Slide 1

© 2016 VERACODE INC.

AppSec in a DevOps World
Peter Chestna, Director of Developer Engagement

• 25+ Years Software Development Experience
• 11+ Years Application Security Experience
• Certified Agile Product Owner and Scrum Master
• At Veracode since 2006
• From Waterfall to Agile to DevOps
• From Monolith to MicroService
• Consultant on DevSecOps best practices
• Fun Fact: I love whiskey!
• Tell me where to drink local whiskey @PeteChestna

Slide 2

Applications are as risky as ever

• of all applications used some kind of hard-coded password
• of all applications use broken or risky cryptographic algorithms
• of all applications were vulnerable to open redirect attacks
• of all applications mix trusted and untrusted data in the same data structure or message

Slide 3

Lack of App Security is Damaging Companies

Slide 4

High Profile Breaches
All attacked through the app layer

Slide 5

Equifax – Causes and Fallout

• Unpatched vulnerability in Struts 2 framework (CVE-2017-5638)
  – Disclosed in March
  – Exploited in May
• Flaw may have been present for 9 years
• 143 Million people’s records exfiltrated
  – Social Security Number
  – Date of Birth
  – Other PII
• Stock down 30%
• CEO, CIO & CISO all fired

Slide 6

Transformation – Technology & Process
Waterfall → Agile → DevOps

Slide 7

What is DevOps and What’s a DevOps Team?
[Diagram: DevOps Team]

Slide 8

Agile – Process & Security
[Diagram: Copyright 2005, Mountain Goat Software; Security]

Slide 9

Is this your current AppSec program?

Slide 10

Which outcome do you see?

Slide 11

Strategy

• Relationships & Accountability
• Integration & Automation
• Training & Remediation Coaching
• Security Champions

Slide 12

Strategy - Relationships

• Who is your peer in security/development?
• Do you understand each other’s goals & struggles?
• Do you ever meet with them?

Slide 13

Strategy - Accountability

• Shared between development and security
• Part of annual goals for both teams
• Measured and reported regularly

Slide 14

Strategy – Integration & Automation

[Diagram: CI/CD Pipeline, per check-in]
1. Develop
2. Backlog
3. Build & Test
3a. Manual Testing*
4. Check in (Static Analysis)
5. Build
6. Static Analysis; Unit Tests
   Pass? No → 7. Synchronize (back to development)
   Pass? Yes → 7. Deploy to QA/Stage
8. Dynamic Analysis; Regression Testing
   Pass? Yes → Stage then Prod
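The "Pass?" gate after the static-analysis step on this slide is where a policy decides whether a check-in moves on to QA/Stage or is synchronized back to the developers. The following is an added example (not Veracode's code or the deck's own) of such a gate: it takes a list of static-analysis findings, applies a severity threshold plus a list of always-blocking CWE categories (the three flaw classes named on Slide 2: hard-coded credentials CWE-798, broken/risky crypto CWE-327, open redirect CWE-601), skips findings the team has formally mitigated, and returns the next pipeline step. The severity scale, the policy values and the sample findings are all constructed for the example.

```python
"""Policy gate for the 'Pass?' decision of a CI/CD pipeline (added example)."""
from dataclasses import dataclass, field
from typing import List

# Constructed 1..5 severity scale (assumption for this example).
SEVERITY_NAMES = {5: "Very High", 4: "High", 3: "Medium", 2: "Low", 1: "Very Low"}


@dataclass(frozen=True)
class Finding:
    cwe: int                 # CWE id of the flaw category reported by the scanner
    severity: int            # 1..5 on the constructed scale above
    file: str
    line: int
    mitigated: bool = False  # True once security has accepted a documented mitigation


@dataclass(frozen=True)
class Policy:
    block_at_or_above: int            # any unmitigated finding at this severity or higher blocks
    blocking_cwes: frozenset          # CWE ids that block regardless of severity
    honor_mitigations: bool = True    # whether approved mitigations take a finding out of scope


@dataclass
class GateResult:
    passed: bool
    blocking: List[Finding] = field(default_factory=list)
    evaluated: int = 0


def evaluate(findings: List[Finding], policy: Policy) -> GateResult:
    """Apply the policy to every finding and collect the ones that fail the build."""
    blocking = []
    for f in findings:
        if policy.honor_mitigations and f.mitigated:
            continue  # accepted risk: does not count against the gate
        if f.severity >= policy.block_at_or_above or f.cwe in policy.blocking_cwes:
            blocking.append(f)
    return GateResult(passed=not blocking, blocking=blocking, evaluated=len(findings))


def next_step(result: GateResult) -> str:
    """Map the gate outcome onto the two arrows of the slide's flowchart."""
    return "Deploy to QA/Stage" if result.passed else "Synchronize"


def summarize(result: GateResult) -> dict:
    """Count blocking findings per severity name, for the build log / dashboard."""
    counts = {}
    for f in result.blocking:
        name = SEVERITY_NAMES.get(f.severity, str(f.severity))
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed policy: block High and above, and the Slide 2 flaw classes at any severity.
DEFAULT_POLICY = Policy(block_at_or_above=4, blocking_cwes=frozenset({798, 327, 601}))

# Constructed sample scan output for one check-in.
SAMPLE_FINDINGS = [
    Finding(cwe=798, severity=4, file="src/db.py", line=12),                    # hard-coded credential
    Finding(cwe=327, severity=3, file="src/crypto.py", line=40, mitigated=True),  # accepted mitigation
    Finding(cwe=79, severity=5, file="web/render.py", line=88),                 # XSS, blocked by severity
    Finding(cwe=200, severity=2, file="src/log.py", line=5),                    # Low: allowed through
]

if __name__ == "__main__":
    result = evaluate(SAMPLE_FINDINGS, DEFAULT_POLICY)
    print(f"evaluated {result.evaluated} findings, passed={result.passed}")
    for f in result.blocking:
        print(f"  BLOCK CWE-{f.cwe} {SEVERITY_NAMES[f.severity]} {f.file}:{f.line}")
    print("next step:", next_step(result))
```

Run as a pipeline step, a non-empty `blocking` list would translate into a non-zero exit code so the CI server stops before the deploy stage; the mitigated CWE-327 finding is skipped only because the policy honors approved mitigations, which is the lever the security team controls.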

Slide 15

Strategy - Training

• Security teams can help developers by providing training, either through eLearning or in-person instructor-led training
• Think about targeted training based on policy violations

Slide 16

Strategy – Training for the security team

Slide 17

Strategy - Remediation Coaching

For applications that used remediation coaching, development teams fixed more than 2.5x the average # of flaws per megabyte

Slide 18

Strategy – Security Champions

• Eyes and ears of security
• Specialized training
  – Basic security concepts
  – Threat modeling
  – Grooming guidelines
  – Secure code review training
  – Security controls
  – CTF Exercises
• Escalate when necessary

Slide 19

DevOps – Pervasive Security

[Diagram: pipeline phases Plan → Code → Build → Test → Stage → Deploy → Monitor, with security activities placed along them]

• Threat Modeling
• Security Grooming
• Secure Design
• Training (eLearning, instructor led, metadata driven)
• Static Application Security Testing + 3rd Party Risk Analysis
• Remediation and Mitigation Guidance
• Secure Code Reviews
• Dynamic Application Security Testing
• Manual Penetration Testing
• Red Team Activities
• Runtime Application Self Protection

Slide 20

Bridge the Gap Between Development and Security

Development
1. Scan early & often
2. Integrate & automate
3. Take Training
4. Request Remediation Guidance
5. Be a security champion

Security
1. Be involved in all phases
2. Define & explain policy
3. Provide Targeted Training
4. Provide Remediation Guidance
5. Recruit & train champions