪ Threat modeling frameworks and processes can get complicated fast.
      ▪ Use just enough to achieve a win, and improve threat modeling over time until it's a good fit.
      ▪ Mature DevOps teams may benefit from threat-modeling-as-code (ThreatSpec).
      Resources:
      ▪ Elevation of Privilege – Microsoft
      ▪ The Security Cards – University of Washington
      ▪ ThreatSpec
  13. Give Teams Self-Service Requirements
      ▪ OWASP Security Knowledge Framework
        ▪ Uses the OWASP Application Security Verification Standard (ASVS) to guide teams through identifying security design requirements.
      ▪ Slack goSDL (Security Development Lifecycle)
        ▪ Helps teams perform lightweight risk assessments / technology profiles, and provides checklists of security requirements.
  14. Inform Your Self-Service Requirements With Secure Architecture Standards
      ▪ AWS Well-Architected Framework
      ▪ AWS Security Pillar
      ▪ Microsoft Best Practices
  15. Help developers discover their bugs
      Make it seamless…
      ▪ Auto-provision – give developers birthright access to code quality systems.
      ▪ Include code quality tooling in the templates for repos and pipelines.
      But drive accountability…
      ▪ Develop easy-to-understand quality indicators.
      ▪ Warn/break builds and deploys for critical security defects and obvious misconfigurations.
  16. Code quality tools
      ▪ Code linting tools: SonarLint, Fortify Security Assistant
      ▪ Static analysis: Codacy, SonarQube, Synopsys Coverity, NodeJScan (requires Python, ironically), LGTM
      ▪ Dynamic analysis: Burp Suite, OWASP ZAP, w3af, Arachni, Code Pulse (use for coverage monitoring of DAST tools)
      ▪ Software composition analysis (SCA) tools: Snyk (free for OSS), OWASP Dependency-Track, Sonatype OSS Index
  17. Delivering Golden Images
      ▪ AWS Golden AMI Pipelines
      ▪ CIS Benchmark Hardened AMIs
      ▪ AWS Config Rules
      ▪ Azure Security and Compliance Center
      ▪ Container scanning: Clair, Anchore
  18. Vulnerability Management
      ▪ Audit your CloudFormation templates – CloudSploit.
      ▪ Use APIs to continually poll your cloud accounts for new assets.
      ▪ Post-build, scan your container registries for vulnerabilities.
      ▪ Use Amazon Inspector to check for vulns and misconfigurations.
      Use vuln scanner APIs
      ▪ All modern vuln scanners have an API.
      ▪ At deploy time, identify the target deployment servers and query their vuln state.
      ▪ Set your WARN/BREAK states to a level that works for your org.
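The deploy-time WARN/BREAK gate that slides 15 and 18 describe, written out as an added example in Python (not code from the deck or from any scanner vendor). The scanner API call, the host table and the thresholds are constructed stand-ins; the policy deliberately treats an unscanned or stale host as a break rather than a pass.

```python
"""Deploy-time vulnerability gate: query each target's vuln state and map it
to PASS / WARN / BREAK. The scanner API is replaced by a constructed table
so this runs offline; the threshold values are assumptions."""
from dataclasses import dataclass

# Constructed sample of what a vuln scanner API might report per host.
SCANNER_RESULTS = {
    "web-01": {"critical": 0, "high": 2, "medium": 7, "last_scan_days": 1},
    "web-02": {"critical": 1, "high": 0, "medium": 3, "last_scan_days": 2},
    "db-01": {"critical": 0, "high": 0, "medium": 1, "last_scan_days": 40},
}

@dataclass
class GatePolicy:
    break_critical: int = 1      # this many critical findings breaks the deploy
    warn_high: int = 1           # this many high findings warns
    max_scan_age_days: int = 30  # older scans are treated as no scan at all

def lookup_vuln_state(host, results):
    """Stand-in for the scanner API call; None means the host is unknown."""
    return results.get(host)

def evaluate_host(host, policy, results=SCANNER_RESULTS):
    """Return ('PASS'|'WARN'|'BREAK', reason) for one deployment target."""
    state = lookup_vuln_state(host, results)
    if state is None:
        return "BREAK", f"{host}: not known to the scanner"
    if state["last_scan_days"] > policy.max_scan_age_days:
        return "BREAK", f"{host}: last scan {state['last_scan_days']} days ago"
    if state["critical"] >= policy.break_critical:
        return "BREAK", f"{host}: {state['critical']} critical finding(s)"
    if state["high"] >= policy.warn_high:
        return "WARN", f"{host}: {state['high']} high finding(s)"
    return "PASS", f"{host}: within policy"

def deploy_gate(targets, policy=None, results=SCANNER_RESULTS):
    """Worst per-host verdict wins: any BREAK breaks, else any WARN warns."""
    policy = policy or GatePolicy()
    verdicts = [evaluate_host(h, policy, results) for h in targets]
    levels = {level for level, _ in verdicts}
    overall = "BREAK" if "BREAK" in levels else "WARN" if "WARN" in levels else "PASS"
    return overall, [reason for _, reason in verdicts]

if __name__ == "__main__":
    verdict, reasons = deploy_gate(["web-01", "web-02", "db-01", "cache-01"])
    print(verdict, *reasons, sep="\n  ")
```

In a real pipeline `lookup_vuln_state` would call the scanner's API with the hosts resolved from the deployment manifest, and the pipeline step would fail on BREAK and annotate the run on WARN.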
  19. Incident Response
      ▪ CloudTrail all the things
      ▪ EC2 clean room forensics
      ▪ Ensure endpoint tools are baked into golden images.
      Monitor for unsafe behavior in GuardDuty:
      ▪ Bad firewall rules
      ▪ Opening unapproved ports
      ▪ Clearing logs
      ▪ Non-IAM user logins
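The four watch items above expressed as detection logic over CloudTrail records, as an added example (not the deck's code and not GuardDuty itself): world-open security group rules on unapproved ports, trail tampering, and root (non-IAM) console logins. The sample records are constructed but follow CloudTrail's field layout; the approved-port list is an assumption.

```python
"""Triage constructed CloudTrail records for the unsafe behaviours the slide
lists. Records are hand-built samples in CloudTrail's field layout; the
approved-port set and the trail names are assumptions."""
APPROVED_PORTS = {443}                              # assumed org policy
LOG_TAMPER_EVENTS = {"StopLogging", "DeleteTrail"}  # CloudTrail API actions

SAMPLE_EVENTS = [  # constructed, not real account data
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "org-trail"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}},
]

def world_open_unapproved_ports(event):
    """Ports an AuthorizeSecurityGroupIngress call opened to 0.0.0.0/0 that are
    not approved; 'all' when the rule covers every port (-1/-1 in CloudTrail)."""
    items = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    bad = set()
    for perm in items:
        cidrs = {r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])}
        if "0.0.0.0/0" not in cidrs:
            continue
        lo, hi = perm.get("fromPort", -1), perm.get("toPort", -1)
        if lo < 0:
            bad.add("all")
        else:
            bad.update(p for p in range(lo, hi + 1) if p not in APPROVED_PORTS)
    return bad

def triage(event):
    """Return alert strings for one record; an empty list means nothing to flag."""
    alerts = []
    name, who = event.get("eventName"), event.get("userIdentity", {})
    if name == "AuthorizeSecurityGroupIngress":
        ports = world_open_unapproved_ports(event)
        if ports:
            alerts.append(f"world-open unapproved port(s) {sorted(map(str, ports))} by {who.get('userName')}")
    if name in LOG_TAMPER_EVENTS:
        alerts.append(f"log tampering: {name} on trail {event.get('requestParameters', {}).get('name')}")
    if name == "ConsoleLogin" and who.get("type") == "Root":
        alerts.append("console login by root (non-IAM) account")
    return alerts
```

Run `triage` over each record pulled from the trail's S3 delivery or an EventBridge subscription; records 0, 2 and 3 of the sample fire, record 1 (HTTPS world-open, approved) does not.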
  20. Secrets Detection
      ▪ Git pre-commit hooks
      ▪ Scanning your repos
      ▪ Better ways to store keys: HashiCorp Vault, AWS Secrets Manager, Azure Key Vault
      ▪ Use your DLP to monitor for API keys.
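A git pre-commit hook of the kind the slide mentions, as an added example (not the deck's or any project's code). The pattern set and the install location are assumptions, and the constructed SAMPLE_DIFF lets `scan_diff` be checked without a repository; only added lines are scanned, so a commit that removes a leaked key is never blocked.

```python
"""Git pre-commit hook: block a commit whose staged diff adds a line that
matches a known secret pattern. Install path and pattern set are assumptions."""
import re
import subprocess
import sys

SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "slack-token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
}

def scan_diff(diff_text):
    """Return [(path, rule)] for each added ('+') line that matches a pattern;
    removed lines are ignored, so deleting a leaked key never blocks the commit."""
    findings, path = [], None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
        elif line.startswith("+") and not line.startswith("+++"):
            for rule, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append((path, rule))
    return findings

# Constructed sample diff for an offline self-check of the scanner.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
 DEBUG = False
-AWS_KEY = "AKIAAAAAAAAAAAAAAAAA"
+AWS_KEY = "AKIA0123456789ABCDEF"
+SLACK = "xoxb-0000000000-placeholder"
"""

def main():
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for path, rule in findings:
        print(f"pre-commit: possible secret ({rule}) in {path}", file=sys.stderr)
    if findings:
        print("pre-commit: blocked; move the value to a secrets manager", file=sys.stderr)
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main())
```

Copy the file to `.git/hooks/pre-commit` and make it executable; the same `scan_diff` can be run over `git log -p` output when scanning existing repos.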