© 2016 VERACODE INC. 1 © 2016 VERACODE INC. AppSec in a DevOps World Peter Chestna, Director of Developer Engagement • 25+ Years Software Development Experience • 11+ Years Application Security Experience • Certified Agile Product Owner and Scrum Master • At Veracode since 2006 • From Waterfall to Agile to DevOps • From Monolith to MicroService • Consultant on DevSecOps best practices • Fun Fact: I love whiskey! • Tell me where to drink local whiskey @PeteChestna

© 2016 VERACODE INC. 2 Applications are as risky as ever of all applications used some kind of hard-coded password of all applications use broken or risky cryptographic algorithms of all applications were vulnerable to open redirect attacks of all applications mix trusted and untrusted data in the same data structure or message

© 2016 VERACODE INC. 3 Lack of App Security is Damaging Companies

© 2016 VERACODE INC. 4 High Profile Breaches All attacked through the app layer

© 2016 VERACODE INC. 5 • Unpatched vulnerability in Struts 2 framework (CVE-2017-5638) – Disclosed in March – Exploited in May • Flaw may have been present for 9 years • 143 Million people’s records exfiltrated – Social Security Number – Date of Birth – Other PII • Stock down 30% • CEO, CIO & CISO all fired Equifax – Causes and Fallout

© 2016 VERACODE INC. 6 Waterfall Transformation – Technology & Process Agile DevOps

© 2016 VERACODE INC. 7 What is DevOps and What’s a DevOps Team? DevOps Team

© 2016 VERACODE INC. 8 Agile – Process & Security Copyright 2005, Mountain Goat Software Security

© 2016 VERACODE INC. 9 Is this your current AppSec program?

© 2016 VERACODE INC. 10 Which outcome do you see?

© 2016 VERACODE INC. 11 Strategy • Relationships & Accountability • Integration & Automation • Training & Remediation Coaching • Security Champions

© 2016 VERACODE INC. 12 Strategy - Relationships • Who is your peer in security/development? • Do you understand each others goals & struggles? • Do you ever meet with them?

© 2016 VERACODE INC. 13 Strategy - Accountability • Shared between development and security • Part of annual goals for both teams • Measured and reported regularly

© 2016 VERACODE INC. 14 CI CD 1 Develop 4 Check in Static Analysis 3 Build & Test 2 Backlog Strategy – Integration & Automation Pass? 7 Synchronize No Yes 7 Deploy to QA/Stage 6 Static Analysis 6 Unit Tests 8 Dynamic Analysis 8 Regression Testing Pass? Yes Stage then Prod Per Check-in 5 Build CI/CD Pipeline 3a Manual Testing*

© 2016 VERACODE INC. 15 Strategy - Training • Security teams can help developers by providing training, either through eLearning or in-person instructor-led training • Think about targeted training based on policy violations

© 2016 VERACODE INC. 16 Strategy – Training for the security team

© 2016 VERACODE INC. 17 Strategy - Remediation Coaching For applications that used remediation coaching, development teams fixed more than 2.5x the average # of flaws per megabyte

© 2016 VERACODE INC. 18 • Eyes and ears of security • Specialized training • Basic security concepts • Threat modeling • Grooming guidelines • Secure code review training • Security controls • CTF Exercises • Escalate when necessary Strategy – Security Champions

© 2016 VERACODE INC. 19 Training (eLearning, instructor led, metadata driven) Static Application Security Testing + 3rd Party Risk Analysis Remediation and Mitigation Guidance Secure Code Reviews Manual Penetration Testing Red Team Activities Runtime Application Self Protection Dynamic Application Security Testing Plan Code Build Test Stage Deploy Monitor Threat Modeling Security Grooming Secure Design DevOps – Pervasive Security

© 2016 VERACODE INC. 20 Bridge the Gap Between Development and Security 1. Scan early & often 2. Integrate & automate 3. Take Training 4. Request Remediation Guidance 5. Be a security champion Development Security 1. Be involved in all phases 2. Define & explain policy 3. Provide Targeted Training 4. Provide Remediation Guidance 5. Recruit & train champions