DevSecOps for Developers, How To Start (ETC 2020)

1. Turtle Sec @pati_gallardo

2. Turtle Sec @pati_gallardo My ﬁrst real tech job

3. Dev[Sec]Ops for Developers How To Start European Testing Conference 2020 Patricia Aas Turtle Sec @pati_gallardo

4. Patricia Aas - Consultant Turtle Sec C++ Programmer, Application Security Currently : TurtleSec Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science Pronouns: she/her @pati_gallardo

5. @pati_gallardo 5 Quality @pati_gallardo

6. @pati_gallardo Accelerate, Nicole Forsgren PhD, Humble and Kim: “Our research shows that building security into software development not only improves delivery performance but also improves security quality. Organizations with high delivery performance spend signiﬁcantly less time remediating security issues.” @pati_gallardo 6

7. @pati_gallardo “improves security quality” Security is a Quality Metric @pati_gallardo 7

8. @pati_gallardo Vulnerability @pati_gallardo 8

9. @pati_gallardo Bug Vulnerability Exploit If a bug can be exploited... ...then it is a vulnerability @pati_gallardo 9What is a Vulnerability?

10. @pati_gallardo Exploit Write Read Execute Information Leaks Intelligence Gathering Remote Code Execution Privilege Escalation Denial of Service Planting of Shellcode @pati_gallardo 10What does an Exploit do?

11. @pati_gallardo The Target The Exploit@halvarﬂake Weird State Weird State Exploitation: The Weird Machine Bug/ Vulnerability @sergeybratus @pati_gallardo 11

12. @pati_gallardo 12 There is an artiﬁcial line between security testing and other types of testing

13. @pati_gallardo 13 Vulnerabilities are Bugs

14. @pati_gallardo Culture @pati_gallardo 14

15. @pati_gallardo Looking for Zebras @pati_gallardo 15

16. @pati_gallardo “In medical school, you are taught that if, metaphorically, there is the sound of hoofbeats pounding towards you then it’s sensible to assume they come from horses not zebras [...] With House it’s the opposite. We are looking for zebras.” ‘Dr Lisa Sanders’ in ‘House M.D.’ @pati_gallardo 16

17. We tend to classify problems based on the problems we are used to. This stops us from understanding folks that deal with different classes of problems. @pati_gallardo 17

18. @pati_gallardo Cyneﬁn Framework by Dave Snowden @pati_gallardo 18

19. Cyneﬁn Framework by Dave Snowden https://cognitive-edge.com/blog/liminal-cyneﬁn-image-release/ 19

20. Complex Complicated ObviousChaotic Discover Engineer Stabilize Automate Fixing things Cyneﬁn Framework by Dave Snowden Crisis Emergent Novel Best Good 20

21. Cyneﬁn Framework by Dave Snowden DevOps Complex Complicated ObviousChaotic Probe Prototyping Analyze Development Auto Deploy Creativity Skill Automation Not critical Critical Incident Response 21

22. Complex Complicated ObviousChaotic Act Put out ﬁres Probe Analyze Auto Investigate Remediate Change Incident in Prod Cyneﬁn Framework by Dave Snowden 22

23. Complex Complicated ObviousChaotic Cyneﬁn Framework by Dave Snowden Security Act Fuzzing Probe Analyze Auto Debugging Exploit dev Metasploit 23

24. Complex Complicated ObviousChaotic Probe Making the Right System Analyze Making the System Right A/B Testing TDD Chaos Monkey Static Analysis Testing Cyneﬁn Framework by Dave Snowden 24

25. @pati_gallardo Dev[Sec]Ops @pati_gallardo 25

26. @pati_gallardo Coding Building Testing Manual Security Gate Keeping Monitoring Simpliﬁed Pre-DevOps Deployment Workﬂow @pati_gallardo But you have to get out of the Critical Path? 26

27. @pati_gallardo - We have no “Security Team” 1 security person per 10 ops people per 100 developers* *Accelerate, Forsgren PhD, Humble and Kim Manual security review does not scale @pati_gallardo 27

28. @pati_gallardo Coding IDE Plugins Static Analysis Building Testing Scanning Monitoring Alerts Dashboards Dynamic Analysis Dependency Checks Warnings Commit hooks Simulations Fuzzing @pati_gallardo 28

29. @pati_gallardo Risk Modeling 29

30. @pati_gallardo 30 Company Killer What are you really afraid of? What kind of event could put you out of business?

