Peter Chestna - AppSec in a DevOps World

AppSec In A DevOps World

Security has typically been done at the end of the development cycle, if it is done at all. This has the same side effects as testing quality just before shipping: it surfaces work and risk at the worst possible time. DevOps is forcing development teams to re-think their accountability. Not only are they responsible for functional quality, but now they must also operationalize their software. I assert that they should also be accountable for security, and that they should treat security findings as equal citizens to their functional defects. Software written without security in mind opens a company up to brand damage and the costs associated with breaches, and that will reflect directly on the teams that built the software.

How can DevOps teams add security to DevOps without losing velocity? In this session, Peter Chestna, Director of Developer Engagement, discusses how security is typically bolted on to the development process as well as the pressures on DevOps teams. He will then provide practical strategies to integrate security successfully into the SDLC while maintaining the velocity necessary to realize the benefits of DevOps.

What you will learn:
1. Why application security (AppSec) is important
2. Why traditional approaches don’t work
3. How to add security into DevOps while maintaining velocity
4. What to measure as leading indicators of success

DevOpsDays Singapore

October 25, 2017

Transcript

1. © 2016 VERACODE INC. AppSec in a DevOps World – Peter Chestna, Director of Developer Engagement • 25+ Years Software Development Experience • 11+ Years Application Security Experience • Certified Agile Product Owner and Scrum Master • At Veracode since 2006 • From Waterfall to Agile to DevOps • From Monolith to MicroService • Consultant on DevSecOps best practices • Fun Fact: I love whiskey! • Tell me where to drink local whiskey @PeteChestna

2. Applications are as risky as ever (the percentages shown on the slide are not in the transcript): • of all applications used some kind of hard-coded password • of all applications use broken or risky cryptographic algorithms • of all applications were vulnerable to open redirect attacks • of all applications mix trusted and untrusted data in the same data structure or message

3. Lack of App Security is Damaging Companies

4. High Profile Breaches – All attacked through the app layer

5. Equifax – Causes and Fallout • Unpatched vulnerability in Struts 2 framework (CVE-2017-5638) – Disclosed in March – Exploited in May • Flaw may have been present for 9 years • 143 Million people’s records exfiltrated – Social Security Number – Date of Birth – Other PII • Stock down 30% • CEO, CIO & CISO all fired

6. Transformation – Technology & Process: Waterfall, Agile, DevOps

7. What is DevOps and What’s a DevOps Team? (diagram: DevOps Team)

8. Agile – Process & Security (Scrum process diagram, Copyright 2005, Mountain Goat Software, with Security added)

9. Is this your current AppSec program?

10. Which outcome do you see?

11. Strategy • Relationships & Accountability • Integration & Automation • Training & Remediation Coaching • Security Champions

12. Strategy – Relationships • Who is your peer in security/development? • Do you understand each other’s goals & struggles? • Do you ever meet with them?

13. Strategy – Accountability • Shared between development and security • Part of annual goals for both teams • Measured and reported regularly

14. Strategy – Integration & Automation (CI/CD pipeline diagram; step numbers as on the slide): 1 Develop, fed from 2 Backlog; 3 Build & Test (Static Analysis), 3a Manual Testing*; 4 Check in. CI, per check-in: 5 Build; 6 Static Analysis and 6 Unit Tests; Pass? No: 7 Synchronize; Yes: CD: 7 Deploy to QA/Stage; 8 Dynamic Analysis and 8 Regression Testing; Pass? Yes: Stage then Prod.
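To make the "Pass?" and "Synchronize" steps of the pipeline on slide 14 concrete, here is an added example (not from the talk, the speaker, or Veracode) of a gate a team could run in CI: it evaluates static-analysis findings against a policy and mirrors the findings into the backlog so they are tracked alongside functional defects, as the abstract argues. The finding fields, the severity scale, the CWE-based policy values, and the two sample scans are all constructed assumptions.

```python
"""Added example, not from the talk or Veracode: a CI gate for steps 6 and 7
of the pipeline on slide 14. It applies a policy to static-analysis findings
(the "Pass?" decision) and synchronizes findings into the backlog so they are
tracked like functional defects. Field names, the severity scale, the policy
values and the sample findings are all constructed assumptions."""

from dataclasses import dataclass

# Assumed five-level severity scale; a higher number is more severe.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Very High": 4}


@dataclass(frozen=True)
class Finding:
    fingerprint: str  # scanner-issued stable id (assumed); survives line shifts
    cwe: int
    severity: str
    path: str
    line: int
    summary: str


@dataclass(frozen=True)
class Policy:
    fail_at_or_above: str = "High"
    # Categories the talk calls out as still common (slide 2): hard-coded
    # credentials (CWE-798) and broken/risky crypto (CWE-327) fail the gate
    # regardless of the severity the scanner assigned.
    always_fail_cwes: frozenset = frozenset({798, 327})


def violates(finding: Finding, policy: Policy) -> bool:
    """True if a single finding breaks the policy."""
    if finding.cwe in policy.always_fail_cwes:
        return True
    return SEVERITY_RANK[finding.severity] >= SEVERITY_RANK[policy.fail_at_or_above]


def evaluate(findings, policy: Policy):
    """The 'Pass?' gate: returns (passed, list of violating findings)."""
    violations = [f for f in findings if violates(f, policy)]
    return (not violations, violations)


def synchronize(findings, backlog: dict):
    """Step 7 'Synchronize': mirror scanner results into the backlog.

    backlog maps fingerprint -> ticket dict. A finding not yet in the backlog
    opens a ticket; an open ticket whose finding is no longer reported is
    marked fixed; a fixed ticket whose finding reappears is reopened. Running
    twice on identical results changes nothing, so re-scans never create
    duplicate tickets. Returns (opened fingerprints, fixed fingerprints).
    """
    reported = {f.fingerprint: f for f in findings}
    opened, fixed = [], []
    for fp, f in reported.items():
        ticket = backlog.get(fp)
        if ticket is None:
            backlog[fp] = {"status": "open", "severity": f.severity, "cwe": f.cwe,
                           "title": f"CWE-{f.cwe} in {f.path}:{f.line}: {f.summary}"}
            opened.append(fp)
        elif ticket["status"] == "fixed":
            ticket["status"] = "open"  # regression: the flaw came back
            opened.append(fp)
    for fp, ticket in backlog.items():
        if fp not in reported and ticket["status"] == "open":
            ticket["status"] = "fixed"
            fixed.append(fp)
    return opened, fixed


# Constructed sample scans: the first check-in contains a hard-coded password;
# the second removes it, but the two lower-severity findings remain.
SCAN_1 = [
    Finding("a1", 798, "Very High", "src/db.py", 12, "hard-coded database password"),
    Finding("b2", 79, "Medium", "src/views.py", 40, "reflected XSS in search"),
    Finding("c3", 601, "Low", "src/auth.py", 88, "open redirect after login"),
]
SCAN_2 = [f for f in SCAN_1 if f.fingerprint != "a1"]
POLICY = Policy()


def run_demo():
    """Push two consecutive check-ins through the gate; report what each did."""
    backlog = {}
    passed1, viol1 = evaluate(SCAN_1, POLICY)
    opened1, fixed1 = synchronize(SCAN_1, backlog)
    passed2, viol2 = evaluate(SCAN_2, POLICY)
    opened2, fixed2 = synchronize(SCAN_2, backlog)
    return {
        "checkin1": {"passed": passed1, "violations": [f.fingerprint for f in viol1],
                     "opened": opened1, "fixed": fixed1},
        "checkin2": {"passed": passed2, "violations": [f.fingerprint for f in viol2],
                     "opened": opened2, "fixed": fixed2},
        "open_tickets": sorted(fp for fp, t in backlog.items() if t["status"] == "open"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Running the two check-ins shows the behaviour the pipeline needs: the first fails on the hard-coded password and opens three tickets; the second passes once that flaw is gone, marks its ticket fixed and opens nothing new because the other fingerprints already exist. The remaining Medium and Low items stay in the backlog to be prioritised with the other defects rather than blocking every build, which is how a team keeps velocity while still owning its security findings.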
15. Strategy – Training • Security teams can help developers by providing training, either through eLearning or in-person instructor-led training • Think about targeted training based on policy violations

16. Strategy – Training for the security team

17. Strategy – Remediation Coaching: For applications that used remediation coaching, development teams fixed more than 2.5x the average # of flaws per megabyte

18. Strategy – Security Champions • Eyes and ears of security • Specialized training • Basic security concepts • Threat modeling • Grooming guidelines • Secure code review training • Security controls • CTF Exercises • Escalate when necessary

19. DevOps – Pervasive Security (phases: Plan, Code, Build, Test, Stage, Deploy, Monitor): Threat Modeling, Security Grooming, Secure Design, Training (eLearning, instructor led, metadata driven), Static Application Security Testing + 3rd Party Risk Analysis, Remediation and Mitigation Guidance, Secure Code Reviews, Manual Penetration Testing, Red Team Activities, Runtime Application Self Protection, Dynamic Application Security Testing

20. Bridge the Gap Between Development and Security. Development: 1. Scan early & often 2. Integrate & automate 3. Take Training 4. Request Remediation Guidance 5. Be a security champion. Security: 1. Be involved in all phases 2. Define & explain policy 3. Provide Targeted Training 4. Provide Remediation Guidance 5. Recruit & train champions