$30 off During Our Annual Pro Sale. View Details »

Continuous (Application) Security at DevOps Velocity

Justin Collins
May 16, 2019
Technology
0
110

Continuous (Application) Security at DevOps Velocity

The security industry initially reacted to the “DevOps” movement with dismay: developers deploying code themselves? Hundreds of deploys per day? How could security teams possibly keep up with that rate of change? As the DevOps approach has become a mainstream development method, security teams have begun to embrace DevOps and discover the security benefits enabled by the DevOps methodology. Adapting to a DevOps world requires not just the security team to change how they operate, but a realignment of how security permeates the entire organization.

Justin Collins

May 16, 2019
Tweet

More Decks by Justin Collins

See All by Justin Collins
The Evolution of Rails Security
presidentbeef
1
620
Brakeman RailsConf 2017 Lightning Talk
presidentbeef
0
96
Practical Static Analysis for Continuous Application Security
presidentbeef
0
150
"...But Doesn't Rails Take Care of Security for Me?"
presidentbeef
1
310
Continuous Security with Practical Static Analysis
presidentbeef
1
250
Security Automation at Twitter - Rise of the Machines
presidentbeef
0
150
"Recent Rails SQL Issues" - 2012
presidentbeef
0
53
The World of Rails Security - RailsConf 2015
presidentbeef
8
1k
Tales from the Crypt
presidentbeef
1
150

Other Decks in Technology

See All in Technology
RealSense T265とD415とUFACTORY Lite 6で模倣学習の実験
hygradme
0
340
【論文紹介】 A Survey on Hallucination in Large Language Models: Principles, Taxonomy, Challenges, and Open Questions
tomoaki25
5
160
kintone テクニカルライター採用ピッチ資料
cybozuinsideout
PRO
0
710
Amazon Bedrock を利用したAIチャットボット開発
yukimatsuyoshi
1
230
スタートアップにおける、チーム拡大を見据えたコンポーネント分割の取り組み
rynsuke
2
870
サービスの1等地ホーム画面改善と効果的なステークホルダーマネジメント / Improvement of Prime Location Home Screen for Services and Effective Stakeholder Management
rilmayer
0
160
分散型SNS最新状況
kojira
0
190
DMMオンラインサロン エンジニア採用資料/ for-software-engineers
onlinesalon
0
3.6k
SmartHRのマルチプロダクト戦略実行の苦悩と挑戦
h1kita
5
3k
從心開始的純軟之路
line_developers_tw
PRO
0
1.2k
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
1.2k
CTO of the year 2023ピッチ資料(オーディエンス賞)チューリングCTO青木
aoshun7
0
480

Featured

See All Featured
The Art of Programming - Codeland 2020
erikaheidi
39
12k
The Pragmatic Product Professional
lauravandoore
23
5.4k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
53
33k
Unsuck your backbone
ammeep
660
56k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
39
4k
What’s in a name? Adding method to the madness
productmarketing
PRO
14
2.3k
KATA
mclloyd
13
11k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
0
270
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
44
12k
Being A Developer After 40
akosma
52
580k
Music & Morning Musume
bryan
38
5.2k
It's Worth the Effort
3n
180
27k

Transcript

  1. © 2019 Synopsys, Inc. 1
    Justin Collins
    @presidentbeef
    ISSA LA Summit 2019
    Continuous Security for DevOps Velocity

    View Slide

  2. © 2019 Synopsys, Inc. 2
    Justin Collins
    @presidentbeef
    ISSA LA Summit 2019
    Continuous Application Security
    for DevOps Velocity

    View Slide

  3. © 2019 Synopsys, Inc. 3
    Justin Collins - Background
    AT&T Interactive (YP.com)
    Twitter
    SurveyMonkey
    Brakeman
    Brakeman Pro
    Synopsys
    Web Application Security
    Static Analysis (Security)

    View Slide

  4. © 2019 Synopsys, Inc. 4
    DevOps?

    View Slide

  5. © 2019 Synopsys, Inc. 5
    DevOps Principles
    Flow
    Ease development to deployment
    Feedback
    Fast, meaningful tests
    Visibility and monitoring
    Continual Experimentation and Learning
    Resilient infrastructure
    Gene Kim

    View Slide

  6. © 2019 Synopsys, Inc. 6
    DevOps Practices
    Automated Testing
    Continuous Integration
    Continuous Deployment
    Infrastructure as Code
    Proactive Monitoring

    View Slide

  7. © 2019 Synopsys, Inc. 7
    DevOps?
    Sec
    ^

    View Slide

  8. © 2019 Synopsys, Inc. 8
    Rugged
    DevOps?

    View Slide

  9. © 2019 Synopsys, Inc. 9
    Speed is Good for Security
    “High performers, because they are integrating information security
    objectives into everyone’s daily work, are spending half as much time
    remediating security issues.”
    - Gene Kim at LocoMocoSec 2018
    “…organizations that successfully embed security into DevOps
    experience a 50% drop in their production vulnerabilities and
    their time to fix improves by 25%.”
    - WhiteHat Security 2018 Application Security Statistics Report

    View Slide

  10. © 2019 Synopsys, Inc. 10
    Speed is Good for Security – Why?
    How quickly can a system be patched/upgraded,
    safely?

    View Slide

  11. © 2019 Synopsys, Inc. 11
    Speed is Good for Security – Why?
    How quickly can an application vulnerability be fixed,
    safely?

    View Slide

  12. © 2019 Synopsys, Inc. 12
    Is the security team responsible
    for
    shipping secure code?

