
DevSecOps - Building Continuous Security Into IT & App Infrastructures



Security teams must adapt their controls to the growing use of DevOps practices such as cloud services, Continuous Integration and Continuous Deployment. Many are responding by delivering security as a service to the development pipeline, an approach known as DevSecOps.

In this webcast, SANS Senior Analyst John Pescatore joins Chris Carlson, VP Product Management for the Qualys Cloud Agent Platform, to discuss how DevSecOps helps security teams work with DevOps to embed continuous security into IT and application infrastructure, and how to get started and build a DevSecOps program for improved and automated auditing, compliance, and control of applications.

The presentation covers:
• How and why security teams are partnering with app developers and sysadmins to build continuous security capabilities that are embedded into the fabric of IT and application infrastructures
• The key elements of DevOps and modern cloud architecture models driving quality and rapid technical innovation, and how they successfully drive business value
• Why applying DevOps and cloud architecture models to security delivers business value such as lower overall risk, capital expense, and operating costs
• Methods to build DevSecOps into both cloud-first and cloud migration infrastructure deployments and achieve common business benefits in either environment
• The initial steps security teams can take right away to engage application and DevOps counterparts in DevSecOps, and milestones to achieve for quick wins with business value as well as control in active projects.
• Case studies on three industry leaders in how security is applied to DevOps to support secure digital transformation projects.


  1. DevSecOps - Building Continuous Security Into IT & App Infrastructures
     John Pescatore, SANS; Chris Carlson, Qualys

  2. Protecting Your Company From the Company It Keeps
     • Business is increasingly interconnected and interdependent via software
     • The bad guys have figured that out. So have the regulators
     • The "app cloud" exacerbates that trend, adding further levels of "parties"
     • Software security/quality is a key factor in business success

  3. What a Long Strange Trip It Has Been…
     "Sometimes the light's all shinin' on me, other times I can barely see."

  4. The Basics of Cyber Risks
     Risk = Threat x Vulnerability +/- Action
     • Vulnerabilities are at the center
     • Threat actors will act
     • Threat delivery continually evolves
     • The effectiveness and timeliness of the business's security action separates high loss from low loss: fewer vulnerabilities, faster mitigation action

  5. First there was DevOps
     • Amazon: "DevOps is the combination of cultural philosophies, practices, and tools that increases an organization's ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes."
     • Not really much new, but two key concepts: combine and faster

  6. So, What is SecOps?
     • SecOps: "Integrating security processes with IT acquisition, development, administration and operations practices to reduce vulnerabilities and more quickly mitigate exposures."
     • Overcoming people/organizational barriers
     • Integrating processes first, then tools and data flow

  7. SecOps – Continuous Processes
     Drivers: Threats, Regulations, Requirements, OTT Dictates
     Process stages: Policy, Baseline, Assess Risk, Mitigate, Shield, Eliminate Root Cause, Monitor/Report
     Activities: Discovery/Inventory, Security Configuration, Vuln Assessment/Pen Test
     Controls: FW/IPS, Anti-malware, NAC, Patch Management, Config Management, Change Management, Software Vuln Test, Training, Network Arch, Privilege Mgmt, SIEM, Security Analytics, Incident Response

  8. Delivering Security Efficiency and Effectiveness (the slide groups these under Efficiency and Effectiveness)
     • Decrease the cost of dealing with known threats
     • Decrease the impact of residual risks
     • Decrease the cost of demonstrating compliance
     • Reduce business damage due to security failures
     • Maintain the level of protection with less EBITDA impact
     • Increase the speed of dealing with a new threat or technology
     • Decrease the time required to secure a new business application, partner or supplier
     • Reduce incident cost: less downtime, fewer customer defections
     • Security as a competitive business factor

  9. Digital Transformation is driving Business + IT + Security

  10. Digital Transformation – Priorities
     #1 Engage Customers
     #2 Empower Employees
     #3 Optimize Operations
     #4 Transform Products & Enable New Business Models
     Source: leaders-believe-they-need-to-be-a-digital-business-to-succeed-microsoft-study/microsoft-digital-transformation-infographic-asia

  11. Digital Transformation – Barriers
     #1 Cyber Threats & Security Concerns
     #1 Lack of Digitally-Skilled Workforce
     #2 Lack of Supporting Government Policies and ICT Infrastructure
     #3 Uncertain Economic Environment
     #3 Lack of Leadership to Ideate, Plan, and Lead Digital Transformation Strategy

  12. Not a Challenge – An Opportunity!
     Business Transformation → IT Transformation → Security Transformation

  13. DevSecOps ≠ DevOps + Security

  14. If DevOps is about Speed, Agility, Automation…

  15. False Approach ~ False Start ~ Failure

  16. Security + DevOps = Revolt or Left Out?
     Source: flaming-torches/

  17. Food Safety is a Security Problem in the Manufacturing Pipeline
     Source: 90-tech-update-metal-detection-xray-inspection-

  18. Shift Time, Shift Technique, Shift Tools, Shift Approaches

  19. Shift Time
     It's not about doing the same things earlier…
     … but an opportunity to do different and better things earlier

  20. Case Study: Financial Services Mobile Wallet

  21. Qualys Case Study: Financial Services Mobile Wallet – Security Born in the Cloud
     DevOps practice → security outcome:
     1. New builds in AWS every 60 days → commercial/open source vulnerabilities are detected and fixed on the same release cadence
     2. Automated regression and test-driven development → automated regression finds patch issues faster
     3. Docker containers abstract applications from the OS → OS vulnerabilities are patched separately from applications

  22. Qualys Case Study: Financial Services Mobile Wallet

  23. Shift Techniques
     Instead of thinking like a security person – perimeter, gates, limiting access, closed…
     … think like a developer: Automation, API Integration, Continuous Visibility, Measure + Refine

  24. Qualys Case Study: One of the Largest Ecommerce Companies

  25. Qualys Case Study: One of the Largest Ecommerce Companies
     1. Shift Technique: tag vulnerable libraries in source control
        Apply Technique: prevent software check-ins that use vulnerable libraries
     2. Shift Technique: vulnerabilities in production are treated as defects
        Apply Technique: automatically open tickets for developers on security issues
     3. Shift Technique: open vulnerabilities are reported to business unit VPs
        Apply Technique: excessive remediation times are escalated to the CEO
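The first technique on slide 25 (tag vulnerable libraries in source control, then refuse check-ins that use them) as an added example; this is not code from the webcast, from Qualys, or from the ecommerce company in the case study. It models the gate as a script a CI job or pre-receive hook would run over a requirements.txt-style manifest. The blocklist, the package names, the version ranges and the manifest lines are all constructed for illustration; in practice the blocklist would be generated from the vulnerability scanner's output and kept alongside the source.

```python
"""Added example: a check-in gate that refuses a dependency manifest which pins
a library version tagged as vulnerable. Blocklist, packages and versions are
constructed for illustration and are not real advisories."""
import re
from typing import Dict, List, Tuple

# Constructed blocklist: package -> list of (first_vulnerable, first_fixed).
# A pinned version v is vulnerable if first_vulnerable <= v < first_fixed.
VULNERABLE_LIBS: Dict[str, List[Tuple[str, str]]] = {
    "examplelib": [("1.0.0", "1.4.2")],
    "jsonthing": [("0.9.0", "2.0.0"), ("2.3.0", "2.3.1")],
}

# Constructed manifest in requirements.txt style.
SAMPLE_MANIFEST = """
# web tier
examplelib==1.2.0
jsonthing==2.3.1
requests==2.31.0
leftpadpy>=1.0     # not pinned: cannot be verified, so it is flagged too
"""

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def version_key(v: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as
    strings ('1.10.0' must sort after '1.9.0')."""
    if not _VERSION_RE.match(v):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text: str) -> List[Tuple[str, str]]:
    """Return (name, pinned_version) pairs; an unpinned line yields version ''."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "==" in line:
            name, ver = (s.strip() for s in line.split("==", 1))
            deps.append((name.lower(), ver))
        else:
            name = re.split(r"[<>=~!]", line, 1)[0].strip()
            deps.append((name.lower(), ""))
    return deps


def is_vulnerable(name: str, version: str) -> bool:
    """True if the pinned version falls inside any tagged range for the package."""
    for first_bad, first_fixed in VULNERABLE_LIBS.get(name, []):
        if version_key(first_bad) <= version_key(version) < version_key(first_fixed):
            return True
    return False


def gate(manifest_text: str) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). The check-in is blocked when any dependency is
    tagged vulnerable or is unpinned: an unpinned dependency can resolve to a
    vulnerable release at build time, so it cannot be cleared by this check."""
    reasons = []
    for name, version in parse_manifest(manifest_text):
        if not version:
            reasons.append(f"{name}: unpinned, cannot verify against blocklist")
        elif is_vulnerable(name, version):
            reasons.append(f"{name}=={version}: tagged vulnerable")
    return (not reasons, reasons)


if __name__ == "__main__":
    allowed, why = gate(SAMPLE_MANIFEST)
    print("ALLOWED" if allowed else "BLOCKED")
    for r in why:
        print(" -", r)
```

Treating an unpinned dependency as a failure is the caveat worth carrying into a real gate: a range specifier passes today and silently pulls a tagged release tomorrow, so the check only means something when the manifest is fully pinned (or a lock file is scanned instead).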
  26. Shift Tools
     Find/implement the right tools for the DevOps processes…
     … but you may not need to procure new tools: look for APIs, integrations and self-service UIs, and collaborate with current vendors on your DevOps plans

  27. Qualys Case Study: Financial Investment Services

  28. Qualys Case Study: Financial Investment Services
     Challenge:
     • 400+ web apps in production
     • Web security assessment found a lot of "easily" mitigated app vulnerabilities
     • Hard for developers to fix security issues in production
     Solution:
     1. Integrated the production web security assessment tool into DevOps processes via API
     2. Automatically create Jira bugs for app development to fix XSS and SQL injection issues
     3. Continuously assess web apps in the dev process so issues are not re-introduced

  29. Integrate Production Security Tool into DevOps
     Pipeline: Selenium → Qualys WAS → Jira Issues
     Image source: games-and-mobile-web/
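The slide 28/29 integration, scan findings from a production web-app scanner turned into Jira bugs for the development team, as an added example. This is not the case study's code and does not use Qualys WAS's or Jira's client libraries: the finding fields (qid, type, url, param, severity) are an assumed export format, the findings and the list of already-open tickets are constructed, the Jira body follows the REST create-issue shape (project key, summary, description, issuetype) with an assumed project key "SEC", and the HTTP POST is left out so the example runs offline. The part the slide does not show is the deduplication: a continuous scan reports the same injection point on every run and with different payloads, and without a stable fingerprint the developers' backlog fills with duplicates.

```python
"""Added example: triage web-app scan findings into deduplicated Jira bug
payloads. Findings, ticket list, field names and project key are constructed
assumptions, not a real scanner or Jira schema."""
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Only these finding types become developer bugs (per the case study).
TICKETABLE = {"XSS", "SQLI"}

# Constructed scan export: the same XSS seen via two query strings, one SQLi
# already ticketed, one new SQLi, and one informational finding.
SAMPLE_FINDINGS: List[Dict] = [
    {"qid": 150001, "type": "XSS", "url": "https://app.example.test/search?q=1",
     "param": "q", "severity": 4},
    {"qid": 150001, "type": "XSS", "url": "https://app.example.test/search?q=2&page=3",
     "param": "q", "severity": 4},
    {"qid": 150003, "type": "SQLI", "url": "https://app.example.test/login",
     "param": "user", "severity": 5},
    {"qid": 150004, "type": "SQLI", "url": "https://app.example.test/report",
     "param": "id", "severity": 5},
    {"qid": 150010, "type": "INFO", "url": "https://app.example.test/",
     "param": "", "severity": 1},
]

# Constructed: fingerprints of bugs already open in Jira (e.g. from a labelled
# JQL search), so a re-scan does not file the same defect twice.
EXISTING_TICKETS: Dict[str, str] = {
    "SQLI|app.example.test|/login|user": "SEC-101",
}


def fingerprint(f: Dict) -> str:
    """Stable identity for a finding: type, host, path and parameter. The query
    string is dropped on purpose so the same injection point reported with
    different payload values collapses to one ticket."""
    u = urlsplit(f["url"])
    return f"{f['type']}|{u.netloc}|{u.path}|{f['param']}"


def jira_payload(f: Dict, project_key: str) -> Dict:
    """Body in the shape of POST /rest/api/2/issue (project key assumed)."""
    u = urlsplit(f["url"])
    return {
        "fields": {
            "project": {"key": project_key},
            "summary": f"[{f['type']}] {u.path} param '{f['param']}' (QID {f['qid']})",
            "description": (
                f"Scanner finding QID {f['qid']}, severity {f['severity']}\n"
                f"URL: {f['url']}\nParameter: {f['param']}\n"
                f"Fingerprint: {fingerprint(f)}"
            ),
            "issuetype": {"name": "Bug"},
            "labels": ["devsecops", "was"],
        }
    }


def triage(findings: List[Dict], existing: Dict[str, str],
           project_key: str = "SEC") -> Dict[str, List]:
    """Partition findings into payloads to create, findings that map to an
    already-open or already-batched ticket, and findings that are not ticketable."""
    to_create: List[Dict] = []
    duplicates: List[Tuple[str, str]] = []
    skipped: List[Dict] = []
    seen: Set[str] = set()
    for f in findings:
        if f["type"] not in TICKETABLE:
            skipped.append(f)
            continue
        fp = fingerprint(f)
        if fp in existing:
            duplicates.append((fp, existing[fp]))
        elif fp in seen:
            duplicates.append((fp, "(batched above)"))
        else:
            seen.add(fp)
            to_create.append(jira_payload(f, project_key))
    return {"create": to_create, "duplicate": duplicates, "skipped": skipped}


if __name__ == "__main__":
    result = triage(SAMPLE_FINDINGS, EXISTING_TICKETS)
    for p in result["create"]:
        print("CREATE:", p["fields"]["summary"])
    for fp, key in result["duplicate"]:
        print("DUP   :", fp, "->", key)
    print("skipped:", len(result["skipped"]))
```

Writing the fingerprint into the ticket description is what lets the next scan run match findings back to open tickets without a separate database; closing a ticket whose fingerprint no longer appears in a scan is the reverse half of "vulnerabilities in production are treated as defects".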
  30. How can you get started?

  31. Next Week
     • Take an accounting of current security tools: are they DevOps friendly, with APIs, automation or self-service UIs?
     • Identify development teams using DevOps; engage and discuss DevSecOps
     • Visible vs. safe project
     • Cloud vs. on-premise
     Next Quarter
     • Integrate security tools into one development lifecycle
     • Security process(es) to overcome tool integration gaps
     • Measure outcomes: number of vulnerabilities identified/fixed before release
     • Host a vendor summit: present your project roadmap and evangelize DevSecOps
     Next 6 Months
     • Consolidate / select new security tool sets ($$ savings)
     • Implement self-service and API-based DevSecOps programs
     • Expand to more projects (foundational)
     • Present at conferences and user groups on DevSecOps

  32. Resources
     • SANS
     • SAFECode
     • SANS Difference Makers
     • Qualys
     • Questions: @John_Pescatore, @Qualys

  33. Acknowledgements
     Thanks to our sponsor, and also to our speakers and attendees. Thank you for joining us today.
     © 2017 The SANS™ Institute