AppSec in a DevOps World
SHAUN GORDON
NEW RELIC DIRECTOR OF INFORMATION SECURITY & COMPLIANCE
OCTOBER 23, 2013

Remaining slides (these follow slide 79 of the transcript below; their slide numbers were not captured)

Triage Process
  • Dangerous Methods
  • Sensitive Modules
  • Security Keywords
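The three triage signals on this slide, read here as a filter that decides which changes get a security reviewer, worked as an added example that is not from the talk or New Relic's tooling: a Ruby script (Ruby because the deck's stack and Brakeman are Ruby) that parses a unified diff and flags a change when it adds a call to a dangerous method, touches a sensitive module, or introduces a security keyword. The method, path and keyword lists and the sample diff are constructed for illustration.

```ruby
# Added example: triage a unified diff by the three signals on the slide.
# The three lists are illustrative assumptions, not New Relic's actual lists.
DANGEROUS_METHODS = %w[eval instance_eval send constantize html_safe raw system].freeze
SENSITIVE_MODULES = %w[app/controllers/sessions app/models/user lib/auth config/initializers/devise].freeze
SECURITY_KEYWORDS = %w[password secret token api_key csrf permission].freeze

# Constructed sample diff: one change in a sensitive controller that also calls
# `send` on user input, and one harmless helper tweak.
SAMPLE_DIFF = <<~DIFF
  diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
  --- a/app/controllers/sessions_controller.rb
  +++ b/app/controllers/sessions_controller.rb
  @@ -10,3 +10,5 @@
     def create
  +    user = User.find_by(email: params[:email])
  +    session[:token] = user.send(params[:method])
     end
  diff --git a/app/helpers/format_helper.rb b/app/helpers/format_helper.rb
  --- a/app/helpers/format_helper.rb
  +++ b/app/helpers/format_helper.rb
  @@ -1,3 +1,3 @@
   module FormatHelper
  -  def money(v) number_to_currency(v) end
  +  def money(v) number_to_currency(v, precision: 0) end
   end
DIFF

# Parse a unified diff into { path => [added lines] }. Only added lines are kept,
# so removing a dangerous call does not by itself pull in a reviewer.
def added_lines_by_file(diff)
  files = Hash.new { |h, k| h[k] = [] }
  current = nil
  diff.each_line do |line|
    if line.start_with?("+++ ")
      current = line.sub(%r{\A\+\+\+ (?:b/)?}, "").strip
      files[current] # register the file even if nothing was added
    elsif line.start_with?("+") && current
      files[current] << line[1..-1].chomp
    end
  end
  files
end

# Returns a verdict plus the reasons, so the reviewer knows where to look first.
def triage(diff)
  reasons = []
  added_lines_by_file(diff).each do |path, lines|
    if SENSITIVE_MODULES.any? { |m| path.start_with?(m) }
      reasons << "sensitive module: #{path}"
    end
    lines.each do |text|
      DANGEROUS_METHODS.each do |m|
        # word boundaries so that e.g. "sender" does not count as "send"
        reasons << "dangerous method #{m}: #{path}" if text.match?(/\b#{Regexp.escape(m)}\b/)
      end
      SECURITY_KEYWORDS.each do |k|
        reasons << "security keyword #{k}: #{path}" if text.downcase.include?(k)
      end
    end
  end
  { needs_security_review: !reasons.empty?, reasons: reasons.uniq }
end

# Usage: ruby triage.rb change.diff   (e.g. the output of `git diff origin/master...HEAD`)
if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  verdict = triage(File.read(ARGV[0]))
  puts(verdict[:needs_security_review] ? "SECURITY REVIEW REQUIRED" : "no security signals")
  verdict[:reasons].each { |r| puts "  - #{r}" }
end
```

Because the script keys on added lines only, a refactor that deletes a risky call passes silently, which keeps it low-friction; anything it flags is routed to the second, security-aware pair of eyes rather than blocking the deploy.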
Two Sets of (masked) eyes on every change
Powered By...
  • Automation
  • Training & Empowerment
  • Lightweight Processes
  • Triage
  • Quick Detection & Response

Auditors
  • Compensating Controls
  • Tell the Story

Thank You!
  shaun@newrelic.com
  security@newrelic.com

Image Attribution
  Slide 14: "Checkpoint Rheinpark" by [name not captured], http://www.flickr.com/photos/kecko/3179561892/
FUTURESTACK13: AppSec in a DevOps World from Shaun Gordon, Director of Information Security & Compliance at New Relic

We all love DevOps and Continuous Deployment because they let us deploy more reliable software faster. But are we willing to sacrifice the security of our own and our customers' data for those benefits? Fortunately we don't need to… but we do need to think about application security differently than we have in the past. Our traditional application security methodologies present a host of challenges in the fast-moving world of DevOps, including:
- How do we ensure that the code we deploy is secure when it was only written this morning?
- How can we provide the security our customers expect without impacting our speed and agility?
- How can we insert security into an SDLC when there is no formal SDLC?
- How do you deal with auditors who don't understand DevOps and Continuous Deployment?
At New Relic, we deploy on a daily basis and face all of these challenges. We'll talk about how we are addressing them, as well as our vision for the evolution of application security.


Transcript of "FUTURESTACK13: AppSec in a DevOps World from Shaun Gordon, Director of Information Security & Compliance at New Relic"

1. AppSec in a DevOps World. Shaun Gordon, New Relic Director of Information Security & Compliance. October 23, 2013. (Every slide carries the footer "Wednesday, November 6, 13"; it is omitted below.)
2. (image only)
3. Speed
4. Speed. Security.
5. Speed vs. Security
6. (image only)
7. Accelerating Development Cycles
8. Accelerating Development Cycles: Boxed Software, Waterfall, 1 year
9. Accelerating Development Cycles: Web 1.0, Waterfall, 3 months
10. Accelerating Development Cycles: Web 2.0, Agile, 4 weeks
11. Accelerating Development Cycles: DevOps, 2x week
12. Accelerating Development Cycles: DevOps / Continuous Deployment, daily
13-14. Accelerating Development Cycles: DevOps / Continuous Deployment, hourly
15-16. Accelerating Development Cycles (recap): Waterfall, 3 months; Agile, 4 weeks
17. Accelerating Development Cycles (recap): DevOps / Continuous Deployment, daily and hourly
18. Traditional (Waterfall) SDLC: Requirements, Design, Development, Testing, Release, Production
19. Traditional (Waterfall) SDLC, Requirements: define functional (features) and non-functional (capabilities) requirements
20. Traditional (Waterfall) SDLC, Design: translate requirements into architecture and detailed design
21. Traditional (Waterfall) SDLC, Development: build it!
22. Traditional (Waterfall) SDLC, Testing: ensure functional and non-functional requirements
23. Traditional (Waterfall) SDLC, Release: ship or push live
24. Traditional (Waterfall) SDLC, Production: maintain and patch as needed
25. Traditional (Waterfall) SDLC Security
26. Traditional (Waterfall) SDLC Security: Checkpoints, Controls, Formal Processes
27-41. Traditional (Waterfall) SDLC Security (one table, built up one phase per slide):
  Requirements
    • Functional & non-functional security requirements
  Design
    • Architectural Review
    • Threat Modeling
  Development
    • Secure Coding Practices
    • Static Analysis
    • White Box Testing
  Testing
    • Dynamic Analysis
    • Requirements Testing
  Release
    • Penetration Testing
    • Security Assessment
    • Security Sign-Off
  Production
    • Vulnerability Scanning
    • Penetration Testing
42-44. Traditional (Waterfall) SDLC Security: the same table, plus process controls listed beside Testing and Release:
    • Separation of Duties
    • Management Release Sign-Off
    • Limits on Production Access
45. Continuous Deployment Security
46. Continuous Deployment Security, Requirements:
    • Low to no friction (can't slow us down)
    • Transparent
    • No significant changes to development processes
    • Make us more secure
47. Continuous Deployment Security, Requirements paired with Strategies & Tactics:
    • Low to no friction (can't slow us down): Automation
    • Transparent: Training & Empowerment
    • No significant changes to development processes: Lightweight Processes
    • Make us more secure: Triage; Quickly Detect & Respond
48. Traditional (Waterfall) SDLC Security: the full table from slide 44, shown again as the starting point
49-50. Continuous Deployment Security: the same table, retitled
51. Continuous Deployment Security: the six phases collapse into three (Requirements & Design; Development, Testing & Release; Production), controls unchanged
52-53. Continuous Deployment Security:
  Requirements & Design
    • Functional & non-functional security requirements
    • Architectural Review
    • Threat Modeling
  Development, Testing & Release
    • Secure Coding Practices
    • Static Analysis
    • White Box Testing
    • Dynamic Analysis
    • Requirements Testing
    • Penetration Testing
    • Security Assessment
    • Security Sign-Off
    • Separation of Duties
    • Management Release Sign-Off
    • Limits on Production Access
  Production
    • Vulnerability Scanning
    • Penetration Testing
54. Continuous Deployment Security: under Requirements & Design, the three items above are replaced by
    • Required Security Evaluation
    • Threat Modeling
55. Required Security Evaluation: a meeting of under 25 minutes covering
    1. Technical Overview
    2. Business Context
    3. Developer Concerns
56-57. Security Evaluation Outcomes, low risk: simple guidance
58. Security Evaluation Outcomes, higher risk: deep dive, whiteboarding, threat model
59-60. Security Evaluation Follow-Up: document; follow up
61. Continuous Deployment Security: same table as slide 54
62. Continuous Deployment Security: "Threat Modeling" under Requirements & Design becomes "Lightweight Targeted Threat Modeling"
63-65. Threat Modeling: identify your assets and the threats against them; focus your resources on the greatest risks
66-71. Threat Modeling @ New Relic (one step per slide):
    1. Decompose your application
    2. Identify your assets
    3. Enumerate your threats
    4. Rate & rank your threats
    5. Address or accept
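The five steps on slides 66-71, carried through as an added example that is not New Relic's tooling: a small Ruby structure that records the decomposition, assets and threats, ranks the threats, and reports those above a risk threshold that have been neither addressed nor explicitly accepted, which is the check a lightweight, targeted model most needs at deploy time. Component, asset and threat names are constructed; the 1-5 likelihood times impact rating and the threshold of 12 are assumptions, not from the slides.

```ruby
# Added example: the slide's five threat-modeling steps as data that can live in
# the repository beside the code it describes. Rating scheme is an assumption.
Threat = Struct.new(:id, :asset, :description, :likelihood, :impact, :decision, :note,
                    keyword_init: true) do
  # Step 4 input: likelihood (1-5) times impact (1-5).
  def risk
    likelihood * impact
  end
end

class ThreatModel
  attr_reader :components, :assets, :threats

  def initialize
    @components = [] # step 1: decompose the application
    @assets = {}     # step 2: asset name => component that holds it
    @threats = []    # step 3: enumerated threats
  end

  def component(name)
    @components << name
  end

  def asset(name, held_by:)
    raise ArgumentError, "unknown component #{held_by}" unless @components.include?(held_by)
    @assets[name] = held_by
  end

  def threat(**attrs)
    raise ArgumentError, "unknown asset #{attrs[:asset]}" unless @assets.key?(attrs[:asset])
    @threats << Threat.new(**attrs)
  end

  # Step 4: highest risk first; ties broken by impact so severe outcomes surface.
  def ranked
    @threats.sort_by { |t| [-t.risk, -t.impact, t.id] }
  end

  # Step 5: anything at or above the threshold needs an explicit "address" or
  # "accept"; undecided threats are what the security evaluation follows up on.
  def outstanding(threshold: 12)
    ranked.select { |t| t.risk >= threshold && !%w[address accept].include?(t.decision) }
  end
end

# Constructed sample model for a web app with an agent ingest endpoint.
def build_sample_model
  m = ThreatModel.new
  m.component("web app")
  m.component("agent ingest api")
  m.asset("customer metrics", held_by: "agent ingest api")
  m.asset("user sessions", held_by: "web app")
  m.threat(id: "T1", asset: "customer metrics", description: "spoofed agent posts data under another account",
           likelihood: 3, impact: 5, decision: "address", note: "per-account key checked on ingest")
  m.threat(id: "T2", asset: "user sessions", description: "session fixation on login",
           likelihood: 2, impact: 4)
  m.threat(id: "T3", asset: "user sessions", description: "session cookie sent over plain HTTP",
           likelihood: 4, impact: 4)
  m.threat(id: "T4", asset: "customer metrics", description: "metrics visible to read-only users of the same account",
           likelihood: 3, impact: 2, decision: "accept", note: "same-account visibility is intended")
  m
end

if __FILE__ == $PROGRAM_NAME
  model = build_sample_model
  model.ranked.each { |t| puts "#{t.id} risk=#{t.risk} #{t.decision || 'UNDECIDED'} #{t.description}" }
  puts "outstanding: #{model.outstanding.map(&:id).join(', ')}"
end
```

The output is the short list the follow-up slide asks for (document, follow up): every ranked threat with its decision, and the ones still undecided above the line. Lowering the threshold widens the net, which is the knob a "lightweight, targeted" model turns per application.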
72. Continuous Deployment Security: same table as slide 62
73. Continuous Deployment Security: under Development, Testing & Release, "Security Libraries & Services" is added after Secure Coding Practices
74. Secure Libraries & Services:
    • Authentication Service
    • Security Event Logging Service
    • Input Validation Regex Patterns
    • Encryption Libraries
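As an added example (not from the talk or New Relic's libraries) of what "Input Validation Regex Patterns" as a shared, reviewed library buys you: a small Ruby module holding the team's patterns next to the hand-written form of one of them, to show the failure the shared version prevents. In Ruby `^` and `$` match at line boundaries, so a value with an embedded newline can satisfy a `^...$` pattern while `\A...\z` rejects it. Pattern names and character classes are assumptions.

```ruby
# Added example: a shared input-validation pattern library and the pitfall it
# removes. Pattern names and character sets are illustrative assumptions.
module InputPatterns
  # Hand-written form seen in application code: ^ and $ are line anchors in Ruby.
  WEAK_USERNAME = /^[a-z0-9_]{3,32}$/

  # Shared, reviewed forms: \A and \z anchor the whole string
  # (\Z would still allow a single trailing newline, so it is not used).
  USERNAME   = /\A[a-z0-9_]{3,32}\z/
  ACCOUNT_ID = /\A[1-9][0-9]{0,11}\z/ # numeric id, no leading zero, at most 12 digits
  HOSTNAME   = /\A(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i

  PATTERNS = { username: USERNAME, account_id: ACCOUNT_ID, hostname: HOSTNAME }.freeze

  # True only when the value is a String and the whole of it matches the named pattern.
  def self.valid?(kind, value)
    value.is_a?(String) && PATTERNS.fetch(kind).match?(value)
  end
end

# The pitfall, for comparison: does the hand-written pattern accept the value?
def weak_username_accepts?(value)
  value.is_a?(String) && InputPatterns::WEAK_USERNAME.match?(value)
end

# Constructed inputs; the second and third carry an embedded newline.
SAMPLES = ["alice_01", "alice\n<script>", "alice\n", "Alice"].freeze

# Side-by-side verdicts for each sample, so the difference is visible in one table.
def compare(samples = SAMPLES)
  samples.map do |s|
    { value: s, weak: weak_username_accepts?(s), shared: InputPatterns.valid?(:username, s) }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare.each { |r| puts "#{r[:value].inspect.ljust(20)} weak=#{r[:weak]} shared=#{r[:shared]}" }
end
```

The point of centralising the patterns is that this anchoring mistake is fixed once and reviewed once; callers reach for `InputPatterns.valid?(:username, params[:name])` instead of re-deriving a regex under deadline, and a change to a pattern shows up in one file that the triage step can treat as a sensitive module.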
  75. 75. Continuous Deployment Security Requirements & Design • Required Security Evaluation • Lightweight Targeted Threat Modeling • • • • Secure Coding Practices Security Libraries & Services Static Analysis White Box Testing • • • Separation Dynamic Analysis Requirements Testing • • • Penetration Testing Security Assessment Security SignOff of Duties • Management Release Sign-Off • Limits on Production Access Wednesday, November 6, 13 Production Development, Testing, & Release • • Vulnerability Scanning Penetration Testing
  76. 76. Continuous Deployment Security Requirements & Design • Required Security Evaluation • Lightweight Targeted Threat Modeling • • • • Secure Coding Practices Security Libraries & Services Automated Static Analysis White Box Testing • • • Separation Dynamic Analysis Requirements Testing • • • Penetration Testing Security Assessment Security SignOff of Duties • Management Release Sign-Off • Limits on Production Access Wednesday, November 6, 13 Production Development, Testing, & Release • • Vulnerability Scanning Penetration Testing
  77. 77. Brakeman + Jenkins brakemanscanner.org Wednesday, November 6, 13
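An added Ruby example, not the talk's or the Brakeman project's own code, of how the Brakeman + Jenkins step can gate a deploy: it compares a fresh Brakeman JSON report against the last accepted one and fails the build only on new warnings at or above a confidence floor, so an existing backlog does not block hourly releases. Field names (warnings, fingerprint, warning_type, confidence, file, line, message) follow Brakeman's JSON report; the baseline and current reports, their fingerprints and file paths are constructed samples.

```ruby
require 'json'
require 'set'

# Brakeman reports confidence as High, Medium or Weak.
CONFIDENCE_RANK = { 'High' => 3, 'Medium' => 2, 'Weak' => 1 }.freeze

# Warnings in +current_json+ whose fingerprint is absent from +baseline_json+
# and whose confidence is at least +floor+. Matching on Brakeman's fingerprint
# rather than file:line keeps a warning "known" when code above it moves.
def new_warnings(baseline_json, current_json, floor: 'Medium')
  known = JSON.parse(baseline_json)['warnings'].map { |w| w['fingerprint'] }.to_set
  JSON.parse(current_json)['warnings'].select do |w|
    !known.include?(w['fingerprint']) &&
      CONFIDENCE_RANK.fetch(w['confidence'], 0) >= CONFIDENCE_RANK.fetch(floor)
  end
end

# Exit status for the Jenkins step: 0 lets the deploy proceed, 1 blocks it.
def gate_status(baseline_json, current_json, floor: 'Medium')
  new_warnings(baseline_json, current_json, floor: floor).empty? ? 0 : 1
end

# Constructed sample reports (hypothetical fingerprints, paths and messages).
BASELINE_REPORT = JSON.generate('warnings' => [
  { 'warning_type' => 'Mass Assignment', 'fingerprint' => 'fp-constructed-1', 'confidence' => 'Medium',
    'file' => 'app/controllers/users_controller.rb', 'line' => 14, 'message' => 'Unprotected mass assignment' }
])
CURRENT_REPORT = JSON.generate('warnings' => [
  { 'warning_type' => 'Mass Assignment', 'fingerprint' => 'fp-constructed-1', 'confidence' => 'Medium',
    'file' => 'app/controllers/users_controller.rb', 'line' => 21, 'message' => 'Unprotected mass assignment' },
  { 'warning_type' => 'SQL Injection', 'fingerprint' => 'fp-constructed-2', 'confidence' => 'High',
    'file' => 'app/models/report.rb', 'line' => 9, 'message' => 'Possible SQL injection' },
  { 'warning_type' => 'Cross-Site Scripting', 'fingerprint' => 'fp-constructed-3', 'confidence' => 'Weak',
    'file' => 'app/views/reports/show.html.erb', 'line' => 3, 'message' => 'Unescaped model attribute' }
])

if __FILE__ == $0
  new_warnings(BASELINE_REPORT, CURRENT_REPORT).each do |w|
    puts "NEW #{w['confidence']} #{w['warning_type']} #{w['file']}:#{w['line']} #{w['message']}"
  end
  puts "gate status: #{gate_status(BASELINE_REPORT, CURRENT_REPORT)}"
end
```

The moved Mass Assignment warning is not reported again because its fingerprint is already in the baseline; only the new High-confidence SQL Injection finding blocks the build at the default floor.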
  78-79. Continuous Deployment Security: White Box Testing becomes • Testing Tools & Training.
  80-83. Continuous Deployment Security: Dynamic Analysis (development) and Vulnerability Scanning (production) become • Continuous Scanning in Test, Staging, & Production.
  84-85. Continuous Deployment Security: Requirements Testing is dropped.
  86-87. Continuous Deployment Security: the two Penetration Testing entries collapse into one.
  88. Continuous Deployment Security: Security Assessment becomes • Automated Commit Triage.
  89. Triage Process: • Dangerous Methods • Sensitive Modules • Security Keywords
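An added Ruby example, not New Relic's triage tool, of the commit triage the slide describes: each commit's unified diff is scanned for dangerous methods, sensitive modules and security keywords, and any hit routes the commit to a human security reviewer instead of a manual sign-off for every change. The pattern lists, the sensitive paths and the sample diff are constructed for illustration; a real list is tuned per codebase.

```ruby
# Each pattern list is a constructed starting point, not a complete catalogue.
DANGEROUS_METHODS = /\b(?:eval|instance_eval|class_eval|send|public_send|constantize|system|exec|html_safe|find_by_sql)\b/
SENSITIVE_PATHS   = %r{\A(?:app/models/user|app/controllers/sessions|lib/auth|config/initializers/secret)}
SECURITY_KEYWORDS = /password|secret|token|api_key|crypt|permission|admin|authoriz|authentic/i

Finding = Struct.new(:file, :line, :category, :text)

# Walks a unified diff, tracking the post-change line number of each added line.
def triage_diff(diff)
  findings, file, lineno = [], nil, nil
  diff.each_line do |raw|
    line = raw.chomp
    if line.start_with?('+++ ')                       # new-file header
      file = line.sub(%r{\A\+\+\+ (?:b/)?}, '')
      findings << Finding.new(file, 0, :sensitive_module, file) if file.match?(SENSITIVE_PATHS)
    elsif (hunk = line.match(/\A@@ -\d+(?:,\d+)? \+(\d+)/))
      lineno = hunk[1].to_i                           # first new-file line of the hunk
    elsif line.start_with?('+') && lineno
      code = line[1..-1]
      category = if code.match?(DANGEROUS_METHODS) then :dangerous_method
                 elsif code.match?(SECURITY_KEYWORDS) then :security_keyword
                 end
      findings << Finding.new(file, lineno, category, code.strip) if category
      lineno += 1
    elsif line.start_with?(' ') && lineno
      lineno += 1                                     # context lines advance; removed lines do not
    end
  end
  findings
end

def needs_security_review?(diff)
  !triage_diff(diff).empty?
end

# Constructed sample diff touching a sensitive model and a helper that uses send.
SAMPLE_DIFF = <<~'DIFF'
  --- a/app/models/user.rb
  +++ b/app/models/user.rb
  @@ -10,2 +10,5 @@ class User < ActiveRecord::Base
     validates :email, presence: true
  +  def reset_token
  +    self.password_reset_token = SecureRandom.hex(20)
  +  end
   end
  --- a/app/helpers/report_helper.rb
  +++ b/app/helpers/report_helper.rb
  @@ -1,2 +1,3 @@
   module ReportHelper
  +  def render_col(name); send("col_#{name}"); end
   end
DIFF

if __FILE__ == $0
  triage_diff(SAMPLE_DIFF).each { |f| puts "#{f.category} #{f.file}:#{f.line} #{f.text}" }
end
```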
  90-92. Continuous Deployment Security: Security Sign-Off becomes • Quick Detection & Recovery.
  93-94. Continuous Deployment Security: Separation of Duties becomes • Accountability.
  95. Continuous Deployment Security: Management Release Sign-Off becomes • Sidekick Process.
  96-99. Sidekick Process: Two Sets of (masked) eyes on every change
  100-102. Continuous Deployment Security: Limits on Production Access becomes • Enabling Tools.
  103. Continuous Deployment Security (final slide). Requirements & Design: • Required Security Evaluation • Lightweight Targeted Threat Modeling. Development, Testing, & Release: • Secure Coding Practices • Security Libraries & Services • Automated Static Analysis • Testing Tools & Training • Continuous Scanning in Test, Staging, & Production • Automated Commit Triage • Penetration Testing • Quick Detection & Recovery. Production: • Accountability • Sidekick Process • Enabling Tools
  104-105. Powered By... • Automation • Training & Empowerment • Lightweight Processes • Triage • Quick Detection & Response
  106-108. Auditors: • Compensating Controls • Tell the Story
  109-110. Thank You! shaun@newrelic.com, security@newrelic.com
  111. Image Attribution: Slide 14, Checkpoint Rheinpark, by http://www.flickr.com/photos/kecko/3179561892/