    View Slide

  13. © 2019 Synopsys, Inc. 13

    View Slide

  14. © 2019 Synopsys, Inc. 14
    Common Team Size Ratio
    100 : 10 : 1
    Developers Operations Security
    Credit: Shannon Lietz

    View Slide

  15. © 2019 Synopsys, Inc. 15
    Common Team Size Ratio
    100 developers – experts on their slice of the code
    1 security person – responsible for ALL code + systems

    View Slide

  16. © 2019 Synopsys, Inc. 16
    DevOps
    Developers are as responsible for stable code as the ops team is

    View Slide

  17. © 2019 Synopsys, Inc. 17
    DevOps
    Developers are as responsible for stable code as the ops team is
    DevSecOps
    Developers are as responsible for secure code as the security team is

    View Slide

  18. © 2019 Synopsys, Inc. 18
    Security Team’s Role
    Expertise
    Guidance
    Training
    Tools

    View Slide

  19. © 2019 Synopsys, Inc. 19
    Continuous Security Principles

    View Slide

  20. © 2019 Synopsys, Inc. 20
    The Secure Path is the Easy Path

    View Slide

  21. © 2019 Synopsys, Inc. 21
    Secure Path is Easy Path
    Secure-by-default APIs
    Never require “secure” flag or extra arguments
    Security should be simple (e.g. bcrypt)
    Remove insecure APIs if possible
    Out-of-the-Box Functionality
    Self-service server deployment
    CDN
    Secrets management
    User sessions
    Logs / monitoring
    Also, security!

    View Slide

  22. © 2019 Synopsys, Inc. 22
    Fast, Empathetic Feedback Loops
    Photo credit: wocintechchat.com
    Automated
    Tools
    Code
    Actionable
    Feedback

    View Slide

  23. © 2019 Synopsys, Inc. 23
    Fast, Empathetic Feedback Loops
    Photo credit: wocintechchat.com
    Automated
    Tools
    Code

    View Slide

  24. © 2019 Synopsys, Inc. 24
    Fast, Empathetic Feedback Loops
    Photo credit: wocintechchat.com
    Automated
    Tools
    Code

    View Slide

  25. © 2019 Synopsys, Inc. 25
    Security as an Ally

    View Slide

  26. © 2019 Synopsys, Inc. 26
    Implementation Strategy

    View Slide

  27. © 2019 Synopsys, Inc. 27
    Guidance
    Friendly, accessible security team
    Encourage discussion
    Default to “yes”
    Document preferred solutions
    Relevant training

    View Slide

  28. © 2019 Synopsys, Inc. 28
    Guardrails
    Single path to production
    Hardened default configurations/environment
    Secure-by-default libraries/frameworks
    Standardized secret management
    Centralized, self-service deployment

    View Slide

  29. © 2019 Synopsys, Inc. 29
    Tools (Security Automation)
    1. Identify a real security issue
    2. Determine solution
    3. Automate detection
    4. Automate enforcement
    https://flic.kr/p/dGYq6v

    View Slide

  30. © 2019 Synopsys, Inc. 30
    Lessons Learned

    View Slide

  31. © 2019 Synopsys, Inc. 31
    Listen First

    View Slide

  32. © 2019 Synopsys, Inc. 32
    Tailor Your Strategy
    https://flic.kr/p/f2JEum

    View Slide

  33. © 2019 Synopsys, Inc. 33
    Detect and Prevent
    https://flic.kr/p/21WAMJ4

    View Slide

  34. © 2019 Synopsys, Inc. 34
    Small Steps

    View Slide

  35. © 2019 Synopsys, Inc. 35
    Principles Summary
    Continuous Security Principles
    Ø The Secure Path is the Easy Path
    Ø Fast, Empathetic Feedback Loops
    Ø Security as an Ally
    Security Approach
    Ø Listen First
    Ø Tailor Your Strategy
    Ø Detect and Prevent
    Ø Small Steps

    View Slide

  36. © 2019 Synopsys, Inc. 36
    Now for the Bad News

    View Slide

  37. © 2019 Synopsys, Inc. 37
    AppSecUSA 2012

    View Slide

  38. © 2019 Synopsys, Inc. 38
    Security Team Evolution
    Zero
    Maybe one
    “security-
    minded”
    developer
    First security
    hire!
    Hire
    specialists
    Split into
    teams
    Responsible
    for everything
    Network
    Application
    Cloud
    Corporate

    Network
    Application
    Cloud
    Corporate

    View Slide

  39. © 2019 Synopsys, Inc. 39

    View Slide

  40. © 2019 Synopsys, Inc. 40
    The End of the AppSec Team

    View Slide

  41. © 2019 Synopsys, Inc. 41
    End of the AppSec Team
    Secure coding?
    Code review?
    Threat modeling?
    Bug bounty reports?
    Training?
    Developer tooling?
    Secure libraries?
    Incident management?
    …?

    View Slide

  42. © 2019 Synopsys, Inc. 42
    Summary
    DevOps’ fast pace can be beneficial to security
    Security’s role must shift away from gates,
    towards guardrails
    The future is diffusion of security responsibility
    across the organization

    View Slide

  43. © 2019 Synopsys, Inc. 43
    Further Resources
    Top Infosec Lessons Learned Researching And Co-Authoring The DevOps Handbook
    We Come Bearing Gifts: Enabling Product Security with Culture and Cloud
    Rise of the Machines: Security Automation at Twitter

    View Slide

  44. Thank You

    View Slide

  45. View Slide