
InterDevOps - DevSecOps: How hard it is


Talk presented at the InterDevOps 2017 conference.

Thiago Ribeiro

October 14, 2017



Transcript

  1. dev sec ops: HOW HARD IT IS. Thiago Ribeiro . github.com/ribeiroit . twitter.com/ribeiroit

     disclaimer: this presentation does not represent the opinions of Itaú-Unibanco do Brasil. All the ideas expressed in this talk are my own.
  2. agenda

     • about me
     • why devsecops?
     • quick concepts
     • myths
     • cultural change
     • tips
     • responsibilities
     • q&a
  3. about me

     professional experience: 97 / helpdesk, internet provider • 00 / sysadmin / web developer • 06 / IT manager • 09 / sysadmin / infra developer • 12 / backend developer • 14 / security architect
     education: tech, data processing • grad, industrial design • MBA, IT management • MS, production engineering [aborted] • ITIL / COBIT / project management / lean / cybersecurity / cloud computing / open source experience
  4. why devsecops?

     cybersecurity: technologies + processes + practices = protecting enterprise assets. It spans application security + information security + network security + disaster recovery + business continuity + operational security + end user education. source: http://whatis.techtarget.com/definition/cybersecurity
  5. why devsecops?

     fixing a vulnerability in a web application costs from $400 to $4,000, depending on the vulnerability. source: http://www.darkreading.com/risk/the-cost-of-fixing-an-application-vulnerability/d/d-id/1131049 $$ it is not about computers. it is about branding and reputation.
  6. why devsecops?

     handle requirements from regulators and introduce maturity model concepts into the SDLC: SOX, PCI, HIPAA, CSA, ISO 27001, OpenSAMM, BSIMM, BACEN.
  7. why devsecops?

     understand security metrics during the SDLC. it is a great opportunity to get the "time to fix" from the teams and handle risks accurately.
  8. why devsecops?

     simple attack scenario [diagram: dev → repo → build → deploy; a blackhat exploits a vulnerability in the deployed application]. fix development vulnerabilities before they are deployed to prod.
  9. why devsecops?

     advanced attack scenario [diagram: dev → repo → build → deploy; a blackhat uses a vulnerability and malware to reach ops and confidential files]. helps protect against information leakage.
  10. quick concepts

     • SAST – static application security testing
     • DAST – dynamic application security testing
     • WAF – web application firewall
     • pentesting – security penetration testing
     • RASP – runtime application self-protection
     • OWASP – Open Web Application Security Project
     • ASVS – Application Security Verification Standard
     • SOC – security operations center
  11. myths

     "people often sell devops like they are selling bananas."
     devops is a complex ecosystem and demands many hours of implementation. there is no silver bullet. it's hard to scale devops in big companies.
  12. myths

     "problems? just install docker to get things done."
     supporting containers in high availability is not a piece of cake. problems like networking policies and data volumes are not easy to solve. all the people "layers" must be sorted out before containers can be adopted. take care when using containers: an image could carry malware.
  13. myths

     "static application security testing is enough to keep you protected."
     it's hard to make devs understand all the threats they could be vulnerable to. fixing vulnerabilities can take a long time. fixing vulnerabilities might introduce new ones. consider a WAF or RASP to stay covered in the meantime.
  14. myths

     "12 factors. Whaaattt?"
     it's not easy to find developers who can absorb the 12 factors and deliver on them. it is a big challenge to keep a devsecops process running. it demands massive communication and iteration with the crew.
  15. cultural change

     "developers think that they will deliver software to production easily."
     devsecops is much more responsibility than facilitation. apply different gates to different teams based on their maturity. create KPIs to measure that maturity. with great power comes great responsibility.
  16. cultural change

     "the team members don't understand data classification and what they need to protect."
     your company should have a sound approach to data classification and make the team aware of what they handle. a good education program about risks can help the team understand the value of the information.
  17. cultural change

     "product owners must consider security tests a 'valuable deliverable' of their products."
     security is still considered a pain in the ass by many people. some applications need manual tests to go deeper into some attack scenarios. automated dynamic analysis can speed up releases, but it's not enough.
  18. tips

     know your enemies and threats.
     * you must know the OWASP Top 10
     * you must know the SANS Top 25
     if you don't know how to attack, how could you defend? SQL injection appeared in 98 and is still among the top vulnerabilities.
  19. tips

     start everything by classifying risks and validating requirements. OWASP ASVS can help you validate your technical security controls. keep your application inventory updated.
     ref: https://github.com/aparsons/bag-of-holding
     ref: https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf
  20. tips

     add SAST to your pipeline
     * saves money and time finding and fixing vulnerabilities
     * SAST helps scale your team's knowledge and understanding
     * it keeps your code safer; even the best make mistakes.
     * establish a code review process for critical code. double checking really matters.
     ref: https://www.owasp.org/index.php/Source_Code_Analysis_Tools
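Added example, not the author's code: a toy SAST rule of the kind a pipeline gate runs, written in Python on top of the standard `ast` module. It flags `execute()`/`executemany()` calls whose statement was assembled with f-strings, `%`, `.format()` or `+` concatenation, directly or through a local variable, and returns a non-zero exit status for the CI job. The source it scans is constructed for the example; production tools such as Bandit or Semgrep implement this class of check with far broader coverage, and this rule is only meant to show what such a gate does.

```python
import ast
import re
from typing import Dict, List, Tuple

# Constructed sample of application code fed to the rule; not from any real project.
SAMPLE_SOURCE = '''
import sqlite3

def lookup_concat(conn, name):
    q = "SELECT * FROM users WHERE name = '" + name + "'"
    return conn.execute(q).fetchall()

def lookup_percent(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '%s'" % name)

def lookup_fstring(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'")

def lookup_safe(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

SQL_KEYWORD = re.compile(r"\b(select|insert|update|delete|drop|union)\b", re.IGNORECASE)

def _is_str_const(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)

def _is_format_call(node: ast.AST) -> bool:
    return isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format"

def _add_operands(node: ast.AST):
    """Flatten a chain of '+' into its operands."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        yield from _add_operands(node.left)
        yield from _add_operands(node.right)
    else:
        yield node

def _literal_parts(node: ast.AST):
    """Yield the string-literal fragments of a string-building expression."""
    if _is_str_const(node):
        yield node.value
    elif isinstance(node, ast.JoinedStr):                        # f"..."
        for value in node.values:
            yield from _literal_parts(value)
    elif isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        yield from _literal_parts(node.left)
        yield from _literal_parts(node.right)
    elif _is_format_call(node):                                  # "...".format(...)
        yield from _literal_parts(node.func.value)

def _has_dynamic_part(node: ast.AST) -> bool:
    """True when the expression mixes literal text with runtime values."""
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return True                                              # "..." % value
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return any(not _is_str_const(op) for op in _add_operands(node))
    return _is_format_call(node)

def _is_dynamic_sql(node: ast.AST) -> bool:
    return _has_dynamic_part(node) and bool(SQL_KEYWORD.search(" ".join(_literal_parts(node))))

class SqlStringRule(ast.NodeVisitor):
    """Flags execute()/executemany() calls whose statement was built by string
    formatting or concatenation, either inline or through a local variable."""

    def __init__(self) -> None:
        self.findings: List[Tuple[int, str, str]] = []   # (line, function, message)
        self._function = "<module>"
        self._tainted: Dict[str, int] = {}               # local name -> line where dynamic SQL was built

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        saved = (self._function, self._tainted)
        self._function, self._tainted = node.name, {}
        self.generic_visit(node)
        self._function, self._tainted = saved

    def visit_Assign(self, node: ast.Assign) -> None:
        if len(node.targets) == 1 and isinstance(node.targets[0], ast.Name):
            name = node.targets[0].id
            if _is_dynamic_sql(node.value):
                self._tainted[name] = node.lineno
            else:
                self._tainted.pop(name, None)            # reassigned with something harmless
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in ("execute", "executemany") and node.args:
            stmt = node.args[0]
            if _is_dynamic_sql(stmt):
                self.findings.append((node.lineno, self._function, "SQL statement built from a dynamic string"))
            elif isinstance(stmt, ast.Name) and stmt.id in self._tainted:
                self.findings.append((node.lineno, self._function,
                                      f"SQL statement built dynamically on line {self._tainted[stmt.id]}"))
        self.generic_visit(node)

def scan_source(source: str) -> List[Tuple[int, str, str]]:
    rule = SqlStringRule()
    rule.visit(ast.parse(source))
    return sorted(rule.findings)

def gate(source: str) -> int:
    """Pipeline gate: non-zero exit status when any finding exists."""
    return 1 if scan_source(source) else 0

if __name__ == "__main__":
    for line, function, message in scan_source(SAMPLE_SOURCE):
        print(f"line {line} in {function}(): {message}")
    raise SystemExit(gate(SAMPLE_SOURCE))
```

The rule reports the three string-built queries and leaves `lookup_safe` alone; a CI step would run it over the repository and treat the exit status as the gate. Requiring an SQL keyword in the literal text keeps ordinary string formatting out of the findings, which matters because a gate that developers learn to ignore protects nothing.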
  21. tips

     invest time coding automated tests for whatever layer you need to guarantee.
     * automate functional tests
     * automate vulnerability tests
     * automate infrastructure scans
     * prioritize your efforts by risk.
  22. tips

     threat modeling can help you understand the threats and risks in your solution and apply the correct countermeasures.
     * keep your solutions' documentation and diagrams updated
     * perform express threat modeling sessions with your team
     * create a security checklist and try to automate it
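Added example, not from the deck: one way to turn a threat modeling checklist into code, in Python. A small data-flow model (components with trust zones, flows with transport and authentication properties) is checked against STRIDE-style rules: plaintext or unauthenticated flows across a trust boundary, internet-facing entry points without rate limiting, data stores without an audit log. The three-tier model, its component names and the rules themselves are constructed for this example and are not a standard; they show the shape such a checklist takes once it is executable.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Component:
    name: str
    zone: str                    # trust zone: "internet", "dmz" or "internal"
    stores_data: bool = False
    audit_log: bool = False
    rate_limited: bool = False


@dataclass
class Flow:
    source: str
    target: str
    protocol: str
    encrypted: bool
    authenticated: bool


@dataclass
class Finding:
    subject: str                 # "source->target" for a flow, component name otherwise
    category: str                # STRIDE letter
    description: str


def sample_model():
    """Constructed three-tier model used to exercise the checklist."""
    components = {
        "browser": Component("browser", "internet"),
        "api": Component("api", "dmz", rate_limited=False),
        "db": Component("db", "internal", stores_data=True, audit_log=False),
        "partner": Component("partner", "internet"),
    }
    flows = [
        Flow("browser", "api", "https", encrypted=True, authenticated=True),
        Flow("api", "db", "tcp/5432", encrypted=False, authenticated=True),
        Flow("api", "partner", "http", encrypted=False, authenticated=False),
    ]
    return components, flows


def check_model(components: Dict[str, Component], flows: List[Flow]) -> List[Finding]:
    """Apply the checklist rules to every flow and component."""
    findings: List[Finding] = []
    for flow in flows:
        src, dst = components[flow.source], components[flow.target]
        label = f"{flow.source}->{flow.target}"
        crosses_boundary = src.zone != dst.zone
        if crosses_boundary and not flow.encrypted:
            findings.append(Finding(label, "I", f"plaintext {flow.protocol} crosses a trust boundary"))
            findings.append(Finding(label, "T", "unencrypted channel can be modified in transit"))
        if crosses_boundary and not flow.authenticated:
            findings.append(Finding(label, "S", "caller is not authenticated across a trust boundary"))
        if src.zone == "internet" and not dst.rate_limited:
            findings.append(Finding(label, "D", f"{dst.name} accepts internet traffic without rate limiting"))
    for comp in components.values():
        if comp.stores_data and not comp.audit_log:
            findings.append(Finding(comp.name, "R", f"{comp.name} stores data without an audit log"))
    return findings


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per STRIDE category, usable as a maturity KPI over time."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    comps, fls = sample_model()
    for f in check_model(comps, fls):
        print(f"[{f.category}] {f.subject}: {f.description}")
```

Kept next to the architecture diagram in the repository, a model like this re-runs on every change, so a new plaintext hop or an unauthenticated partner call shows up as a finding in the pipeline rather than in the next manual session.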
  23. tips

     always automate infrastructure to keep hardening items in place. it is a good approach for inventory management and for applying patches when a risk situation arises.
     * pay attention to microsegmentation and guarantee unimpeded access for your vulnerability scanners.
     * always consider automation a defensive factor.
  24. tips

     continuous logging can help you handle log levels in different RBAC scenarios: an interface that helps developers debug the application without logging into production. integrating ops logs with behavior analysis can help you mitigate attacks or trigger automatic fixes. availability is part of security. amplify SOC visibility.
  25. tips

     building enterprise secure components can help you scale security inside your company. put the smart people to work generating smart solutions and distribute them across the organization. libraries and software dependencies make up about 80% of the whole application.
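Added example, not the author's code, covering both the dependency point above and the earlier "automate vulnerability tests" tip: a dependency gate in Python that reads pinned requirements, matches them against an advisory feed with version ranges, and fails the build above a severity threshold. The requirements file, the advisory identifiers and their affected ranges are constructed for this example and do not refer to real advisories or real vulnerabilities in the packages named.

```python
import re
from typing import Dict, List, Tuple

# Constructed pinned dependency list, as a CI job would read it from requirements.txt.
SAMPLE_REQUIREMENTS = """
# production dependencies (constructed example)
requests==2.19.1
pyyaml==5.4.1
jinja2==3.1.2
urllib3==1.26.5   # pinned by ops
"""

# Constructed advisory feed: identifiers and affected ranges are made up for this
# example and do not correspond to real advisories.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "package": "requests", "affected": "<2.20.0", "severity": "high"},
    {"id": "EXAMPLE-ADV-002", "package": "pyyaml", "affected": ">=5.1,<5.4", "severity": "critical"},
    {"id": "EXAMPLE-ADV-003", "package": "urllib3", "affected": ">=1.26,<1.26.6", "severity": "medium"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)")
CLAUSE = re.compile(r"^(<=|>=|==|<|>)\s*([0-9][0-9.]*)$")
OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted release versions only ("1.26.5"); pre-release tags are out of scope here."""
    return tuple(int(p) for p in text.split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Return {package: pinned_version} for every 'name==version' line."""
    deps: Dict[str, str] = {}
    for line in text.splitlines():
        m = REQ_LINE.match(line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def version_matches(version: str, spec: str) -> bool:
    """True when version satisfies every comma-separated clause of spec."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        if not OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def audit(requirements: str, advisories: List[dict]) -> List[dict]:
    """Match each pinned dependency against the advisory feed."""
    deps = parse_requirements(requirements)
    findings = []
    for adv in advisories:
        pinned = deps.get(adv["package"].lower())
        if pinned is not None and version_matches(pinned, adv["affected"]):
            findings.append({"package": adv["package"], "version": pinned,
                             "id": adv["id"], "severity": adv["severity"]})
    return findings


def gate(findings: List[dict], fail_on: str = "high") -> int:
    """Exit status for the pipeline: 1 when any finding reaches the threshold."""
    threshold = SEVERITY_RANK[fail_on]
    return 1 if any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings) else 0


if __name__ == "__main__":
    found = audit(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES)
    for f in found:
        print(f"{f['package']}=={f['version']}: {f['id']} ({f['severity']})")
    raise SystemExit(gate(found))
```

With the constructed data, requests and urllib3 are flagged while pyyaml 5.4.1 falls outside its advisory range and jinja2 has none; the gate fails at the default "high" threshold and passes at "critical". The threshold is what lets the gates differ per team maturity, as the cultural-change slides suggest, without turning the check off.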
  26. responsibilities

     never transfer your responsibility to someone else. your infrastructure or your code is a product of your efforts. if you are trying to earn easy money, you should look for another profession. security must be part of your duties. always leave things working for the next ones.
  27. q&a

     thanks! get in touch on my twitter or github.