Tweet
Tweet

Slide 1

Slide 1 text

Dev(Sec)Ops Architecture for Security and Compliance 曾義峰 (Ant) yftzeng@gmail.com 2019-07-12

Slide 2

Slide 2 text

2/90 Introduction & Research interest 13 年互聯網研發經驗, 4 年顧問資歷。 時而編程,時而沉浸於法律領域、倘洋於資訊安全世界中。 Web Security ( 網頁安全 ) Data(base) Security ( 資料安全 ) Agile Way ( 敏捷方法 ) Compliance ( 法遵 / 合規 )

Slide 3

Slide 3 text

3/90 SDLC & Agile 1 Product Owner & Stakeholders 2 DevOps & Security 3 Agenda 引言 角色 安全 DevOps & Compliance 4 法遵 CI/CD & Pipeline 5 實踐

Slide 4

Slide 4 text

4/90 SDLC & Agile 1 Product Owner & Stakeholders 2 DevOps & Security 3 DevOps & Compliance 4 Agenda 引言 CI/CD & Pipeline 5

Slide 5

Slide 5 text

5/90 Requirements Design Code Test Deploy Software Development Life Cycle (SDLC)

Slide 6

Slide 6 text

6/90 Requirements Design Code Test Deploy Secure Software Development Life Cycle (SSDLC) Risk Assessment Design Review & Threat Modeling Static Analysis Code Review & Penetration Testing Secure Configuration & Security Assessment

Slide 7

Slide 7 text

7/90 Requirements Design Code Test Deploy Secure Software Development Life Cycle (SSDLC) Risk Assessment Design Review & Threat Modeling Static Analysis Code Review & Penetration Testing Secure Configuration & Security Assessment Waterfall EVERYTHING WORK WELL

Slide 8

Slide 8 text

8/90 Agile Credit: https://medium.com/innodev/agile-development-for-dummies-dd161da253c7

Slide 9

Slide 9 text

9/90 Agile Credit: https://www.kisspng.com/png-scrum-sprint-agile-software-development-systems-de-4949713/ Scrum

Slide 10

Slide 10 text

10/90 Agile Credit: https://sanzubusinesstraining.com/how-to-create-a-kanban-board-to-manage-your-to-do-list/ Kanban

Slide 11

Slide 11 text

11/90 Agile Credit: https://dilbert.com/strip/2007-11-26 我們將嘗試一種稱為敏捷開發的模式。 意味著不需計畫,不需文檔。只要寫程式和發牢騷就好。

Slide 12

Slide 12 text

12/90 Agile Prejudices 推動 Agile 後造成一團混亂 (Chaos) 。 Agile 過於複雜。 Agile 只是把待辦清單 (Todo) 用便利貼或數位的方式貼在牆上。 Agile 會產出不安全的軟體。 Agile 太浪費時間,例如每日站立會議、回顧 (retrospective) 。

Slide 13

Slide 13 text

13/90 Agile Prejudices 推動 Agile 後造成一團混亂 (Chaos) 。 Agile 過於複雜。 Agile 只是把待辦清單 (Todo) 用便利貼或數位的方式貼在牆上。 Agile 會產出不安全的軟體。 Agile 太浪費時間,例如每日站立會議、回顧 (retrospective) 。

Slide 14

Slide 14 text

14/90 Agile Credit: http://www.commitstrip.com/en/2017/06/19/security-too-expensive-try-a-hack/

Slide 15

Slide 15 text

15/90 Agile

Slide 16

Slide 16 text

16/90 Agile Agile ≠ Fast

Slide 17

Slide 17 text

17/90 Agile 很多公司都有推動各種敏捷專案管理流程。 例如 Scrum 或 Kanban 。 但其中有具備資安 (Security) 思維的只有一小部分。

Slide 18

Slide 18 text

18/90 誰說 Agile Coach 不需要懂資安 !? Agile Injection 頻繁安插的無理需求、急件

Slide 19

Slide 19 text

19/90 誰說 Agile Coach 不需要懂資安 !? Agile XSS Injection 頻繁安插的無理需求、急件 從其他團隊來的跨組扔包

Slide 20

Slide 20 text

20/90 誰說 Agile Coach 不需要懂資安 !? Agile XSS StackOverflow Injection 頻繁安插的無理需求、急件 從其他團隊來的跨組扔包 我是 Full-Stack Developer 指的是如果再給我一個工作 我的工作 (Stack) 就會溢出

