
Security and Continuous Delivery - Sriram "Ram" Narayanan & Prasanna K

We will share our success stories and lessons learned on working toward Continuous Delivery on a public facing web application for a popular website. This will cover Infrastructure Engineering, Build and Release Engineering, End to End Auditability and Tracability, 1 Click Application Deployments, and Security from the Infrastructure to the Application Workflow.

DevOpsDays Singapore

October 16, 2015

Transcript

  1. @sriramNRN @prasannaIN
     Continuous Delivery
     "A software engineering approach in which teams keep producing valuable software in short cycles and ensure that the software can be reliably released at any time." - Wikipedia
     Working code is not enough. It has to be valuable too.
  2. The usual improvements
     Focus is usually on:
     • Faster Build, Test, Packaging, and Deploy times
     • More Automation
     • Involve QAs earlier, right from Story writing
     • Dev and Test environments are made “Prod Like”
  3. The usual experiences with “security”
     • “Auditors!”
     • Infosec teams
     • “Compliance”
     • External Testers and their “unreasonable” reports
     • Last minute fixes, pushing back, de-prioritization
     • “Lots of theatre and drama with nothing concrete!”
     • “SSL”
     • “User Names and Passwords”
     • “Automated Scanners and Tools”
     • “Encryption”
     • “Credit Card and Password theft!”
     • “All that Infosec teams do is to disallow everything!”
  4. Policies, Standards, Processes, Guidelines
     • Policies - “Have Passwords and Enforce regular password changes”
     • Standards - Password length, strength, entropy, etc.
     • Processes - “Here’s how we will remind users to change passwords”
     • Guidelines - “Change Passwords every 90 days”
  5. Defense in Depth
     The problem with “You’ve got Bigger Problems”:
     Don’t you have a safe at home even though your main door has a lock?
  6. Traceability and Auditability
     • Can you trace back from code in production to a documented requirement?
     • Can you trace all actions in Development and Production, and know that the traces were not tampered with?
     • Can you guarantee that no unauthorised impersonation occurred at any time between code development and go-live?
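The three questions above describe a tamper-evident trail from requirement to production. The following is an added example (not code from the talk or from the speakers' project) of one way to build such a trail: each pipeline event records its parent and a keyed MAC over the previous event, so a deploy can be walked back to its story and any edited or dropped record is detected. All identifiers (story IDs, commit hashes, build numbers, the key) are constructed; in a real pipeline the key would be held only by the CI/CD system, or replaced by per-actor signatures, so that the people being audited cannot re-mint valid records.

```python
"""Tamper-evident trace from a documented requirement to a production deploy.

Added illustration; not the talk's code. Every identifier below is constructed.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import List, Optional

# Constructed key. In practice it lives in the CI secret store, never in the repo.
AUDIT_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64


@dataclass
class TraceEvent:
    stage: str      # "story", "commit", "build" or "deploy"
    actor: str      # who performed the action (person or CI identity)
    ref: str        # requirement id, commit hash, build number, deploy id
    parent: str     # ref of the event this one was derived from ("" for a story)
    prev_mac: str   # MAC of the previous event, which chains the records together
    mac: str = ""


def _canonical(body: dict) -> bytes:
    # Stable serialisation so the MAC does not depend on dict ordering.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _mac(ev: TraceEvent) -> str:
    body = asdict(ev)
    body.pop("mac")
    return hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()


def append_event(chain: List[TraceEvent], stage: str, actor: str, ref: str, parent: str) -> TraceEvent:
    """Append a new record whose MAC covers its content and the previous record's MAC."""
    prev = chain[-1].mac if chain else GENESIS
    ev = TraceEvent(stage, actor, ref, parent, prev)
    ev.mac = _mac(ev)
    chain.append(ev)
    return ev


def verify_chain(chain: List[TraceEvent]) -> Optional[int]:
    """Return the index of the first record that fails verification, or None if intact."""
    prev = GENESIS
    for i, ev in enumerate(chain):
        if ev.prev_mac != prev or not hmac.compare_digest(_mac(ev), ev.mac):
            return i
        prev = ev.mac
    return None


def trace_back(chain: List[TraceEvent], deploy_ref: str) -> List[str]:
    """Walk parent links from a production deploy back to its documented requirement."""
    by_ref = {ev.ref: ev for ev in chain}
    path: List[str] = []
    ref = deploy_ref
    while ref in by_ref:
        ev = by_ref[ref]
        path.append(f"{ev.stage}:{ev.ref}")
        if ev.stage == "story":
            return path
        ref = ev.parent
    raise ValueError(f"{deploy_ref} does not trace back to a documented requirement")


def build_demo_chain() -> List[TraceEvent]:
    """Constructed sample trail: story -> commit -> build -> deploy."""
    chain: List[TraceEvent] = []
    append_event(chain, "story", "product-owner", "STORY-42", "")
    append_event(chain, "commit", "dev-alice", "c0ffee12", "STORY-42")
    append_event(chain, "build", "ci-runner", "build-117", "c0ffee12")
    append_event(chain, "deploy", "cd-runner", "prod-2015-10-16-01", "build-117")
    return chain


if __name__ == "__main__":
    chain = build_demo_chain()
    print("intact:", verify_chain(chain) is None)
    print("trace:", " <- ".join(trace_back(chain, "prod-2015-10-16-01")))
    chain[2].actor = "someone-else"   # simulate an after-the-fact edit of the build record
    print("first bad record after tampering:", verify_chain(chain))
```

Editing any field of a record, or removing a record from the middle, changes the MAC that the next record expected, so verification fails at the earliest altered point. A deploy whose parent links never reach a story is reported as untraceable, which is exactly the first question on the slide.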
  7. The Truth about the “Cloud”
     The Cloud is just someone else’s server.
     Moving to the Cloud doesn’t absolve us of taking precautions.
  8. Layers
     • Network
     • Server Hardware
     • Operating System
     • Tech Stack
     • Application
     Pretty good standards, examples, tools and automation are available for all these layers.
  9. Automated Secure Infrastructure
     • Automate environment creation
     • Automate all hardening steps (CIS Benchmarks)
     • Use the same hardening steps from dev to production
     • GPG Signed packages
     • Tools - Brakeman, ZAP in the pipeline for low hanging fruits
     • Tech stack scans and hardening
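Automating the hardening steps also means automating the check that they were applied, and running that same check in every environment from dev to production. The following is an added example, not from the talk or from any CIS tooling: a small auditor that reads an `sshd_config`, resolves effective values the way sshd does (first occurrence of a directive wins), and compares a handful of widely published SSH hardening items against it. The rule set is an illustrative subset, the two sample configs are constructed, and treating an unset directive as a finding is a design choice here (it keeps the config explicit rather than dependent on compiled-in defaults).

```python
"""Audit an sshd_config against a few CIS-style SSH hardening expectations.

Added illustration; not the talk's code. Sample configs are constructed and the
rule list is a small subset used to demonstrate the approach.
"""
import re
from typing import Callable, Dict, List, Tuple

# (directive, predicate on the effective value, human-readable expectation)
RULES: List[Tuple[str, Callable[[str], bool], str]] = [
    ("PermitRootLogin", lambda v: v.lower() == "no", "no"),
    ("PermitEmptyPasswords", lambda v: v.lower() == "no", "no"),
    ("X11Forwarding", lambda v: v.lower() == "no", "no"),
    ("MaxAuthTries", lambda v: v.isdigit() and int(v) <= 4, "4 or less"),
    ("LogLevel", lambda v: v.upper() in ("INFO", "VERBOSE"), "INFO or VERBOSE"),
]

UNSET = "<unset>"


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return effective global directives (lower-cased keys).

    sshd uses the first occurrence of a directive; later duplicates are ignored.
    Anything after the first Match block applies conditionally and is out of scope.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s+|=", line, maxsplit=1)  # keyword, then optional '=' or spaces
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)          # first occurrence wins
    return effective


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return findings as (directive, actual, expected). An empty list means compliant."""
    conf = parse_sshd_config(text)
    findings = []
    for directive, ok, expected in RULES:
        actual = conf.get(directive.lower(), UNSET)
        if actual == UNSET or not ok(actual):
            findings.append((directive, actual, expected))
    return findings


# Constructed sample: a typical un-hardened config.
WEAK_CONFIG = """\
# constructed sample, not a real host
Port 22
PermitRootLogin yes
X11Forwarding yes
MaxAuthTries 10
LogLevel INFO
"""

# Constructed sample: hardened, with a Match block that must not affect the global result.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
Match User backup
    X11Forwarding yes
"""


if __name__ == "__main__":
    import sys
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {'OK' if not findings else findings}")
    # In a pipeline: fail the stage when the environment's config has findings.
    sys.exit(1 if audit(WEAK_CONFIG) else 0)
```

Run it as a pipeline stage against the config the environment actually generates; because the same script gates dev, test and production, a drift in one environment surfaces before release rather than in an auditor's report.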
  10. The Application Layer
     • “What can I do to steal data or circumvent checks within the application to suit my needs?” - the attacker’s guiding thought
     • The weakest layer - the biggest attack surface
     • No real defence via firewalls, policies, Intrusion Detection systems, Anti Virus, or Change Management
     • The biggest fear for business
     • The biggest time sink for Development teams
  11. The Truth about Automated Scans
     Notes from ongoing experience:
     • Great for low hanging fruit like SQL Injection, some Cross Site Scripting, etc.
     • Can’t expect an automated scanner to understand and validate domain logic and domain checks
     • Pen Testers combine a knowledge of domain logic, tech stack, and OWASP Patterns/Anti-Patterns to circumvent workflows.
  12. In Conclusion
     • Regular Deployable Packages != Continuous Deployment
     • The truly valuable security testing is manual and by specialists
     • With the right automation and involvement, we can cut down time between “dev complete” and “Go live”