Advertisement
Check these out next
Divine and felonios cyber security devopsdays austin 2018
May. 15, 2018•0 likes•458 views
3 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Download to read offline
Report
Software
DevSecOps
John WillisFollow
VP of Devops and Digital Practices at SJ TechnologiesAdvertisement
Advertisement
Advertisement
Divine and felonios cyber security devopsdays austin 2018
- The Divine and Felonious Nature of Cyber Security ( Introduction to DevSecOps ) John Willis @botchagalupe
- https://github.com/botchagalupe/my-presentations
- The Felonious Nature of Cyber Security
- Actual Exploitation 2015 VZ DBIR
- Sonatype
- DevSecOps Community Survey 2018 - Sonatype
- • Discovered 3/6/2017 • Announced 3/9/2017 • CVE created 3/10/2017 • Equifax discovers 7/2017 • Equifax announced 9/2017 Anatomy of CVE-2017-5638 @botchagalupe
- • Discovered - 3/9/2017 • Action - 3/10/2017 • Remediation - 3/14/2017 Anatomy of CVE-2017-5638 @botchagalupe
- Anatomy of CVE-2017-5638 • As of fall 2017 (3,054) organizations downloaded the exact version of Struts2 that was publicly disclosed as vulnerable on 3/10/17 and subsequently exploited at Equifax between 5/17-9/17. • As of fall 2017 (46,557) organizations downloaded a version of Struts and/or its sub projects with known vulnerabilities despite perfectly safe versions being available. Data derived from Sonatype’s 2017 Software Supply Chain Report @botchagalupe
- Anatomy of CVE-2017-8046 (Fool Me Once) • Published 9/21/17 • CVE created 01/04/2018 • Discovered 2/18/17 • Corrected 3/6/18 @botchagalupe
- • For the 5 months prior to the September 2017 disclosure, developers downloaded the affected Spring components 411,046 times while they were believed to be good. • In the 5 months after the September 2017 disclosure, developers downloaded the affected Spring components which were then known to be vulnerable 367,351 times. Only an 11% dip. Data derived from Sonatype’s 2017 Software Supply Chain Report Anatomy of CVE-2015-8046 (Fool Me Once) @botchagalupe
- Security and the Goldilocks Zone • The fallacious nature of cyber security relates to the standard legacy security model specifically on the idea of perimeter security. • This concept involves the implementation of a state-full firewall at a routed point within the network that very rarely gets looked at unless an operational change is required. • The problem with having only premier security is that applications have changed significantly in the last ten years and the infrastructure they run upon is playing by the same old rules.
- Very Quick Talk About Devops
- @botchagalupe
- Devops Automated Deployment Pipeline Source: Wikipedia - Continuous Delivery @botchagalupe
- Devops Results Google • Over 15,000 engineers in over 40 offices • 4,000+ projects under active development • 5500+ code submissions per day (20+ p/m) • Over 75M test cases run daily • 50% of code changes monthly • Single source tree • Over 75M test cases run daily @botchagalupe
- Devops Results Google • Over 15,000 engineers in over 40 offices • 4,000+ projects under active development • 5500+ code submissions per day (20+ p/m) • Over 75M test cases run daily • 50% of code changes monthly • Single source tree 2016 150 Million automated tests run daily… @botchagalupe
- 19 Summary • Agile took us from months to days to deliver software • Devops took from months to days to deploy software • Now security is the bottleneck @botchagalupe
- Adversaries
- Knowing Adversities and Motivations
- Knowing Adversities and Motivations
- DevSecOps
- You Build It, You Secure It @botchagalupe
- DevSecOps as Supply Chain? 26 Source: Wikipedia - Continuous Delivery @botchagalupe
- Software Supply Chain 27 Delivery Team Version Control Build Test Release DevOps Example Stage Prod @botchagalupe
- Software Supply Chain 28 Delivery Team Version Control Build Test Release DevOps Example Stage Prod @botchagalupe
- Security in the Software Supply Chain 29 Delivery Team Version Control Build Test Release DevOps Example Delivery Team Version Control Build Test Release DevSecOps Example Stage Prod @botchagalupe
- Security in the Software Supply Chain 30 Delivery Team Version Control Build Test Release DevOps Example Delivery Team Version Control Build Test Release DevSecOps Example Stage Prod @botchagalupe
- Implementing DevOps in a Regulated Environment Requirements & Design Development CI Interval Trigger Assessment Production Application Risk Classification Security Requirement Definition Secure Libraries Static Analysis/IDE SCM Open Source Governance(CI) Secure Coding Standards Perimeter Assessment Dynamic Assessments Threat-Based Pen Test Web Application Firewalls Automated Attack/ Bot Defense Container Security Management Security Mavens (Security-Trained Developers and Operations) Role Based Software Security Training Continuous Monitoring, Analytics and KPI Gathering Preventative Detective Container Security Compliance (CI) Threat modeling Static Analysis (CI) @botchagalupe
- 33 Delivery Team Version Control Build Test Release DevSecOps Supply Chain Stage Prod The New Goldilocks Zone (DevSecOps) Security Training Security Requirements Threat Modeling Architecture Review OWASP Top 10 IDE Plugins Code Examples Fail the Build Static Code Analysis Security Policy Testing Configuration Analysis Vulnerability Scanning Code and App Analysis Automated Pen Testing Static Code Analysis Security Policy Testing Configuration Analysis Security Monitoring Configuration Monitoring
- Best Practices for DevSecOps • Train development teams to develop secure code • Track security issues the same as software issues • If infrastructure is now code, then security should be code. • Integrate security controls in the software pipeline • Automate security test in the build process • Detect known vulnerabilities during the pipeline • Monitor security in production for known states • Inject failure to ensure security is hardened Gene Kim, Jez Humble, Patrick Dubois, and John Willis. The DevOps Handbook; It Revolution Press, LLC.;2016.@botchagalupe
- The Divine
- @botchagalupe
- The Felonious Nature of Cyber Security @botchagalupe
- 38 Bonus Material
- Kill Chain Example 39 Amazon AWS Amazon VPC
- DevSecOps Kaizen - Full Life Cycle 1.Key Outcomes 2.Countermeasures 3.Storyboard 4.Kanban Board 5.Post Retrospective 1 2 3 4 5
- 41 More Security Meta Points • Have security create templates, recipes, playbook • Create a Wiki for Security • All Issues managed in a common issue system • Create a Github Repo for OWASP code examples • Create interactive visual environments for security • Visualize all the things…. • A bug is a bug is a bug…. @botchagalupe
- 42 DevSecOps and Cloud Configuration • IAM and resource policies (S3 Bucket, SQS, etc.) • Permissive policies (e.g. wildcards) • Security Group ingress and egress rules • Liberal rules (e.g. 0.0.0.0/0, port range 1-65535 is open) • Encryption • Encryption that is not enabled or enforced for applicable resources • Automatic Key Rotation • KMS keys that don't have rotation enabled, • Invalid SSL configurations • ELBs with invalid SSL configurations
- 43 DevSecOps and Containers • Base Image Policies • Signed images • Capabilities policies • Vulnerability Image Scans • Port Restrictions • Secrets Management @botchagalupe
- 44 DevSecOps and Serverless • OWASP top 10 are still relevant • Proper Permissions • Data, Keys and Secrets • Still can have vulnerable code dependancies @botchagalupe
Advertisement