Slide 21

Slide 21 text

21/90 誰說 Agile Coach 不需要懂資安 !? Agile God Injection XSS StackOverflow Injection 頻繁安插的無理需求、急件 從其他團隊來的跨組扔包 我是 Full-Stack Developer 指的是如果再給我一個工作 我的工作 (Stack) 就會溢出 老闆一聲令下 搖身變為隕石開發法

Slide 22

Slide 22 text

22/90 隕石開發法 Credit: http://eiki.hatenablog.jp/entry/meteo_fall Waterfall

Slide 23

Slide 23 text

23/90 隕石開發法 Credit: http://eiki.hatenablog.jp/entry/meteo_fall Agile

Slide 24

Slide 24 text

24/90 隕石開發法 Credit: http://eiki.hatenablog.jp/entry/meteo_fall Agile 無論什麼方法,在神面前, 都無用

Slide 25

Slide 25 text

25/90 DevOps & Security 3 DevOps & Compliance 4 Agenda Product Owner & Stakeholders 2 SDLC & Agile 1 角色 CI/CD & Pipeline 5

Slide 26

Slide 26 text

26/90 Scrum & Product Owner “The Product Owner is the sole person responsible for managing the Product Backlog.” (Scrum guide) “ 產品負責人是負責管理產品待辦清單的唯一人員。” “The PO role is responsible for working with the customers and stakeholders to understand their needs.” “ 產品負責人負責與客戶和利益相關者合作以了解他們的需求。” Credit: https://www.scrum.org/forum/scrum-forum/7820/product-owner-role-delegated-team

Slide 27

Slide 27 text

27/90 Scrum & Product Owner “The Product Owner is the sole person responsible for managing the Product Backlog.” (Scrum guide) “ 產品負責人是負責管理產品待辦清單的唯一人員。” “The PO role is responsible for working with the customers and stakeholders to understand their needs.” “ 產品負責人負責與客戶和利益相關者合作以了解他們的需求。” Credit: https://www.scrum.org/forum/scrum-forum/7820/product-owner-role-delegated-team Who are your stakeholders ? 誰是你們的利益相關者

Slide 28

Slide 28 text

28/90 Scrum & Product Owner “The Product Owner is the sole person responsible for managing the Product Backlog.” (Scrum guide) “ 產品負責人是負責管理產品待辦清單的唯一人員。” “The PO role is responsible for working with the customers and stakeholders to understand their needs.” “ 產品負責人負責與客戶和利益相關者合作以了解他們的需求。” Credit: https://www.scrum.org/forum/scrum-forum/7820/product-owner-role-delegated-team Security officer should start taking up the role of security stakeholders 資安官應該開始擔任利益相關者的角色

Slide 29

Slide 29 text

29/90 Product Backlog Product Backlog Item (PBI) : ● Features ● Bugs ● Refactoring ● Spike ● … ● Security Features ● Security Stories ● Attacker Stories ● Ab-Use User Stories

Slide 30

Slide 30 text

30/90 Product Backlog Scenario: User are able to register Given the user is on “/users/register” When the user types the email “yftzeng@gmail.com” When the user types the password “xxx” When the user clicks the register button Then the response should contains “Password must be at least 8 characters long” ... BDD

Slide 31

Slide 31 text

31/90 Product Backlog Scenario: The application should not contain SQL injection vulnerabilities And the SQL-Injection policy is enabled And the attack strength is set to High And the alert threshold is set to Low When the scanner is run And the following false positives are removed | url | parameter | cweId | wascId | And the XML report is written to the file output/security/sql_injection.xml Then no Medium or Higher risk vulnerabilities should be present Credit: https://continuumsecurity.net/bdd-security/ BDD

Slide 32

Slide 32 text

32/90 Product Backlog Scenario: Present the login form itself over an HTTPS connection Given a new browser instance And the client/browser is configured to use an intercepting proxy And the proxy logs are cleared And the login page is displayed And the HTTP request-response containing the login form Then the protocol should be HTTPS And ... Credit: https://continuumsecurity.net/bdd-security/ BDD

Slide 33

Slide 33 text

33/90 Tools ● SpecFlow (.NET) ● Cucumber (Ruby) ● JBehave (Java) ● Behat (PHP) ● Jest (JavaScript) ● Godog (Go) ● … BDD

Slide 34

Slide 34 text

34/90 DevOps & Compliance 4 Agenda SDLC & Agile 1 DevOps & Security 3 Product Owner & Stakeholders 2 安全 CI/CD & Pipeline 5

Slide 35

Slide 35 text

35/90 DevOps & Security 《 Dev Ops ⋅ 》 同 Agile / Lean ,具備自身核心,更快的執行速度和更快的學習速度。 這就是為什麼它經常被描述為一種文化。 從 DevOps 視角,探討 Security

Slide 36

Slide 36 text

36/90 DevOps & Security 《 Dev Ops ⋅ 》 同 Agile / Lean ,具備自身核心,更快的執行速度和更快的學習速度。 這就是為什麼它經常被描述為一種文化。

Slide 37

Slide 37 text

37/90 DevOps & Security

Slide 38

Slide 38 text

38/90 DevOps & Security SecDevOps—sometimes called “Rugged DevOps” or “security at speed”—as a set of best practices designed to help organizations implant secure coding deep in the heart of their DevOps development and deployment processes. The goal is to automate secure coding and security tests and fixes within the workflow, making secure software an inherent outcome of DevOps approaches. Credit: https://blog.newrelic.com/2015/08/27/secdevops-rugged-devops/

Slide 39

Slide 39 text

39/90 DevOps & Security SecDevOps—sometimes called “Rugged DevOps” or “security at speed”—as a set of best practices designed to help organizations implant secure coding deep in the heart of their DevOps development and deployment processes. The goal is to automate secure coding and security tests and fixes within the workflow, making secure software an inherent outcome of DevOps approaches. Credit: https://blog.newrelic.com/2015/08/27/secdevops-rugged-devops/ “SecDevOps seeks to embed security inside the development process as deeply as DevOps has done with operations” (SecDevOps 旨在將開發過程中的資訊安全深入到 DevOps 的操作中 )

Slide 40

Slide 40 text

40/90 DevOps & Security The hinge to success for DevOps security lies in changing the underlying DevOps culture to embrace security—with no exceptions. As with any other methodology, security must be built into DevOps. Credit: https://techbeacon.com/devsecops-foundations

Slide 41

Slide 41 text

41/90 DevOps & Security The hinge to success for DevOps security lies in changing the underlying DevOps culture to embrace security—with no exceptions. As with any other methodology, security must be built into DevOps. Credit: https://techbeacon.com/devsecops-foundations DevOps 資訊安全成功的關鍵仰賴改變潛在的 DevOps 文化以擁抱安全性 - 沒有例外 -

Slide 42

Slide 42 text

42/90 DevOps & Security

Slide 43

Slide 43 text

43/90 DevOps & Security

Slide 44

Slide 44 text

44/90 DevOps & Security

Slide 45

Slide 45 text

45/90 Credit: https://www.owasp.org/index.php/OWASP_AppSec_Pipeline#tab=Pipeline_Design_Patterns

Slide 46

Slide 46 text

46/90 Credit: https://www.linkedin.com/in/LarryMaccherone/

Slide 47

Slide 47 text

47/90 Agenda SDLC & Agile 1 Product Owner & Stakeholders 2 DevOps & Compliance 4 DevOps & Security 3 法遵 CI/CD & Pipeline 5

Slide 48

Slide 48 text

48/90 DevOps & Compliance Compliance Security License Standards Regulations Law Policies

Slide 49

Slide 49 text

49/90 DevOps & Compliance 很多公司都有推動各種敏捷專案管理流程。 例如 Scrum 或 Kanban 。 但其中有具備資安 (Security) 思維的只有一小部分。 更不用論更大範圍的法遵 / 合規 (Compliance) ,例如 GDPR 等。

Slide 50

Slide 50 text

50/90 DevOps & Compliance 歐盟《通用資料保護規則》 (General Data Protection Regulation, GDPR) 2018-05-25 正式生效 Credit: https://www.clearvertical.co.uk/is-your-website-gdpr-compliant/

Slide 51

Slide 51 text

51/90 DevOps & Compliance 歐盟《通用資料保護規則》 (General Data Protection Regulation, GDPR) 2018-05-25 正式生效 史上最嚴的個人資料保護法 Credit: https://www.clearvertical.co.uk/is-your-website-gdpr-compliant/

