Agile Network India | DevSecOps - The What and the Why by Ritesh Shregill

1. DEVSECOPS
IT’S A CULTURE

2. THE WHY?
The Ashley Madison Hack – Zero day exploit used to gain Server root access
$30 Million in fines, legal fees, settlements etc. Users are being blackmailed to this day
by hackers who stole their data
The Sony hack – Worm attacks through email attachments
$8 Million in remuneration to employees apart from loss of revenue due to leaked
movies
The linkedin hack – Web crawlers scraped data from the website
700 Million linked in users’ data posted online. Users targeted by spam
emails, scamsters and identity theft.
A total number of 110, 54 and 59 Indian Central Ministries, Departments and State
Government sites have been hacked during the year 2018, 2019 and 2020,
respectively
Around 3.7 Lakh Crore lost due to Cybercrimes in India since the year 2019

3. HACKERS ONLY NEED TO SUCCEED ONCE
DEFENDERS NEED TO SUCCEED EVERYTIME

4. THE PROBLEM

5. PASSING THE BUCK

6. THE RUSH TO DELIVER

7. TAKING SHORTCUTS
Intercepts the call to
the server
curl -X GET
'http://localhost:8080/a
ccounts/abc%27%20or%20%2
71%27=%271’
select customer_id,
acc_number,branch_id,
balance from Accounts
where customerId = 'abc'
or '1' = '1'
GETS ALL THE CUTOMER DATA

8. CONSEQUENCES
• Loss of client confidence
• Loss of business
• Potential lawsuits
• Negative press
• Mounting losses
• Catastrophe

9. THE WHAT?

10. THREAT MODELLING
• Identify threats early
• Identify attack surfaces and vulnerabilities
• Address them early
• Test regularly
• Release a quality secure product
• Eat pizza

11. THE ATTACK SURFACE CHECKLIST
• OWASP Top 10 - https://owasp.org/www-project-top-ten/
The OWASP top 10 list is constantly updated and is a list
compiled from observations around the most critical aspects of
web applications that can be vulnerable to be exploited by hackers.
• MITRE ATT&CK Matrix - https://attack.mitre.org/
The ATT&CK Matrix is a comprehensive checklist based on
analysis and real time observation of tools in the areas of Private
Sector organizations, Government agencies, Cybersecurity firms
and Community contributions.

12. THE HOW?

13. THE LEFT SHIFT
Traditional
The shiny new pipeline

14. TOOLS THAT HELP
• SAST – Analyze at rest
• Gitlab
• Fortify
• Bandit(Python)
• Eslint(Javascript)
• IAST – Analyze at run (Intrusively)
• Acutenix
• Snyk
• DAST – Analyze at run (Agnostically)
• ZAP(Zed Attack Proxy)
• Burp suite

15. SAMPLE DAST ANALYSIS

16. RED TEAMING AND BAS TOOLS
• Form ethical hacking teams to exploit the entire attack surface
• Breach and Attack simulation tools automatically simulate real threats
and analyse how an attack can spread on successful penetration
BAS tools:
• AttackIQ
• Cymulate
• FireEye

17. CART – CONTINUOUS AUTOMATED RED
TEAMING
• Automates red teaming by finding attack surface automatically and runs a full
gamut of penetration tests against the attack surface
• Launches multi-stage attacks to simulate real time attacks
• Uses outside in approach and does not require hardware or software to be
installed on premises
Tools:
FireCompass (Most widely used and adopted)
Atomic Red Team + Swimlane SOAR

18. CONS OF BAS AND CART TOOLS
Cons:
• Lots of manual time and effort involved in simulating tests and
exploring attack surfaces
• Expensive
• Requires on premises installation of software and technical knowhow
• Predominantly provided by third party vendors
• Cannot be run against live production servers as they can be
disruptive

21. FORMULA FOR SUCCESS
AGILE + DEV + OPS + SEC + MICROSERVICES
TEAM

22. WHY MICROSERVICES?
• Containers can be shared around so everyone is working on the
same environment
• Multiple environments can be used as sandboxes for
dev/uat/pocs/chaos testing, etc
• Canary deployments
• SAST against pipelines, DAST against Containers and BAS
against Kubernetes clusters / Service Mesh

23. REDUCING ATTACK SURFACES
• Small apps smaller concerns
• Focus is on continuous testing, continuous patching
• Fewer tests to be executed as code base is small
• Re-engineering and re-architecting is a smaller effort in case
design breaking vulnerabilities are exposed
• Better management of priorities

24. BEST PRACTICES
• MFA and access controls
• Session and cookie hygiene
• Common Attack Matrix generated from SAST, DAST and BAS tools
• Encryption at rest – Database encryption, Storage Encryption
• Encryption in transit – HTTPS, SSL, TLS, FTPS, IP Whitelisting
• Password Vault services
• Authentication and Authorization as a service
• Active traffic monitoring to uncover anomalous system access
• CDNs and robust edge servers

25. Q&A