Nsc42 security knights slayer of dragons 0-5_very_short_15m_share

1. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) Security Knights slayer of dragons ECS - Enterprise Security Computing (London) @FrankSEC42 DEV-OPS & SEC Architecture – Defenders of the appsec realm https://uk.linkedin.com/in/fracipo

3. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) Agenda About the author Conclusions Q&A Solution to reach there Pillars & Problems Evolution of the knights & dragons Context @FrankSEC42 Take Away

4. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo About the Francesco 4 Francesco Cipollone Founder – NSC42 LTD I’m a CISO and a CISO Advisor, Cybersecurity Cloud Expert. Speaker, Researcher and Chair of Cloud security Alliance UK, Researcher and associate to ISC2. I’ve been helping organizations define and implement cybersecurity strategies and protect their organizations against cybersecurity attacks Website Articles NSC42 LinkedIn Security is everybody’s job We need to make security cool and frictionless Copyright © NSC42 Ltd 2019 Email@FrankSec42 Fracipo Linkein

5. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo How Things Have Changed 5 So what’s the challenge? How do we defend the castle from dragons?

6. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Why Fixing vulnerabilities is important 6 Why is important to fix vulnerabilities? How Big is the problem?

7. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Major Breaches 7 2009/ 2010 2012 Microsoft Heartland US Military Aol TJMax 2013 2016 2017 2014 2015 2018 Sony PSN NHS Betfair Steam Deep Root IRS Anthem Dropbox Lastfm Blizzard Marriot Twitter MyHeritage Uber Quora.. Why fixing Vulnerabilities is everybody’s responsibility? Myspace Twitter Yahoo Linkedin Friend Finder Dailymotion Mossack Fonseca JP Morgan Home Depo Ebay Yahoo(orignal) US Retailers Adobe UbiSoft Court Ventures 2012 2019 … Yes…because we all get affected by it

9. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Size of the problem 9 Source:: https://snyk.io/wp-content/uploads/The-State-of-Open-Source-2017.pdf How long it takes to fix a vulnerability? 16-94 days Vulnerabilities disclosure: 5.9 years MAX time from inclusion to disclosure 0 days MIN time from inclusion to disclosure 2.5 years AVER time from inclusion to disclosure Vulnerabilities FIX: 94 days MAX time from disclosure to fix 0 days MIN time from disclosure to fix 16 days AVER time from disclosure to fix

10. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo The Crisis 10 So Is security Still important in a dev-sec-ops world? Let’s see how to blend the architecture, governance and security ops in this new dragon slayer world

11. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Solution: DEV-OPS + SEC + BIZ at pace and at speed 11 Problem – governance and speed 1. Trust & Verify 2. License to operate/code 3. Day in Day fix Vulnerabilities >> Set Thresholds: Bild vs Fix, Vulnerability trending >> Blend Architects and Engineering

12. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Solution Pillars 3+2 12 Design & Governance Application Security Security Education Phase 1 Phase 2 Production Security • 4 Solution Pillars 3 + 2 • Focus on phases to address the problem Risk management Framework Phase 3

13. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo The DEV-SEC-OPS Revolution: Trust & Verify 13 Trust your developers but verify! To go at pace you should trust your community of developers…but verify that they are doing security

14. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Trust & Verify Framework 14 Application Security Scanners Production Dashboard Development Dashboard Job Queue Defects Bugs New Features Am I compliant with Code Defects Target ? Am i still compliant with Overall Build vs FIX Targets ? Triage & Vulnerability Per applicationDay to day fix or build Code 3rd parties Components (FOSS + Libraries) Engeneers & Developers DEV-SEC-OPS Application Group (unit that works on one or more application) DEV Test Prod Deployment to prod Relies on the License to Operate Engeneers & Developers Application/ Product Owner Security Champion Security Architect Security Vulnerabilities Bugs& Errors NEWFeatures Thresholds

15. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo License to operate 15 Trusted DEV-OPS team can operate at speed… as long as they have the license to operate DEV Security Productio n Security

16. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo The DEV-SEC-OPS Revolution: Trust & Verify 16 Developer can operate fast and deploy as long as they have a license 1. Trust your developers and apply a ‘license to operate’ 2. Apply governance (light and heavy weight) 3. Make security everybody’s responsibility but provide resource to guide (during transformation) 4. Blend Architects with Engineering community

17. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects -> Under the hood 17 Repositories Build/Staging/UAT/ Test Environments Scanner for Code Scanner for Build Dashboards For SAST DEV Dashboard Scanner for Test Dashboard Build/ Test Production Prod Scnner Dashboards PROD Dashboards Development-Testing Production Scanner for prod SET Targets For Prod & DEV Vuln Triage the vulnerabilities Scan At various Stages Scanners to Tickets or aggregators DEV Security Productio n Security

18. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo OWASP dependency-check • http://jeremylong.github.io/DependencyCheck/ OWASP dependency-track • https://github.com/stevespringett/dependency-track OWASP dependency-check-sonar-plugin • https://github.com/stevespringett/dependency-check-sonar-plugin Maven Security Versions • https://github.com/victims/maven-security-versions Vulnerable Libraries 18 How to fix vulnerable Libraries? Use 3rd party tools or OWASP/Open source reference libraries DEV Security Productio n Security

19. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Trust & Verify – The Verify Part 19 Trusted DEV-OPS team can operate at speed… as long as they have the license to operate 1. Verify that team does security training 2. Verify that team reduces vulnerabilities 3. Verify that team applies governance DEV Security Productio n Security

20. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects 20 Dashboard for code defect and thresholds Key to Verify & maintain the license to operate DEV Security Productio n Security

21. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Definition of security Impacting Change 21 Governanc e Functional Change OPS Test Small Change/ FIX/ Patching Small Change/ Bugfix/ Patching Sandbox/Prototyping Deployment Environment Functional Change - Any Change impacting the core functionalities of an application DEV-OPS PhaseDesign Phase Governance Delegated to the Champion(s) and Application owner(s) Governance on the Security DesignAuthority & Security Architects Iterations DEV Initial Design (Iterations) Functional Change

22. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Security Education in DEV-SEC-OPS 22 1. Awareness Training For your users 2. Craft Training based on the scanner (faults) data 3. Make the training entertaining (CTF and Rewards) Security Education

23. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Conclusion 23 - Trust And Verify - Vulnerability Management every day life - Architect + Engineering = Success - Data Driven Education - Governance at scale Security at pace Security is everybody’s job

24. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Mentoring Research Events Networking Twitter: @csaukchapter LinkedIn: https://www.linkedin.com/groups/3745837/ CSA-UK - We need you 24 Join!

25. Every Fortnight 1.30 PM UK Time #MentoringMonday Call @FrankSEC42

26. Cyber Security Awards 2020 Cloud Security Influencer of the Year Submission – 10 of May 2020 (TBD) Ceremony 4 July 2020 #CYSECAWARDS20https://cybersecurityawards.com/ https://cloudsecurityalliance.org.uk Submit: info@cybersecurityawards.com Info:

28. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Contacts 28 Get in touch: https://uk.linkedin.com/in/fracipo Francesco.cipollone (at) nsc42.co.uk www.nsc42.co.uk Thank you WHEN YOU ARE CYBERSAFE WE ARE CYBERHAPPY @FrankSEC42