
Continuous (Application) Security at DevOps Velocity

The security industry initially reacted to the “DevOps” movement with dismay: developers deploying code themselves? Hundreds of deploys per day? How could security teams possibly keep up with that rate of change? As the DevOps approach has become a mainstream development method, security teams have begun to embrace DevOps and discover the security benefits enabled by the DevOps methodology. Adapting to a DevOps world requires not just the security team to change how they operate, but a realignment of how security permeates the entire organization.


Justin Collins

May 16, 2019

Transcript

  1. © 2019 Synopsys, Inc. Justin Collins (@presidentbeef), ISSA LA Summit 2019: Continuous Security for DevOps Velocity
  2. Justin Collins (@presidentbeef), ISSA LA Summit 2019: Continuous Application Security for DevOps Velocity
  3. Justin Collins - Background: AT&T Interactive (YP.com), Twitter, SurveyMonkey, Brakeman, Brakeman Pro, Synopsys; web application security, static analysis (security)
  4. DevOps?
  5. DevOps Principles (Gene Kim):
     - Flow: ease development to deployment
     - Feedback: fast, meaningful tests; visibility and monitoring
     - Continual Experimentation and Learning: resilient infrastructure
  6. DevOps Practices: Automated Testing, Continuous Integration, Continuous Deployment, Infrastructure as Code, Proactive Monitoring
  7. DevOps? ("Sec" inserted with a caret: DevSecOps?)
  8. Rugged DevOps?
  9. Speed is Good for Security
     - “High performers, because they are integrating information security objectives into everyone’s daily work, are spending half as much time remediating security issues.” - Gene Kim at LocoMocoSec 2018
     - “…organizations that successfully embed security into DevOps experience a 50% drop in their production vulnerabilities and their time to fix improves by 25%.” - WhiteHat Security 2018 Application Security Statistics Report
  10. Speed is Good for Security – Why? How quickly can a system be patched/upgraded, safely?
  11. Speed is Good for Security – Why? How quickly can an application vulnerability be fixed, safely?
  12. Is the security team responsible for shipping secure code?
  13. (no transcript text)
  14. Common Team Size Ratio: 100 : 10 : 1 (Developers : Operations : Security). Credit: Shannon Lietz
  15. Common Team Size Ratio: 100 developers – experts on their slice of the code; 1 security person – responsible for ALL code + systems
  16. DevOps: Developers are as responsible for stable code as the ops team is
  17. DevOps: Developers are as responsible for stable code as the ops team is. DevSecOps: Developers are as responsible for secure code as the security team is
  18. Security Team’s Role: Expertise, Guidance, Training, Tools
  19. Continuous Security Principles
  20. The Secure Path is the Easy Path
  21. Secure Path is Easy Path
     - Secure-by-default APIs: never require a “secure” flag or extra arguments; security should be simple (e.g. bcrypt); remove insecure APIs if possible
     - Out-of-the-Box Functionality: self-service server deployment, CDN, secrets management, user sessions, logs / monitoring. Also, security!
  22. Fast, Empathetic Feedback Loops (photo credit: wocintechchat.com): Automated Tools, Code, Actionable Feedback
  23. Fast, Empathetic Feedback Loops (photo credit: wocintechchat.com): Automated Tools, Code
  24. Fast, Empathetic Feedback Loops (photo credit: wocintechchat.com): Automated Tools, Code
  25. Security as an Ally
  26. Implementation Strategy
  27. Guidance: friendly, accessible security team; encourage discussion; default to “yes”; document preferred solutions; relevant training
  28. Guardrails: single path to production; hardened default configurations/environment; secure-by-default libraries/frameworks; standardized secret management; centralized, self-service deployment
  29. Tools (Security Automation): 1. Identify a real security issue; 2. Determine solution; 3. Automate detection; 4. Automate enforcement. https://flic.kr/p/dGYq6v
  30. Lessons Learned
  31. Listen First
  32. Tailor Your Strategy https://flic.kr/p/f2JEum
  33. Detect and Prevent https://flic.kr/p/21WAMJ4
  34. Small Steps
  35. Principles Summary
     - Continuous Security Principles: The Secure Path is the Easy Path; Fast, Empathetic Feedback Loops; Security as an Ally
     - Security Approach: Listen First; Tailor Your Strategy; Detect and Prevent; Small Steps
  36. Now for the Bad News
  37. AppSecUSA 2012
  38. Security Team Evolution: zero; maybe one “security-minded” developer; first security hire! (responsible for everything: Network, Application, Cloud, Corporate, …); hire specialists; split into teams (Network, Application, Cloud, Corporate, …)
  39. (no transcript text)
  40. The End of the AppSec Team
  41. End of the AppSec Team: Secure coding? Code review? Threat modeling? Bug bounty reports? Training? Developer tooling? Secure libraries? Incident management? …?
  42. Summary: DevOps’ fast pace can be beneficial to security; Security’s role must shift away from gates, towards guardrails; The future is diffusion of security responsibility across the organization
  43. Further Resources: Top Infosec Lessons Learned Researching And Co-Authoring The DevOps Handbook; We Come Bearing Gifts: Enabling Product Security with Culture and Cloud; Rise of the Machines: Security Automation at Twitter
  44. Thank You
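Slide 21's "never require a 'secure' flag or extra arguments", as an added Ruby example that is not code from the talk or from Brakeman: an opt-in hasher beside a secure-by-default one. The slide's bcrypt is swapped for PBKDF2-HMAC-SHA256 from Ruby's standard library so it runs without gems; the module and method names are hypothetical.

```ruby
require "openssl"
require "securerandom"
# The slide names bcrypt; to stay in Ruby's stdlib this uses PBKDF2-HMAC-SHA256
# via OpenSSL::KDF. Both modules are hypothetical illustrations of API shape.

# The shape the slide warns against: safety is opt-in through extra arguments,
# so a caller who passes only the password silently gets a fixed salt and a
# low work factor, and every user with that password gets the same hash.
module OptInHasher
  def self.hash(password, salt: "0123456789abcdef", iterations: 1000)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                             length: 32, hash: "sha256").unpack1("H*")
  end
end

# Secure by default: the only way to call it is the safe way. Scheme and work
# factor are recorded in the stored string, so ITERATIONS can be raised later
# while old hashes still verify.
module PasswordHash
  SCHEME     = "pbkdf2-sha256"
  ITERATIONS = 600_000 # raise as hardware gets faster
  SALT_BYTES = 16
  KEY_BYTES  = 32

  def self.create(password)
    salt = SecureRandom.random_bytes(SALT_BYTES)
    key  = derive(password, salt, ITERATIONS)
    [SCHEME, ITERATIONS, salt.unpack1("H*"), key.unpack1("H*")].join("$")
  end

  # False for a wrong password and for a malformed or nil stored value.
  def self.verify(password, stored)
    scheme, iterations, salt_hex, key_hex = stored.to_s.split("$", 4)
    return false unless scheme == SCHEME && iterations.to_i > 0 && key_hex
    candidate = derive(password, [salt_hex].pack("H*"), iterations.to_i)
    secure_compare(candidate, [key_hex].pack("H*"))
  end

  def self.derive(password, salt, iterations)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                             length: KEY_BYTES, hash: "sha256")
  end

  # Constant-time comparison so timing does not leak how many leading bytes matched.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
  private_class_method :derive, :secure_compare
end
```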
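Steps 3 and 4 of slide 29, automate detection and automate enforcement, as an added Ruby example that is not the talk's or Brakeman's code: a Ripper-based check that flags calls to method names the team has agreed to retire and returns an exit status for CI. The banned-method list, the Finding struct and the sample source are all constructed for this illustration.

```ruby
require "ripper"
# Hypothetical step-2 outcome: method name => the replacement the team chose.
BANNED_CALLS = {
  "insecure_hash" => "use PasswordHash.create",
  "eval"          => "never evaluate strings as code",
}.freeze
# Ripper node types whose direct [:@ident, ...] child is the method name.
CALL_NODES = %i[command command_call call fcall vcall].freeze
Finding = Struct.new(:file, :line, :name, :advice) do
  def to_s
    "#{file}:#{line}: call to `#{name}` (#{advice})"
  end
end

# Step 3, automated detection: parse with Ripper (stdlib) and record every call
# whose method name is banned. A definition or assignment of the same name is
# not a call and is ignored.
def find_banned_calls(source, file = "(inline)")
  tree = Ripper.sexp(source)
  return [] if tree.nil? # syntax error: the real build will report it
  findings = []
  walk = lambda do |node|
    return unless node.is_a?(Array)
    if CALL_NODES.include?(node[0])
      node.each do |child|
        next unless child.is_a?(Array) && child[0] == :@ident
        name, line = child[1], child[2][0]
        findings << Finding.new(file, line, name, BANNED_CALLS[name]) if BANNED_CALLS[name]
      end
    end
    node.each { |child| walk.call(child) }
  end
  walk.call(tree)
  findings
end

# Step 4, automated enforcement: a non-zero status fails the CI job, so the
# change cannot merge until the call is replaced. Wire up with `exit enforce(ARGV)`.
def enforce(paths)
  findings = paths.flat_map { |path| find_banned_calls(File.read(path), path) }
  findings.each { |finding| warn finding.to_s }
  findings.empty? ? 0 : 1
end

# Constructed sample, as the check might see it in a pull request.
SAMPLE = <<~RUBY
  digest = insecure_hash(params[:password])
  result = eval(user_input)
  safe   = PasswordHash.create(params[:password])
RUBY
```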