31. @pati_gallardo 31 Pre-mortem Your worst headline is in the newspaper, how did this happen?

32. @pati_gallardo External Entity Data Store Trust Boundary Data Flow Trust Boundary Trust Boundary Data Store Process Backend Process External Entity Browser/App Data Flow Data Flow Diagram Data Flow 32

33. @pati_gallardo Hacks 33

34. Tooling Incident Response Automation Auditability Security Reviews Manpower @pati_gallardo 34

35. 1. Live Off the Land 2. Have Devs Build It 3. Trunk-based Development 4. Use Existing Crisis Process 5. Automate as Much as Possible 6. Infrastructure as Code 6 Dev[Sec]Ops Hacks @pati_gallardo 35

37. @pati_gallardo Bootstrapping Tooling @pati_gallardo 37

38. Use your issue tracker Use your chat Use your monitoring Use your dashboards Integrate into your tools Live Off the Land @pati_gallardo Bootstrapping Tooling 38

41. Bootstrapping Manpower @pati_gallardo 41

42. Use the devs to build integrations Find ways to justify it Dual purpose: Stability and Security Have Devs Build It @pati_gallardo Bootstrapping Manpower 42

45. Bootstrapping Security Reviews @pati_gallardo 45

46. Trunk-based development Small commits Add security to peer-review Add threat modeling to peer-review Feature toggles Use feature toggles for A/B testing Bootstrapping Security Reviews Trunk-based Development 46@pati_gallardo

49. @pati_gallardo Bootstrapping Incident Response @pati_gallardo 49

50. Have a Hotline security@example.com https://example.com/.well-known/security.txt 50@pati_gallardo

51. External Vulnerability Report Flow Bug Report Vulnerability Report Social Media QA Security Marketing Triage No bug Bug Vulnerability 51@pati_gallardo

52. Use Existing Crisis Process for Incident Response 52@pati_gallardo

53. @pati_gallardo@pati_gallardo You Know How To Handle A Crisis 53

54. Separate priority in bug-tracker Separate channel in Slack Security Engineer side-duty Simple procedure How will people get paid in off-hours? Bootstrapping Incident Response Security Improvements to Existing Crisis Process 54@pati_gallardo

56. TurtleSec Tooling Incident Response Automation Auditability Security Reviews Manpower @pati_gallardo 56

57. @pati_gallardo Bootstrapping Automation @pati_gallardo 57

58. Add IDE plugins Add dependency scanner in CI/CD Add scanners in CI/CD Dynamic scan in a non-blocking pipeline All results in dev visualization Automate as Much as Possible Bootstrapping Automation 58@pati_gallardo

59. Coding IDE Plugins Static Analysis Building Testing Scanning Monitoring Alerts Dashboards Dynamic Analysis Dependency Checks Warnings Commit hooks Simulations Fuzzing 59@pati_gallardo

61. TurtleSec Tooling Incident Response Automation Auditability Security Reviews Manpower @pati_gallardo 61

62. @pati_gallardo Bootstrapping Auditability @pati_gallardo 62

63. Fully Automated Pipeline Conﬁguration Management Know what you’re running Auditable Bootstrapping Auditability Infrastructure as Code 63@pati_gallardo

65. @pati_gallardo Incremental Security @pati_gallardo 65

66. @pati_gallardo Teach everyone what to look for Use their Tooling and their Dashboards Fast, stable, automated tests in the Critical Path Use the existing Crisis Process for Incidents Have slower tests off the Critical Path Incremental, Layered, Security 66

67. @pati_gallardo Learn @pati_gallardo 67

68. Complex Complicated ObviousChaotic Act Put out ﬁres Probe Analyze Auto Investigate Remediate Change Incident in Prod Cyneﬁn Framework by Dave Snowden 68

69. 1. Preparation6. Lessons Learned 5. Recovery 4. Eradication 2. Identiﬁcation 3. Containment Phases of Incident Response¹ ¹Incident Handler’s Handbook, SANS Institute https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901 @pati_gallardo 69

70. 70 Practice “We don't rise to the level of our expectations, we fall to the level of our training.” Greek lyrical poet, Archilochus Accident or Breach? Does it matter? @pati_gallardo

71. @pati_gallardo Turtle Sec @pati_gallardo

72. Turtle Sec Questions? Photos from pixabay.com Patricia Aas, TurtleSec @pati_gallardo