Quick background about Francesco... me... as you might have noticed, my favorite colors are black and red.
I'm a cybersecurity cloud expert and CISO/advisor. I'm an active public speaker, as you can see, a researcher and Director of Events at Cloud Security Alliance UK, and a researcher and associate of ISC2.
I've been helping organizations define and implement cybersecurity strategies and protect themselves against cyber attacks. I help international organizations of different industries and sizes (financial services, banking, telco), and this gives me a different perspective on the security problem.
One important theme that I put in all my presentations is that security is everybody's job, and we will see why. Also:
The key to success in security is to make it frictionless
So what is DevOps? Opening: so, what are we talking about? DevOps and security. What the heck is DevOps? DevOps is a mythological beast, where you merge the development community with the operations community into a single animal that is responsible for the lifecycle of its own application. It is continuous integration between DEVelopment and OPerationS.
Why is it so relevant today? Because of the speed of delivery.
So how do we add another element (Sec) to this picture? Security Phoenix is where DevOps is reborn as a mythological animal with security at its heart.
So what are the different parts of a phoenix?
At the head, people and education (head).
Design (wing), Build & Test (wing), Operate at the heart (heart).
Guided by governance and risk management (tail).
Can a bird fly without wings, or with just one wing? Maybe, but really badly. Can a bird fly without a head? I don't think so. Can a bird have direction without a tail?
But ultimately security is about our people, as they are our herald! Security is everybody's job. Let's see why.
Why is security important?
Major breaches over the years…let’s think about the dark knights
We can’t scale! We need more security people !
I’ll let this image sink in for a second. Those are just the major breaches over the years. Most of them were due to mistakes like unpatched systems, exposed databases, password guessing, brute force.
What do all those breaches have in common? Complex nation-state actors? No. Complex and intricate cyber attacks? Sometimes.
Missing the basics (e.g. patching) and human error is the answer you are really searching for.
By doing the basics right you will be better off than 80% of other organizations.
This explains why security is everyone's responsibility: because we all get affected by it!
Done badly, the existing governance and controls get forced onto the new world.
Done correctly, security becomes almost transparent.
So how do we do it correctly? With Security Phoenix! The security function is reborn!
Let’s analyze the phoenix
What would you get out of the pillars?
Trust of the developers: embedding security in the DevOps pods. Key enabler for doing this at scale? Trust & Verify and License to Operate.
How to fix vulnerabilities at scale? The concepts of triage and visualization.
Upskill and fill the gaps in security.
Keep people accountable: security governance.
Shift left & design (not talking much about this here).
So let’s see the people aspect: Trust & Verify and license to operate
Problem that we are trying to solve: how to fix the problem at scale and at pace.
Ultimately it is all about our people and education. People are the first line of defence for your business.
What are the key concepts of Security Phoenix? Trust the team but verify (dashboards, build vs fix). License to operate: if you deploy quality code you have the license. Fixing vulnerabilities as everyday life (every sprint). Set thresholds (reduction of vulnerabilities, and build vs fix).
This new mode of operation relies on the ability of the team to demonstrate they can operate securely and at pace.
Transformation: License to Operate -> trust your DevOps but verify.
As long as the DevOps team operates under the license:
Apply governance (lightweight and heavyweight).
Make security everybody's responsibility, but provide resources to guide (during the transformation).
The whole concept relies on the license to operate: if you promote good code, you're good to go.
How to verify: thresholds for reduction of vulnerabilities (dashboards), thresholds for build vs fix, security learning.
Code scanners -> output in Phoenix DB -> thresholds. Code scanners -> output in Jira tickets -> thresholds in Phoenix DB -> build vs fix tickets. Learning platform -> output in Phoenix DB -> is the team doing training?
Teams triage and remediate locally to the pod.
People aspect: risk management & BUZ, not yet automated. If something can't be updated/remediated, then risk assessment (not covered here). The application/product owner (empowered by pods and security champions) decides how many vulnerabilities to fix in every sprint.
The Pod Structure
Dev + engineers (DEV + OPS). Security champions to show what good looks like. App owner to guide the business on new features.
Sec arch: to oversee the design part of the application and review changes.
Monitoring / AppSec (day in, day out): vulnerability fixes, dashboard and trending (what vulnerability to fix first), build vs fix (ensure the thresholds are healthy).
Trust your developers and apply a 'license to operate' -> this can be removed.
Apply governance (lightweight and heavyweight): faster for teams that are compliant with security, more scrutiny for teams that are not.
Visualize and keep everyone accountable: give the product owner the ability to see if new vulnerabilities are getting introduced.
Make security resources available to the developers and document the fixes: produce an internal reference for what security looks like for your org.
How to verify: thresholds for reduction of vulnerabilities (dashboards), thresholds for build vs fix.
Scanners output in Jira. Teams triage and remediate locally to the pod.
If something can't be updated/remediated, then risk assessment (not covered here). The application/product owner (empowered by pods and security champions) decides how many vulnerabilities to fix in every sprint.
Let's see the visualization aspect behind the elements discussed.
Thresholds example (DEV)
Theme: visualization helps both the teams working on the code and the application owner providing governance. The tools ultimately are not as intelligent as a developer, but only provide suggestions on how to prioritize vulnerabilities.
Scanner architecture: different scans at different stages.
Divide DEV/Prod scanners. Individual dashboards for false positives. Aggregate the vulnerabilities in aggregators (e.g. Kenna).
Scanner dashboards to mark false positives or risk-accept, but make sure there is a process behind it.
Triage the vulnerabilities inside the scanners or feed them into auto-generation of tickets.
For operations: scan/monitor & bugfix (nothing other than a change).
Key thing here: prioritize what to fix! Fixes will be in competition with features! It's not all about security.
OS & app: scan and monitor. Rebuild frequently so you don't have to worry.
FOSS, open source components! Watch for contributor account takeover (refer to Netflix).
Libraries & open source components: scan & rebuild with new libraries. Rebuild the app with the latest (release cadence). Risk management if you can't update or no update is available.
Code, from your dev pipeline: those are your security code defects (internal or external bug bounty to detect which ones are more dangerous).
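The trust-and-verify thresholds described above (vulnerability reduction and build vs fix per sprint, with the pod keeping or losing its license to operate) as an added worked example; this is illustrative code written for this page, not the talk's Phoenix DB or dashboards, and the finding fields, pod name and threshold values are constructed assumptions.

```python
"""License-to-operate check over constructed scanner findings (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed weighting used only to order the fix list (triage suggestion).
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}

@dataclass(frozen=True)
class Finding:
    pod: str
    severity: str
    sprint_found: int            # sprint in which the scanner raised it ("build")
    sprint_fixed: Optional[int]  # sprint in which it was closed ("fix"); None = open

# Constructed sample findings for one pod across three sprints.
FINDINGS = [
    Finding("payments", "critical", 1, 2),
    Finding("payments", "high", 1, 2),
    Finding("payments", "medium", 2, 3),
    Finding("payments", "low", 2, None),
    Finding("payments", "high", 3, None),
    Finding("payments", "critical", 3, None),
]

def open_at(findings: List[Finding], sprint: int) -> List[Finding]:
    """Findings still open at the end of the given sprint."""
    return [f for f in findings
            if f.sprint_found <= sprint and (f.sprint_fixed is None or f.sprint_fixed > sprint)]

def build_vs_fix(findings: List[Finding], sprint: int):
    """(introduced, fixed) counts for one sprint: the 'build vs fix' threshold input."""
    built = sum(1 for f in findings if f.sprint_found == sprint)
    fixed = sum(1 for f in findings if f.sprint_fixed == sprint)
    return built, fixed

def license_to_operate(findings, sprint, max_open_critical=0, min_fix_ratio=1.0):
    """Trust but verify: the pod keeps its license only while both thresholds hold."""
    open_now = open_at(findings, sprint)
    crit = sum(1 for f in open_now if f.severity == "critical")
    built, fixed = build_vs_fix(findings, sprint)
    ratio = fixed / built if built else float("inf")  # nothing built: nothing to fix
    return {"open": len(open_now), "open_critical": crit, "built": built, "fixed": fixed,
            "fix_ratio": ratio, "license": crit <= max_open_critical and ratio >= min_fix_ratio}

def fix_order(findings: List[Finding], sprint: int) -> List[Finding]:
    """What to fix first: highest severity, then oldest; the product owner picks how many."""
    return sorted(open_at(findings, sprint), key=lambda f: (-SEVERITY_WEIGHT[f.severity], f.sprint_found))

if __name__ == "__main__":
    for s in (1, 2, 3):
        print(s, license_to_operate(FINDINGS, s))
```

In the sample data the pod earns its license in sprint 2 (two built, two fixed, no open criticals) and loses it in sprint 3, where a new critical lands and the fix ratio drops to 0.5.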
For open source vulnerabilities it takes a long time to fix
Why is that? Because rebuilding is not always immediate
You say 0-days? I say normally a patch takes between 16 and 94 days to be fixed...
That leaves you a lot of exposure.
So let's see the last aspect: design and education.
Security governance in DevSecOps is challenging. Definition of change: small changes vs security-impacting changes. Change control & security education: security review closer to the application pods. Initial design assessment.
Improvements: pre-approved services, patterns, standards built into automation.
Educate the users -> report vulnerabilities. Educate the users -> be aware of social engineering. Hands-on and hands-off training (OWASP is a great resource).
Security is hard, and the role of the architect is changing.
No one solution fits all: tailor this model to your organization!
Key concepts: trust and verify; vulnerability management as everyday life; automation vs the people aspect (it is a transformation); data-driven education; governance at scale. Closing: ultimately there is no one solution that fits all, and look at the security transformation as a people transformation. You can't automate people, but you can make people's lives easier using tools. Don't let the tool use you; use the tool to prioritize the work.
Every 2 weeks 1.30 PM UK Time
Cyber Security Awards 2020
Cloud Security Influencer of the Year
Submissions: 10 May 2020 (TBD)
Ceremony 4 July