Recommended
Recommended
More Related Content
Similar to Lean_Security.pptx
Similar to Lean_Security.pptx (20)
Recently uploaded
Recently uploaded (20)
Lean_Security.pptx
- 1. Lean Security A framework of security activities and design factors for DevSecOps Research performed under the guidance of: Dennis Verslegers Strategic Advisor Application Security Orange CyberDefense
- 2. Motivation
- 3. Approaches based on iterations over small units of work promoting fast feedback and room for experimentation is the best approach to build complex systems Security is too often treated as an afterthought Which security activities are relevant to DevSecOps and how do we approach them (differently)?
- 5. Integrate security assurance in DevOps without increasing delay Culture Automation Measurement Sharing Increasing regulatory compliance requirements Potential impact of breaches on market value and reputation Security is seen as an obstacle for DevOps adoption Mohan, Othmane, 2016 Tashi, 2009 Goel, Shawky, 2009 Sinanaj, Muntermann, 2015 Relies on experts Documentation driven Performed on finished product Convential sequential security activities create detering delays between critically short iterations and inflate development budgets Beznosov, Kruchten, 2004 Increased speed of response Auditability Repeatability Automation improves security Forsgren, Smith, Humble, Frazelle, 2019 Doing DevOps well enables you to do security well Forsgren, Smith, Humble, Frazelle, 2019
- 7. Integrate security assurance in DevOps without increasing delay RQ1a: Definition of DevOps? RQ1b: Definition of DevSecOps? RQ2: Which set of security activities and design factors relevant to DevOps processes can be distinguished from academic literature? RQ3: How do the identified security activities rank in terms of effectiveness and delay from a practitioner point of view? Literature review Literature review Thematic analysis Expert survey Expert survey 2 definitions 33 activities 87 design factors GSS session Prioritised list of activities Effectiveness Delay Financial IQR 1 1 1
- 9. CODE BUILD TEST DEPLOY OPERATE MONITOR Manage digital supply chain Automated Software Composition Analysis Automated Container Image Scanning Scan artifact and source code repositories Threat modeling Security Requirements Security SLA cloud providers Risk Analysis Automated Security Testing Automated Static Testing Integrate security tests with unit testing Run-Time application security testing Establish Security Mindset Perform Security Training Establish Security Satellites Perform Continuous Assurance Manual Security Testing Manual Penetration Testing Manual Security Verifications Secrets management Security Configuration Automation Automated Remediation Practice Incident Response Continuous Monitoring Security Controls Application behaviour Ci/CD security metrics System metrics Security SLAs Centralised dashboards Self-service capabilities for dev and ops Continuous feedback from prod to dev Secure the Ci/CD pipeline
- 10. Prioritised list of activities Effectiveness Delay Financial IQR 1 1 1 Effectiveness Delay Financial IQR 1 1 1 Relevance 8 of 10 experts Number of experts who perceive the activity as relevant to DevSecOps Inter-Quartile Range of the expert scores Rounded median score on effectiveness (higher = more effective) Rounded median score on delay (higher = less delay) Rounded median score on financial impact (higher = less impact)
- 11. Automated Security Testing Leverage SecaaS by using cloud provided self- managed, automated and scalable security services Integrate the security tools in an automated deployment pipeline Automate as many security controls and verifications as possible Ensure the team and management understands and supports the security validations integrated in the automated deployment pipeline Added by expert Fail fast when security validations do not pass Added by expert Integrate the validations in the Definition of Done Added by expert Ensure APIs (of security verifications) align with organisational processes allowing the implementation to remain easy to understand Added by expert Automated testing is geared towards finding implementation bugs but generally not suited to spot design flaws Added by expert
- 12. Usage and key takeaways
- 13. Integrate security assurance in DevOps without increasing delay Framework delay effectiveness financial & Tailor Model Assess DevSecOps roadmap Provides a toolbox of what (activities) and how (design factors) for DevSecOps
- 14. Establish a security engineering mindset
- 15. Integrate security assurance in DevOps without increasing delay Framework DevSecOps is not so much about doing different things as it is about doing things differently DEV OPS flow Feedback loops Continual experimentation and learning Share security learning experiences and create a security engineering mindset Shift security responsibility to the teams and create supporting mechanisms to get the job done Leverage security automation capabilities wherever possible Establish security measurements to gain insights and create learning opportunities Favor reducing delay over other aspects (cost, licensing, …)
- 16. SAMM Why + Objectives Lean security What + How
- 18. Develop a reference implementation leveraging the existing set of OWASP tools Combine the results of this research with research performed on the relationship between DevSecOps and compliance Develop a periodic table of the DevSecOps tooling landscape
- 19. Executive Master in IT Risk & Cyber Security Management @ Antwerp Management School https://www.lean-security.org
- 21. Thank you Research performed under the guidance of: Dennis Verslegers Strategic Advisor Application Security Orange CyberDefense