Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Continuous (Application) Security at DevOps Velocity

Justin Collins
May 16, 2019
Technology
0
87

Continuous (Application) Security at DevOps Velocity

The security industry initially reacted to the “DevOps” movement with dismay: developers deploying code themselves? Hundreds of deploys per day? How could security teams possibly keep up with that rate of change? As the DevOps approach has become a mainstream development method, security teams have begun to embrace DevOps and discover the security benefits enabled by the DevOps methodology. Adapting to a DevOps world requires not just the security team to change how they operate, but a realignment of how security permeates the entire organization.

Justin Collins

May 16, 2019
Tweet

More Decks by Justin Collins

See All by Justin Collins
The Evolution of Rails Security
presidentbeef
1
550
Brakeman RailsConf 2017 Lightning Talk
presidentbeef
0
91
Practical Static Analysis for Continuous Application Security
presidentbeef
0
140
"...But Doesn't Rails Take Care of Security for Me?"
presidentbeef
1
300
Continuous Security with Practical Static Analysis
presidentbeef
1
250
Security Automation at Twitter - Rise of the Machines
presidentbeef
0
150
"Recent Rails SQL Issues" - 2012
presidentbeef
0
49
The World of Rails Security - RailsConf 2015
presidentbeef
8
990
Tales from the Crypt
presidentbeef
1
130

Other Decks in Technology

See All in Technology
ロケーターを学んでテスト自動化上級者を目指そう
nozomiito
0
610
Django with PostgreSQL superpowers
pauloxnet
0
110
位置情報ビッグデータの可視化技術の紹介と実社会での活用
sbtechnight
PRO
0
340
生成AIで文化を創造する(ChatGPT作成タイトル)
sbtechnight
PRO
0
340
Invitation to K8s-Docs ja
nasa9084
0
110
可読性を高めるためのコードレビューテクニック
sbtechnight
PRO
0
420
八王子からお届けするノベルティ - YAPC::Kyoto 2023
uzulla
0
330
NIST SP800-63-4 IPD 63A: Identity Proofing 概要紹介
kthrtty
0
360
dbtでデータ品質活動
foursue
6
1.2k
ChatGPTにR言語を教えてもらう(仮)
doradora09
1
150
マネジメント3.0モデル入門(120分版)
takufujii
11
2.6k
Kubernetes + containerd で cgroup v2 に移行したら "failed to create fsnotify watcher" エラーが発生する原因と対策
superbrothers
0
350

Featured

See All Featured
StorybookのUI Testing Handbookを読んだ
zakiyama
8
3.4k
Making the Leap to Tech Lead
cromwellryan
117
7.7k
VelocityConf: Rendering Performance Case Studies
addyosmani
317
22k
Designing on Purpose - Digital PM Summit 2013
jponch
108
5.9k
Product Roadmaps are Hard
iamctodd
38
7.9k
Designing the Hi-DPI Web
ddemaree
273
32k
Six Lessons from altMBA
skipperchong
15
2.4k
Code Reviewing Like a Champion
maltzj
508
38k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
6
910
The Invisible Side of Design
smashingmag
292
49k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
31
8.8k
How to Ace a Technical Interview
jacobian
270
22k

Transcript

  1. © 2019 Synopsys, Inc. 1
    Justin Collins
    @presidentbeef
    ISSA LA Summit 2019
    Continuous Security for DevOps Velocity

    View Slide

  2. © 2019 Synopsys, Inc. 2
    Justin Collins
    @presidentbeef
    ISSA LA Summit 2019
    Continuous Application Security
    for DevOps Velocity

    View Slide

  3. © 2019 Synopsys, Inc. 3
    Justin Collins - Background
    AT&T Interactive (YP.com)
    Twitter
    SurveyMonkey
    Brakeman
    Brakeman Pro
    Synopsys
    Web Application Security
    Static Analysis (Security)

    View Slide

  4. © 2019 Synopsys, Inc. 4
    DevOps?

    View Slide

  5. © 2019 Synopsys, Inc. 5
    DevOps Principles
    Flow
    Ease development to deployment
    Feedback
    Fast, meaningful tests
    Visibility and monitoring
    Continual Experimentation and Learning
    Resilient infrastructure
    Gene Kim

    View Slide

  6. © 2019 Synopsys, Inc. 6
    DevOps Practices
    Automated Testing
    Continuous Integration
    Continuous Deployment
    Infrastructure as Code
    Proactive Monitoring

    View Slide

  7. © 2019 Synopsys, Inc. 7
    DevOps?
    Sec
    ^

    View Slide

  8. © 2019 Synopsys, Inc. 8
    Rugged
    DevOps?

    View Slide

  9. © 2019 Synopsys, Inc. 9
    Speed is Good for Security
    “High performers, because they are integrating information security
    objectives into everyone’s daily work, are spending half as much time
    remediating security issues.”
    - Gene Kim at LocoMocoSec 2018
    “…organizations that successfully embed security into DevOps
    experience a 50% drop in their production vulnerabilities and
    their time to fix improves by 25%.”
    - WhiteHat Security 2018 Application Security Statistics Report

    View Slide

  10. © 2019 Synopsys, Inc. 10
    Speed is Good for Security – Why?
    How quickly can a system be patched/upgraded,
    safely?

    View Slide

  11. © 2019 Synopsys, Inc. 11
    Speed is Good for Security – Why?
    How quickly can an application vulnerability be fixed,
    safely?

    View Slide

  12. © 2019 Synopsys, Inc. 12
    Is the security team responsible
    for
    shipping secure code?

