
DODDFW2017 - Root-Causing Culture Impact on the Secure-by-Design Transformation

We built a dashboard that aggregates feeds from various security-specific tools in our DevSecOps tool chain. The result was an eye-opener on the effect of organizational culture and individual behavior on the application security posture. The Developer Dashboard collects data from tools such as static code analysis, dynamic app scanning, open source scanning, JIRA, the source code repository/version control system, the LMS (training), LDAP, and others. The data is visualized to help identify the root cause of the repeated introduction of vulnerable or poor-quality code, as related to the effort that goes into adopting secure coding practices, management endorsement of the secure-by-design mentality, the availability or lack of proper training, legacy apps with dead or obsolete code, or applications with no active development or support. The dashboard's capabilities provide a view all the way from the individual contributor up to the CIO (navigating the LDAP hierarchy) to help establish the scope of a problem (whether isolated or widespread) and to help identify a proper remedy across teams and organizations where similar conditions existed.

Aggregating the data into a single dashboard rendered the information more accessible and helped in addressing some important concerns and questions:
- Measuring indicators of the secure-by-design transformation
- Explaining the significant variations in vulnerability density and their relation to obsolete/dead code clean-up
- Rate of reusing common code and its implications on the cost of remediation vs. overall risk and probability of discovery of vulnerabilities
- Defining a custom vs. standard training program to yield a higher ROI
- Managing remediation through a risk-reduction vs. compliance approach
- Building awareness about real threats and cyber-attacks in the wild
- Prioritizing the remediation of vulnerabilities (e.g., OWASP Top 10, exploitability, severity)
- Distribution of roles and skills in the org (management vs. individuals, doers vs. management, junior vs. senior, …)
- Impact of the geographical distribution of teams on other indicators

The dashboard was never meant to be a glorified, metric-driven to-do list. Rather, it was intended, through the use of data visualization and pattern correlation, to help in understanding the key drivers of an accelerated and needed culture change.
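As an added illustration (not code from the talk or from the Verizon dashboard), the Python below computes vulnerability density per release, attributes a change to the findings count or to the line count as the abstract and slide 8 suggest, and rolls the metric up a hypothetical LDAP-style owner path to mimic the drill-down/climb-up view. The Release fields, org paths and all numbers are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Release:
    app: str
    version: str
    owner: str  # hypothetical LDAP-style path, CIO first: "cio/vp_apps/mgr_web/alice"
    vulns: int  # open static-analysis findings in this release
    loc: int    # total lines of code scanned for this release

def density(vulns: int, loc: int) -> float:
    """Vulnerability density: findings per 1,000 lines of code (KLOC)."""
    if loc <= 0:
        raise ValueError("zero-LOC scan: check the scanner, not the metric")
    return round(vulns * 1000.0 / loc, 3)

def explain_change(prev: Release, cur: Release) -> str:
    """Attribute a density move to findings (numerator) or LOC (denominator)."""
    before, after = density(prev.vulns, prev.loc), density(cur.vulns, cur.loc)
    dv, dl = cur.vulns - prev.vulns, cur.loc - prev.loc
    if after == before:
        return "unchanged"
    if after > before:  # more findings, or the same findings over less code
        if dv > 0:
            return "new vulnerable code or added projects"
        return "code reduction without matching remediation"
    if dv < 0:          # fewer findings: real remediation
        return "remediation" if dl >= 0 else "remediation plus dead-code clean-up"
    return "dilution: code grew faster than findings, not remediation"

def rollup(releases, depth: int) -> dict:
    """Climb up: pool findings and LOC per org node at depth (1 = CIO, 4 = person)."""
    totals = defaultdict(lambda: [0, 0])
    for r in releases:
        node = "/".join(r.owner.split("/")[:depth])
        totals[node][0] += r.vulns
        totals[node][1] += r.loc
    return {node: density(v, l) for node, (v, l) in totals.items()}

# Constructed sample data, not real figures from the talk.
ALICE = "cio/vp_apps/mgr_web/alice"
BILLING = [Release("billing", "1.0", ALICE, 40, 20000),
           Release("billing", "1.1", ALICE, 40, 16000),   # dead code removed, nothing fixed
           Release("billing", "1.2", ALICE, 40, 40000),   # a project was added
           Release("billing", "1.3", ALICE, 20, 40000)]   # fixes landed
LATEST = [BILLING[-1],
          Release("portal", "3.2", "cio/vp_apps/mgr_web/bob", 10, 10000),
          Release("ledger", "2.0", "cio/vp_infra/mgr_db/carol", 5, 50000)]
```

Running `explain_change` over consecutive BILLING releases shows the density first rising with no new findings (code reduction), then falling with no fixes (dilution), then falling through real remediation; `rollup(LATEST, 1)` pools everything under the CIO node.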


DevOpsDays DFW

August 29, 2017

Transcript

  1. © Verizon 2017, All Rights Reserved. Information contained herein is provided AS IS and subject to change without notice. All trademarks used herein are property of their respective owners. Root-Causing Culture Impact on the Secure-by-Design Transformation. Manah Khalil, IT Application Security, Director, manah.khalil@verizon.com
  2. Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. © Verizon 2017, All Rights Reserved. Information contained herein is provided AS IS and subject to change without notice. All trademarks used herein are property of their respective owners. Background & Context: DevOps, Cloud, and the Security Initiative. Improve Release Time & Quality; Sustainable Process; Reducing Operating Cost; Enhanced Application Security Posture; Delivering on the Business Requirement; Shareholder Value.
  3. Corporate Culture: corporate culture refers to the shared values, attitudes, standards, and beliefs that characterize members of an organization and define its nature.
  4. IT DevOps Culture: a good, solid agile IT culture requires nurturing, mentoring, and guidance. Time, Training, Technology.
  5. So, What’s the Problem? What is the root cause?
     • Are we moving in the right direction?
     • Can you really establish causality?
     • Can we justify the spending?
     • What else can we do?
  6. Look Closely: your DevOps dashboard is full of clues!!
  7. Developer Dashboard
  8. Example: Vulnerability Density
     Possible reasons for an increase:
     • Adding more projects to an app
     • Adding new vulnerable code
     • Reducing code
     Possible reasons for a decrease:
     • Vulnerability remediation
     • Clean-up of dead code
     • Removing obsolete projects
     Follow-ups:
     • Ask questions. Why?
     • Check total count of lines of code
  9. Ask the Questions
     • Who’s lagging and why?
     • Why those peaks and valleys?
     • Scans are slowing down
     • App count increasing
     • Is it a tool capacity issue? Or is the team spread too thin?
  10. Release to Release Vulnerabilities: instant feedback promotes true accountability.
     • Who’s introducing new issues? Why?
     • New issues vs. recurring similar issue types?
     • How long is it taking to remediate?
  11. Dynamic Application Scanning: Trust but Verify! Done with a checklist vs. thorough coverage?
  12. Locate the Problem
     1. ↘ Drill down to zoom in on the problematic area
     2. ↗ Climb up to find the extent and scope of the issue
     Is it:
     • Individual (training, accountability, tool, …)
     • Manager (training, prioritization, focus, authority, accountability, …)
     • Application (technology, tools, process, …)
     • Organization (direction, priority, …)
  13. Other Things to Look at
     • Talent Management & Individuals: experience (senior vs. junior); suitability of training material and delivery method (CBT vs. classroom vs. hands-on)
     • Applications & Roles: who’s checking in code; who’s managing; who’s PM’ing
     • Capacity Planning: which applications are properly resourced; active vs. in-sustained-engineering applications
  14. Is Your IT Culture Promoting a ‘Succeed Together’ or a ‘Fail Alone’ culture? $$$
  15. Final Thought, …. Ask the Questions.