DevSecOps for Developers, How To Start (ETC 2020)

How can you squeeze Security into DevOps? Security is often an understaffed function, so how can you leverage what you have in DevOps to improve your security posture?

Often the culture clash between Security and Development is even more prominent than the one between Development and Operations. Understanding the differences in how these functions work, and leveraging their similarities, reveals processes already in place that can be used to improve security. This fine-tuning of tools and processes can give you DevSecOps on a shoestring.


  1. Turtle Sec, @pati_gallardo
  2. My first real tech job
  3. Dev[Sec]Ops for Developers: How To Start. European Testing Conference 2020. Patricia Aas, Turtle Sec, @pati_gallardo
  4. Patricia Aas, Consultant, Turtle Sec. C++ Programmer, Application Security. Currently: TurtleSec. Previously: Vivaldi, Cisco Systems, Knowit, Opera Software. Master in Computer Science. Pronouns: she/her
  5. Quality
  6. Accelerate, Nicole Forsgren PhD, Humble and Kim: “Our research shows that building security into software development not only improves delivery performance but also improves security quality. Organizations with high delivery performance spend significantly less time remediating security issues.”
  7. “improves security quality”: Security is a Quality Metric
  8. Vulnerability
  9. What is a Vulnerability? Bug → Vulnerability → Exploit. If a bug can be exploited, then it is a vulnerability.
  10. What does an Exploit do? Write, Read, Execute: Information Leaks, Intelligence Gathering, Remote Code Execution, Privilege Escalation, Denial of Service, Planting of Shellcode.
  11. Exploitation: The Weird Machine (diagram, after @halvarflake and @sergeybratus). The Exploit drives The Target, through the Bug/Vulnerability, from one Weird State to the next.
  12. There is an artificial line between security testing and other types of testing.
  13. Vulnerabilities are Bugs.
  14. Culture
  15. Looking for Zebras
  16. “In medical school, you are taught that if, metaphorically, there is the sound of hoofbeats pounding towards you then it’s sensible to assume they come from horses not zebras [...] With House it’s the opposite. We are looking for zebras.” ‘Dr Lisa Sanders’ in ‘House M.D.’
  17. We tend to classify problems based on the problems we are used to. This stops us from understanding folks that deal with different classes of problems.
  18. Cynefin Framework by Dave Snowden
  19. Cynefin Framework by Dave Snowden, https://cognitive-edge.com/blog/liminal-cynefin-image-release/
  20. Cynefin applied to fixing things. Chaotic: crisis, novel practice, stabilize. Complex: emergent practice, discover. Complicated: good practice, engineer. Obvious: best practice, automate.
  21. Cynefin applied to DevOps. Chaotic (act): incident response, critical. Complex (probe): prototyping, creativity, not critical. Complicated (analyze): development, skill. Obvious (auto): deploy, automation.
  22. Cynefin applied to an incident in prod. Chaotic (act): put out fires. Complex (probe): investigate. Complicated (analyze): remediate. Obvious (auto): change.
  23. Cynefin applied to security. Chaotic (act). Complex (probe): fuzzing. Complicated (analyze): debugging, exploit dev. Obvious (auto): Metasploit.
  24. Cynefin applied to testing. Complex (probe): making the right system; A/B testing, Chaos Monkey. Complicated (analyze): making the system right; TDD, static analysis.
  25. Dev[Sec]Ops
  26. Simplified pre-DevOps deployment workflow: Coding → Building → Testing → Manual Security Gate Keeping → Monitoring. But you have to get out of the critical path?
  27. “We have no ‘Security Team’.” 1 security person per 10 ops people per 100 developers (Accelerate, Forsgren PhD, Humble and Kim). Manual security review does not scale.
  28. Security tooling along the pipeline (Coding, Building, Testing, Monitoring): IDE plugins, static analysis, warnings, commit hooks, dependency checks, scanning, dynamic analysis, fuzzing, simulations, alerts, dashboards.
  29. Risk Modeling
  30. Company Killer: What are you really afraid of? What kind of event could put you out of business?
  31. Pre-mortem: Your worst headline is in the newspaper. How did this happen?
  32. Data Flow Diagram (diagram): the elements are External Entity (Browser/App), Process (Backend) and Data Store; Data Flows connect them, and Trust Boundaries are drawn where the flows cross between them.
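The diagram on slide 32 can be kept as code, so the review question "which flows cross a trust boundary?" is answered mechanically every time the model changes and the answer can be pasted straight into peer review (slide 46 asks for threat modeling there). The Python below is an added example, not from the slides or from TurtleSec: the elements, trust levels and flows are a constructed model following the slide's browser/app, backend and data store, and every name in it is an assumption.

```python
"""Data-flow diagram as code: list the flows that cross a trust boundary.

Added example, not from the slides. Elements, trust levels and flows are a
constructed model (names are assumptions) following the slide's diagram.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    name: str
    kind: str    # "external entity", "process" or "data store", as on the slide
    trust: int   # trust level; a flow between two different levels crosses a boundary


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str


# Constructed model: the browser/app and a payment provider sit outside the
# first trust boundary, the backend and its job queue are one level in, and
# the data store is behind a second boundary.
ELEMENTS = [
    Element("Browser/App", "external entity", 0),
    Element("Payment Provider", "external entity", 0),
    Element("Backend", "process", 1),
    Element("Job Queue", "data store", 1),
    Element("Data Store", "data store", 2),
]
FLOWS = [
    Flow("Browser/App", "Backend", "login form"),
    Flow("Backend", "Browser/App", "session cookie"),
    Flow("Backend", "Job Queue", "email job"),      # same trust level: no boundary
    Flow("Backend", "Data Store", "user record"),
    Flow("Data Store", "Backend", "user record"),
    Flow("Backend", "Payment Provider", "card token"),
]


def boundary_crossings(elements, flows):
    """Return (flow, source, destination) for every flow whose ends differ in trust."""
    by_name = {e.name: e for e in elements}
    crossings = []
    for flow in flows:
        missing = [n for n in (flow.src, flow.dst) if n not in by_name]
        if missing:
            raise ValueError(f"flow {flow.src} -> {flow.dst} names unknown element(s): {missing}")
        src, dst = by_name[flow.src], by_name[flow.dst]
        if src.trust != dst.trust:
            crossings.append((flow, src, dst))
    return crossings


def review_checklist(elements, flows):
    """One review question per boundary crossing, for the peer-review template."""
    items = []
    for flow, src, dst in boundary_crossings(elements, flows):
        label = f"{flow.src} -> {flow.dst} ({flow.data})"
        if src.trust < dst.trust:
            # Inbound across a boundary: the receiver must not trust the sender.
            items.append(f"{label}: enters a higher-trust zone; who authenticates "
                         f"{src.name}, and is '{flow.data}' validated before {dst.name} acts on it?")
        else:
            # Outbound across a boundary: the sender may be disclosing too much.
            items.append(f"{label}: leaves for a lower-trust zone; may '{flow.data}' be "
                         f"disclosed to {dst.name}, and is the channel protected?")
    return items


if __name__ == "__main__":
    for line in review_checklist(ELEMENTS, FLOWS):
        print(line)
```

Each flow crossing a boundary produces one question; flows that stay inside a zone (the job queue here) produce none, which is exactly the triage a reviewer wants when the diff touches the model.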
  33. Hacks
  34. Six areas to bootstrap: Tooling, Incident Response, Automation, Auditability, Security Reviews, Manpower.
  35. 6 Dev[Sec]Ops Hacks: 1. Live Off the Land; 2. Have Devs Build It; 3. Trunk-based Development; 4. Use Existing Crisis Process; 5. Automate as Much as Possible; 6. Infrastructure as Code.
  37. Bootstrapping Tooling
  38. Hack 1, Live Off the Land (bootstrapping tooling): use your issue tracker, use your chat, use your monitoring, use your dashboards; integrate into your tools.
  41. Bootstrapping Manpower
  42. Hack 2, Have Devs Build It (bootstrapping manpower): use the devs to build integrations; find ways to justify it; dual purpose: stability and security.
  45. Bootstrapping Security Reviews
  46. Hack 3, Trunk-based Development (bootstrapping security reviews): trunk-based development, small commits; add security to peer review; add threat modeling to peer review; feature toggles; use feature toggles for A/B testing.
  49. Bootstrapping Incident Response
  50. Have a Hotline: security@example.com, https://example.com/.well-known/security.txt
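A hotline only helps if the published file is well-formed and current: RFC 9116 makes Contact and Expires mandatory, allows Expires and Preferred-Languages at most once, and recommends an Expires less than a year away, and a reporter who finds an expired file will assume nobody is listening. The Python below is an added example, not from the slides or from TurtleSec: it lints a security.txt before it goes to /.well-known/security.txt. The sample file is constructed and the example.com addresses are placeholders.

```python
"""Check a security.txt (RFC 9116) before publishing it at /.well-known/security.txt.

Added example, not from the slides. SAMPLE is a constructed file; the addresses
in it are placeholders.
"""
from datetime import datetime, timedelta, timezone

SAMPLE = """\
# Constructed example of https://example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en, no
Canonical: https://example.com/.well-known/security.txt
"""

AT_MOST_ONCE = ("expires", "preferred-languages")
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")           # the schemes RFC 9116 describes
HTTPS_ONLY = ("canonical", "policy", "hiring", "acknowledgments")


def parse(text):
    """Field names are case-insensitive and a field may repeat, so values are lists."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: not a 'Field: value' line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_rfc3339(value):
    """Expires is an RFC 3339 timestamp. fromisoformat() only accepts a trailing
    'Z' from Python 3.11 on, so rewrite it to +00:00 first."""
    if not value:
        raise ValueError("empty timestamp")
    if value[-1] in "zZ":
        value = value[:-1] + "+00:00"
    stamp = datetime.fromisoformat(value)
    if stamp.tzinfo is None:
        raise ValueError("timestamp has no timezone")
    return stamp


def problems(text, now=None):
    """Return human-readable problems; an empty list means the file can be published.
    `now` may be a timezone-aware datetime or an RFC 3339 string (handy in tests)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_rfc3339(now)
    fields = parse(text)
    found = []
    contacts = fields.get("contact", [])
    if not contacts:
        found.append("missing Contact: nobody can report a vulnerability")
    for contact in contacts:
        if not contact.startswith(CONTACT_SCHEMES):
            found.append(f"Contact is not a mailto:, tel: or https: URI: {contact}")
    for name in AT_MOST_ONCE:
        if len(fields.get(name, [])) > 1:
            found.append(f"{name} may appear only once")
    expires = fields.get("expires")
    if not expires:
        found.append("missing Expires: consumers will treat the file as stale")
    else:
        try:
            stamp = parse_rfc3339(expires[0])
        except ValueError as exc:
            found.append(f"Expires is not an RFC 3339 timestamp ({exc}): {expires[0]}")
        else:
            if stamp <= now:
                found.append(f"Expires is in the past ({expires[0]}): update and republish")
            elif stamp - now > timedelta(days=365):
                found.append("Expires is more than a year out; RFC 9116 recommends less")
    for name in HTTPS_ONLY:
        for value in fields.get(name, []):
            if not value.startswith("https://"):
                found.append(f"{name} must be an https:// URL: {value}")
    return found


if __name__ == "__main__":
    for problem in problems(SAMPLE) or ["ok: no problems found"]:
        print(problem)
```

Run it in the same pipeline that deploys the site, so an Expires that has lapsed fails the build instead of quietly telling researchers the hotline is dead.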
  51. External Vulnerability Report Flow (diagram): reports arrive as Bug Reports, Vulnerability Reports or via Social Media, landing with QA, Security or Marketing; Triage sorts each into No bug, Bug or Vulnerability.
  52. Use Existing Crisis Process for Incident Response
  53. You Know How To Handle A Crisis
  54. Hack 4, Use Existing Crisis Process (bootstrapping incident response), security improvements to the existing crisis process: separate priority in the bug tracker; separate channel in Slack; security engineer as a side duty; simple procedure; how will people get paid in off-hours?
  57. Bootstrapping Automation
  58. Hack 5, Automate as Much as Possible (bootstrapping automation): add IDE plugins; add a dependency scanner in CI/CD; add scanners in CI/CD; dynamic scan in a non-blocking pipeline; all results in the developers' visualization.
  62. Bootstrapping Auditability
  63. Hack 6, Infrastructure as Code (bootstrapping auditability): fully automated pipeline; configuration management; know what you're running; auditable.
  65. Incremental Security
  66. Incremental, Layered Security: teach everyone what to look for; use their tooling and their dashboards; fast, stable, automated tests in the critical path; slower tests off the critical path; use the existing crisis process for incidents.
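Slide 58's "dynamic scan in a non-blocking pipeline" and slide 66's "fast, stable, automated tests in the critical path, slower tests off it" come down to one policy applied to scanner output. The Python below is an added example, not from the slides or from TurtleSec: a small gate that reads findings in a constructed, tool-neutral shape (assume a thin adapter maps each real scanner's output onto it), fails the build only for findings from blocking stages, and keeps an allowlist whose entries carry a ticket and an expiry so accepted risk comes back for re-review instead of being forgotten. The stage names, thresholds, rule ids and sample findings are all assumptions.

```python
"""Pipeline gate: fast scanners block the build, slow ones only report.

Added example, not from the slides. Findings use a constructed, tool-neutral
shape; stage names, thresholds, rule ids and the sample data are assumptions.
"""
from datetime import date

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Stages in the critical path block the build. The dynamic scan is slow and
# noisy, so it runs in a separate non-blocking pipeline and only reports.
STAGES = {
    "static-analysis":  {"blocking": True,  "fail_at": "high"},
    "dependency-check": {"blocking": True,  "fail_at": "high"},
    "dynamic-scan":     {"blocking": False, "fail_at": "high"},
}

# Constructed findings, one dict per scanner result (rule ids are made up).
FINDINGS = [
    {"stage": "static-analysis",  "rule": "sql-string-concat", "severity": "high",
     "where": "api/users.py:42"},
    {"stage": "static-analysis",  "rule": "debug-logging",     "severity": "medium",
     "where": "api/app.py:10"},
    {"stage": "dependency-check", "rule": "vuln-in-yaml-lib",  "severity": "high",
     "where": "requirements.txt"},
    {"stage": "dependency-check", "rule": "vuln-in-http-lib",  "severity": "high",
     "where": "requirements.txt"},
    {"stage": "dynamic-scan",     "rule": "missing-csp",       "severity": "critical",
     "where": "https://staging.example.test/"},
]

# Accepted findings, each tied to a ticket and a date after which the
# acceptance lapses and the finding is treated like any other (constructed).
ALLOWLIST = [
    {"stage": "dependency-check", "rule": "vuln-in-yaml-lib", "where": "requirements.txt",
     "ticket": "SEC-1", "expires": date(2030, 1, 1)},
    {"stage": "dependency-check", "rule": "vuln-in-http-lib", "where": "requirements.txt",
     "ticket": "SEC-2", "expires": date(2019, 12, 31)},
]


def evaluate(findings, allowlist, today, stages=STAGES):
    """Return (fail_build, report); the report carries one disposition per finding.
    `today` may be a date or an ISO date string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    accepted = {(a["stage"], a["rule"], a["where"]): a for a in allowlist}
    fail_build = False
    report = []
    for finding in findings:
        stage = stages.get(finding["stage"])
        if stage is None:
            raise ValueError(f"unknown stage {finding['stage']!r}")
        entry = accepted.get((finding["stage"], finding["rule"], finding["where"]))
        still_accepted = entry is not None and entry["expires"] >= today
        over_threshold = SEVERITY[finding["severity"]] >= SEVERITY[stage["fail_at"]]
        if still_accepted:
            disposition = "accepted"
        elif not over_threshold:
            disposition = "report"
        elif stage["blocking"]:
            disposition = "block"
            fail_build = True
        else:
            disposition = "report"   # over threshold, but the stage is off the critical path
        note = None
        if entry is not None:
            note = entry["ticket"] + ("" if still_accepted
                                      else f" (acceptance expired {entry['expires']})")
        report.append({**finding, "disposition": disposition, "note": note})
    return fail_build, report


def blocked(report):
    """The findings a developer has to fix before the build goes green."""
    return [r for r in report if r["disposition"] == "block"]


if __name__ == "__main__":
    import sys
    fail_build, report = evaluate(FINDINGS, ALLOWLIST, date.today())
    for r in report:
        print(f"{r['disposition']:8} {r['stage']:16} {r['severity']:8} {r['rule']} {r['where']}"
              + (f"  [{r['note']}]" if r["note"] else ""))
    sys.exit(1 if fail_build else 0)
```

The report, not just the exit code, is what goes on the developers' dashboard: every finding is listed with its disposition, the non-blocking stage's findings stay visible without stopping the critical path, and an expired acceptance shows its ticket so the re-review lands in the existing issue tracker rather than a separate security queue.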
  67. Learn
  68. Cynefin applied to an incident in prod, as on slide 22: act, put out fires; probe, investigate; analyze, remediate; auto, change.
  69. Phases of Incident Response¹: 1. Preparation; 2. Identification; 3. Containment; 4. Eradication; 5. Recovery; 6. Lessons Learned. ¹Incident Handler’s Handbook, SANS Institute, https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
  70. Practice. “We don't rise to the level of our expectations, we fall to the level of our training.” Greek lyrical poet, Archilochus. Accident or breach? Does it matter?
  72. Questions? Patricia Aas, TurtleSec, @pati_gallardo. Photos from pixabay.com
