
SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOps by Thomas Konrad

Target Audience: Everyone involved in software development (developers, team leaders, CISOs in software-oriented companies)
Focus: technical
Talk language: English

Abstract
*********
Let’s face it: There is no such thing as a big-bang launch any more. We all want to be agile and react quickly to the wishes and demands of our customers in software development. The downside of this approach is that security has a hard time keeping pace, thereby often being completely neglected. That’s why we need to bridge the gap between security and agility. In this talk, we’ll have a look at how security can become an integral part of the development process, and more than just a penetration test at the end. We’ll see how we can overcome immediate pain and get strategic focus in software security.

About the Speaker:
*********************
Thomas Konrad is Principal Security Consultant at SBA Research and has been part of the software security team since 2010. He focuses on secure software development, web application security, penetration testing, secure software design, architecture, and process, and trains software development teams in those areas.


Slide 1: Welcome to the SBA Live Academy
Classification: Public
#bleibdaheim #remotelearning
Today: Software Security – Towards a Mature Lifecycle and DevSecOps by Thomas Konrad
This talk will be recorded as soon as the presentation starts! Recording will end BEFORE the Q&A Session starts. Please be sure to turn off your video in your control panel.

Slide 2: $ whoami
Thomas Konrad
$ id
uid=123(tom) gid=0(SBA Research) gid=1(Vienna, Austria) gid=2(Software Security) gid=3(Penetration Testing) gid=4(Software Development) gid=5(Security Training) gid=6(sec4dev Conference & Bootcamp)
SBA Research gGmbH, 2020

Slide 3: (Photo by Quino Al on Unsplash)

Slide 4: (Photo by NASA on Unsplash)

Slide 5: (Photo by Braden Collum on Unsplash)

Slide 6: Security Costs Money, Right?
Perspectives on (software) security.

Slide 7: Time Is Money

Slide 8: Risk vs. Security Controls
(Chart labels: SQLi, XSS, CSRF, User Account Security, Access Control, XXE, Deserialization, Components with Vulns, TLS, Logging, Crypto)

Slide 9: So You Want More Money?
No. I want to use the limited resources more efficiently.
(Photo by Fabian Blank on Unsplash)

Slide 10: Gartner Application Security Hype Cycle

Slide 11: Solution Approaches
Steps towards the future of software security.

Slide 12: We need to shift security left in the software development lifecycle.
(Photo by Suzanne D. Williams on Unsplash)

Slide 13: Backwards Security Integration
  • How can I recover?
  • How do I react?
  • How do I identify problems?
  • How do I protect?
  • What do I have to protect and why?
(Stages shown in the diagram: Ad-hoc security integration, Security test before go-live, Incident / CISO intervention)

Slide 14: Shifting Left
Image source: https://www.cigital.com/blog/what-is-the-secure-software-development-lifecycle/

Slide 15: Threat Model Example: Account Security
Threat modeling as part of the design process

Threat                                                      | Severity¹ | C/I/A | Countermeasures
------------------------------------------------------------|-----------|-------|----------------------------------------------------------------------------------------------------------
Password guessing                                           | High      | C/I/- | (Temporary) user lockout, password policy, MFA, transparency (device lists and notifications, with Device Tokens)
Account lockout                                             | Medium    | -/-/A | Selective lockout (with Device Tokens)
Misuse of known passwords (public lists, other apps, ...)   | Medium    | C/I/- | MFA
Someone dumps the DB on the Internet                        | Medium    | C/I/- | Proper hashes (Argon2)
Enumerating valid user names                                | Low       | C/-/- | Generic error messages, constant timing on all requests containing the user name

¹ The severity really depends on the classification of your data. Don’t see them as absolute and unchangeable values.
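As an added example that is not part of the slides, the following login routine wires the countermeasures from the table above together: one generic error message for every failure cause, the same password-hashing work for unknown and known user names (so response time does not reveal whether a name exists), a temporary lockout after repeated failures, and a slow salted hash. hashlib.scrypt from the standard library stands in for the Argon2 the slide recommends; the thresholds, the in-memory user store and the sample user are assumptions, and the device-token-based selective lockout is not modelled.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Tuning values are assumptions for this example, not recommendations from the talk.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # stdlib stand-in for Argon2
LOCKOUT_THRESHOLD = 5                               # failures before temporary lockout
LOCKOUT_SECONDS = 15 * 60
GENERIC_ERROR = "Invalid user name or password."    # identical for every failure cause

def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0
# Decoy record: unknown names are verified against it, so they cost the same hashing work.
_DECOY = Account(*hash_password(os.urandom(16).hex()))

class AccountService:
    def __init__(self, clock=time.monotonic):
        self.clock = clock      # injectable so tests can freeze time
        self.users = {}         # constructed in-memory store, stands in for the DB

    def register(self, name, password):
        self.users[name] = Account(*hash_password(password))

    def login(self, name, password):
        """Returns (success, message); the message never says *why* a login failed."""
        now = self.clock()
        acct = self.users.get(name, _DECOY)
        # Always pay the hashing cost, even for unknown or locked accounts.
        _, candidate = hash_password(password, acct.salt)
        password_ok = hmac.compare_digest(candidate, acct.digest)
        if acct is _DECOY or acct.locked_until > now:
            return False, GENERIC_ERROR
        if not password_ok:
            acct.failures += 1
            if acct.failures >= LOCKOUT_THRESHOLD:   # temporary, not permanent, lockout
                acct.failures = 0
                acct.locked_until = now + LOCKOUT_SECONDS
            return False, GENERIC_ERROR
        acct.failures = 0
        return True, "OK"
```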
Slide 16: We need to bridge the gap between security and agility.
(Photo by Sonja Guina on Unsplash)

Slide 17: What is DevSecOps?
DevSecOps is thinking about security from the start.
Source: https://www.redhat.com/en/topics/devops/what-is-devsecops, 2018 State of DevOps Report

Slide 18: What is DevSecOps?
DevSecOps is security automation and measurement.
Source: https://www.redhat.com/en/topics/devops/what-is-devsecops, 2018 State of DevOps Report

Slide 19: What is DevSecOps?
DevSecOps is sharing between teams.
Source: https://www.redhat.com/en/topics/devops/what-is-devsecops, 2018 State of DevOps Report

Slide 20: What is DevSecOps?
DevSecOps is evolving from immediate pain to strategic focus.
Source: https://www.redhat.com/en/topics/devops/what-is-devsecops, 2018 State of DevOps Report

Slide 21: “Are security teams involved in technology design and deployment?”
Team respondents: Yes 39%, No 61%
C-Suite respondents: Yes 64%, No 36%
Source: 2018 State of DevOps Report, Puppet + Splunk

Slide 22: How To Make DevSecOps Work #1: Start with simplification.
  • Tool re-use is easier in a common tech stack.
  • More flexibility for dev staff to work on different projects.
  • Fewer moving parts to maintain, upgrade, learn.
Partially taken from the 2018 State of DevOps Report by Puppet + Splunk

Slide 23: How To Make DevSecOps Work #2: Push existing pockets of success.
  • Give a well-working team resources to build security automation.
  • Advertise to others how this buys them time to do more fun stuff.
  • Make source code available to other teams.
Partially taken from the 2018 State of DevOps Report by Puppet + Splunk

Slide 24: How To Make DevSecOps Work #3: Offer self-service security tools.
  • A dedicated, cross-project, well-integrated team for security automation.
  • Pick people with good social skills.
  • Get external help where necessary.
Partially taken from the 2018 State of DevOps Report by Puppet + Splunk

Slide 25: How To Make DevSecOps Work #4: Work with both empowerment and accountability.
  • Mutually reinforcing DevSecOps pillars of automation and measurement.
  • Build dashboards with performance indicators.
  • Play it open.
Partially taken from the 2018 State of DevOps Report by Puppet + Splunk

Slide 26: How To Make DevSecOps Work #5: Create and promote a culture of continuous learning.
  • Understanding security means understanding technology in detail.
  • Make teams work together in new ways.
  • Stop the blaming culture.
  • Offer security training.
Partially taken from the 2018 State of DevOps Report by Puppet + Splunk

Slide 27: Let’s face it: You are not going to fix your company’s culture overnight. Take your time but be dedicated.
(Photo by Les Anderson on Unsplash)

Slide 28: Skill Levels of a Developer
  1. Write messy, insecure code
  2. Write clean code
  3. Write testable code
     1. High cohesion
     2. Loose coupling
  4. Write actual tests
  5. Hack your own code
  6. Write secure code

Slide 29: (no text content)

Slide 30: Which Types Of Test?
  • Write a simple integration test!
  • For functional and unit tests, test the right parts.

Slide 31: What Shall I Automate First?
  1. Upon every push
     1. Test for known vulnerabilities in external libraries and frameworks.
     2. Scan your containers for known vulnerabilities.
  2. On a regular basis
     1. Scan your infrastructure.
     2. Do SAST / IAST / DAST.

Slide 32: Dynamic Tests: Known-Good Requests
(Flow diagram) GET /profile/profile-picture?thumbnail-width=200 → Input Validation → Original or scaled? → Read from filesystem / Ask scaling microservice
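As an added example that is not part of the slides, here is the request from this slide run through a small stand-in for the web layer: the width parameter is validated before either branch (read from filesystem, ask the scaling microservice) is taken, and a dynamic test checks that the known-good requests still get a 200 while malformed variants become clean 400s rather than errors deeper in the stack. The route handling, the width bounds and the sample requests are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

MIN_WIDTH, MAX_WIDTH = 16, 1024              # assumed bounds for this example
WIDTH_RE = re.compile(r"[0-9]{1,6}")         # ASCII digits only: str.isdigit() also accepts "²"

def validate_width(values):
    """values is the parse_qs list for thumbnail-width, or None when absent.
    Returns an int, None for 'no scaling', or raises ValueError."""
    if values is None:
        return None
    if len(values) != 1:                     # duplicated parameter: ambiguous, reject
        raise ValueError("thumbnail-width given more than once")
    if not WIDTH_RE.fullmatch(values[0]):    # rejects "-1", "200px", "1e3", " 200", ""
        raise ValueError("thumbnail-width must be a positive integer")
    width = int(values[0])
    if not MIN_WIDTH <= width <= MAX_WIDTH:
        raise ValueError(f"thumbnail-width must be between {MIN_WIDTH} and {MAX_WIDTH}")
    return width

def handle(request_line):
    """Stand-in for the web layer: 'GET /path?query' -> (status, body)."""
    method, target = request_line.split(" ", 1)
    url = urlsplit(target)
    if method != "GET" or url.path != "/profile/profile-picture":
        return 404, "not found"
    params = parse_qs(url.query, keep_blank_values=True)  # so "?thumbnail-width=" is seen
    try:
        width = validate_width(params.get("thumbnail-width"))
    except ValueError as exc:
        return 400, str(exc)                 # clean 400 from validation, never a 500 deeper down
    if width is None:
        return 200, "filesystem:original"    # original picture, read from the filesystem
    return 200, f"scaler:{width}"            # scaled picture, request to the scaling microservice

# Constructed request samples: known-good is the contract legitimate clients rely on,
# known-bad are the variants a dynamic scanner would send.
KNOWN_GOOD = ["GET /profile/profile-picture?thumbnail-width=200",
              "GET /profile/profile-picture"]
KNOWN_BAD = ["GET /profile/profile-picture?thumbnail-width=-1",
             "GET /profile/profile-picture?thumbnail-width=99999",
             "GET /profile/profile-picture?thumbnail-width=200px",
             "GET /profile/profile-picture?thumbnail-width=",
             "GET /profile/profile-picture?thumbnail-width=200&thumbnail-width=300"]

def dynamic_test():
    """Returns (good requests that broke, bad requests that got through); both should be empty."""
    broken_good = [r for r in KNOWN_GOOD if handle(r)[0] != 200]
    accepted_bad = [r for r in KNOWN_BAD if handle(r)[0] != 400]
    return broken_good, accepted_bad
```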
Slide 33: Results Are Just Symptoms
  • Repeatedly fixing the same vulnerabilities?
    o Consider changing the architecture and technology!
    o Update common requirements!
    o Update architecture recommendations!
    o Add it to the threat model!
    o Update secure coding guidelines!
    o Implement a test in the common test suite!
    o Talk about it!
  • Selective fixes are just security painkillers!

Slide 34: What Performance Indicators Shall I Collect?
  • Number of vulnerabilities/LoC over time
  • Time to fix
  • Number of security-related tickets/LoC
  • ...
Make sure the numbers are contextually specific!

Slide 35: There will be vulnerabilities and there will be attacks. The question is how we deal with them.
(Photo by Austin Distel on Unsplash)

Slide 36: Key Takeaways
Steps you can do to push yourself forward.

Slide 37: Key Takeaways, 1/2
  • DevSecOps is a culture thing, and culture things take time.
  • It’s all about integrating security earlier.
  • Security is hard. Consider that when assigning roles.
  • The difference between a good team and a bad team is how they deal with difficult situations.

Slide 38: Key Takeaways, 2/2
  • Steps towards DevSecOps
    o #1: Start with simplification.
    o #2: Push existing pockets of success.
    o #3: Offer self-service security tools.
    o #4: Work with both empowerment and accountability.
    o #5: Create and promote a culture of continuous learning.

Slide 39:
Thomas Konrad
SBA Research gGmbH
Floragasse 7, 1040 Wien
+43 664 889 272 17
tkonrad@sba-research.org
Twitter: @_thomaskonrad

Slide 40: SBA Research
Professional Services: Penetration Testing | Architecture Reviews | Security Audit | Security Trainings | Incident Response Readiness | ISMS & ISO 27001 Consulting
Applied Research (Bridging Science and Industry): Industrial Security | IIoT Security | Mathematics for Security Research | Machine Learning | Blockchain | Network Security | Sustainable Software Systems | Usable Security
Knowledge Transfer: SBA Live Academy | sec4dev | Trainings | Events | Teaching | sbaPRIME
Contact us: anfragen@sba-research.org

Slide 41: #stayhome #remotelearning
Coming up @ SBA Live Academy: April 14, 5 pm CET, live: „Passwords: Policy and Storage with NIST SP800-63b“ by Jim Manico!
Join our MeetUp Group! https://www.meetup.com/Security-Meetup-by-SBA-Research/
