
Continuous (Application) Security at DevOps Velocity

The security industry initially reacted to the “DevOps” movement with dismay: developers deploying code themselves? Hundreds of deploys per day? How could security teams possibly keep up with that rate of change? As the DevOps approach has become a mainstream development method, security teams have begun to embrace DevOps and discover the security benefits enabled by the DevOps methodology. Adapting to a DevOps world requires not just the security team to change how they operate, but a realignment of how security permeates the entire organization.

Justin Collins

May 16, 2019
Transcript

  1. © 2019 Synopsys, Inc.
    Justin Collins
    @presidentbeef
    ISSA LA Summit 2019
    Continuous Security for DevOps Velocity

  2. Justin Collins
    @presidentbeef
    ISSA LA Summit 2019
    Continuous Application Security
    for DevOps Velocity

  3. Justin Collins - Background
    AT&T Interactive (YP.com)
    Twitter
    SurveyMonkey
    Brakeman
    Brakeman Pro
    Synopsys
    Web Application Security
    Static Analysis (Security)

  4. DevOps?

  5. DevOps Principles (Gene Kim)
    Flow
      Ease development to deployment
    Feedback
      Fast, meaningful tests
      Visibility and monitoring
    Continual Experimentation and Learning
      Resilient infrastructure

  6. DevOps Practices
    Automated Testing
    Continuous Integration
    Continuous Deployment
    Infrastructure as Code
    Proactive Monitoring

  7. DevOps? (“Sec” inserted by caret: DevSecOps?)

  8. Rugged DevOps?

  9. Speed is Good for Security
    “High performers, because they are integrating information security
    objectives into everyone’s daily work, are spending half as much time
    remediating security issues.”
    - Gene Kim at LocoMocoSec 2018
    “…organizations that successfully embed security into DevOps
    experience a 50% drop in their production vulnerabilities and
    their time to fix improves by 25%.”
    - WhiteHat Security 2018 Application Security Statistics Report

  10. Speed is Good for Security – Why?
    How quickly can a system be patched/upgraded, safely?

  11. Speed is Good for Security – Why?
    How quickly can an application vulnerability be fixed, safely?

  12. Is the security team responsible for shipping secure code?

  13. [image slide]

  14. Common Team Size Ratio
    100 : 10 : 1 (Developers : Operations : Security)
    Credit: Shannon Lietz

  15. Common Team Size Ratio
    100 developers – experts on their slice of the code
    1 security person – responsible for ALL code + systems

  16. DevOps
    Developers are as responsible for stable code as the ops team is

  17. DevOps
    Developers are as responsible for stable code as the ops team is
    DevSecOps
    Developers are as responsible for secure code as the security team is

  18. Security Team’s Role
    Expertise
    Guidance
    Training
    Tools

  19. Continuous Security Principles

  20. The Secure Path is the Easy Path

  21. Secure Path is Easy Path
    Secure-by-default APIs
      Never require a “secure” flag or extra arguments
      Security should be simple (e.g. bcrypt)
      Remove insecure APIs if possible
    Out-of-the-Box Functionality
      Self-service server deployment
      CDN
      Secrets management
      User sessions
      Logs / monitoring
      Also, security!
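
The secure-by-default point on this slide, as an added example that is not from the deck: a cookie-header helper written both ways. The first module makes the caller remember to ask for `Secure` and `HttpOnly`, so forgetting a flag silently ships a weaker cookie; the second turns every protection on unconditionally and makes the one common opt-out (a cookie JavaScript must read) a separate, named method instead of a boolean. Module and method names are illustrative; the bcrypt example from the slide is not shown because it needs a gem outside the standard library.

```ruby
require "cgi"

# The API the slide says to remove: correctness depends on the caller
# passing secure: true and http_only: true on every call.
module InsecureByDefault
  def self.set_cookie(name, value, secure: false, http_only: false)
    attrs = ["#{name}=#{CGI.escape(value)}", "Path=/"]
    attrs << "Secure" if secure
    attrs << "HttpOnly" if http_only
    attrs.join("; ")
  end
end

# The replacement: Secure, HttpOnly and SameSite are always set. There is
# no flag to forget, and the only relaxation offered is a distinct method
# whose name makes the weaker cookie greppable in code review.
module SecureByDefault
  SAME_SITE = %w[Strict Lax].freeze # cross-site (None) cookies deliberately unsupported here

  def self.set_cookie(name, value, same_site: "Lax")
    check_same_site(same_site)
    build(name, value, ["Secure", "HttpOnly", "SameSite=#{same_site}"])
  end

  # Explicit opt-out: drops HttpOnly only; still Secure, still SameSite.
  def self.set_script_readable_cookie(name, value, same_site: "Lax")
    check_same_site(same_site)
    build(name, value, ["Secure", "SameSite=#{same_site}"])
  end

  def self.check_same_site(value)
    raise ArgumentError, "SameSite must be one of #{SAME_SITE.join('/')}" unless SAME_SITE.include?(value)
  end

  def self.build(name, value, protections)
    # Reject names that could smuggle extra attributes into the header.
    raise ArgumentError, "invalid cookie name #{name.inspect}" unless name.match?(/\A[\w-]+\z/)
    (["#{name}=#{CGI.escape(value)}", "Path=/"] + protections).join("; ")
  end
  private_class_method :check_same_site, :build
end

if $PROGRAM_NAME == __FILE__
  puts InsecureByDefault.set_cookie("session", "abc 123")
  puts SecureByDefault.set_cookie("session", "abc 123")
  puts SecureByDefault.set_script_readable_cookie("theme", "dark")
end
```

The value of the second shape is that a code search for `set_script_readable_cookie` lists every place the protection was relaxed, whereas with the first shape the dangerous calls are the ones that mention nothing at all.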

  22. Fast, Empathetic Feedback Loops
    Loop: Code → Automated Tools → Actionable Feedback → Code
    Photo credit: wocintechchat.com

  25. Security as an Ally

  26. Implementation Strategy

  27. Guidance
    Friendly, accessible security team
    Encourage discussion
    Default to “yes”
    Document preferred solutions
    Relevant training

  28. Guardrails
    Single path to production
    Hardened default configurations/environment
    Secure-by-default libraries/frameworks
    Standardized secret management
    Centralized, self-service deployment

  29. Tools (Security Automation)
    1. Identify a real security issue
    2. Determine solution
    3. Automate detection
    4. Automate enforcement
    https://flic.kr/p/dGYq6v
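
The four-step loop on this slide, carried through as an added example that is neither from the deck nor from Brakeman: each rule records the issue that was identified (step 1) and the agreed solution (step 2), so a finding tells the developer what to do instead; `scan` is the automated detection (step 3) and `enforce` the automated enforcement (step 4), returning the exit status a CI job or pre-commit hook would use. The rule set, the sample source files and the fix text are constructed for illustration; the baseline mechanism is an assumption about how a team would roll such a check out without blocking on existing debt.

```ruby
require "stringio"

# Steps 1 and 2: what was found in real code, and what the team decided the
# replacement is. The message and fix travel with every finding.
Rule = Struct.new(:id, :pattern, :message, :fix)

RULES = [
  Rule.new("RB001", /\bMarshal\.load\(/,
           "Marshal.load instantiates arbitrary objects from its input",
           "Use JSON.parse for data that crosses a trust boundary"),
  Rule.new("RB002", /\beval\(/,
           "eval executes its argument as code",
           "Replace with an explicit dispatch table or a real parser"),
  Rule.new("RB003", /\.html_safe\b/,
           "html_safe turns off output escaping for this string",
           "Build the markup with view helpers and let the template escape"),
].freeze

Finding = Struct.new(:rule_id, :path, :line, :message, :fix) do
  # One line per finding, in the file:line form editors and CI logs link to.
  def to_s
    "#{path}:#{line}: [#{rule_id}] #{message}. Fix: #{fix}"
  end
end

# Step 3: detection. `sources` maps a path to its text so this runs offline;
# a real hook would read the files touched by the commit or pull request.
def scan(sources, rules = RULES)
  sources.flat_map do |path, text|
    text.each_line.with_index(1).flat_map do |line, number|
      next [] if line.lstrip.start_with?("#") # a comment is not a call
      rules.select { |rule| line.match?(rule.pattern) }
           .map { |rule| Finding.new(rule.id, path, number, rule.message, rule.fix) }
    end
  end
end

# Step 4: enforcement. Findings already in the baseline are known debt and
# do not fail the build; anything new does. Returns the process exit status.
def enforce(sources, baseline: [], io: $stdout)
  new_findings = scan(sources).reject { |f| baseline.include?("#{f.path}:#{f.line}") }
  new_findings.each { |f| io.puts f }
  new_findings.empty? ? 0 : 1
end

# Constructed sample input (not real application code).
SAMPLE = {
  "app/controllers/sessions_controller.rb" => <<~'RUBY',
    class SessionsController < ApplicationController
      def restore
        # Marshal.load(cookies[:state]) was replaced by the line below
        state = JSON.parse(cookies[:state])
      end
    end
  RUBY
  "app/helpers/banner_helper.rb" => <<~'RUBY',
    module BannerHelper
      def banner(text)
        "<div class='banner'>#{text}</div>".html_safe
      end
    end
  RUBY
}.freeze

if $PROGRAM_NAME == __FILE__
  status = enforce(SAMPLE)
  puts "exit status: #{status}"
end
```

Run against the sample, the only finding is the `html_safe` call in the helper; the commented-out `Marshal.load` in the controller is skipped, which is what keeps the feedback loop from training developers to ignore the tool. Starting with detection only (`scan`) and switching on `enforce` once the baseline is agreed matches the slide's ordering of steps 3 and 4.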

  30. Lessons Learned

  31. Listen First

  32. Tailor Your Strategy
    https://flic.kr/p/f2JEum

  33. Detect and Prevent
    https://flic.kr/p/21WAMJ4

  34. Small Steps

  35. Principles Summary
    Continuous Security Principles
      The Secure Path is the Easy Path
      Fast, Empathetic Feedback Loops
      Security as an Ally
    Security Approach
      Listen First
      Tailor Your Strategy
      Detect and Prevent
      Small Steps

  36. Now for the Bad News

  37. AppSecUSA 2012

  38. Security Team Evolution
    Zero
    → Maybe one “security-minded” developer
    → First security hire! (responsible for everything)
    → Hire specialists
    → Split into teams: Network, Application, Cloud, Corporate

  39. [image slide]

  40. The End of the AppSec Team

  41. End of the AppSec Team
    Secure coding?
    Code review?
    Threat modeling?
    Bug bounty reports?
    Training?
    Developer tooling?
    Secure libraries?
    Incident management?
    …?

  42. Summary
    DevOps’ fast pace can be beneficial to security
    Security’s role must shift away from gates, towards guardrails
    The future is diffusion of security responsibility across the organization

  43. Further Resources
    Top Infosec Lessons Learned Researching And Co-Authoring The DevOps Handbook
    We Come Bearing Gifts: Enabling Product Security with Culture and Cloud
    Rise of the Machines: Security Automation at Twitter

  44. Thank You
