Encouraging change with Silverstripe and the SDLT

luke
September 25, 2020

Catalyst has been working with the New Zealand Transport Agency to open source (https://github.com/NZTA/SDLT) an innovative tool that automates essential aspects of the security assurance process and will embed security requirements earlier into the product development lifecycle, saving the agency both time and money.

Transcript

  1. NZTA’s Security Development Lifecycle Tool (SDLT)

  2. Catalyst locations https://www.catalyst.net.nz/

  3. at Catalyst
     • Wellington, NZ
     • Modest team size of 8 Silverstripe specialists + Visual Design, Customer Experience, QA and CloudOps teams
     • Delivery and support for a number of council, government and research institute systems and websites

  4. The New Zealand Transport Agency
     The NZ Transport Agency is a New Zealand Crown entity tasked with promoting safe and functional transport by land, including responsibility for driver and vehicle licensing and administering the New Zealand state highway network.

  5. A problem to solve

  6. Problem
     • A lack of visibility of software being assessed for digital security assurance
     • Many paper-based processes that are hard to follow
     • Security forms difficult for non-technical staff to understand
     • Teams reaching the Change Advisory Board (CAB) without following security assurance processes
     • Some teams completing all security assessment documentation when it may not actually be necessary
     • Alternative product licence costs in excess of NZD$250,000 per year (1500+ staff), plus additional costs for modification, configuration and assessment development

  7. Slack’s goSDL Tool

  8. goSDL
     • KiwiCon 2018
     • Kelly Ann, Product Security Engineer at Slack
     • Moving Fast and Securing Things (https://2018.kiwicon.org/the-con/talks/)
     • goSDL tool (https://github.com/slackhq/goSDL)
     • Highlighted the potential of using automated digital workflows for security assurance
     • Only provided approximately 5% of the functionality NZTA needed

  9. Catalyst Silverstripe Project

  10. Silverstripe Project
     • Product Owner: Scott, Security Architect at NZTA
     • Catalyst core team: Luke (Agile Delivery Lead/BA), Roopam (Developer), Elliot (Developer), Sherman (QA), Michael (Cloud Ops), Cheryl (Visual Design)
     • Release 1.0 (roll out) was around 8 weeks; user testing occurred during the first 3-6 weeks
     • 18 releases to date (over 17 months); we release roughly monthly in an ongoing development approach
     • Hosting: New Zealand Catalyst Cloud CMS Platform
     • Azure Active Directory: Azure supports OAuth, so we use the Silverstripe oauth-login module to authenticate
     • JIRA V3 API: risk controls are populated as tickets in third-party JIRA task management software with bi-directional integration, i.e. a risk control set to done in JIRA is set to “implemented” in the SDLT

  11. Overview
     • Digital questionnaire and task management system for digital security assurance
     • Users answer a series of questions about their product deliverable
     • The SDLT creates and manages the security assurance tasks required for completion (PCI-DSS compliance, penetration tests, information classification, etc.)
     • The SDLT handles approvals for the submission via a simple workflow: Security Architects, Chief Information Security Officers and Business Owners approve or deny digitally
     • Of course, built on Silverstripe as a flexible open source framework, great for managing the relational data structure required; utilising ModelAdmins, GraphQL, ReactJS and Redux

  12. Challenges
     • Security and risk assessment is a complex problem space
     • Introduced process change to a large government organisation
     • Digital Security Risk Assessment: producing a highly configurable risk matrix took some clever thinking
     • Fully configurable algorithm for risks and risk control weights and scores
     • ModelAdmin and GridFields: we have GridField “inception”, so configuration can be a bit of a learning curve (we will demo this shortly)

  13. Success
     • Over 200 assessments completed to date
     • Assessments taken from what used to be several weeks (months in extreme cases) to completion in hours or minutes in most cases, saving days of wasted effort in communication overheads and third-party assessments
     • Enabled business continuation through the COVID lockdown by being able to use the SDLT remotely
     Using the Silverstripe framework we are able to encourage real, positive business change with Silverstripe and the Security Development Lifecycle Tool.

  14. Open Source

  15. Open Source Project
     • Available on GitHub (https://github.com/NZTA/SDLT)
     • NZTA enable Catalyst to help with ongoing community support
     • NZTA is releasing their developed assessments, questions and tasks, meaning other agencies can pick this up and start using it (with a small amount of effort)
     • Also potentially useful for other agencies to adopt and contribute to

  16. Let’s take a look (demo)
     Features:
     • Open sourced assessments
     • Digital Security Risk Assessment
     • Configurable branding
     • Configurable assessments
     • Admin event audit trail

  17. SDLTaaS (https://sdlt.net.nz)
     Hosted and managed service offering:
     • Subscription service
     • Cloud hosted
     • Regular backups and maintenance
     • Consultation and training
     • New releases as they are released by the NZTA and the open source community

  18. Discussion/Questions?