Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Peter Chestna - AppSec in a DevOps World

DevOpsDays Singapore
October 25, 2017
Technology
1
370

Peter Chestna - AppSec in a DevOps World

AppSec In A DevOps World

Security has typically been done at the end of the development cycle if it’s done at all. This has all of the same side effects as testing quality just before shipping namely surfacing work and risk at the worst possible time. DevOps is forcing development teams to re-think their accountability. Not only are they responsible for functional quality but now they must also operationalize their software. I assert that they should also be accountable for security. They should treat security findings as equal citizens to their functional defects. Software written without security in mind opens a company up to brand damage and the costs associated with breaches. This will reflect directly on the teams that built the software.

How can DevOps teams add security to DevOps without losing velocity? In this session, Peter Chestna, Director of Developer Engagement, discusses how security is typically bolted on to the development process as well as the pressures on DevOps teams. He will then provide practical strategies to integrate security successfully into the SDLC while maintaining the velocity necessary to realize the benefits of DevOps.

What you will learn:
1. Why application security (AppSec) is important 2. Why traditional approaches don’t work 3. How to add security into DevOps while maintaining velocity 4. What to measure as leading indicators of success

DevOpsDays Singapore

October 25, 2017
Tweet

More Decks by DevOpsDays Singapore

See All by DevOpsDays Singapore
AI-Generated Code Unmasking the Security Pitfalls by Lawrence Crowther
devopsdayssg
0
9
Jaap Brasser - Automation, how I came to see the light
devopsdayssg
1
400
Antonio Cocera - Monitoring As A Service
devopsdayssg
0
570
amie Donoghue - Organising for DevOps - People before Process and Technology
devopsdayssg
2
470
Pradeep Buditi - Making An Easily Scalable Cloud Using MaaS And CEPH
devopsdayssg
0
770
Faisal Ramay - Virtual SA
devopsdayssg
0
350
Matt Ray - Infrastructure Agnostic Application Automation
devopsdayssg
0
490
Rob Sewell - Continuous Delivery to the PowerShell Gallery for your Modules and Scripts
devopsdayssg
0
400
David Varvel - Extreme Automation: Testing the Limits of DevOps Automation
devopsdayssg
0
1.1k

Other Decks in Technology

See All in Technology
TechFeed Experts Night#27 〜 フロントエンドフレームワーク最前線 (Svelte)
baseballyama
1
540
いつか使うかも貯金してたらめちゃめちゃ機能が増えてた話
riyaamemiya
0
330
LLM開発・活用の舞台裏@2024.04.25
yushin_n
1
360
どうするコスト最適化のトレードオフ
tetsuyaooooo
1
530
web-application-security
matsuihidetoshi
0
170
Databricks における 『MLOps』
databricksjapan
2
170
Compose Compiler Metricsを使った実践的なコードレビュー
tomorrowkey
1
220
ChatGPT for IT Service Management (IT Pro)
dahatake
7
1.6k
Cypress or Playwright?
rainerhahnekamp
0
110
[新卒向け研修資料] テスト文字列に「うんこ」と入れるな(2024年版)
infiniteloop_inc
4
16k
Google Cloud の AI を支える裏側のインフラを垣間見る!
maroon1st
0
360
Azure Container Apps + Bicep 〜 こんな感じで運用しています
kaz29
2
480

Featured

See All Featured
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
357
22k
Gamification - CAS2011
davidbonilla
76
4.6k
The MySQL Ecosystem @ GitHub 2015
samlambert
243
12k
Embracing the Ebb and Flow
colly
80
4.1k
A Tale of Four Properties
chriscoyier
151
22k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
155
14k
Writing Fast Ruby
sferik
621
60k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
6
1.5k
Reflections from 52 weeks, 52 projects
jeffersonlam
345
19k
Stop Working from a Prison Cell
hatefulcrawdad
266
19k
jQuery: Nuts, Bolts and Bling
dougneiner
59
7.1k

