Nsc42 - the security phoenix devsecops - risk-present_0_3

the security phoenix devsecops - focus on risk and governance

Published in: Education

  1. Copyright © NSC42 Ltd 2019 (content & picture under licence). The Security Phoenix rises from DEV-OPS ashes: a risk-based perspective of DEV-SEC-OPS. Whitehall Media Enterprise Security Risk Management. @FrankSEC42, https://uk.linkedin.com/in/fracipo
  2. Agenda: About the author; Context; Evolution of DEVOPS in Security Phoenix; Security Phoenix – Trust and Risk based approach; Security Phoenix – Security Ops; Security Phoenix – Governance & Education; Conclusions; Q&A.
  3. About Francesco: Francesco Cipollone, Founder – NSC42 Ltd (www.nsc42.co.uk). "I'm a CISO and a CISO Advisor, Cybersecurity Cloud Expert. Speaker, Researcher and Chair of Cloud Security Alliance UK, Researcher and associate to ISC2. I've been helping organizations define and implement cybersecurity strategies and protect their organizations against cybersecurity attacks." Security is everybody's job. We need to make security cool and frictionless.
  4. What the heck is DEV-SEC-OPS? What kind of animal is DEV-SEC-OPS? CHALLENGE: how do we integrate risk management into DEV-OPS?
  5. Anatomy of a phoenix: the core components of Security Phoenix are Secure Design, Build & Test, Secure Operate, People & Education, and Governance & Risk management.
  6. Security Phoenix & Risk – what you get: 1. Risk management & trust (trust & verify & risk). 2. Visualize, triage/risk assess and fix vulnerabilities at scale and pace (DEV & Ops) in a POD, plus risk. 3. Security design risk, governance and education for risk.
  7. Team Structure (diagram): a DEV-SEC-OPS Application Group (a unit that works on one or more applications) made up of Engineers & Developers, an Application/Product Owner, a Security Champion and a Security Architect, working across DEV, Test and Prod. Inputs are code, 3rd-party components (FOSS + libraries) and application security scanners. The Development Dashboard holds the job queue of defects, bugs and new features, with triage & vulnerability per application and day-to-day fix-or-build decisions ("Am I compliant with the code defects target?"). The Production Dashboard tracks security vulnerabilities, bugs & errors, new features and thresholds ("Am I still compliant with the overall Build vs Fix targets?"). Deployment to prod relies on the License to Operate; Risk Management sets the License to Operate, the Build vs Fix targets and the vulnerability thresholds.
  8. SDLC Stages and actions (diagram of the SDLC stages).
  9. Security Phoenix & Risk – what you get (section divider; repeats the three points of slide 6).
  10. DEVELOPMENT RISK – Build/Test security risk: 1. Library update – timeline and risk. 2. Code defects – timeline and risk. 3. Deviation from standards. 4. Testing defects (vulnerabilities in test).
  11. Production Risks – Production security OPS risk: 1. Library update – timeline and risk. 2. OS/patching/apps – timeline and risk. 3. Deviation from regulation. 4. Rinse and repeat. Stack layers in scope: Hardware; OS/Container; Apps (3rd party); Frameworks; Libraries (3rd party) / FOSS; Code/Build.
  12. Security Operate – size of the problem (source: https://snyk.io/wp-content/uploads/The-State-of-Open-Source-2017.pdf). How long does it take to fix a vulnerability? 16–94 days. Vulnerability disclosure, time from inclusion to disclosure: 0 days minimum, 2.5 years average, 5.9 years maximum. Vulnerability fix, time from disclosure to fix: 0 days minimum, 16 days average, 94 days maximum.
  13. Dashboard for Code Defects – under the hood: scan at various stages (repositories; build/staging/UAT/test environments; production) with scanners for code, build, test and prod; scanners feed tickets or aggregators; triage the vulnerabilities; dashboards for SAST, DEV, Build/Test and PROD; set targets for Prod & DEV vulnerabilities. DEV security and Production security are tracked separately.
  14. Dashboard for Code Defects: example of a dashboard for vulnerability visualization (DEV security, Production security).
  15. Risk at various stages (DEV security, Production security).
  16. Triage, Prioritize & Risk assess – triage vulnerabilities, maturity levels (Build/Test security): 1. L1 – Basic – false positives. 2. L2 – Medium – location/CVE risk. 3. L3 – Advanced – environment/exploitability. 4. Nirvana – auto enrichment, risk score & prioritization.
  17. Secure Operate – Nirvana: number-based risk score; tools that are available in the market (DEV security, Production security).
  18. Triage, Prioritize & Risk assess – triage vulnerabilities, maturity levels (Build/Test security; continuation of slide 16).
  19. Triage, Prioritize & Risk assess – for Advanced, consider: 1. Vulnerability score (L/M/H). 2. Network location. 3. Exploitability. 4. Prod/Non-prod. 5. Risk level. Basic formula (BYORS): Risk = (1.5*High + 1*Medium + 0.5*Low); Risk = Likelihood × Impact; Criticality = Probability × Severity. Advanced formula: CWSS = BaseFindingSubscore * AttackSurfaceSubscore * EnvironmentSubscore.
  20. Security Phoenix & Risk – what you get (section divider; repeats the three points of slide 6).
  21. Security Education in DEV-SEC-OPS: 1. Threat modelling. 2. Craft DEV training based on the scanner (faults) data. 3. Education on the job – risk assessment & management. 4. Make the training entertaining (CTF and rewards).
  22. Conclusion: Trust and verify & risk management; risk visualization and prioritization; vulnerability & risk assessment as part of everyday life; automation vs the people aspect – it is a transformation; education on risk and assessment. Security at scale and pace. Security is everybody's job.
  23. CSA-UK – we need you: mentoring, research, events, networking. Twitter: @csaukchapter. LinkedIn: https://www.linkedin.com/groups/3745837/. Join!
  24. Cyber #MentoringMonday Podcast – every 2 weeks, 1.30 PM UK time. @FrankSEC42
  25. Cyber Security Awards 2020 – Cloud Security Influencer of the Year. Submission: 10 May 2020 (TBD); ceremony: 4 July 2020. #CYSECAWARDS20. Info: https://cybersecurityawards.com/, https://cloudsecurityalliance.org.uk. Submit: info@cybersecurityawards.com
  26. Q&A
  27. Contacts – get in touch: https://uk.linkedin.com/in/fracipo, Francesco.cipollone (at) nsc42.co.uk, www.nsc42.co.uk. Thank you. WHEN YOU ARE CYBERSAFE WE ARE CYBERHAPPY. @FrankSEC42
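Slides 16 and 19 describe triage maturity levels (drop false positives first, then weigh location, exploitability and environment) and quote two scoring formulas: the weighted count Risk = 1.5*High + 1*Medium + 0.5*Low and Risk = Likelihood × Impact. The following is an added example, not code from the deck or from NSC42, that runs a small set of constructed findings through that pipeline. The factor tables (LOCATION_LIKELIHOOD, EXPLOITABILITY_LIKELIHOOD, SEVERITY_IMPACT, ENV_IMPACT), the Finding dataclass and the placeholder CVE ids are all assumptions made for the illustration; the deck gives only the formulas, not the weights.

```python
"""Vulnerability triage and risk scoring (added example, not NSC42 code).

Implements the two formulas quoted on slide 19 of the deck:
  BYORS weighted count: 1.5*High + 1*Medium + 0.5*Low
  Risk = Likelihood x Impact
Likelihood is derived from network location and exploitability, impact from
severity and prod/non-prod, following the factors listed on slides 16 and 19.
All weight tables and sample findings below are constructed assumptions.
"""
from dataclasses import dataclass

# Slide 19 basic formula weights (from the deck).
SEVERITY_WEIGHT = {"High": 1.5, "Medium": 1.0, "Low": 0.5}

# Assumed likelihood factors: where the asset sits and how mature the exploit is.
LOCATION_LIKELIHOOD = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}
EXPLOITABILITY_LIKELIHOOD = {"public_exploit": 1.0, "poc": 0.7, "theoretical": 0.4}

# Assumed impact factors: scanner severity and whether the environment is production.
SEVERITY_IMPACT = {"High": 1.0, "Medium": 0.6, "Low": 0.3}
ENV_IMPACT = {"prod": 1.0, "non-prod": 0.5}


@dataclass
class Finding:
    cve: str                # placeholder id, not a real CVE
    severity: str           # "High" | "Medium" | "Low"
    location: str           # key of LOCATION_LIKELIHOOD
    exploitability: str     # key of EXPLOITABILITY_LIKELIHOOD
    environment: str        # "prod" | "non-prod"
    false_positive: bool = False


def level1_filter(findings):
    """L1 triage (slide 16): drop findings the team has confirmed as false positives."""
    return [f for f in findings if not f.false_positive]


def byors_score(findings):
    """Slide 19 basic formula: 1.5*High + 1*Medium + 0.5*Low over a list of findings."""
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def likelihood(f):
    """Assumed: likelihood grows with exposure and with exploit maturity."""
    return LOCATION_LIKELIHOOD[f.location] * EXPLOITABILITY_LIKELIHOOD[f.exploitability]


def impact(f):
    """Assumed: impact grows with severity and is halved outside production."""
    return SEVERITY_IMPACT[f.severity] * ENV_IMPACT[f.environment]


def risk(f):
    """Slide 19: Risk = Likelihood x Impact, rounded for stable comparison."""
    return round(likelihood(f) * impact(f), 3)


def prioritise(findings):
    """L2/L3 triage: rank the surviving findings by numeric risk, highest first."""
    return sorted(level1_filter(findings), key=risk, reverse=True)


def dashboard_summary(findings, environment):
    """Weighted count for one environment, the figure a DEV or PROD dashboard
    would compare against its vulnerability threshold (slide 7)."""
    subset = [f for f in level1_filter(findings) if f.environment == environment]
    return byors_score(subset)


# Constructed sample findings; the CVE ids are placeholders, not real identifiers.
SAMPLE = [
    Finding("CVE-PLACEHOLDER-1", "High", "internet", "public_exploit", "prod"),
    Finding("CVE-PLACEHOLDER-2", "High", "isolated", "theoretical", "non-prod"),
    Finding("CVE-PLACEHOLDER-3", "Medium", "internal", "poc", "prod"),
    Finding("CVE-PLACEHOLDER-4", "Low", "internet", "public_exploit", "prod"),
    Finding("CVE-PLACEHOLDER-5", "High", "internet", "public_exploit", "prod",
            false_positive=True),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{f.cve:20} sev={f.severity:6} env={f.environment:8} risk={risk(f)}")
    print("prod weighted count:", dashboard_summary(SAMPLE, "prod"))
```

Running the sample shows the point the deck makes about moving beyond severity alone: the internet-facing Low with a public exploit (risk 0.3) ranks above the isolated non-prod High (risk 0.06), while the plain weighted count for prod (3.0) only tells the dashboard whether the team is still inside its threshold. Replace the assumed factor tables with values agreed with your own risk management function before using this for real triage.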
