Slide 1

APPSEC PIPELINE IN 2023
Application security in an agile development, DevOps and continuous integration/delivery/change world.
Doug Morato - BOFIRM Conference – July 2023

Slide 2

WHO AM I AGAIN?
• Professionally:
  - Sr. Program Manager @ Microsoft
  - Cyber Security Consultant @ Cloud, AppSec, Pentest, Security Operations
• Prior roles:
  - Staff Content Security Engineer @ Disney Studios
  - Cyber Security Engineer @ Spirit Airlines
  - Enterprise Security Architect @ Trinity Health
  - Director – AppSec @ TradeStation
  - Sr. Manager – AppSec @ PwC
  - Sr. Software Security Consultant @ HP
  - Sr. Penetration Tester @ Mastercard
  - AppSec Specialist @ Disney
  - Independent AppSec Consultant
• 25+ Certifications: GIAC Security Expert, CSSLP, CISSP, 8x SANS GIAC, 4x Microsoft, 6x GSTRT, GPEN, GCIA, GCFA, GCIH, GSEC, CCSK, CHFI, ECSA, CEH Certified
• Personally:
  - Born in Brazil (Yes, I speak Portuguese!)
  - Happily married to a Brazilian wife.
  - Father of a 16-year-old girl, a 13-year-old boy and the 4-year-old boss baby girl
  - Currently living in São Paulo, Brazil, but will be back next year to South Florida, Boca Raton, A.K.A. PARADISE
  - Was a core contributor to the OWASP WebGoat Project
• Hobbies: Cycling and Travel

Slide 3

WHY APPLICATION SECURITY?

Slide 4

WHY APPLICATION SECURITY….

Slide 5

WHY APPLICATION SECURITY….
Were you impacted by the Log4j / Log4Shell vulnerability?
• 0-day vulnerability, with a CVSS score of 10
• Reported on November 24th 2021
• Weaponized / exploited on December 9th 2021
• In weeks, estimated to have 10 million attacks per hour in the U.S. alone
• More than 32% of all Log4j scanning activity over the course of the year happened within 30 days of its release
• Allowed for remote code execution on the affected systems
In the world of finance, the numbers don't lie. The latest Verizon DBIR 2023 report reveals a staggering reality:
• Out of a total of 1,832 incidents, with 480 incidents resulting in confirmed data disclosure, a whopping 77% of breaches can be attributed to Basic Web Application Attacks, Miscellaneous Errors, and System Intrusion.
• These three culprits alone represent the lion's share of vulnerabilities that threaten the security of the financial sector.
• 83% of breaches involved external actors, and the primary motivation for attacks continues to be overwhelmingly financially driven, at 95% of breaches.

Slide 6

SDLC: SYSTEM/SOFTWARE DEVELOPMENT LIFECYCLE

Slide 7

APPSEC PIPELINE
What's that all about?
Remember Henry Ford? Founder of Ford Motor Company and sponsor of the development of the assembly line.

Slide 8

APPSEC PIPELINE AT A GLANCE:
Standard Build Process
The project goes through the standard dev and build process, committing code changes as it moves through sprints/cycles. Builds are scheduled or triggered upon code push.
Application Security Tasks
Perform the AppSec tasks if the standard build is successful:
• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Software Composition Analysis (SCA)
• Secrets Detection
Release or Act Upon
Approve the artifact or act: approve the inbound artifact into the “blessed” artifact repository if “all good”, OR trigger an alternate workflow, which can be a manual review or reassignment to the AppDev team.

Slide 9

APPLICATION SECURITY PIPELINE (A.K.A. DEVSECOPS PIPELINE)
A set of automated processes and tools integrated into the software development lifecycle (SDLC) to ensure the security of an application throughout its development, deployment, and maintenance stages. Here are the typical stages or components of an application security pipeline:
1. Static Application Security Testing (SAST): This stage involves analyzing the application's source code or compiled binaries to detect security flaws, such as code injection, insecure configurations, or potential vulnerabilities. SAST tools scan the codebase and provide feedback to developers on potential security issues.
2. Dynamic Application Security Testing (DAST): In this phase, the application is tested dynamically while it is running to identify security weaknesses, such as input validation flaws, cross-site scripting (XSS), or SQL injection vulnerabilities. DAST tools simulate attacks against the running application and generate reports on identified security weaknesses.
3. Software Composition Analysis (SCA): This stage focuses on analyzing the application's dependencies, including third-party libraries and frameworks, to identify any known security vulnerabilities or licensing issues. SCA tools scan the dependencies and provide information on vulnerabilities that need to be addressed or updated.
4. Security Code Reviews: This involves manual or automated reviews of the application's codebase to identify potential security issues. Code reviews involve analyzing the logic, architecture, and design of the application to uncover security flaws that might have been missed by automated tools.
5. Security Testing and Penetration Testing: This stage involves performing targeted security testing and penetration testing on the application to simulate real-world attacks and identify vulnerabilities that could be exploited by malicious actors.
6. Security Checks in the CI/CD Pipeline: To ensure that security checks are performed continuously, organizations integrate security tools and checks into their Continuous Integration and Continuous Deployment (CI/CD) pipelines. This allows security scans to be automatically triggered during the build and deployment processes, providing immediate feedback to developers.
By integrating these stages into the development workflow, an application security pipeline helps organizations identify and address security issues early in the SDLC. It promotes a shift-left approach to security, where security practices are integrated into the development process from the beginning, reducing the cost and effort of fixing security flaws at later stages.
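Slide 8 ends with a "Release or Act Upon" step (promote the artifact to the "blessed" repository, or trigger an alternate workflow of manual review or reassignment to the AppDev team) and slide 9 lists the scanner stages that feed it, but neither shows how the decision is made. The following is an added example, not code from the talk or from any tool it lists, showing one way to implement that gate in Python. It assumes a hypothetical normalisation step has already converted every scanner's report into one JSON object per finding with the fields `tool`, `rule`, `severity`, `location` and (for SCA) `fix_available`; the per-stage thresholds in `BLOCK_AT` and the sample report are constructed for the example.

```python
"""Release gate for the AppSec pipeline's 'Approve artifact or Act' step.

Added example (not part of the talk). Scanner findings are assumed to have
been normalised to newline-delimited JSON, one finding per line, by a
hypothetical earlier pipeline step. The gate applies a per-stage severity
policy and decides whether the build artifact is promoted to the blessed
repository or routed to the alternate workflow.
"""
import json
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    INFO = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Finding:
    tool: str          # pipeline stage that produced it: sast, dast, sca, secrets
    rule: str
    severity: Severity
    location: str
    fix_available: bool = False   # SCA only: has a patched version been published?


# Lowest severity that blocks promotion, per stage. Hypothetical thresholds;
# an organisation tunes these to its own risk appetite.
BLOCK_AT = {
    "sast": Severity.HIGH,
    "dast": Severity.HIGH,
    "sca": Severity.CRITICAL,
    "secrets": Severity.INFO,   # any detected secret blocks promotion
}


def parse_findings(jsonl: str) -> list:
    """Parse the normalised newline-delimited JSON report into Finding objects.
    A finding from a stage the policy does not know is an error, not a pass:
    silently ignoring it would let unreviewed results through the gate."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["tool"] not in BLOCK_AT:
            raise ValueError(f"no policy threshold for stage {rec['tool']!r}")
        findings.append(Finding(
            tool=rec["tool"],
            rule=rec["rule"],
            severity=Severity[rec["severity"].upper()],
            location=rec["location"],
            fix_available=bool(rec.get("fix_available", False)),
        ))
    return findings


@dataclass
class Decision:
    promote: bool    # True: copy the artifact into the blessed repository
    route: str       # "blessed-repo", "manual-review" or "appdev-team"
    blocking: list   # the findings that caused a non-promotion decision


def evaluate(findings: list, block_at: dict = BLOCK_AT) -> Decision:
    blocking = [f for f in findings if f.severity >= block_at[f.tool]]
    if not blocking:
        return Decision(True, "blessed-repo", [])
    # Vulnerable dependencies with no upstream fix cannot be resolved by the
    # developers, so those go to a security reviewer for a risk decision.
    # Anything the team can fix (code flaws, leaked secrets, patchable
    # dependencies) is reassigned to the AppDev team.
    only_unfixable_sca = all(f.tool == "sca" and not f.fix_available for f in blocking)
    route = "manual-review" if only_unfixable_sca else "appdev-team"
    return Decision(False, route, blocking)


# Constructed sample report for one build; not output from any real scanner.
SAMPLE_REPORT = """
{"tool": "sast", "rule": "sql-injection", "severity": "high", "location": "app/db.py:42"}
{"tool": "sast", "rule": "hardcoded-ip", "severity": "low", "location": "app/net.py:7"}
{"tool": "dast", "rule": "reflected-xss", "severity": "medium", "location": "GET /search?q="}
{"tool": "sca", "rule": "vulnerable-dependency", "severity": "critical", "location": "example-lib@1.2.3", "fix_available": false}
{"tool": "secrets", "rule": "cloud-api-key", "severity": "high", "location": "config/settings.py:12"}
"""


def gate_build(report: str = SAMPLE_REPORT) -> Decision:
    """Run the whole gate over one normalised report."""
    return evaluate(parse_findings(report))


if __name__ == "__main__":
    decision = gate_build()
    print("promote:", decision.promote, "| route:", decision.route)
    for f in decision.blocking:
        print(f"  BLOCK [{f.tool}] {f.rule} ({f.severity.name}) at {f.location}")
```

The sample build is not promoted: the high-severity SAST finding, the critical dependency and the leaked key each exceed their stage's threshold, and because at least one of them is something the developers can fix, the route is "appdev-team" rather than "manual-review". Running `evaluate` on only the SCA finding shows the other branch.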

Slide 10

DEV(SEC)OPS: EMBEDDING SECURITY INTO DEVELOPMENT AND OPERATIONS

Slide 11

ACTIONS IN THE DEVSECOPS PROCESS

Slide 12

HOW CAN WE SECURELY SUPPORT THE NEW MODEL OF EVER-CHANGING, AGILE INITIATIVES, CONTINUOUS DELIVERY AND DEVOPS?

Slide 13

AUTOMATION
Consistent and repeatable.
Human capital is the critical resource, but also the most expensive. Computational resources are cheap. Automate time-consuming tasks where/when possible.

Slide 14

DEVELOPERS CAN BECOME GREAT SECURITY PROFESSIONALS

Slide 15

TECHNOLOGY STACK
A sample of tools, products and services at our disposal, both free and paid offerings.

Slide 16

SAMPLE OF TOOLS AND VENDOR SOLUTIONS:
Static Application Security Testing (SAST)
• SonarQube (free)
• Semgrep (free / paid)
• Fortify
• Checkmarx
• Veracode
• Brakeman
• Coverity
• Kiuwan
• DeepSource
• GitHub Advanced Security
Software Composition Analysis (SCA)
• WhiteSource
• Black Duck
• OWASP Dependency-Check (free)
• Snyk (free / paid)
• Syft (free)
• Trivy (free)
• GitHub Advanced Security
Secret Detection
• TruffleHog (free)
• GitGuardian
• Gitleaks (free)
• git-secrets
• detect-secrets
• GitHub Advanced Security
Dynamic Application Security Testing (DAST)
• OWASP ZAP (free)
• Burp Suite (free / paid)
• WebInspect
• HCL AppScan
• Invicti / Netsparker
Interactive Application Security Testing (IAST)
• Contrast Security
• Seeker
• Sqreen
Container Security
• Anchore
• Clair
• Aqua Security
• Twistlock
• Sysdig Secure
• Grype (free)
Cloud Security
• ScoutSuite (free)
• Prowler (free / Pro)
• Cloud Custodian (free)
• CloudSploit (free)
• Prisma Cloud
• Wiz.io

Slide 17

TOOLS IN THE SDLC PROCESS
DESIGN
• OWASP ASVS
• OWASP Proactive Controls
DEVELOPMENT
• SAST
  • SonarQube (free)
  • Semgrep (free / paid)
  • Fortify
  • Checkmarx
  • Veracode
  • Brakeman
  • Coverity
  • Kiuwan
  • DeepSource
• SCA
  • WhiteSource
  • Black Duck
  • OWASP Dependency-Check (free)
  • Snyk (free / paid)
  • GitHub Advanced Security
BUILD
• Continuous Integration
  • GitHub Actions
  • Azure DevOps
  • Atlassian Bamboo
  • GitLab
  • Jenkins
• Secret Scanning
  • GitHub Advanced Security
  • TruffleHog (free)
  • GitGuardian
  • Gitleaks (free)
  • git-secrets
TEST
• DAST
  • OWASP ZAP (free)
  • Burp Suite (free / paid)
  • WebInspect
  • HCL AppScan
  • Invicti / Netsparker
• IAST
  • Contrast Security
  • Seeker
  • Sqreen
DEPLOY
• Deployment tools
  • Azure DevOps
  • Jenkins
  • Ansible
  • Terraform
• Artifact Repository
  • JFrog Artifactory
  • Sonatype Nexus
MAINTAIN & GOVERN
• Cloud Security
  • Anchore
  • Clair
  • Aqua Security
  • Twistlock
  • Sysdig Secure
• Governance
  • DefectDojo (free)
  • Kondukto

Slide 18

DEVELOPMENT CYCLES
The proposed workflow demonstrates how the tools and the possible service offerings integrate within the development lifecycle, whether the team is using a standard (waterfall) or agile (scrum) methodology.

Slide 19

DEPLOYMENT CYCLES
The proposed workflow demonstrates how the tools and the possible service offerings integrate within the deployment lifecycle. Additionally, this diagram shows possible DevOps and Continuous Delivery integration points pulling “blessed” artifacts from the Artifact Repository.

Slide 20

HOW DOES IT LOOK?

Slide 21

HOW DOES IT LOOK? JENKINS

Slide 22

HOW ELSE CAN YOU DO IT?
• Using GitHub Actions, Azure DevOps Pipelines, Jenkins Pipelines or GitLab
• GitHub Actions example: https://github.com/magnologan/gha-devsecops

Slide 23

AWS EXAMPLE

Slide 27

NO MONEY? NO PROBLEM!
Open source is your best friend. There is a huge number of free tools and resources to get you started on your journey….
● https://owasp.org/
● https://www.appsecengineer.com/
● https://www.infracloud.io/blogs/implement-devsecops-secure-ci-cd-pipeline/
● https://aws.amazon.com/blogs/devops/building-end-to-end-aws-devsecops-ci-cd-pipeline-with-open-source-sca-sast-and-dast-tools/
● https://github.com/rmkanda/secure-pipeline-java-demo

Slide 28

HOW DO I LEARN MORE?

Slide 29

AI CAN HELP US, RIGHT?

Slide 30

YES, AI CAN HELP… Both the Good Guys and the Bad Guys

Slide 31

QUESTIONS?

Slide 32

OBRIGADO / THANK YOU!
Doug Morato
[email protected]
Contact Info:
Download Slides: