Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Continuous (Application) Security at DevOps Velocity

Continuous (Application) Security at DevOps Velocity

The security industry initially reacted to the “DevOps” movement with dismay: developers deploying code themselves? Hundreds of deploys per day? How could security teams possibly keep up with that rate of change? As the DevOps approach has become a mainstream development method, security teams have begun to embrace DevOps and discover the security benefits enabled by the DevOps methodology. Adapting to a DevOps world requires not just the security team to change how they operate, but a realignment of how security permeates the entire organization.

Justin Collins

May 16, 2019

More Decks by Justin Collins

Other Decks in Technology


  1. © 2019 Synopsys, Inc. 1 Justin Collins @presidentbeef ISSA LA

    Summit 2019 Continuous Security for DevOps Velocity
  2. © 2019 Synopsys, Inc. 2 Justin Collins @presidentbeef ISSA LA

    Summit 2019 Continuous Application Security for DevOps Velocity
  3. © 2019 Synopsys, Inc. 3 Justin Collins - Background AT&T

    Interactive (YP.com) Twitter SurveyMonkey Brakeman Brakeman Pro Synopsys Web Application Security Static Analysis (Security)
  4. © 2019 Synopsys, Inc. 5 DevOps Principles Flow Ease development

    to deployment Feedback Fast, meaningful tests Visibility and monitoring Continual Experimentation and Learning Resilient infrastructure Gene Kim
  5. © 2019 Synopsys, Inc. 6 DevOps Practices Automated Testing Continuous

    Integration Continuous Deployment Infrastructure as Code Proactive Monitoring
  6. © 2019 Synopsys, Inc. 9 Speed is Good for Security

    “High performers, because they are integrating information security objectives into everyone’s daily work, are spending half as much time remediating security issues.” - Gene Kim at LocoMocoSec 2018 “…organizations that successfully embed security into DevOps experience a 50% drop in their production vulnerabilities and their time to fix improves by 25%.” - WhiteHat Security 2018 Application Security Statistics Report
  7. © 2019 Synopsys, Inc. 10 Speed is Good for Security

    – Why? How quickly can a system be patched/upgraded, safely?
  8. © 2019 Synopsys, Inc. 11 Speed is Good for Security

    – Why? How quickly can an application vulnerability be fixed, safely?
  9. © 2019 Synopsys, Inc. 14 Common Team Size Ratio 100

    : 10 : 1 Developers Operations Security Credit: Shannon Lietz
  10. © 2019 Synopsys, Inc. 15 Common Team Size Ratio 100

    developers – experts on their slice of the code 1 security person – responsible for ALL code + systems
  11. © 2019 Synopsys, Inc. 17 DevOps Developers are as responsible

    for stable code as the ops team is DevSecOps Developers are as responsible for secure code as the security team is
  12. © 2019 Synopsys, Inc. 21 Secure Path is Easy Path

    Secure-by-default APIs Never require “secure” flag or extra arguments Security should be simple (e.g. bcrypt) Remove insecure APIs if possible Out-of-the-Box Functionality Self-service server deployment CDN Secrets management User sessions Logs / monitoring Also, security!
  13. © 2019 Synopsys, Inc. 22 Fast, Empathetic Feedback Loops Photo

    credit: wocintechchat.com Automated Tools Code Actionable Feedback
  14. © 2019 Synopsys, Inc. 23 Fast, Empathetic Feedback Loops Photo

    credit: wocintechchat.com Automated Tools Code
  15. © 2019 Synopsys, Inc. 24 Fast, Empathetic Feedback Loops Photo

    credit: wocintechchat.com Automated Tools Code
  16. © 2019 Synopsys, Inc. 27 Guidance Friendly, accessible security team

    Encourage discussion Default to “yes” Document preferred solutions Relevant training
  17. © 2019 Synopsys, Inc. 28 Guardrails Single path to production

    Hardened default configurations/environment Secure-by-default libraries/frameworks Standardized secret management Centralized, self-service deployment
  18. © 2019 Synopsys, Inc. 29 Tools (Security Automation) 1. Identify

    a real security issue 2. Determine solution 3. Automate detection 4. Automate enforcement https://flic.kr/p/dGYq6v
  19. © 2019 Synopsys, Inc. 35 Principles Summary Continuous Security Principles

    Ø The Secure Path is the Easy Path Ø Fast, Empathetic Feedback Loops Ø Security as an Ally Security Approach Ø Listen First Ø Tailor Your Strategy Ø Detect and Prevent Ø Small Steps
  20. © 2019 Synopsys, Inc. 38 Security Team Evolution Zero Maybe

    one “security- minded” developer First security hire! Hire specialists Split into teams Responsible for everything Network Application Cloud Corporate … Network Application Cloud Corporate …
  21. © 2019 Synopsys, Inc. 41 End of the AppSec Team

    Secure coding? Code review? Threat modeling? Bug bounty reports? Training? Developer tooling? Secure libraries? Incident management? …?
  22. © 2019 Synopsys, Inc. 42 Summary DevOps’ fast pace can

    be beneficial to security Security’s role must shift away from gates, towards guardrails The future is diffusion of security responsibility across the organization
  23. © 2019 Synopsys, Inc. 43 Further Resources Top Infosec Lessons

    Learned Researching And Co-Authoring The DevOps Handbook We Come Bearing Gifts: Enabling Product Security with Culture and Cloud Rise of the Machines: Security Automation at Twitter