DevSecOps Meetup - Security Challenges in DevOps - Wynand Viljoen

Ashish
February 27, 2018


Presented on 27/02/2018 - at the DevSecOps Melbourne Meetup

Transcript

  1. Agenda
     • Who am I?
     • How did we get to a DevOps world?
     • Where does security fit in?
     • Tooling
     • Wrap
  2. A Brief History
     In the beginning…
     • IT -> unstructured
     • Development -> centralised, bespoke and slow
     • Security -> non-existent
     Then…
     • IT -> ITIL
     • Development -> Waterfall, distributed, web…
     • Security -> COBIT, NIST, ISO, OWASP…
     Now…
     • IT -> DevOps
     • Development -> Waterfall -> SCRUM
     • Security -> ?
  3. DevOps Success – Why?
     Traditional IT/Dev
     • Huge upfront cost and design
     • Separate design, build and run
     • Manual processes
     • Discrete testing
     • On-premise (mostly)
     • Enterprise tools
     • Etc.
     DevOps
     • Work it out as you go
     • Integrated deployment/run
     • Automation
     • Testing as you go
     • Cloud (mostly)
     • CI/CD tools
     • Etc.
  4. High performers deploy changes 30 times more often with lead times 200 times shorter - Puppet Labs' State of DevOps report
  5. In 2014, Amazon deployed 50 million changes: that’s more than one change deployed every second of every day.
  6. Security in DevOps – Etsy’s Story
     • Trust people to do the right thing but still verify
     • Make data visible, including risks, threats, etc.
     • Fix it and ship it - no passing the buck
     • Security cannot be a blocker - realistic, practical security with reasonable trade-offs
     • Security engineers dedicated to DevOps teams
  7. OWASP Proactive Controls
     OWASP Proactive Controls: https://www.owasp.org/index.php/OWASP_Proactive_Controls
     A set of secure development practices, guidelines, and techniques to help build secure applications. These practices help shift security earlier into design, coding, and testing.
  8. Tools (SAST)
     Static Application Security Testing (SAST)
     • FindBugs (IDE plugin)
     • OWASP SonarQube (wraps multiple SAST tools, runs in CI/CD with plugins for Jenkins and GitHub)
     • HPE Fortify
     • Checkmarx
     • Coverity
     • Veracode
     • Software Assurance Marketplace (SWAMP)
  9. Tools (SCA)
     Software Component Analysis (SCA)
     • OWASP's Dependency Check project (catalogues and scans open source components)
     • SourceClear (commercial)
     • Sonatype's Nexus Lifecycle
  10. Tools (DAST)
      Dynamic Application Security Testing (DAST)
      • OWASP ZAP (Jenkins plugin, integration through API); see "Security Testing with OWASP ZAP in CI/CD" - Simon Bennetts - Codemotion Amsterdam 2017
      • Burp Suite Pro (commercial)
      • Netsparker (commercial)
      • Acunetix (commercial)
      • AppScan (commercial)
  11. Wrap
      • Secure coding | Security as code
      • Prod data in test/dev, including keys
      • Insecure cloud controls (e.g. unprotected S3 buckets)
      • Mobile app security (learn from web mistakes)
      • APIs often lack strict business logic
      • Client-side security not adequate
      • Roll your own crypto… bad idea
      • Stack Overflow and other online sources teach bad habits
  12. ?