Is Continuous Delivery Killing Application Security?

Transcript

1. Tony Rice Senior Information Security Engineer, Cisco Systems Is Continuous

   Delivery Killing Application Security? Maintaining Security at the Speed of DevOps

2. And you are? Tony Rice Senior Information Security Engineer Cisco

   Security and Trust Organization
 Research Triangle Park, North Carolina, USA @rtphokie

3. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco

   Public 3 Is Continuous Delivery Killing Application Security? Es muss nicht Ian Betteridge

4. Barry W. Boehm
 Director Emeritus University of Southern California
 Center

   for Systems and Software Engineering 1981 Error Cost Escalation 
 Through the Project Life Cycle JM Stecklein et al. NASA Johnson Space Center 2004

5. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco

   Public 5 Requirements Design Coding Test Deploy Cost to Fix $1 $100-1000 $15 $30 Source: Software Engineering Economics, Barry W. Boehm


6. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco

   Public 6 Requirements Design Coding Test Deploy Defect Introduction 29% 18% Source: Error Cost Escalation Through the Project Life Cycle, Stecklein, NASA/JSC 26%

7. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco

   Public 7 Requirements Design Coding Test Deploy Vulnerability Introduction 60%

8. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco

   Public 8 Requirements Design Coding Test Deploy Defect/Vulnerability Discovery 86% Source: Software Engineering Economics, Barry W. Boehm


9. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco

   Public 9 Requirements Design Coding Test Deploy Discovery Yesterday Tomorrow

10. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco

    Public 10 Manual Everything ✗ Code merged by hand (senior developer) ✗ Ad hoc manual builds, manual tests ✗ Measurement: customer complaints Requirements & Design Coding Integration Test Deploy

11. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco

    Public 11 Continuous Integration ✔ Automated builds ✔ Automated integration testing Measurement: build quality Requirements & Design Coding Integration Test Deploy

12. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco

    Public 12 Vulnerability Scanning ✔ Automated Vulnerability Scanning Measurement: vulnerability counts Requirements & Design Coding Integration Test Deploy

13. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco

    Public authentication & authorization OS/container hardening subtle, complex defects evolving threats interaction with other components 13 Static vs Dynamic Application Security Testing SQL injection configuration issues cross site Scripting Static Analysis Dynamic Analysis buffer overflows cross site request forgery sensitive data exposure

14. © 2016 Cisco. All rights reserved. Cisco Public 14 Continuous

    Security CI Platform CI Platform Static/Dynamic Vulnerability Analysis Rest API Code Change DB Developer Feedback InfoSec Analytics Training

15. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco

    Public 15 Requirements & Design Coding Integration Test Deploy Developer Culture Shift ✔ Test driven development, unit test reuse ✔ Dynamic & Static Automated Vulnerability Scanning ✔ Code Review / Pair Programming Measurement: vulnerability counts, code review records

16. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco

    Public 16 Continuous Deployment ✔ Version control for all artifacts ✔ Proactive Monitoring ✔ Stable, reproducible development environment Measurement: deployments per day Requirements & Design Coding Integration Test Deploy

17. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco

    Public Requirements & Design Coding Integration Test Deploy 17 Continuous Security ✔ Zero manual intervention from check-in to deployment ✔ Only inputs: code, configs and tests ✔ Development priority on refactoring legacy code, tests Measurement: code coverage

18. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco

    Public 18 Agile vs. Waterfall Sprint 2 Waterfall Sprint 1 Sprint 3 “The Homer” courtesy of Fox Backlog Backlog Backlog

19. © 2016 Cisco. All rights reserved. Cisco Public 19 Pros

    • Coding Standards • Continuous testing • Design simplicity • Automation • Progress regularly reflected on and measured Cons • Customer as only driver • Requirements focus only functionality • Security tests don’t fit well into unit tests • Insulated customer-team focus • Measure progress in functionality • (Blind) Trust Maintaining Security while Staying Agile

20. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco

    Public 20 • Haskins, Stecklein, Dick, Moroney, Lovell, and Dabney. 8.4.2 Error Cost Escalation Through the Project Life Cycle INCOSE International Symposium 14.1 (2004): 1723-737. NASA Technical Reports Server. NASA Johnson Space Center. • Boehm, Barry W. Software Engineering Economics. Englewood Cliffs, NJ: Prentice-Hall, 1981. ISBN 0138221227 • Puppet Labs. State of DevOps (2016) • Martin, James. An Information Systems Manifesto. Englewood Cliffs, NJ: Prentice-Hall, 1984. ISBN 0134647696. • Lindvall, Basili, and Boehm. Empirical Findings in Agile Methods Extreme Programming and Agile Methods: XP/Agile Universe 2002: Second XP Universe and First Agile Universe Conference, Chicago, IL, USA, August 4-7, 2002: Proceedings. Springer, 2002. 197-207 • Security in the Software Lifecycle United States Department of Homeland Security, (Draft version 1.2, August 2016) References

21. http://www.slideshare.net/tony_rice