Transcript

  1. © 2016 VERACODE INC. 1 © 2016 VERACODE INC. AppSec

    in a DevOps World Peter Chestna, Director of Developer Engagement • 25+ Years Software Development Experience • 11+ Years Application Security Experience • Certified Agile Product Owner and Scrum Master • At Veracode since 2006 • From Waterfall to Agile to DevOps • From Monolith to MicroService • Consultant on DevSecOps best practices • Fun Fact: I love whiskey! • Tell me where to drink local whiskey @PeteChestna

  2. © 2016 VERACODE INC. 2 Applications are as risky as

    ever of all applications used some kind of hard-coded password of all applications use broken or risky cryptographic algorithms of all applications were vulnerable to open redirect attacks of all applications mix trusted and untrusted data in the same data structure or message

  3. © 2016 VERACODE INC. 3 Lack of App Security is

    Damaging Companies

  4. © 2016 VERACODE INC. 4 High Profile Breaches All attacked

    through the app layer

  5. © 2016 VERACODE INC. 5 • Unpatched vulnerability in Struts

    2 framework (CVE-2017-5638) – Disclosed in March – Exploited in May • Flaw may have been present for 9 years • 143 Million people’s records exfiltrated – Social Security Number – Date of Birth – Other PII • Stock down 30% • CEO, CIO & CISO all fired Equifax – Causes and Fallout

  6. © 2016 VERACODE INC. 6 Waterfall Transformation – Technology &

    Process Agile DevOps

  7. © 2016 VERACODE INC. 7 What is DevOps and What’s

    a DevOps Team? DevOps Team

  8. © 2016 VERACODE INC. 8 Agile – Process & Security

    Copyright 2005, Mountain Goat Software Security

  9. © 2016 VERACODE INC. 9 Is this your current AppSec

    program?

  10. © 2016 VERACODE INC. 10 Which outcome do you see?

  11. © 2016 VERACODE INC. 11 Strategy • Relationships & Accountability

    • Integration & Automation • Training & Remediation Coaching • Security Champions

  12. © 2016 VERACODE INC. 12 Strategy - Relationships • Who

    is your peer in security/development? • Do you understand each others goals & struggles? • Do you ever meet with them?

  13. © 2016 VERACODE INC. 13 Strategy - Accountability • Shared

    between development and security • Part of annual goals for both teams • Measured and reported regularly

  14. © 2016 VERACODE INC. 14 CI CD 1 Develop 4

    Check in Static Analysis 3 Build & Test 2 Backlog Strategy – Integration & Automation Pass? 7 Synchronize No Yes 7 Deploy to QA/Stage 6 Static Analysis 6 Unit Tests 8 Dynamic Analysis 8 Regression Testing Pass? Yes Stage then Prod Per Check-in 5 Build CI/CD Pipeline 3a Manual Testing*

  15. © 2016 VERACODE INC. 15 Strategy - Training • Security

    teams can help developers by providing training, either through eLearning or in-person instructor-led training • Think about targeted training based on policy violations

  16. © 2016 VERACODE INC. 16 Strategy – Training for the

    security team

  17. © 2016 VERACODE INC. 17 Strategy - Remediation Coaching For

    applications that used remediation coaching, development teams fixed more than 2.5x the average # of flaws per megabyte

  18. © 2016 VERACODE INC. 18 • Eyes and ears of

    security • Specialized training • Basic security concepts • Threat modeling • Grooming guidelines • Secure code review training • Security controls • CTF Exercises • Escalate when necessary Strategy – Security Champions

  19. © 2016 VERACODE INC. 19 Training (eLearning, instructor led, metadata

    driven) Static Application Security Testing + 3rd Party Risk Analysis Remediation and Mitigation Guidance Secure Code Reviews Manual Penetration Testing Red Team Activities Runtime Application Self Protection Dynamic Application Security Testing Plan Code Build Test Stage Deploy Monitor Threat Modeling Security Grooming Secure Design DevOps – Pervasive Security

  20. © 2016 VERACODE INC. 20 Bridge the Gap Between Development

    and Security 1. Scan early & often 2. Integrate & automate 3. Take Training 4. Request Remediation Guidance 5. Be a security champion Development Security 1. Be involved in all phases 2. Define & explain policy 3. Provide Targeted Training 4. Provide Remediation Guidance 5. Recruit & train champions