Nsc42 security knights slayer of dragons 0-5_very_short_15m_share

Security Architecture in DEVOPS
Title:

Security Architect: slayer of dragons, defender of the realms and protector of cybersecurity automation

Synopsis:
The talk takes the audience on a journey from the origins of security architecture, through the challenge of cloud security, to the role of an architect in the dev-sec-ops world.
It explains the difference between traditional command-and-control governance and an approach that avoids starving automation and innovation with traditional security governance.
We will explore:
- Security gates, and why they do not always work in dev-ops
- Automation how-tos:
  - How to deploy cybersecurity at scale
  - Why it is important to know how to deal with people
  - Automation in the pipeline is king

If time allows, the talk will explore some additional lessons learned.

Rough length: compressed version 30 min, normally 50 min, or workshop format

Audience take-away:
- How to build a cybersecurity programme with architecture at its heart
- How to do traditional security governance
- How to mix governance with agile development and dev-sec-ops
- How to extract patterns from existing designs
- The value of design-principle patterns and why they are key to going fast
- How and when to use tools (SAST/DAST) and when to engineer



  1. Security Knights: slayer of dragons. DEV-OPS & SEC Architecture – Defenders of the appsec realm. ECS - Enterprise Security Computing (London). Copyright © NSC42 Ltd 2019 (content & picture under licence). @FrankSEC42, https://uk.linkedin.com/in/fracipo
  2. What's in it for me?
  3. Agenda: About the author; Context; Evolution of the knights & dragons; Pillars & problems; Solution to reach there; Take away; Conclusions; Q&A
  4. About Francesco: Francesco Cipollone, founder of NSC42 Ltd. "I'm a CISO and a CISO advisor, cybersecurity cloud expert, speaker, researcher and chair of Cloud Security Alliance UK, and researcher and associate of (ISC)². I've been helping organizations define and implement cybersecurity strategies and protect themselves against cybersecurity attacks." Security is everybody's job. We need to make security cool and frictionless. Links: website, articles, NSC42 LinkedIn, email, @FrankSEC42, fracipo on LinkedIn.
  5. How things have changed. So what's the challenge? How do we defend the castle from dragons?
  6. Why fixing vulnerabilities is important. Why is it important to fix vulnerabilities? How big is the problem?
  7. Major breaches, 2009 to 2019 (the slide lays them out as a timeline by year). Among those named: Microsoft, Heartland, US Military, AOL, TJ Maxx, Sony PSN, NHS, Betfair, Steam, Deep Root, IRS, Anthem, Dropbox, Last.fm, Blizzard, Marriott, Twitter, MyHeritage, Uber, Quora, Myspace, Yahoo, LinkedIn, Friend Finder, Dailymotion, Mossack Fonseca, JP Morgan, Home Depot, eBay, Yahoo (original), US retailers, Adobe, Ubisoft, Court Ventures, and more. Why is fixing vulnerabilities everybody's responsibility? Yes... because we all get affected by it.
  8. Major breaches (image; credit: Information is Beautiful).
  9. Size of the problem. Source: https://snyk.io/wp-content/uploads/The-State-of-Open-Source-2017.pdf
     How long does it take to fix a vulnerability? 16 to 94 days.
     Vulnerability disclosure (time from inclusion in the code base to disclosure): min 0 days, average 2.5 years, max 5.9 years.
     Vulnerability fix (time from disclosure to fix): min 0 days, average 16 days, max 94 days.
  10. The crisis. So is security still important in a dev-sec-ops world? Let's see how to blend architecture, governance and security operations in this new dragon-slayer world.
  11. Solution: DEV-OPS + SEC + BIZ, at pace and at speed. Problem: governance versus speed.
      1. Trust & verify
      2. License to operate / license to code
      3. Fix vulnerabilities day in, day out
      >> Set thresholds: build vs fix, vulnerability trending
      >> Blend architects and engineering
  12. Solution pillars (3 + 2): Design & Governance, Application Security, Security Education, plus Production Security and a Risk Management Framework. Focus on phases (Phase 1, Phase 2, Phase 3) to address the problem.
  13. The DEV-SEC-OPS revolution: trust & verify. Trust your developers, but verify! To go at pace you should trust your community of developers... but verify that they are doing security.
  14. Trust & verify framework (diagram). Inputs: code and 3rd-party components (FOSS + libraries), written by engineers & developers. Application security scanners feed a development dashboard and a production dashboard. Each DEV-SEC-OPS application group (the unit that works on one or more applications) holds a job queue of security vulnerabilities, bugs & errors, and new features; vulnerabilities are triaged per application and the day-to-day decision is fix or build, taken against thresholds: "Am I compliant with the code defects target?" and "Am I still compliant with the overall build vs fix targets?" Pipeline: DEV, Test, Prod; deployment to prod relies on the license to operate. Roles: engineers & developers, application/product owner, security champion, security architect.
  15. License to operate. A trusted DEV-OPS team can operate at speed... as long as it has the license to operate (covering DEV security and production security).
  16. The DEV-SEC-OPS revolution: trust & verify. Developers can operate fast and deploy as long as they have a license.
      1. Trust your developers and apply a 'license to operate'
      2. Apply governance (lightweight and heavyweight)
      3. Make security everybody's responsibility, but provide resources to guide (during the transformation)
      4. Blend architects with the engineering community
  17. Dashboard for code defects -> under the hood. Scan at various stages: repositories are scanned by a code scanner (SAST) feeding the DEV dashboard; build/staging/UAT/test environments are scanned by build and test scanners feeding the build/test dashboard; production is scanned by a prod scanner feeding the PROD dashboards. Set targets for prod & dev vulnerabilities, triage the vulnerabilities, and route scanner output to tickets or aggregators.
  18. Vulnerable libraries. How to fix vulnerable libraries? Use 3rd-party tools or OWASP/open-source reference tools:
      - OWASP dependency-check: http://jeremylong.github.io/DependencyCheck/
      - OWASP dependency-track: https://github.com/stevespringett/dependency-track
      - OWASP dependency-check-sonar-plugin: https://github.com/stevespringett/dependency-check-sonar-plugin
      - Maven Security Versions: https://github.com/victims/maven-security-versions
      These tools match declared or bundled components against public vulnerability data (the NVD and similar feeds), so keep that data current and triage the matches: a component identified only by name and version can be a false positive, and an unmatched component is not evidence of absence.
  19. Trust & verify – the verify part. A trusted DEV-OPS team can operate at speed... as long as it has the license to operate:
      1. Verify that the team does security training
      2. Verify that the team reduces vulnerabilities
      3. Verify that the team applies governance
  20. Dashboard for code defects. A dashboard for code defects and thresholds is key to verifying and maintaining the license to operate.
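The threshold check that slides 11, 14 and 20 describe (code-defect targets, build vs fix, vulnerability trending as the condition for keeping the license to operate), applied to the kind of dependency-scanner output slide 18 refers to, as an added example in Python. It is not code from the talk or from any OWASP project: the report is constructed inline and only loosely imitates the shape of OWASP dependency-check's JSON report (dependencies, each with vulnerabilities carrying a name, a severity and a CVSS score); the component names, vulnerability ids and threshold values are placeholders and assumptions, not real identifiers.

```python
"""License-to-operate gate over dependency-scanner output.

Added example for this page; not code from the NSC42 talk or any OWASP project.
The report below is constructed for the example and its shape only loosely
imitates OWASP dependency-check's JSON report (dependencies -> vulnerabilities,
each with name, severity and a CVSS score). Component and vulnerability names
are placeholders, not real identifiers; threshold values are assumptions.
"""
import json
from dataclasses import dataclass

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")

# Constructed sample report: placeholder components and vulnerability ids.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "example-parser-1.0.jar",
         "vulnerabilities": [
             {"name": "SAMPLE-0001", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 9.8}}]},
        {"fileName": "example-http-client-2.3.jar",
         "vulnerabilities": [
             {"name": "SAMPLE-0002", "severity": "high",
              "cvssv3": {"baseScore": 7.5}},
             {"name": "SAMPLE-0003", "severity": "HIGH",
              "cvssv3": {"baseScore": 8.1}}]},
        {"fileName": "example-logging-1.1.jar",
         "vulnerabilities": [
             {"name": "SAMPLE-0004", "severity": "MEDIUM",
              "cvssv2": {"score": 5.0}}]},
        {"fileName": "example-utils-0.9.jar", "vulnerabilities": []},
    ]
})

# Illustrative per-severity targets (assumption): the maximum number of open
# findings a team may carry and still keep its license to deploy to prod.
TARGETS = {"CRITICAL": 0, "HIGH": 3, "MEDIUM": 10}


@dataclass(frozen=True)
class Finding:
    component: str
    vuln_id: str
    severity: str
    score: float


def parse_findings(report_json: str) -> list:
    """Flatten a dependency-check style report into one Finding per vulnerability."""
    report = json.loads(report_json)
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            # Prefer the CVSS v3 base score; fall back to v2, then to 0.0.
            score = ((vuln.get("cvssv3") or {}).get("baseScore")
                     or (vuln.get("cvssv2") or {}).get("score") or 0.0)
            findings.append(Finding(dep["fileName"], vuln["name"],
                                    vuln["severity"].upper(), float(score)))
    return findings


def count_by_severity(findings) -> dict:
    """Open findings per severity, always including the four known levels."""
    counts = {sev: 0 for sev in SEVERITIES}
    for finding in findings:
        counts[finding.severity] = counts.get(finding.severity, 0) + 1
    return counts


@dataclass
class GateResult:
    passed: bool        # license to operate still valid?
    breaches: list      # which per-severity targets are exceeded
    trend: dict         # change in open findings versus the previous scan
    worsening: bool     # critical/high count went up since the last scan
    mode: str           # "build" (new features allowed) or "fix" (fix first)


def license_to_operate(findings, targets, previous_counts=None) -> GateResult:
    """Apply the 'trust & verify' thresholds: code-defect targets plus trend."""
    counts = count_by_severity(findings)
    previous = previous_counts or {}
    breaches = [f"{sev}: {counts.get(sev, 0)} open, target {limit}"
                for sev, limit in targets.items() if counts.get(sev, 0) > limit]
    trend = {sev: counts.get(sev, 0) - previous.get(sev, 0) for sev in SEVERITIES}
    worsening = any(trend[sev] > 0 for sev in ("CRITICAL", "HIGH"))
    passed = not breaches
    # Build vs fix: the day-to-day job queue tilts to fixing whenever a target
    # is breached; a worsening trend inside target is a warning, not a stop.
    mode = "build" if passed else "fix"
    return GateResult(passed, breaches, trend, worsening, mode)


if __name__ == "__main__":
    result = license_to_operate(parse_findings(SAMPLE_REPORT), TARGETS,
                                previous_counts={"CRITICAL": 0, "HIGH": 3, "MEDIUM": 1})
    print("license to operate:", "VALID" if result.passed else "SUSPENDED")
    for line in result.breaches:
        print("  breach ->", line)
    print("trend vs previous scan:", result.trend, "| mode:", result.mode)
```

With the constructed report the license is suspended: one CRITICAL finding against a target of zero puts the group into fix mode, while a HIGH count that grows between scans but stays inside target only raises the worsening flag, which is the trending signal the dashboard would surface rather than a hard stop. To run it on real dependency-check output, load the report file and check the field names against the report you actually produce; the ones used here are an assumption.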
  21. Definition of security-impacting change (diagram). Functional change: any change impacting the core functionalities of an application. Design phase (initial design, iterations, functional change): governance sits with the Security Design Authority and the security architects. DEV-OPS phase (small change / bugfix / patching, sandbox/prototyping, OPS test, deployment environment): governance is delegated to the security champion(s) and application owner(s).
  22. Security education in DEV-SEC-OPS:
      1. Awareness training for your users
      2. Craft training based on the scanner (fault) data
      3. Make the training entertaining (CTF and rewards)
  23. Conclusion: trust and verify; vulnerability management as everyday life; architect + engineering = success; data-driven education; governance at scale; security at pace. Security is everybody's job.
  24. CSA-UK - We need you. Join! Mentoring, research, events, networking. Twitter: @csaukchapter; LinkedIn: https://www.linkedin.com/groups/3745837/
  25. #MentoringMonday call: every fortnight, 1:30 PM UK time. @FrankSEC42
  26. Cyber Security Awards 2020, Cloud Security Influencer of the Year. Submission: 10 May 2020 (TBD); ceremony: 4 July 2020. #CYSECAWARDS20. Info: https://cybersecurityawards.com/, https://cloudsecurityalliance.org.uk. Submit: info@cybersecurityawards.com
  27. Q&A
  28. Contacts. Get in touch: https://uk.linkedin.com/in/fracipo, Francesco.cipollone (at) nsc42.co.uk, www.nsc42.co.uk, @FrankSEC42. Thank you. WHEN YOU ARE CYBERSAFE WE ARE CYBERHAPPY