    View Slide

  13. © 2019 Synopsys, Inc. 13

    View Slide

  14. © 2019 Synopsys, Inc. 14
    Common Team Size Ratio
    100 : 10 : 1
    Developers Operations Security
    Credit: Shannon Lietz

    View Slide

  15. © 2019 Synopsys, Inc. 15
    Common Team Size Ratio
    100 developers – experts on their slice of the code
    1 security person – responsible for ALL code + systems

    View Slide

  16. © 2019 Synopsys, Inc. 16
    DevOps
    Developers are as responsible for stable code as the ops team is

    View Slide

  17. © 2019 Synopsys, Inc. 17
    DevOps
    Developers are as responsible for stable code as the ops team is
    DevSecOps
    Developers are as responsible for secure code as the security team is

    View Slide

  18. © 2019 Synopsys, Inc. 18
    Security Team’s Role
    Expertise
    Guidance
    Training
    Tools

    View Slide

  19. © 2019 Synopsys, Inc. 19
    Continuous Security Principles

    View Slide

  20. © 2019 Synopsys, Inc. 20
    The Secure Path is the Easy Path

    View Slide

  21. © 2019 Synopsys, Inc. 21
    Secure Path is Easy Path
    Secure-by-default APIs
    Never require “secure” flag or extra arguments
    Security should be simple (e.g. bcrypt)
    Remove insecure APIs if possible
    Out-of-the-Box Functionality
    Self-service server deployment
    CDN
    Secrets management
    User sessions
    Logs / monitoring
    Also, security!

    View Slide

  22. © 2019 Synopsys, Inc. 22
    Fast, Empathetic Feedback Loops
    Photo credit: wocintechchat.com
    Automated
    Tools
    Code
    Actionable
    Feedback

    View Slide

  23. © 2019 Synopsys, Inc. 23
    Fast, Empathetic Feedback Loops
    Photo credit: wocintechchat.com
    Automated
    Tools
    Code

    View Slide

  24. © 2019 Synopsys, Inc. 24
    Fast, Empathetic Feedback Loops
    Photo credit: wocintechchat.com
    Automated
    Tools
    Code

    View Slide

  25. © 2019 Synopsys, Inc. 25
    Security as an Ally

    View Slide

  26. © 2019 Synopsys, Inc. 26
    Implementation Strategy

    View Slide

  27. © 2019 Synopsys, Inc. 27
    Guidance
    Friendly, accessible security team
    Encourage discussion
    Default to “yes”
    Document preferred solutions
    Relevant training

    View Slide

  28. © 2019 Synopsys, Inc. 28
    Guardrails
    Single path to production
    Hardened default configurations/environment
    Secure-by-default libraries/frameworks
    Standardized secret management
    Centralized, self-service deployment

    View Slide

  29. © 2019 Synopsys, Inc. 29
    Tools (Security Automation)
    1. Identify a real security issue
    2. Determine solution
    3. Automate detection
    4. Automate enforcement
    https://flic.kr/p/dGYq6v

    View Slide

  30. © 2019 Synopsys, Inc. 30
    Lessons Learned

    View Slide

  31. © 2019 Synopsys, Inc. 31
    Listen First

    View Slide

  32. © 2019 Synopsys, Inc. 32
    Tailor Your Strategy
    https://flic.kr/p/f2JEum

    View Slide

  33. © 2019 Synopsys, Inc. 33
    Detect and Prevent
    https://flic.kr/p/21WAMJ4

    View Slide

  34. © 2019 Synopsys, Inc. 34
    Small Steps

    View Slide

  35. © 2019 Synopsys, Inc. 35
    Principles Summary
    Continuous Security Principles
    Ø The Secure Path is the Easy Path
    Ø Fast, Empathetic Feedback Loops
    Ø Security as an Ally
    Security Approach
    Ø Listen First
    Ø Tailor Your Strategy
    Ø Detect and Prevent
    Ø Small Steps

    View Slide

  36. © 2019 Synopsys, Inc. 36
    Now for the Bad News

    View Slide

  37. © 2019 Synopsys, Inc. 37
    AppSecUSA 2012

    View Slide

  38. © 2019 Synopsys, Inc. 38
    Security Team Evolution
    Zero
    Maybe one
    “security-
    minded”
    developer
    First security
    hire!
    Hire
    specialists
    Split into
    teams
    Responsible
    for everything
    Network
    Application
    Cloud
    Corporate

    Network
    Application
    Cloud
    Corporate

    View Slide

  39. © 2019 Synopsys, Inc. 39

    View Slide

  40. © 2019 Synopsys, Inc. 40
    The End of the AppSec Team

    View Slide

  41. © 2019 Synopsys, Inc. 41
    End of the AppSec Team
    Secure coding?
    Code review?
    Threat modeling?
    Bug bounty reports?
    Training?
    Developer tooling?
    Secure libraries?
    Incident management?
    …?

    View Slide

  42. © 2019 Synopsys, Inc. 42
    Summary
    DevOps’ fast pace can be beneficial to security
    Security’s role must shift away from gates,
    towards guardrails
    The future is diffusion of security responsibility
    across the organization

    View Slide

  43. © 2019 Synopsys, Inc. 43
    Further Resources
    Top Infosec Lessons Learned Researching And Co-Authoring The DevOps Handbook
    We Come Bearing Gifts: Enabling Product Security with Culture and Cloud
    Rise of the Machines: Security Automation at Twitter

    View Slide

  44. Thank You

    View Slide

  45. View Slide