RSAC 2019 - Security Learns to Sprint; DevSecOps


This talk will argue that DevOps could be the best thing to happen to application security since OWASP, if developers and operations teams are enabled to make security a part of their everyday work. With a ratio of 100/10/1 for Development, Operations and Security, security now needs to concentrate on creating tools, processes and opportunities for dev and ops that result in more-secure products, instead of trying to do it all themselves as they did in days past. We must build security into each of “The Three Ways”: automating or improving the efficiency of all security activities so that we don’t slow down developers, speeding up feedback loops for security-related activities so that we fix bugs faster and sooner, and providing continuous learning opportunities in relation to security, for both teams. Security can no longer be a gate or stumbling block, and ‘adding security in’ can no longer be used as a justification for project delays. If developers are sprinting, then we need to sprint too. So put on your running shoes; it’s time for DevSecOps!

Published in: Technology

  1. #RSAC SESSION ID: Tanya Janca, Security Learns to Sprint: DevSecOps. Senior Cloud Developer Advocate, Microsoft. @SheHacksPurple
  2. What are we going to talk about today? DevOps
  3. What are we going to talk about today? Security becoming a part of DevOps.
  4. What are we going to talk about today? DevSecOps
  5. How some security people see DevOps. Slide Credit: Pete Cheslock
  6. How I see DevOps: DevSecOps. Slide Credit: DevSecCon
  7. This is me. AKA: @SheHacksPurple. I’m Tanya Janca.
  8. This is me. I’m a Senior Cloud Developer Advocate at: What does THAT mean?
  9. This is me. I’m a Senior Cloud Developer Advocate. I work to make security features easier to use. I help developers use our products more securely. I provide feedback from the community to internal teams, so they can make our products more secure. I do security research and share it with the community: security research such as this presentation, OWASP DevSlop, and much more.
  10. This is me. Application Security Evangelist
  11. This is me. Application Security Evangelist
  12. This is me. I’m obsessed with OWASP! Open Web Application Security Project: an international non-profit that operates chapters, projects and conferences all over the globe, in an effort to help everyone create more secure software.
  13. This is me. Founder and Leader of WIST Ottawa! Women In Security and Technology
  14. This is me. Software Developer (since the late 90’s). That’s over 20 years! AHHHHHHHHHHHH!
  15. This is me. Goal: to change the way we make software so that the easiest way to do something is also the most secure way. Photo: DevSecCon, Singapore, 2018
  16. Let’s do this.
  17. Introduction: Application Security
  18. (image only)
  19. Poor AppSec is a Problem! Poor AppSec causes roughly 29-40% of breaches. Source: Verizon Data Breach Investigations Report (DBIR), 2016 and 2017.
  20. Application Security Missing! AppSec is not covered in most post-secondary Comp-Sci and Soft-Eng programs, and when it is, it’s often an afterthought.
  21. Security is Outnumbered! Photo: #WOCTechChat
  22. Security is Outnumbered! Dev / Ops / Sec = 100 / 10 / 1
  23. Waterfall Never Worked Well. And the accompanying security model was much, much worse. Photo: Winged Beast
  24. What IS DevSecOps? “Performing AppSec in a DevOps culture.” - Imran A Mohammed
  25. DevOps: The Main Goals
  26. Improved Deployment Frequency. Security emergencies can be fixed NOW.
  27. Lower Failure Rates. Resiliency
  28. (image only)
  29. Lower Failure Rates. Resiliency = Confidentiality + Integrity + Availability
  30. Faster Time to Market. Security doesn’t win if the business doesn’t also win.
  31. “DevOps is the best thing to happen to Application Security since OWASP.” - Tanya Janca
  32. DevOps: The Three Ways
  33. Left -> Right = speed
  34. Requirements -> Design -> Code -> Testing -> Release
  35. What does this mean for Dev & Ops? Photo: #WOCTechChat
  36. What does this mean for Dev & Ops? The “Photo” Slide, #1 (https://aka.ms/learn-to-sprint-RSA):
     • Assisting in tuning SAST and DAST tools
     • Reusing known-good code
     • Using up-to-date images
     • Using the security pipeline
     • Making negative unit tests
     • Severe security bugs break the build
     • We cannot do it without them on board
  37. What does this mean for Security? Ensure Dev and Ops are not waiting on you. We CANNOT be a bottleneck. Make processes that WORK. Photo: #WOCTechChat
  38. What does this mean for Security? Breaking security activities into smaller pieces. Photo: #WOCTechChat
  39. What does this mean for Security? The “Photo” Slide, #2 (https://aka.ms/learn-to-sprint-RSA):
     • Ensure Dev & Ops are not waiting on you
     • Tuning security tools so they do not produce false positives
     • Breaking security activities into smaller pieces so that they fit into the “sprints”
     • Make processes that work, and match pace
     • Providing secure templates and code samples that are known-secure (a secure code library)
  40. What does this mean for Security? Create a parallel security pipeline, for more in-depth testing. Photo: #WOCTechChat
  41. What does this mean for Security? Write your own code libraries, for your business’ specific needs. Photo: #WOCTechChat
  42. What does this mean for Security? The “Photo” Slide, #3 (https://aka.ms/learn-to-sprint-RSA):
     • Create a security pipeline
     • Buy licenses for dev and ops for sec tools
     • This does not mean doing 100% of the work yourself; it means making it possible for Dev & Ops to perform security as part of their daily work
     • Writing your own tools and libraries; see Repokid from Netflix
     • Enable Dev and Ops, in every way you can
  43. Faster Feedback. Right -> Left = Feedback
  44. Faster Feedback = Pushing Left! Requirements, Design, Code, Testing, Release
  45. DevOps and the “Shift Left” principle. The cost of fixing quality and security issues rises significantly as the development cycle advances (Source: Ponemon Institute Research):
     Coding: $80/defect
     Build: $240/defect
     QA & Security: $960/defect
     Production: $7,600/defect
  46. What does this mean for Dev & Ops? Providing feedback to the security team about what they are concerned about. The security team listening and taking action. Participating in security activities. Photo: #WOCTechChat
  47. What does this mean for Security? Providing feedback earlier, and more often. Pushing Left. Photo: #WOCTechChat
  48. Side Tangent: The SecDevOpronomicon
  49. What else does this mean for Security? Photo: #WOCTechChat
  50. What does this mean for Security? The “Photo” Slide, #4:
     • Automate as much as humanly possible, then teach dev and ops to understand the results
     • Tune the tools, so they don’t waste anyone’s time
     • Add security into each phase of the SDLC, including requirements and design
     • Insist that the build breaks if a large security vulnerability is introduced; security is a part of quality
     • Rename functions you want to phase out
     • Check out Netflix’s Repokid!
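The "tune the tools" and "break the build" points above, as an added example that is not code from the talk: a small CI gate that reads scanner output, drops findings that security has already triaged as false positives, and returns a non-zero exit code when anything at or above the configured severity remains. The findings format, the triage-file format, the file names and the rule names are all constructed for illustration; a real gate would parse the SARIF or JSON that your SAST/DAST tool actually emits. The `fail_at` threshold starts at critical and is lowered to high and then medium over time, which is the rollout the deck's closing slide prescribes.

```python
"""CI build gate: fail the build on findings at or above a severity
threshold, after dropping findings that security has triaged as false
positives. Added example, not code from the talk; the scanner output and
triage file formats are constructed (real SAST/DAST tools emit SARIF or
their own JSON, which would be parsed in load_findings)."""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scanner output (simplified).
SAMPLE_SCAN = json.dumps({"findings": [
    {"id": "F-1", "rule": "sql-injection", "severity": "critical", "file": "app/db.py", "line": 42},
    {"id": "F-2", "rule": "weak-hash", "severity": "high", "file": "app/auth.py", "line": 17},
    {"id": "F-3", "rule": "debug-enabled", "severity": "medium", "file": "app/settings.py", "line": 3},
    {"id": "F-4", "rule": "weak-hash", "severity": "high", "file": "tests/fixtures.py", "line": 9},
]})

# Constructed triage file: findings security reviewed and suppressed. Requiring an
# owner and a reason keeps the tuning auditable instead of a silent allowlist.
SAMPLE_SUPPRESSIONS = json.dumps({"suppressions": [
    {"rule": "weak-hash", "file": "tests/fixtures.py",
     "reason": "MD5 of a test fixture, not a credential", "owner": "appsec"},
]})


@dataclass(frozen=True)
class Finding:
    id: str
    rule: str
    severity: str
    file: str
    line: int


def load_findings(raw_json: str) -> list[Finding]:
    """Parse scanner output. An unknown severity is an error, not 'info':
    a tool upgrade that renames its levels must not silently disarm the gate."""
    findings = []
    for f in json.loads(raw_json)["findings"]:
        sev = str(f["severity"]).lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"finding {f['id']}: unknown severity {f['severity']!r}")
        findings.append(Finding(f["id"], f["rule"], sev, f["file"], int(f["line"])))
    return findings


def load_suppressions(raw_json: str) -> set[tuple[str, str]]:
    """Suppressions keyed by (rule, file); entries without owner and reason are ignored."""
    return {(s["rule"], s["file"]) for s in json.loads(raw_json)["suppressions"]
            if s.get("owner") and s.get("reason")}


def evaluate(findings, suppressions, fail_at: str = "critical") -> dict:
    """Split findings into blocking (>= threshold), suppressed, and reported-only."""
    if fail_at not in SEVERITY_RANK:
        raise ValueError(f"unknown threshold {fail_at!r}")
    threshold = SEVERITY_RANK[fail_at]
    result = {"blocking": [], "suppressed": [], "reported": []}
    for f in findings:
        if (f.rule, f.file) in suppressions:
            result["suppressed"].append(f)
        elif SEVERITY_RANK[f.severity] >= threshold:
            result["blocking"].append(f)
        else:
            result["reported"].append(f)
    result["passed"] = not result["blocking"]
    return result


def severity_counts(findings) -> dict[str, int]:
    """Per-severity totals, the raw number a metrics dashboard trends over time."""
    counts = dict.fromkeys(SEVERITY_RANK, 0)
    for f in findings:
        counts[f.severity] += 1
    return counts


def gate(scan_json: str, suppression_json: str, fail_at: str = "critical") -> int:
    """Return the CI exit code: 0 lets the build continue, 1 breaks it."""
    findings = load_findings(scan_json)
    result = evaluate(findings, load_suppressions(suppression_json), fail_at)
    for f in result["blocking"]:
        print(f"BLOCK {f.severity:<8} {f.rule:<16} {f.file}:{f.line} ({f.id})")
    for f in result["reported"]:
        print(f"WARN  {f.severity:<8} {f.rule:<16} {f.file}:{f.line} ({f.id})")
    print(f"threshold={fail_at} suppressed={len(result['suppressed'])} "
          f"counts={severity_counts(findings)} passed={result['passed']}")
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    # Ratchet the threshold down over time: critical first, then high, then medium.
    sys.exit(gate(SAMPLE_SCAN, SAMPLE_SUPPRESSIONS, fail_at="critical"))
```

Wire `gate(...)` into the pipeline step that runs after the scan. Keeping the suppression file in the repository means every change to it goes through code review, which is where the tuning conversation between security, dev and ops actually happens; the per-severity counts it prints are the numbers worth feeding to a trend dashboard.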
  51. What does this mean for Security? Positive testing determines that your application works as expected; if an error is encountered during positive testing, the test fails. Negative testing ensures that your application can gracefully handle invalid input or unexpected user behavior. Photo: #WOCTechChat
  52. What does this mean for Security? Inviting Dev and Ops to participate in security activities: incidents, threat modelling, security sprints, etc. Photo: #WOCTechChat
  53. What does this mean for Security? Use metrics to track trends. Create unit tests out of PenTest results. Photo: #WOCTechChat
  54. What does this mean for Security? The “Photo” Slide, #5 (https://aka.ms/learn-to-sprint-RSA):
     • If a PenTest is done, check all apps for those vulns
     • Use tools like OWASP DefectDojo to provide feedback on metrics and trends to Dev & Ops
     • Invite Dev & Ops to participate in security activities, for feedback and teaching
     • Don’t be afraid to try new things and get creative; writing your own tools is likely to provide your best results
     • Add negative use cases as unit tests, not just positive use cases (Morgan Roman, @Hackimedes)
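Negative unit tests derived from positive ones, and regression tests transcribed from pentest findings, as an added example that is not code from the talk or from Morgan Roman's work: a download-path resolver with its positive cases, the negative cases obtained by changing one thing in each positive case, and traversal payloads copied from a constructed pentest finding. The naive "before" implementation, the download root, the file names and the finding ID are all hypothetical. `run_cases` runs the same test sets against either implementation, so the negative tests can be seen passing the positive cases against the naive version while catching every way it lets a caller out of the download directory.

```python
"""Positive and negative unit tests for a file-download path resolver.
Added example, not code from the talk. The download root, the naive
'before' implementation and the pentest finding used for regression
cases are constructed for illustration."""
from __future__ import annotations

import re
from pathlib import PurePosixPath
from urllib.parse import unquote

DOWNLOAD_ROOT = PurePosixPath("/srv/app/downloads")   # hypothetical directory
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")  # allowlist; no leading dot, no separators


class InvalidFilename(ValueError):
    """Raised for any name the resolver refuses; the caller answers 400, not 500."""


def resolve_download_naive(name: str) -> PurePosixPath:
    """Hypothetical 'before' code: decode and join. Every positive test passes,
    and every negative test below slips through (traversal, absolute path, NUL, dotfile)."""
    return DOWNLOAD_ROOT / unquote(name)


def resolve_download(name: str) -> PurePosixPath:
    """Hardened: decode exactly once, then allowlist. Anything that is not a plain
    file name is rejected rather than normalised, so encoded, double-encoded and
    backslash variants all fail the same check."""
    decoded = unquote(name)
    if not decoded or "\x00" in decoded:
        raise InvalidFilename("empty name or NUL byte")
    if not SAFE_NAME.fullmatch(decoded):
        raise InvalidFilename(f"{decoded!r} is not a plain file name")
    return DOWNLOAD_ROOT / decoded


# Positive cases: the behaviour the feature was written for.
POSITIVE_CASES = {
    "report.pdf": DOWNLOAD_ROOT / "report.pdf",
    "Q1-summary_v2.csv": DOWNLOAD_ROOT / "Q1-summary_v2.csv",
    "2019_rsac.pptx": DOWNLOAD_ROOT / "2019_rsac.pptx",
}

# Negative cases: each derived from a positive case by changing one thing.
NEGATIVE_CASES = {
    "": "empty name",
    "../report.pdf": "parent-directory traversal",
    "report.pdf/../../etc/passwd": "traversal behind a valid-looking prefix",
    "/etc/passwd": "absolute path replaces the root when joined",
    "..\\report.pdf": "backslash traversal",
    "report.pdf\x00.txt": "NUL byte truncation",
    ".htaccess": "hidden file",
}

# Regression cases transcribed from a constructed pentest finding (hypothetical
# ID PT-2019-007): traversal succeeded with URL-encoded and double-encoded dots.
PENTEST_REGRESSIONS = {
    "..%2F..%2F..%2Fetc%2Fpasswd": "PT-2019-007: URL-encoded traversal",
    "%2e%2e/%2e%2e/etc/passwd": "PT-2019-007: encoded dots",
    "%252e%252e%252fetc%252fpasswd": "PT-2019-007: double-encoded traversal",
}


def run_cases(resolver=resolve_download) -> dict[str, list[str]]:
    """Run both test sets against a resolver and return what failed.
    Two empty lists mean the resolver handles every listed case correctly."""
    failures: dict[str, list[str]] = {"positive": [], "negative": []}
    for name, expected in POSITIVE_CASES.items():
        try:
            if resolver(name) != expected:
                failures["positive"].append(f"{name!r}: wrong path")
        except InvalidFilename as exc:
            failures["positive"].append(f"{name!r}: rejected ({exc})")
    for name, why in {**NEGATIVE_CASES, **PENTEST_REGRESSIONS}.items():
        try:
            resolver(name)
        except InvalidFilename:
            continue  # rejected, which is the expected outcome for a negative case
        failures["negative"].append(f"{name!r} accepted: {why}")
    return failures


if __name__ == "__main__":
    for label, fn in (("naive", resolve_download_naive), ("hardened", resolve_download)):
        result = run_cases(fn)
        print(f"{label}: {len(result['positive'])} positive failures, "
              f"{len(result['negative'])} negative failures")
        for line in result["negative"]:
            print("   ", line)
```

The pentest block is the part worth copying: when a tester reports a working payload, the payload goes into the suite verbatim, alongside the encoded variants the tester did not try, and the same three lines can then be pointed at every other application that has a download endpoint, which is the "check all apps for those vulns" bullet above.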
  55. Continuous Learning. Full Circle
  56. What does this mean for Dev & Ops? Photo: #WOCTechChat
  57. What does this mean for Security? Photo: #WOCTechChat
  58. What does this mean for Security? Photo: #WOCTechChat
  59. What does this mean for Security? The “Photo” Slide, #6 (https://aka.ms/learn-to-sprint-RSA):
     • Offer security training to Dev & Ops. Pay for it.
     • Share information widely when you fix or find new security issues
     • Run security exercises or incident simulations
     • Provide and analyze metrics from security testing; look for patterns or systemic issues
     • Check out Netflix Chaos Monkey
     • Never forget that your focus is to enable Dev and Ops to get their jobs done, securely
  60. What does this mean for Security? Photo: #WOCTechChat
  61. What does this mean for Security? Photo: #WOCTechChat
  62. What does this mean for Security? The “Photo” Slide, #7 (https://aka.ms/learn-to-sprint-RSA):
     • Share information widely when you fix something
     • EVERYTHING goes into a knowledge base
     • Ensure you perform blameless post mortems
     • Talk about security incidents after they are over
     • Teach developers and ops what the output from security tools actually means
     • Create formal lessons and learning opportunities: lunch and learns, white papers, formal training, job shadowing
  63. Security becoming a part of DevOps. Culture Change!
  64. Reinforce Culture Change: Celebrate Security Wins. Photo: #WOCTechChat
  65. Reinforce Culture Change: Work More Closely: Security + Dev + Ops. Photo: #WOCTechChat
  66. Reinforce Culture Change: No More Blaming. Photo: #WOCTechChat
  67. Reinforce Culture Change: Create Security Champions. Photo: #WOCTechChat
  68. Call To Action
  69. Conclusion: We got this.
  70. What we learned today: AppSec + DevOps = DevSecOps; Security Learning Opportunities; Prioritization of Security Throughout the SDLC; Faster Security Feedback; Speeding Up Security Activities
  71. Apply What You Have Learned Today
     Next week you should:
     – Add security verification to CI/CD pipelines
     – Critical security bugs break the build
     In the first three months following this presentation you should:
     – Create negative unit tests from existing positive unit tests
     – Lessons on the top 3 security bugs
     – High security bugs break the build
     Within six months you should:
     – Regular lessons on AppSec, including a security exercise or simulation
     – Improvements of security processes for speed and removal of obstacles
     – Creation of a parallel security pipeline
     – Medium security bugs break the build
  72. Resources: OWASP DevSlop Has Your Back! https://www.owasp.org/index.php/OWASP_DevSlop_Project and DevSlop.co
  73. Resources: The Microsoft DevOps Journey https://stories.visualstudio.com/
  74. Resources: Links for Getting Started in Application Security https://aka.ms/GettingStartedWithAppSec
  75. Resources: Security is Everybody’s Job!
  76. Thank you. https://aka.ms/learn-to-sprint-RSA Tanya Janca @SheHacksPurple
