Agenda
• Introductions
• What is DevOps to Security
• Case Study 1
• Case Study 2
• Pipeline
• Conceptual framework
• Maturity Model
• OWASP Projects
• How to Get Involved
Introduction
Timeline: 1997, 2006, 2014
Roles: Consultant, Engineer, Software Architect, Director of Engineering, Rabble Rouser, Founder, Consultant
Technologies: Perl, Java Applet, C++, J2EE, J2EE Spring, Ruby, Rails, Agile, Clojure, Graph Database
Built: Analytics, Certificate Authority, Vulnerability Scanner, Penetration Test Manager, Pricing
Domains: Retail Banking, Manufacturing, Pharma, Healthcare, Research
Talks: Chicago BSides 2011, 2012; Defcon Skytalk; OWASP Chicago, MSP 2013; AppSec USA 2012, 2013; ChicagoRuby 2013; Secure 360; Lone Star Ruby 2013; WindyCityRails 2013; Chicago JUG 2014; RailsConf 2014; Converge 2014
Education: MS in CS
Trying to hack a business model that succeeds while helping developers.
Projects: DevOps / Automation, Training, Coaching, Code Review, Plugged in to SDLC, Consulting, Assessments
@mkonda [email protected]
DevOps Growing
Mounter
Currently: brakeman, bundler-audit, owasp-dependency-check, secrets in source, retire.js, scan.js
Future: many more possible. Designed for extension.
(diagram: Files, Code)
Other Internals
• Within “Tasks”, each of the files, code and app phases of the pipeline can be run selectively.
(diagram: Mounter → Files → Code → App → Filter → Reporter, with Files, Code and App grouped as “Tasks”)
A detailed example:
• Let’s say a feature is being developed
• Then devs and testers are checking a new feature
• Let them browse through an attack proxy (like Burp or ZAP) in passive mode
• At night or when the system is quiet, use the browsing pattern as seeds for overnight attacks
Kata Name: Run ZAP Proxy Daily
Kata Detail: Automate a way to run ZAP Proxy against an app on a daily basis and report issues to Jira
How to Do the Kata: Activate “XYZ” Jenkins Plugin
Training Resource: A web page with specifics about this Kata.
Experts: A reference to people that can help with this Kata.
Difficulty: Belt level for the Kata.
Security Objectives: What security objectives does this Kata help us to achieve?
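The two slides above (seed the overnight attack from the day's passive browsing, then run ZAP daily and report to Jira) describe one nightly job. The script below is an added example of what that job would run, not code from the slides or from OWASP Glue, and the “XYZ” Jenkins plugin on the slide is a placeholder that it does not try to fill. It assumes a ZAP daemon on 127.0.0.1:8080 started with an API key, a Jira instance at the hypothetical jira.example.com with a project key SEC, and basic-auth credentials in the environment; the HTTP transport is a lambda so the same flow can be exercised against canned responses. During the day ZAP only records what the devs browse; at night the script takes every recorded URL under the target, active-scans it, pulls the Medium-and-up alerts, and files one Jira issue per finding, using a stable label per (rule, path, parameter) so the same finding is not filed again the next night.

```ruby
# Nightly ZAP attack seeded from the day's passive-proxy history, findings filed to Jira.
# Added example, not code from the slides or from OWASP Glue.
# Assumptions (hypothetical): ZAP daemon on 127.0.0.1:8080 with an API key,
# Jira at jira.example.com, project key "SEC", basic auth from the environment.
require "digest"
require "json"
require "net/http"
require "uri"

ZAP_API      = "http://127.0.0.1:8080"                           # assumed local ZAP daemon
ZAP_KEY      = ENV.fetch("ZAP_API_KEY", "changeme")               # ZAP started with -config api.key=...
JIRA_API     = "https://jira.example.com/rest/api/2"              # assumed Jira host
JIRA_TOKEN   = ENV.fetch("JIRA_BASIC_AUTH", "dXNlcjp0b2tlbg==")    # base64("user:token"), placeholder
JIRA_PROJECT = "SEC"
RISK_ORDER   = { "Informational" => 0, "Low" => 1, "Medium" => 2, "High" => 3 }.freeze

# Real transport: JSON in, JSON out. Tests pass a lambda with the same signature.
HTTP_TRANSPORT = lambda do |method, url, body = nil, headers = {}|
  uri = URI(url)
  req = (method == :post ? Net::HTTP::Post : Net::HTTP::Get).new(uri, headers)
  if body
    req["Content-Type"] = "application/json"
    req.body = JSON.generate(body)
  end
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |h| h.request(req) }
  JSON.parse(res.body)
end

# Call a ZAP JSON API endpoint such as /JSON/ascan/action/scan/.
def zap(transport, component, kind, name, params = {})
  query = URI.encode_www_form(params.merge(apikey: ZAP_KEY))
  transport.call(:get, "#{ZAP_API}/JSON/#{component}/#{kind}/#{name}/?#{query}")
end

# URLs ZAP recorded while devs and testers browsed through it in passive mode,
# limited to the app under test so the night-time attack never hits third parties.
def seed_urls(transport, scope)
  seen = zap(transport, "core", "view", "urls")["urls"]
  seen.select { |u| u == scope || u.start_with?("#{scope}/") }.uniq.sort
end

# Active-scan each seed, recursing into what sits beneath it, and block until it finishes.
def active_scan(transport, seeds, poll_seconds: 10)
  seeds.each do |seed|
    id = zap(transport, "ascan", "action", "scan", url: seed, recurse: "true", inScopeOnly: "true")["scan"]
    sleep(poll_seconds) until zap(transport, "ascan", "view", "status", scanId: id)["status"] == "100"
  end
end

# Alerts for the target, with everything below the risk threshold dropped.
def collect_alerts(transport, scope, min_risk: "Medium")
  alerts = zap(transport, "core", "view", "alerts", baseurl: scope, start: 0, count: 5000)["alerts"]
  alerts.select { |a| RISK_ORDER.fetch(a["risk"], 0) >= RISK_ORDER.fetch(min_risk) }
end

# Stable label per (rule, path, parameter): query values change from night to
# night, so they are deliberately left out of the identity.
def fingerprint(alert)
  path = URI(alert["url"]).path
  digest = Digest::SHA256.hexdigest("#{alert['pluginId']}|#{path}|#{alert['param']}")[0, 12]
  "zap-#{alert['pluginId']}-#{digest}"
end

def jira_headers
  { "Authorization" => "Basic #{JIRA_TOKEN}", "Accept" => "application/json" }
end

# Key of an unresolved issue already carrying this label, or nil.
def open_issue_key(transport, label)
  jql = %(project = #{JIRA_PROJECT} AND labels = "#{label}" AND resolution = Unresolved)
  query = URI.encode_www_form(jql: jql, fields: "key")
  issues = transport.call(:get, "#{JIRA_API}/search?#{query}", nil, jira_headers)["issues"]
  issues.empty? ? nil : issues.first["key"]
end

# One issue per new finding; findings already open are skipped. Returns [created, skipped].
def file_to_jira(transport, alerts)
  created, skipped = [], []
  alerts.each do |a|
    label = fingerprint(a)
    if (existing = open_issue_key(transport, label))
      skipped << existing
      next
    end
    fields = {
      "project"     => { "key" => JIRA_PROJECT },
      "issuetype"   => { "name" => "Bug" },
      "summary"     => "[ZAP #{a['risk']}] #{a['alert']} at #{URI(a['url']).path}",
      "description" => "URL: #{a['url']}\nParameter: #{a['param']}\n\n#{a['description']}\n\nSolution: #{a['solution']}",
      "labels"      => [label, "zap-nightly"]
    }
    created << transport.call(:post, "#{JIRA_API}/issue", { "fields" => fields }, jira_headers)["key"]
  end
  [created, skipped]
end

def nightly(scope, transport: HTTP_TRANSPORT)
  seeds = seed_urls(transport, scope)
  active_scan(transport, seeds)
  file_to_jira(transport, collect_alerts(transport, scope))
end

# Usage from a cron or Jenkins job: ruby nightly_zap.rb https://app.example.com
nightly(ARGV[0]) if $PROGRAM_NAME == __FILE__ && ARGV[0]
```

Two caveats a practitioner would add: the ZAP context should be set so that `inScopeOnly` actually excludes the third-party hosts the browsers touched, and the daytime proxy must never run in attack mode, or the “passive” session will start firing payloads at shared test environments.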
• Data Classification
• OWASP Top 10 Training
• Simple Developer Environment Setup
• Continuous Integration and Testing
• Source Code Repository and Proper Tags
• Repeatable Deployment
• HTTPS (TLS) Everywhere
• Baseline Security Requirements
• Test for Security Headers
• Lockout to Prevent Brute Force
• Consistent Output Encoding
• Audit Records Written
• IDE Style Checks
• Villain Persona and Security Requirements
• Operational Metrics
• Unauthenticated Scanning
• Attack Awareness
• Behavioral Blocking
• Centralized Security Service
• Security Unit Tests for Business Logic
• Hands on Developer Security Training
• Dynamic Analysis
• Runtime Application Security Analysis
• Application Honeypot
The intent is not to force everyone to do every one of those things. The intent is to help identify the things that can be done and layer them so that they can be prioritized.
I recognize that software has become a foundation of our modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged.