Slide 1
Continuous Security for DevOps Velocity
Justin Collins (@presidentbeef)
ISSA LA Summit 2019
© 2019 Synopsys, Inc.

Slide 2
Continuous Application Security for DevOps Velocity
Justin Collins (@presidentbeef)
ISSA LA Summit 2019

Slide 3
Justin Collins - Background
- AT&T Interactive (YP.com)
- Twitter
- SurveyMonkey
- Brakeman
- Brakeman Pro
- Synopsys
Areas: Web Application Security; Static Analysis (Security)

Slide 4
DevOps?

Slide 5
DevOps Principles (Gene Kim)
- Flow: ease development to deployment
- Feedback: fast, meaningful tests; visibility and monitoring
- Continual Experimentation and Learning: resilient infrastructure

Slide 6
DevOps Practices
- Automated Testing
- Continuous Integration
- Continuous Deployment
- Infrastructure as Code
- Proactive Monitoring

Slide 7
Dev^Sec^Ops? (the slide inserts "Sec" into "DevOps" with a caret)

Slide 8
Rugged DevOps?

Slide 9
Speed is Good for Security
“High performers, because they are integrating information security objectives into everyone’s daily work, are spending half as much time remediating security issues.” - Gene Kim at LocoMocoSec 2018
“…organizations that successfully embed security into DevOps experience a 50% drop in their production vulnerabilities and their time to fix improves by 25%.” - WhiteHat Security 2018 Application Security Statistics Report

Slide 10
Speed is Good for Security – Why?
How quickly can a system be patched/upgraded, safely?

Slide 11
Speed is Good for Security – Why?
How quickly can an application vulnerability be fixed, safely?

Slide 12
Is the security team responsible for shipping secure code?

Slide 13
(image only, no text)

Slide 14
Common Team Size Ratio
100 : 10 : 1 (Developers : Operations : Security)
Credit: Shannon Lietz

Slide 15
Common Team Size Ratio
- 100 developers – experts on their slice of the code
- 1 security person – responsible for ALL code + systems

Slide 16
DevOps: Developers are as responsible for stable code as the ops team is

Slide 17
DevOps: Developers are as responsible for stable code as the ops team is
DevSecOps: Developers are as responsible for secure code as the security team is

Slide 18
Security Team’s Role
- Expertise
- Guidance
- Training
- Tools

Slide 19
Continuous Security Principles

Slide 20
The Secure Path is the Easy Path

Slide 21
Secure Path is Easy Path
Secure-by-default APIs
- Never require “secure” flag or extra arguments
- Security should be simple (e.g. bcrypt)
- Remove insecure APIs if possible
Out-of-the-Box Functionality
- Self-service server deployment
- CDN
- Secrets management
- User sessions
- Logs / monitoring
- Also, security!

Slide 22
Fast, Empathetic Feedback Loops
Diagram: Automated Tools -> Code -> Actionable Feedback
Photo credit: wocintechchat.com

Slide 23
Fast, Empathetic Feedback Loops (build of slide 22: Automated Tools -> Code)

Slide 24
Fast, Empathetic Feedback Loops (build of slide 22: Automated Tools -> Code)

Slide 25
Security as an Ally

Slide 26
Implementation Strategy

Slide 27
Guidance
- Friendly, accessible security team
- Encourage discussion
- Default to “yes”
- Document preferred solutions
- Relevant training

Slide 28
Guardrails
- Single path to production
- Hardened default configurations/environment
- Secure-by-default libraries/frameworks
- Standardized secret management
- Centralized, self-service deployment

Slide 29
Tools (Security Automation)
1. Identify a real security issue
2. Determine solution
3. Automate detection
4. Automate enforcement
Photo: https://flic.kr/p/dGYq6v
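An added example, not from the talk, tying slide 21 (secure-by-default APIs that never require a "secure" flag) to slide 29 (automate detection, then enforcement): a cookie helper whose plain call is the safe one, beside the legacy opt-in shape, and a small source checker that flags legacy calls and explicit opt-outs so a CI step can fail on them. All function names, the OPT_OUT pattern and the sample source are hypothetical and constructed for this illustration.

```ruby
# Added example (hypothetical names, not from the talk): secure-by-default
# cookie helper plus a checker and CI gate for opt-outs.
require 'uri'

# Legacy shape: protection is opt-in via extra arguments, so the easy call is the insecure one.
def cookie_header_legacy(name, value, secure: false, httponly: false)
  parts = ["#{name}=#{URI.encode_www_form_component(value)}"]
  parts << 'Secure' if secure
  parts << 'HttpOnly' if httponly
  parts.join('; ')
end

# Secure-by-default shape: the plain call is the safe one; weakening it is explicit and greppable.
def cookie_header(name, value, secure: true, httponly: true, same_site: 'Lax')
  parts = ["#{name}=#{URI.encode_www_form_component(value)}"]
  parts << 'Secure' if secure
  parts << 'HttpOnly' if httponly
  parts << "SameSite=#{same_site}" if same_site
  parts.join('; ')
end

# Detection: scan source text for calls to the legacy helper or explicit opt-outs.
# Returns [[line_number, reason], ...] so a CI job can print and fail on them.
OPT_OUT = /\b(secure|httponly):\s*false\b|\bsame_site:\s*(nil|false)\b/
def find_cookie_weaknesses(source)
  findings = []
  source.each_line.with_index(1) do |line, n|
    next if line.lstrip.start_with?('#') # comments are not calls
    findings << [n, 'legacy helper'] if line.include?('cookie_header_legacy(')
    findings << [n, 'opt-out of secure default'] if line.match?(OPT_OUT)
  end
  findings
end

# Enforcement: true when clean; otherwise report each finding and return false
# so the caller (a CI step) can fail the build instead of only warning.
def enforce_cookie_policy(source)
  findings = find_cookie_weaknesses(source)
  findings.each { |n, why| warn "line #{n}: #{why}" }
  findings.empty?
end

# Constructed sample of application code to scan (not real project code).
SAMPLE_SOURCE = <<~RUBY
  headers['Set-Cookie'] = cookie_header('session', sid)
  headers['Set-Cookie'] = cookie_header('theme', 'dark', httponly: false)
  headers['Set-Cookie'] = cookie_header_legacy('old', token, secure: true)
RUBY
```

Wiring `enforce_cookie_policy` into the pipeline with a non-zero exit on `false` is the "automate enforcement" step; the opt-out on the theme cookie stays allowed only once a reviewer has seen it flagged.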

Slide 30
Lessons Learned

Slide 31
Listen First

Slide 32
Tailor Your Strategy
Photo: https://flic.kr/p/f2JEum

Slide 33
Detect and Prevent
Photo: https://flic.kr/p/21WAMJ4

Slide 34
Small Steps

Slide 35
Principles Summary
Continuous Security Principles
- The Secure Path is the Easy Path
- Fast, Empathetic Feedback Loops
- Security as an Ally
Security Approach
- Listen First
- Tailor Your Strategy
- Detect and Prevent
- Small Steps

Slide 36
Now for the Bad News

Slide 37
AppSecUSA 2012

Slide 38
Security Team Evolution
- Zero: maybe one “security-minded” developer
- First security hire! Responsible for everything
- Hire specialists: Network, Application, Cloud, Corporate, …
- Split into teams: Network, Application, Cloud, Corporate, …

Slide 39
(image only, no text)

Slide 40
The End of the AppSec Team

Slide 41
End of the AppSec Team
- Secure coding?
- Code review?
- Threat modeling?
- Bug bounty reports?
- Training?
- Developer tooling?
- Secure libraries?
- Incident management?
- …?

Slide 42
Summary
- DevOps’ fast pace can be beneficial to security
- Security’s role must shift away from gates, towards guardrails
- The future is diffusion of security responsibility across the organization

Slide 43
Further Resources
- Top Infosec Lessons Learned Researching And Co-Authoring The DevOps Handbook
- We Come Bearing Gifts: Enabling Product Security with Culture and Cloud
- Rise of the Machines: Security Automation at Twitter

Slide 44
Thank You

Slide 45
(no content)