
Integrating AppSec into Your DevSecOps on AWS - DEM14 - AWS re:Inforce 2019


"DevSecOps is driving the use of security testing throughout the application lifecycle, from initial development to product monitoring. Application security testing is unlike other forms of security in that it directly impacts the daily routines of developers. John Maski, the former director of DevSecOps at AT&T, discusses securing CI/CD pipelines in enterprise environments and “shifting left” with security. He reveals best practices gained from moving AT&T’s primary DevOps practice to a DevSecOps practice using static and dynamic application security testing. You’ll discover why strong executive sponsorship, a cultural shift, and solid cross-organization teaming are critical and how they can be the way forward to your own DevSecOps success."


1. Integrating AppSec into your DevSecOps on AWS
   David Wayland, Director, Information Security, Fortune 500 Financial Corporation
   © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

2. Agenda
   - Who Am I?
   - What are we talking about?
   - Application Security Drivers
   - How did we get here?
   - AppSec in your DevSecOps
   - Final Words

3. Who am I & why should you care
   - 20 years in the application development space
   - 15 years as a production Java & .NET developer
   - 5 years as a technical instructor for system administration & application development
   - 5 years consulting to Fortune 500, 100, and Global 50 companies
   - 15 years architecting and building deployment automation
   - 8 years of DevSecOps experience: 4 as an application developer and technical lead, 4 as the head of application security

4. (image slide, no text)

5. Integrating AppSec in your DevSecOps
   - Automation is the key
   - Shifting application security to the left is the goal
   - DevSecOps is decreasing the time to implement production changes
   - The threat environment is increasing rapidly
   - We will talk about proven processes and tools to secure your DevSecOps

6. (image slide, no text)

7. Application Security Drivers
   - Cost: significant financial & reputational harm will be caused by ANY data breach; $5.4 million per incident, on average*; $188 - $277 per compromised record*
   - Threat environment: dynamic & evolving!
   - Vulnerabilities: most vulnerabilities that are exploited were published for more than a year**
   * Veracode, Addressing the Scalability Challenge with Cloud-Based Application Security
   ** Verizon, Data Breach Investigations Report (DBIR)

8. (image slide, no text)

9. Application & Process Journey (chart, 2000 to today: process moves Waterfall → Agile → DevOps, architecture moves Monolithic → SOA → Microservices, and deployment times shrink)

10. Application Security Reality
   - Increased threat environment
   - Decreased deployment time

11. Application Security Reality (chart from Verizon, 2016 Data Breach Investigations Report: time to compromise versus time to exfiltration)

12. (image slide, no text)

13. Environment Considerations
   - DevSecOps application security is environment agnostic
   - CI/CD pipelines may be environment specific
   - Ensuring a secure landing zone is the beginning of your journey

14. Secure Landing Zone
   - You are only as secure as the environment you are operating within
   - Automate the creation of your landing zone to ensure it is secure
   - Ensuring foundational security provides the baseline for application security

15. DevSecOps (chart: relative cost of fixing a defect, rising from $ when caught at the left of the lifecycle to 100x$ when caught later*)
   * https://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20100036670.pdf

16. DevSecOps – The Shift Left that must occur (same chart, annotated: $0 at the developer on the left, rising to 100x$ later*)
   * https://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20100036670.pdf

17. Competing Imperatives
   - Development team: schedule, functionality, enhancements, stability
   - Application security team: security of the application, i.e. no must-fix vulnerabilities

18. DevSecOps: Application Security developer training
   - Application security MUST “speak developer”
   - Security requirements must be clear, concise, and pertinent
   - Training must be tailored to the developer
   - There must be an understanding of the security concerns
   - If they only understand two (2) things, let them be: trust boundaries and data sanitization

19. DevSecOps: Code Development
   - Developer training: specific to the company's security requirements; clearly identify what is a must-fix vulnerability
   - IDE integration: “Intellisense” for security vulnerabilities; ability to provide immediate feedback and training
   - CI: automated SAST scan on commit
   Results:
   - Vulnerabilities: reduction in introduced vulnerabilities; immediate identification; expedited remediation
   - Schedule: reduced risk to schedule
   - Cost: minimal cost to refactor code

20. DevSecOps: Build Automation
   - Static scanning: all files associated with the application, every build of the application
   - SAST: compiled application source code
   - SCA: third-party & open source components
   Results:
   - Vulnerabilities: application-specific and 3rd-party & open source component vulnerabilities; identification of vulnerabilities; remediation of vulnerabilities
   - Licensing: component licensing & compliance; reduction of risk

21. DevSecOps: Test, Release, Deploy
   Automation:
   - Static scanning: all files associated with the application, every build of the application
   - SAST: compiled application source code
   - SCA: third-party & open source components
   - DAST: production-like application URL
   Results:
   - Vulnerabilities: application-specific and 3rd-party & open source component vulnerabilities; identification of vulnerabilities; remediation of vulnerabilities
   - Licensing: component licensing & compliance; reduction of risk
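Slides 19 through 21 describe one pipeline: SAST on commit, SAST and SCA on every build, and a DAST pass against a production-like URL before release, with "must fix" defined explicitly so the gate is unambiguous to developers. The following is an added example, not code from the talk or from AWS, of such a gate in Python: it reads SAST findings in SARIF 2.1.0 form and an SCA component list in CycloneDX JSON form, applies a constructed must-fix policy (a severity threshold, blocking CWE classes for the trust-boundary and sanitization concerns of slide 18, a licence allow-list and a vulnerable-component list), and returns the findings that should stop the build. The policy values, the sample reports, rule ids, file paths, package names and the advisory placeholder are all constructed; the `security-severity` rule property is the convention GitHub code scanning uses for SARIF and is assumed here for the sample tool.

```python
"""Must-fix gate over SAST (SARIF 2.1.0) and SCA (CycloneDX JSON) output.
Added example, not from the talk; policy values, sample reports and the
vulnerable-component list are constructed."""
import json
import re

# Constructed policy: the talk's point is that "must fix" is written down explicitly.
MUST_FIX_POLICY = {
    "min_security_severity": 7.0,                               # CVSS-style score that blocks
    "must_fix_cwes": {"CWE-20", "CWE-78", "CWE-79", "CWE-89"},  # injection / sanitisation classes
    "allowed_licenses": {"Apache-2.0", "MIT", "BSD-3-Clause"},
    "vulnerable_components": {                                  # purl -> advisory reference (placeholder)
        "pkg:maven/org.example/legacy-parser@1.2.0": "ADVISORY-ID-PLACEHOLDER"},
}


def _sarif_result(rule_id, uri, line, text):
    """Build one SARIF result record (sample data only)."""
    return {"ruleId": rule_id, "message": {"text": text},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                                "region": {"startLine": line}}}]}


# Constructed SAST report in SARIF shape; rule metadata lives under tool.driver.rules.
SARIF_SAMPLE = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast", "rules": [
        {"id": "java/sql-injection", "properties": {"security-severity": "8.8",
                                                    "tags": ["security", "external/cwe/cwe-089"]}},
        {"id": "java/reflected-xss", "properties": {"security-severity": "6.1",
                                                    "tags": ["security", "external/cwe/cwe-079"]}},
        {"id": "java/unused-variable", "properties": {"tags": ["maintainability"]}}]}},
    "results": [
        _sarif_result("java/sql-injection", "src/OrderDao.java", 42, "Query built from request input"),
        _sarif_result("java/reflected-xss", "src/SearchServlet.java", 17, "Parameter echoed to response"),
        _sarif_result("java/unused-variable", "src/Util.java", 9, "Variable 'tmp' is never read")]}]})


def _component(name, version, license_id):
    """Build one CycloneDX component record (sample data only)."""
    return {"type": "library", "name": name, "version": version,
            "purl": f"pkg:maven/org.example/{name}@{version}",
            "licenses": [{"license": {"id": license_id}}]}


# Constructed SCA output in CycloneDX JSON shape.
SBOM_SAMPLE = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    _component("legacy-parser", "1.2.0", "MIT"),           # on the vulnerable list
    _component("report-engine", "3.0.1", "GPL-3.0-only"),  # licence not on the allow-list
    _component("http-client", "4.5.13", "Apache-2.0")]})   # clean

_CWE_TAG = re.compile(r"cwe-0*(\d+)$", re.IGNORECASE)


def cwes_from_tags(tags):
    """Normalise tags such as 'external/cwe/cwe-089' or 'CWE-89' to 'CWE-89'."""
    return {f"CWE-{int(m.group(1))}" for m in map(_CWE_TAG.search, tags) if m}


def sast_violations(sarif_text, policy=MUST_FIX_POLICY):
    """Return SARIF results that breach the must-fix policy, with the reason(s)."""
    doc = json.loads(sarif_text)
    violations = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for result in run.get("results", []):
            props = rules.get(result["ruleId"], {}).get("properties", {})
            severity = float(props.get("security-severity", 0.0))
            blocking = cwes_from_tags(props.get("tags", [])) & policy["must_fix_cwes"]
            reasons = []
            if severity >= policy["min_security_severity"]:
                reasons.append(f"security-severity {severity} >= {policy['min_security_severity']}")
            if blocking:
                reasons.append("must-fix weakness class " + ", ".join(sorted(blocking)))
            if reasons:
                loc = result["locations"][0]["physicalLocation"]
                violations.append({"rule": result["ruleId"], "file": loc["artifactLocation"]["uri"],
                                   "line": loc["region"]["startLine"], "reasons": reasons})
    return violations


def sca_violations(sbom_text, policy=MUST_FIX_POLICY):
    """Return components on the vulnerable list or carrying a licence outside the allow-list."""
    violations = []
    for comp in json.loads(sbom_text).get("components", []):
        purl = comp.get("purl", f"{comp.get('name')}@{comp.get('version')}")
        reasons = []
        if purl in policy["vulnerable_components"]:
            reasons.append("known vulnerable: " + policy["vulnerable_components"][purl])
        licenses = {e["license"]["id"] for e in comp.get("licenses", [])
                    if "license" in e and "id" in e["license"]}
        disallowed = licenses - policy["allowed_licenses"]
        if disallowed:
            reasons.append("licence not on allow-list: " + ", ".join(sorted(disallowed)))
        if reasons:
            violations.append({"component": purl, "reasons": reasons})
    return violations


def gate(sarif_text, sbom_text, policy=MUST_FIX_POLICY):
    """Combine both checks; the CI job exits non-zero when 'passed' is False."""
    sast, sca = sast_violations(sarif_text, policy), sca_violations(sbom_text, policy)
    return {"passed": not sast and not sca, "sast": sast, "sca": sca}
```

In a pipeline the gate runs after the scanner steps, and the job fails when `passed` is False. The explicit policy is what makes the failure actionable: the developer sees which rule, on which line, breached which clause of the must-fix definition, which is the immediate feedback slide 19 asks for, rather than a raw finding count.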
22. DevSecOps: Operate & Monitor
   - Secure landing zone: integrated identity, integrated logging, integrated infrastructure security
   - Secure CI/CD pipelines: automated account structure, secure infrastructure as code
   Results:
   - Automated account deployments
   - Elimination of manual processes
   - Security built in to the pipeline
   - Logging & monitoring: centralized logging, tool-specific monitoring

23. DevSecOps: Operate & Monitor
   Automation:
   - Automated perimeter monitoring: all IP ranges associated with the environment; all known domains; fuzzy search for new domains/IPs; non-credentialed dynamic scan of identified sites
   Results:
   - Vulnerabilities: external-facing site vulnerabilities; elimination of risk through reduction in “drive by” vulnerabilities
   - Reputation: “External Risk Management Reports” will come back clean
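Slide 23's perimeter monitoring loop starts from an inventory (all IP ranges, all known domains), looks for hosts that have appeared outside it, and feeds the identified sites into a non-credentialed dynamic scan. The following added example, not from the talk, shows the inventory-reconciliation step in Python: each observed hostname/IP pair is classified as inventoried, as an own domain on an IP outside the recorded ranges, as a lookalike of the organisation's brand name (the "fuzzy search"), or as unrelated, and the own hosts are collected as the list to hand to the DAST tool. The ranges, domains, brand token and observations are constructed (documentation IP ranges and example.* names), and the similarity threshold is an assumption.

```python
"""Perimeter inventory reconciliation: check hosts seen on the internet against
the known IP ranges and domains, and flag lookalike domains for review.
Added example, not from the talk; ranges, domains and observations are
constructed (documentation IP ranges and example.* names)."""
import ipaddress
from difflib import SequenceMatcher

# Constructed inventory: the ranges and domains the organisation believes it owns.
KNOWN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
KNOWN_DOMAINS = {"example.com", "example.net"}
BRAND_TOKENS = {"example"}  # names a lookalike domain would imitate

# Constructed observations (hostname, resolved IP), e.g. from certificate
# transparency logs, DNS zone exports or cloud account enumeration.
OBSERVED = [
    ("www.example.com", "203.0.113.10"),
    ("api.example.net", "198.51.100.5"),
    ("staging-portal.example.com", "192.0.2.44"),  # own domain, IP not in inventory
    ("examp1e-login.com", "192.0.2.99"),           # neither, but resembles the brand
    ("unrelated-site.org", "192.0.2.7"),
]


def registrable_domain(hostname):
    """Last two labels of the name; a simplification (ignores public suffixes such as co.uk)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def in_known_ranges(ip):
    """True when the address falls inside any inventoried range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_RANGES)


def lookalike_score(hostname):
    """Highest similarity between any token of the registrable label and a brand token."""
    label = registrable_domain(hostname).split(".")[0]
    tokens = [t for t in label.replace("_", "-").split("-") if t]
    return max((SequenceMatcher(None, t, b).ratio() for t in tokens for b in BRAND_TOKENS),
               default=0.0)


def classify(hostname, ip, threshold=0.8):
    """Assumed threshold of 0.8: 'examp1e' vs 'example' scores about 0.86."""
    known_domain = registrable_domain(hostname) in KNOWN_DOMAINS
    known_ip = in_known_ranges(ip)
    if known_domain and known_ip:
        return "inventoried"
    if known_domain:
        return "known-domain-unknown-ip"   # record the IP, then include the host in the scan
    if lookalike_score(hostname) >= threshold:
        return "lookalike-review"           # possible impersonation or shadow deployment
    return "unrelated"


def reconcile(observed):
    """Map every observed hostname to its classification."""
    return {host: classify(host, ip) for host, ip in observed}


def sites_to_scan(observed):
    """Own hosts, whether or not their IP was already in inventory: the DAST input list."""
    return sorted(h for h, v in reconcile(observed).items()
                  if v in ("inventoried", "known-domain-unknown-ip"))
```

The two categories that deserve a human look are the ones the slide's "fuzzy search" is after: an own domain answering from an unrecorded IP usually means a deployment nobody registered in the inventory, and a brand lookalike on unknown infrastructure is a reputation question to route to whoever handles external risk reports. Only the confirmed own hosts go to the non-credentialed scan.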
24. DevSecOps: Plan
   - Update: continually revise reference architectures, documentation, and developer training
   - Review vulnerabilities and identify trends; create customized training to address weak areas
   - Monitoring: utilize monitoring of non-production environments to address potential production issues; identify trends

25. Integrating AppSec in your DevSecOps
   ✓ Automation allows for velocity and integration
   ✓ Shifting security to the left reduces schedule impacts
   ✓ Developer training decreases introduced vulnerabilities
   ✓ Secure landing zones and pipelines are the goal and key to success

26. Thank you!
   David Wayland
   eMail: david.wayland@gmail.com
   LinkedIn: https://www.linkedin.com/in/davidwayland