Slide 52

Slide 52 text

52/90 DevOps & Compliance 美國加州通過最嚴格的資料隱私法 Credit: https://www.theverge.com/2018/6/28/17509720/california-consumer-privacy-act-legislation-law-vote

Slide 53

Slide 53 text

53/90 DevOps & Compliance CLOUD Act (Clarifying Lawful Overseas Use of Data Act) 2018-03-24 正式生效 Credit: https://restoreprivacy.com/cloud-act/

Slide 54

Slide 54 text

54/90 DevOps & Compliance Compliance Security License Standards Regulations Law Policies Open source

Slide 55

Slide 55 text

55/90 DevOps & Compliance 《法律訴訟》美國 (1/2) 2002 MySQL vs. Progress Software 2002 MySQL vs. Progress Software 2006-03 Jacobson vs. Katzer 2006-03 Jacobson vs. Katzer 2007-10 BusyBox vs. Monsoon 2007-10 BusyBox vs. Monsoon 2007-11 BusyBox vs. Xterasys 2007-11 BusyBox vs. Xterasys 2007-11 BusyBox vs. High-Gain Antennas 2007-11 BusyBox vs. High-Gain Antennas 2007-12 BusyBox vs. Verizon 2007-12 BusyBox vs. Verizon 2008-01 Trend vs. Barracuda 2008-01 Trend vs. Barracuda 2008-06 BusyBox vs. Bell Microproduct 2008-06 BusyBox vs. Bell Microproduct

Slide 56

Slide 56 text

56/90 DevOps & Compliance 《法律訴訟》美國 (2/2) 2008-06 BusyBox vs. Super Micro Computer 2008-06 BusyBox vs. Super Micro Computer 2008-07 BusyBox vs. Extreme Networks 2008-07 BusyBox vs. Extreme Networks 2008-12 FSF vs. Cisco 2008-12 FSF vs. Cisco 2009-02 Microsoft vs. TomTom 2009-02 Microsoft vs. TomTom 2009-12 BusyBox vs. Best Buy 等 14 間 企業 2009-12 BusyBox vs. Best Buy 等 14 間 企業 2014-12 Ximpleware vs. Versata 2014-12 Ximpleware vs. Versata

Slide 57

Slide 57 text

57/90 Agenda SDLC & Agile 1 Product Owner & Stakeholders 2 DevOps & Security 3 CI/CD & Pipeline 5 DevOps & Compliance 4 實踐

Slide 58

Slide 58 text

58/90 CI/CD & Pipeline 《 Dev Ops ⋅ & CI ⋅ CD 》 DevOps 非商業口號,是以工具為中心的哲學,支持持續交付價值鏈。 持續交付採用自動部署流水線,以便可靠、快速地將軟體發佈的方法。 持續交付和 DevOps 擁有敏捷和精益的共同背景:小而快速的變化。 DevOps 關乎文化、開發和運營之間、明確的流程。關乎敏捷。 你可以在不實施持續交付的情況下接受並實踐 DevOps 理念。 從 CI/CD & Pipeline 視角,探討 Security

Slide 59

Slide 59 text

59/90 CI/CD & Pipeline 《 Dev Ops ⋅ & CI ⋅ CD 》 DevOps 非商業口號,是以工具為中心的哲學,支持持續交付價值鏈。 持續交付採用自動部署流水線,以便可靠、快速地將軟體發佈的方法。 持續交付和 DevOps 擁有敏捷和精益的共同背景:小而快速的變化。 DevOps 關乎文化、開發和運營之間、明確的流程。關乎敏捷。 你可以在不實施持續交付的情況下接受並實踐 DevOps 理念。

Slide 60

Slide 60 text

60/90 Credit: https://www.linkedin.com/in/LarryMaccherone/

Slide 61

Slide 61 text

61/90 Credit: https://www.linkedin.com/in/LarryMaccherone/ 實踐上的困難點?

Slide 62

Slide 62 text

62/90 CI/CD & Pipeline 《 Pen testing 》 滲透測試 (Penetration testing) 有時長達兩個月。 每一次的提交與改變,是否會影響之前滲透測試的結果? 《 Compliance validation 》 如果發布需要通過外部審核機構 ( 法務 / 會計 / 稽核 ) , 如何能實現快速循環實驗?

