DevSecOps: Develop Fast & Stay Secure

Sibiu Web Meetup

November 20, 2024

Transcript

  1. Agenda
     • Introduction - SDLC & DevOps
     • DevSecOps - Secure Development Workshop
     • Security - Tools & Practices
     • DevSecOps - Success Stories
     • Q&A
  2. SDLC - Software Development Lifecycle
     • Plan: cost-benefit analysis, scheduling, resource estimation, and allocation
     • Design: analyze requirements and identify solutions
     • Build: develop the product as per requirements
     • Test: combine automation and manual testing to check the software for bugs
     • Deploy: move the latest build to the production environment (packaging, environment configuration, and installation)
     • Maintain: continuous monitoring, maintenance, feedback
  3. DevOps - Software Development Lifecycle
     • conceive, build and deliver secure software at top speed
     • combines development (Dev) and operations (Ops)
     • increases the efficiency & speed of software development
  4. SSDLC - Secure Software Development Lifecycle
     • Risk Assessment
     • Threat Modeling & Design Review
     • Static Analysis
     • Security Testing & Code Review
     • Security Assessment & Secure Configuration
  5. What is Shift Left Testing?
     Shift left testing integrates software testing practices, including security, as early as possible in the software development lifecycle (SDLC).
  6. Risk assessment - Requirements analysis
     Understanding the security implications of the project.
     • Establish whether the security aspects of the requirements are well covered
     • Document initial known risks
     • Prioritise risks
  7. Threat Modeling: Four Question Framework
     A process to identify potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, using systematic analysis. (OWASP10)
     • Assess scope - What are we working on?
     • Identify what can go wrong - What can go wrong?
     • Manage risk - What are we going to do about it?
     • Assess your work - Did we do a good job?
  8. Secure development: SAST & SCA
     Static Application Security Testing (SAST)
     • tests application source code for a range of known security vulnerabilities
     • scans the codebase for security vulnerabilities
     Software Composition Analysis (SCA)
     • an application security methodology
     • tracks and analyzes any open source component brought into a project
     • SCA is used to scan dependencies for security vulnerabilities
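The SCA bullets above describe the core loop of tools such as Snyk Open Source or Dependabot: enumerate what the project pulls in, then match each pinned version against an advisory database. The following is an added example, not code from the deck or from any vendor; it parses a pinned requirements file and reports dependencies whose installed version is older than the fixed version. The package names, advisory ids and versions are all constructed for the demonstration.

```python
"""Minimal Software Composition Analysis (SCA) check.

Added example, not from the deck or any vendor: parses a pinned
requirements.txt, compares each dependency to a constructed advisory
list, and reports installed versions older than the fixed version.
Package names, advisory ids and versions below are all made up.
"""
import re
from dataclasses import dataclass

# Constructed sample input: a pinned requirements file (hypothetical packages).
REQUIREMENTS_TXT = """\
# application dependencies
acme-http==2.19.0
acme-web==2.3.2
acme_yaml==5.3.1   # config parsing
acme-templates==3.1.4
"""


@dataclass(frozen=True)
class Advisory:
    package: str
    advisory_id: str   # placeholder id, not a real CVE
    fixed_in: str      # first version containing the fix
    severity: str


# Constructed advisory database (hypothetical ids and versions).
ADVISORIES = [
    Advisory("acme-http", "EXAMPLE-ADV-0001", "2.20.0", "high"),
    Advisory("acme-yaml", "EXAMPLE-ADV-0002", "5.4", "critical"),
    Advisory("acme-web", "EXAMPLE-ADV-0003", "2.2.5", "medium"),
]

_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)")


def normalise(name):
    """PEP 503 style normalisation so acme_yaml and acme-yaml compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return {normalised_name: version} for pinned `name==version` lines."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]       # drop trailing comments
        m = _REQ_LINE.match(line)
        if m:
            deps[normalise(m.group(1))] = m.group(2)
    return deps


def version_key(version):
    """Turn '5.3.1' into a comparable tuple; non-numeric parts sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


def is_vulnerable(installed, fixed_in):
    """True when installed < fixed_in, padding so that 5.4 == 5.4.0."""
    a, b = version_key(installed), version_key(fixed_in)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def scan(requirements_text, advisories=ADVISORIES):
    """Match pinned dependencies against advisories; return sorted findings."""
    deps = parse_requirements(requirements_text)
    findings = []
    for adv in advisories:
        installed = deps.get(normalise(adv.package))
        if installed and is_vulnerable(installed, adv.fixed_in):
            findings.append({
                "package": adv.package, "installed": installed,
                "fixed_in": adv.fixed_in, "id": adv.advisory_id,
                "severity": adv.severity,
            })
    return sorted(findings, key=lambda f: f["package"])


if __name__ == "__main__":
    for f in scan(REQUIREMENTS_TXT):
        print(f"{f['severity'].upper():9}{f['package']}=={f['installed']} "
              f"-> upgrade to {f['fixed_in']} ({f['id']})")
```

Only pinned `==` requirements are handled; a real tool also resolves version ranges, lockfiles and transitive dependencies, which is where most of the SCA value sits, since the vulnerable package is usually one the developer never named.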
  9. Security testing: DAST
     Dynamic Application Security Testing (DAST)
     • automated penetration tests to find vulnerabilities
     • simulates real-world attacks for critical threats (XSS, SQL injection, CSRF)
     Penetration Testing (Pen Tests)
     • identify vulnerabilities in systems and applications before they can be exploited
     • provides insight into the security posture of a system
     • provides visibility into potential risks
  10. Secure deployments: IaC & Releases
     Infrastructure as Code (IaC)
     • security scans are conducted on source code written for cloud infrastructure
     • code is secure before it is deployed
     Secure Release Management
     • process of controlling and managing system and application releases
     • ensuring that the release meets organization security standards
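The IaC bullets describe scanning infrastructure code before it is deployed, which is what Checkov and Terrascan do by evaluating policy rules over the resources a plan would create. Below is an added example, not code from the deck or either project: it walks the resources in a Terraform plan rendered as JSON (the `planned_values.root_module.resources` / `child_modules` layout is assumed from the `terraform show -json` format) and applies three checks. Both plans are constructed, one with the weak settings and one with the corrected ones; the check ids are hypothetical.

```python
"""Policy checks over a Terraform plan, in the spirit of Checkov / Terrascan.

Added example, not code from the deck or either project. It evaluates
three rules over the resources of a `terraform show -json` plan (layout
assumed from the Terraform docs); the plans below are constructed.
"""
import copy

# Constructed plan with the weak settings a scanner should flag.
WEAK_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "values": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                             "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"address": "aws_db_instance.main", "type": "aws_db_instance",
     "values": {"publicly_accessible": True}},
    {"address": "aws_s3_bucket.assets", "type": "aws_s3_bucket",
     "values": {"acl": "public-read"}},
]}}}

# The same plan after the fixes: SSH only from an internal range,
# database not publicly reachable, bucket ACL private.
HARDENED_PLAN = copy.deepcopy(WEAK_PLAN)
_res = HARDENED_PLAN["planned_values"]["root_module"]["resources"]
_res[0]["values"]["ingress"][0]["cidr_blocks"] = ["10.0.0.0/8"]
_res[1]["values"]["publicly_accessible"] = False
_res[2]["values"]["acl"] = "private"


def _resources(plan):
    """Yield (address, type, values) for every planned resource, modules included."""
    stack = [plan.get("planned_values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        for r in module.get("resources", []):
            yield r["address"], r["type"], r.get("values", {})
        stack.extend(module.get("child_modules", []))


def check_ssh_open_to_world(rtype, values):
    """Ingress rule that reaches port 22 from any IPv4 address."""
    if rtype != "aws_security_group":
        return None
    for rule in values.get("ingress", []):
        if "0.0.0.0/0" not in rule.get("cidr_blocks", []):
            continue
        all_ports = rule.get("protocol") == "-1"   # Terraform's "all traffic"
        if all_ports or rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0):
            return "SSH (22) ingress allowed from 0.0.0.0/0"
    return None


def check_public_db(rtype, values):
    if rtype == "aws_db_instance" and values.get("publicly_accessible"):
        return "RDS instance is publicly accessible"
    return None


def check_public_bucket_acl(rtype, values):
    if rtype == "aws_s3_bucket" and values.get("acl") in ("public-read", "public-read-write"):
        return f"S3 bucket ACL is {values['acl']}"
    return None


# Hypothetical check ids; real scanners ship hundreds of such rules.
CHECKS = {
    "EX_SG_001": check_ssh_open_to_world,
    "EX_RDS_001": check_public_db,
    "EX_S3_001": check_public_bucket_acl,
}


def evaluate(plan):
    """Run every check against every resource; return the list of findings."""
    findings = []
    for address, rtype, values in _resources(plan):
        for check_id, fn in CHECKS.items():
            message = fn(rtype, values)
            if message:
                findings.append({"check": check_id, "resource": address, "message": message})
    return findings


if __name__ == "__main__":
    for plan_name, plan in (("weak", WEAK_PLAN), ("hardened", HARDENED_PLAN)):
        print(plan_name, evaluate(plan))
```

Evaluating the plan rather than the `.tf` source means module inputs and variables are already resolved, so a check sees the values that would actually be applied; running it as a required pipeline step is what turns "code is secure before it is deployed" from a goal into a gate.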
  11. Operate & monitor: Audit & Continuous Analysis
     Security Audits
     • should be performed with some regularity
     • allow for swift identification and remediation of security vulnerabilities
     Continuous monitoring
     • tracks new vulnerabilities
     • monitors your code for changes
  12. DevSecOps Tools: SAST, SCA, Pentest
     SCA
     • Dependabot
     • Snyk Open-Source
     • Renovate-bot
     DAST
     • Gitlab DAST
     • Zed Attack Proxy (ZAP)
     • Probely
     • TruffleHog
     IaC
     • Terrascan
     • Snyk IaC
     SAST
     • Gitleaks
     • Snyk (CLI & IDE Extension)
     • semgrep
     • CodeQL
     • SonarQube
     • TruffleHog
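Gitleaks and TruffleHog, listed under SAST above, are secret scanners: they look for credentials committed to source. The following is an added example, not code from the deck or from either project, showing the two detection strategies those tools combine: a fixed-format rule (the public AWS access key ID shape) and a generic "credential-looking assignment" rule gated by Shannon entropy so that placeholders like `changeme` do not fire. The sample files and key-like strings are constructed and are not real credentials.

```python
"""Minimal secret scanner in the spirit of Gitleaks / TruffleHog.

Added example, not code from the deck or from either project. Sample
files are constructed; the key-like strings are not real credentials.
"""
import math
import re

RULES = {
    # Real public key-id shape; the value in the sample is made up.
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # name = "value" where the name hints at a credential; entropy-gated below.
    "generic-assigned-secret": re.compile(
        r"(?i)(secret|token|password|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; tune per repository

# Constructed sample repository contents.
SAMPLE_FILES = {
    "config/settings.py": (
        'DEBUG = False\n'
        'DATABASE_PASSWORD = "changeme-changeme"   # placeholder, low entropy\n'
        'API_KEY = "g7Qz9pL2xV4mR8tB1nW6kS3yH0dF5jA"   # constructed, random-looking\n'
    ),
    "scripts/deploy.sh": (
        '#!/bin/sh\n'
        'export AWS_ACCESS_KEY_ID=AKIAEXAMPLE012345678\n'
        'aws s3 sync ./build s3://example-bucket/\n'
    ),
}


def shannon_entropy(s):
    """Bits per character: ~4.7 for random base62, ~2-3 for English words."""
    if not s:
        return 0.0
    length = len(s)
    return -sum((s.count(c) / length) * math.log2(s.count(c) / length)
                for c in set(s))


def scan_text(path, text):
    """Apply every rule to every line; return findings with the value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex)   # last group holds the candidate
                if rule == "generic-assigned-secret" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue   # low-entropy strings are placeholders, not secrets
                findings.append({
                    "file": path, "line": lineno, "rule": rule,
                    "redacted": value[:4] + "*" * (len(value) - 4),
                })
    return findings


def scan_files(files):
    """Scan a {path: content} mapping, e.g. the files touched in a pull request."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}  {f['rule']}  {f['redacted']}")
```

The redaction matters in practice: scanner output ends up in CI logs and PR comments, which are often far more widely readable than the repository itself. The real tools also scan git history rather than just the working tree, since a secret that was committed and later deleted is still recoverable.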
  13. Security Drone: Scaling Continuous Security at Revolut
     Facts
     • internal Application Security Team (AppSec)
     • responsible for the security assurance of every new feature developed
     • there were nearly 39,000 commits created by over 900 authors (Jul 2022)
     Key challenges:
     • software changes are constantly increasing
     • new changes are integrated and deployed every day
     • engineers tend to prioritise development of functionalities over security
     • internal application security team is not big enough
     • security processes automation is required
     • more pipeline integrated tools increase job execution time
     • negatively affects development experience
     • triaging all of the security findings
  14. Security Drone: Scaling Continuous Security at Revolut
     Relevant numbers
     • every 24h of a working day there were about 950 new pull requests
     • nearly 1.85 commits per PR
     • automated scans executed with a frequency of 3–4 times per minute
     • 81% of the commits had a final destination to the main branch
  15. Security Drone: Scaling Continuous Security at Revolut
     Solution: Shift-left Security
     • Security static analysis tools can easily be shifted left to an earlier phase in the SDLC
     • communicating security issues to developers as early as possible
     • scan code changes during the pull request phase (trigger scan on PR create)
     • place Security Drone in a Kubernetes cluster (scan the code independently from CI/CD pipelines)
  16. Security Drone: Scaling Continuous Security at Revolut
     Positive Impact
     • Security Drone performed over 39,000 scans (Jul 2022)
     • median scanning time is below 112 seconds
     • 19 SAST and 63 IaC custom rules used
     • productionized Security Drone for the next eight months without issues
     • lowered the false positive rate to ~3.8%
     • scans 100% of the code in Revolut
     • 1700 pull requests scanned / 24h
     • 3900 associated scans performed / 24h
     Key achievements
     • adopted a shift-left approach to security
     • fix security issues before going into production
     • only merged security issues are reported to the AppSec Team (easy triage)
     • save hundreds of hours of manual reviews
     • Parallel scans = Happy developers
     • Median scanning time: ~11s SAST, ~22s IaC & ~101s SCA
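Slides 15 and 16 describe scanning at pull request time and reporting only what the change introduces, so that developers see new issues while working and AppSec only triages what actually gets merged. The block below is an added example, not Revolut's Security Drone code, of the triage step that makes this work: each finding is fingerprinted by rule id, file path and whitespace-normalised code snippet (line numbers are deliberately left out, so moving or re-indenting code does not re-raise an old finding), the PR scan is compared with a baseline scan of the target branch, and only new findings at or above a severity threshold are reported. The findings and rule ids are constructed.

```python
"""Diff-aware triage of scanner findings: report only what a PR introduces.

Added example, not Revolut's code. Findings are constructed and use
hypothetical rule ids; the shape mimics what SAST/IaC tools emit.
"""
import hashlib
import re

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed baseline scan of the target branch (what is already merged).
BASELINE = [
    {"rule_id": "sast.sql-string-format", "path": "app/db.py", "line": 40,
     "severity": "high",
     "snippet": 'cur.execute("SELECT * FROM users WHERE id = %s" % uid)'},
    {"rule_id": "iac.storage-public-acl", "path": "infra/bucket.tf", "line": 12,
     "severity": "medium", "snippet": 'acl = "public-read"'},
]

# Constructed scan of the pull request branch.
HEAD = [
    # same finding as the baseline, moved down and re-indented: not new
    {"rule_id": "sast.sql-string-format", "path": "app/db.py", "line": 47,
     "severity": "high",
     "snippet": '    cur.execute("SELECT * FROM users WHERE id = %s"   % uid)'},
    {"rule_id": "iac.storage-public-acl", "path": "infra/bucket.tf", "line": 12,
     "severity": "medium", "snippet": 'acl = "public-read"'},
    # introduced by the PR
    {"rule_id": "sast.hardcoded-secret", "path": "app/settings.py", "line": 8,
     "severity": "high", "snippet": 'API_TOKEN = "<constructed-placeholder>"'},
    {"rule_id": "sast.assert-in-prod", "path": "app/util.py", "line": 3,
     "severity": "low", "snippet": "assert user is not None"},
]


def fingerprint(finding):
    """Stable identity for a finding: rule + file + normalised snippet, no line number."""
    snippet = re.sub(r"\s+", " ", finding["snippet"]).strip()
    raw = f"{finding['rule_id']}|{finding['path']}|{snippet}"
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def triage(baseline, head, min_severity="medium"):
    """Split the PR scan into new / fixed / unchanged relative to the baseline."""
    base_fps = {fingerprint(f) for f in baseline}
    head_fps = {fingerprint(f) for f in head}
    threshold = SEVERITY_RANK[min_severity]
    new = [f for f in head
           if fingerprint(f) not in base_fps
           and SEVERITY_RANK[f["severity"]] >= threshold]
    fixed = [f for f in baseline if fingerprint(f) not in head_fps]
    return {"new": new, "fixed": fixed, "unchanged": len(base_fps & head_fps)}


def pr_comment(result):
    """Render the triage result as the text a bot would post on the PR."""
    lines = [f"Security scan: {len(result['new'])} new, "
             f"{len(result['fixed'])} fixed, {result['unchanged']} pre-existing"]
    for f in result["new"]:
        lines.append(f"- [{f['severity']}] {f['rule_id']} at {f['path']}:{f['line']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(pr_comment(triage(BASELINE, HEAD)))
```

The baseline comparison is what keeps the noise down to the levels the slide reports: pre-existing findings are tracked separately rather than re-posted on every PR, and the "fixed" list gives AppSec a view of debt being paid down without anyone filing a ticket.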
  17. Security Drone: Scaling Continuous Security at Revolut
     Tools
     • Semgrep - Static Application Security Testing (SAST)
     • Snyk Open Source - Software Composition Analysis (SCA)
     • Checkov - Infrastructure as Code (IaC)
     • GitHub Actions - Pipelines (CI/CD)