Slide 63

Slide 63 text

63/90 Credit: https://hackernoon.com/introducing-the-infosec-colour-wheel-blending-developers-with-red-and-blue-security-teams-6437c1a07700

Slide 64

Slide 64 text

64/90 Credit: https://hackernoon.com/introducing-the-infosec-colour-wheel-blending-developers-with-red-and-blue-security-teams-6437c1a07700

Slide 65

Slide 65 text

65/90 CI/CD & Pipeline Credit: https://www.linkedin.com/pulse/transformation-pmo-jack-caine/ 以 SAFe 的 Continuous Delivery( 持續交付 ) 模型為例 The Scaled Agile Framework (abbreviated as SAFe)

Slide 66

Slide 66 text

66/90 CI/CD & Pipeline Credit: https://www.scaledagileframework.com/release-on-demand/ Develop on Cadence. Release on Demand. - A SAFe mantra

Slide 67

Slide 67 text

67/90 CI/CD & Pipeline Credit: https://www.scaledagileframework.com/release-on-demand/ Develop on Cadence. Release on Demand. - A SAFe mantra 按節奏開發,按所需發布 -SAFe 的口號 -

Slide 68

Slide 68 text

68/90 CI/CD & Pipeline Credit: https://twitter.com/deanleffingwell/status/612425925515317248

Slide 69

Slide 69 text

69/90 CI/CD & Pipeline Credit: https://www.scaledagileframework.com/release-on-demand/ Develop on Cadence. Release on Demand. - A SAFe mantra Develop on Cadence ( 技術流程 ) Release on Demand ( 商業決策 )

Slide 70

Slide 70 text

70/90 CI/CD & Pipeline Credit: https://www.scaledagileframework.com/release-on-demand/ Develop on Cadence. Release on Demand. - A SAFe mantra Develop on Cadence ( 技術流程 ) Release on Demand ( 商業決策 ) 解耦 (decoupling)

Slide 71

Slide 71 text

71/90 CI/CD & Pipeline Credit: https://martinfowler.com/books/continuousDelivery.html Continuous delivery is about putting the release schedule in the hands of the business, not in the hands of IT.

Slide 72

Slide 72 text

72/90 CI/CD & Pipeline Credit: https://martinfowler.com/books/continuousDelivery.html Continuous delivery is about putting the release schedule in the hands of the business, not in the hands of IT. 持續交付是指將發布時程放在業務手中,而不是掌握在 IT 手中

Slide 73

Slide 73 text

73/90 CI/CD & Pipeline Credit: https://martinfowler.com/bliki/ContinuousDelivery.html Continuous Delivery is sometimes confused with Continuous Deployment. Continuous Deployment means that every change goes through the pipeline and automatically gets put into production, resulting in many production deployments every day. Continuous Delivery just means that you are able to do frequent deployments but may choose not to do it, usually due to businesses preferring a slower rate of deployment. In order to do Continuous Deployment you must be doing Continuous Delivery. Martin Fowler

Slide 74

Slide 74 text

74/90 CI/CD & Pipeline Credit: https://martinfowler.com/bliki/ContinuousDelivery.html Continuous Delivery is sometimes confused with Continuous Deployment. Continuous Deployment means that every change goes through the pipeline and automatically gets put into production, resulting in many production deployments every day. Continuous Delivery just means that you are able to do frequent deployments but may choose not to do it, usually due to businesses preferring a slower rate of deployment. In order to do Continuous Deployment you must be doing Continuous Delivery. Martin Fowler 持續交付只是意味著你可以進行頻繁部署 , 但可以選擇不這樣做, 通常是因為企業更喜歡較慢的部署速度

Slide 75

Slide 75 text

75/90 CI/CD & Pipeline Credit: https://www.scaledagileframework.com/release-on-demand/ Develop on Cadence. Release on Demand. - A SAFe mantra Develop on Cadence ( 技術流程 ) Release on Demand ( 商業決策 ) 解耦 (decoupling)

Slide 76

Slide 76 text

76/90 CI/CD & Pipeline Credit: https://www.linkedin.com/pulse/transformation-pmo-jack-caine/ 以 SAFe 的 Continuous Delivery( 持續交付 ) 模型為例 The Scaled Agile Framework (abbreviated as SAFe)

Slide 77

Slide 77 text

77/90 CI/CD & Pipeline Credit: https://www.linkedin.com/pulse/transformation-pmo-jack-caine/ 以 SAFe 的 Continuous Delivery( 持續交付 ) 模型為例 The Scaled Agile Framework (abbreviated as SAFe) 解耦 (decoupling)

Slide 78

Slide 78 text

78/90 CI/CD & Pipeline Credit: https://www.linkedin.com/pulse/transformation-pmo-jack-caine/ 以 SAFe 的 Continuous Delivery( 持續交付 ) 模型為例 The Scaled Agile Framework (abbreviated as SAFe) 商業決策 技術流程 商業決策

Slide 79

Slide 79 text

79/90 CI/CD & Pipeline Credit: https://www.linkedin.com/pulse/transformation-pmo-jack-caine/ 商業決策 技術流程 商業決策 Compliance Security 滲透測試 (Penetration testing) / 紅隊演練 (Red Team Assessment) 。 外部審核機構 ( 法務 / 會計 / 稽核 ) 。

Slide 80

Slide 80 text

80/90 Security Marketing Compliance needs pen testing red team regulations controls standards unit / integration / performance test unit / integration / performance test scheduling unit / integration / performance test scheduling schedule pipeline Develop

Slide 81

Slide 81 text

81/90 Security Marketing Compliance Develop needs pen testing red team regulations controls standards unit / integration / performance test unit / integration / performance test scheduling unit / integration / performance test scheduling schedule pipeline

Slide 82

Slide 82 text

82/90 Credit: https://www.linkedin.com/pulse/agile-scrum-gdpr-ruud-van-driel-cissp/

Slide 83

Slide 83 text

83/90 Credit: https://www.linkedin.com/pulse/agile-scrum-gdpr-ruud-van-driel-cissp/

Slide 84

Slide 84 text

84/90 Credit: https://www.linkedin.com/pulse/agile-scrum-gdpr-ruud-van-driel-cissp/

Slide 85

Slide 85 text

85/90 Credit: https://www.linkedin.com/pulse/agile-scrum-gdpr-ruud-van-driel-cissp/

Slide 86

Slide 86 text

86/90 Security Marketing Compliance Develop needs pen testing red team regulations controls standards unit / integration / performance test unit / integration / performance test scheduling unit / integration / performance test scheduling schedule pipeline

Slide 87

Slide 87 text

87/90 程式提交 程式提交 …… …… 授權分析 授權分析 授權白名單 授權白名單 授權黑名單 授權黑名單 授權灰名單 授權灰名單 程式通過 程式通過 靜態分析 靜態分析 動態分析 動態分析 註解分析 註解分析 相容分析 相容分析 X 問題清單 問題清單 MIT Apache-2.0 BSD-2-Clause BSD-3-Clause …… AGPL-3.0 CPAL OSL SSPL …… LGPL-2.1 / 動態連結 → OK LGPL-2.1 / 靜態連結 → NO LGPL-3.0 / 動態連結 → OK LGPL-3.0 / 靜態連結 → NO …… X X https://github.com/fossology/fossology https://github.com/google/licenseclassifier https://github.com/github/licensed https://github.com/dmgerman/ninka https://github.com/jslicense/licensee.js [npm] https://github.com/davglass/license-checker [npm] https://github.com/pmezard/licenses [Go] https://github.com/Comcast/php-legal-licenses [PHP] https://github.com/composer/spdx-licenses [SPDX]

Slide 88

Slide 88 text

88/90 Password Policy XSS Insider Threat Information Disclosure SQL Injection GDPR Policy

Slide 89

Slide 89 text

89/90 Agile ≠ Fast 產品負責人必須將資安官納入主要利益相關人 借鏡 DevOps/SAFe ,引入 DevSecOps 文化 利用軟體工程的手法 , 將複雜的流程解耦、分段 階段性實施 DevSecOps ( 小跑步法 ) 確認團隊所有成員認同資安對於客戶的價值 持續投入資安訓練及演練

Slide 90

Slide 90 text

90/90 yftzeng@gmail.com https://www.facebook.com/yftzeng.tw https://twitter.com/yftzeng 曾義峰 (Ant)