The security phoenix - from the ashes of DEV-OPS Appsec California 2020

1. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) The Security Phoenix raises from DEV-OPS ashes APPSEC California 2020 @FrankSEC42 From DEV-OPS Security raises in DEV-SEC-OPS-BIZ-RISK-GOV https://uk.linkedin.com/in/fracipo PUBLIC

2. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) Agenda About the author Conclusions Q&A Security Phoenix – Scanners Triage and Visualizers Security Phoenix – People & Trust + Verify Evolution of DEVOPS in Security Phoenix Context @FrankSEC42 Security Phoenix – Maturity Matrix & Education PUBLIC Security Phoenix – Visibility Problem Security Phoenix – The cake and traceability problem

3. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo About the Francesco 3 Francesco Cipollone Founder – NSC42 LTD I’m a CISO and a CISO Advisor, Cybersecurity Cloud Expert. Speaker, Researcher and Chair of Cloud security Alliance UK, Researcher and associate to ISC2. I’ve been helping organizations define and implement cybersecurity strategies and protect their organizations against cybersecurity attacks Website Articles NSC42 LinkedIn Security is everybody’s job We need to make security cool and frictionless Copyright © NSC42 Ltd 2019 Email@FrankSec42 Fracipo Linkein PUBLIC

4. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo What the hek is DEV-SEC-OPS? 4 What kind of animal is the DEV-SEC-OPS? Integrate security into the OPS team (and add a spark of BIZ) PUBLIC DEV-OPS+ SEC

5. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Anatomy of a phoenix 5 What Are the core pillars of Security Pheonix Secure Operate Secure Design Build & Test People & Education Governance & Risk mng PUBLIC

6. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 6 PUBLIC Why do we worry about security? The Problem Landscape

7. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Major Breaches 7 PUBLIC 2009/ 2010 2012 Microsoft Heartland US Military Aol TJMax 2013 2016 2017 2014 2015 2018 Sony PSN NHS Betfair Steam Deep Root IRS Anthem Dropbox Lastfm Blizzard Marriot Twitter MyHeritage Uber Quora.. Why fixing Security Vulnerabilities is everybody’s job? Equifax Myspace Twitter Yahoo Linkedin Friend Finder Dailymotion Mossack Fonseca JP Morgan Home Depo Ebay Yahoo(orignal) US Retailers Adobe UbiSoft Court Ventures 2012 2019 … …because we all get affected by it

9. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 9 PUBLIC From Dev to prod and cakes The Visibility Problem

13. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 13 PUBLIC The software security cake The Problem Traceability Problem

15. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Road to Production: the cake analogy 15 The Objective of the various areas are • Ingredients • Recipe • Stock List (asset Register) Design Operate The Objective of the various areas are • Sell The cake • Restock the cake on the shelf Build/Test The Objective of the various areas are • Combine ingredients (libraries+Code) • Bake the cake • Test the cake Security Design Act as Health Inspector • Verify Ingredients are not mouldy • Verify Recipe does not contain poison • Stock List (asset Register) – verify the component used in the cake are genuine Act as Health Inspector • That the cake is made up of genuine ingredients (from asset register) • Test the cake for mould Security Build & Test Act as Health Inspector • Verify Cake on the shop are made of genuine ingredients (from asset register) • Verify expiry data of Cake • Test the cake for mould Secure Operate PUBLIC

16. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Fixing Vulnerability the ABC…D 16 D – Respond/recover (Fix Vulnerability) 7 – Schedule Vuln Fixes (Jira) 7 – Fix Vuln & measure (quarterly) C – Visualize Vulnerabilities (Display) Reporting Dashboards (based on the maturity & KPI) Link the trending to Build vs FIX, Vuln trending, B – Detect (Scan Code) Select Team Leads and identify security champions Get security Scanners (SAST/DAST) Onboard and teach how to triage Create a Vulnerability Data lake (results of the vulnerabilities) A - IDentify (Software Asset Register) Software you build (repositories) Software You buy Trace Completeness across all the application you have Asset Register for Vulnerability Data Lake KPI Reporting & Dashboard Prioritizing & Vulnerability Reduction Outcome PUBLIC

17. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Vulnerability management Lifecycle Discover 01 02 03 04 05 06 Vuln Mngmn Lifecycle Software Asset Register Scan Code/Infra/network Triage/ Assess Triage & identify False Positives Tweak Scan Profiles Prioritize Visualize Prioritize vuln (Start Easy) Network Location Exploitability … Graph – Up/down trending of prj Build vs FIX Time to Fix Remediate/ Risk Verify Fix Code and redeploy in test Test implemented Fix

18. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 18 PUBLIC The Software Asset Register The Appsec Lifecycle & Shift Left

19. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Asset Register Part A 19 DEV Security Production Security Scanning Vuln SAST Library IAST MAST Visualizing Vuln Prod DEV BuildvsFix VulnTrending Risk Remediation P CodeFix LibUpgrade Patching DAST Resolution NEWCode NEWLib Applied Patches Triaging Vuln FalsePositives Impact Exploitability NetLocation AggregationLayer API/AutomationLayer Refine/Enrich Risk Assess/Prioritize API/AutomationLayer Assets Code YOU Own Approved 3rd party Black Box Open Source Approved Approved Libraries/Repo Pipeline of ‘new’ Open Source Approved New Code being Considered New Repo/ Libraries Eval of 3rd Party PUBLIC

20. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Git to People: Who does what where Visualizer 20 DEV Security Production Security git ls-tree -r -z --name-only HEAD -- update- tools-mac.sh | xargs -0 -n1 git blame --line- porcelain HEAD |grep "^author "|sort|uniq - c|sort -nr For Every Repo List of committers E-Mail/HR DB Build vs FIX & Tickets App scan? PUBLIC

21. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 21 PUBLIC How to Embed DEV-SEC-OPS The People & Technology part

22. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo What do you get out of Security Phoenix? 22 1. Visualize and Fix Vulnerability at scale and pace (DEV & Ops) 2. Trust the Product team but keep them accountable: Trust & Verify & License to Operate 3. Maturity & Recap PUBLIC

23. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects – Part B 23 DEV Security Production Security Scanning Vuln SAST Library IAST MAST Visualizing Vuln Prod DEV BuildvsFix VulnTrending Risk Remediation P CodeFix LibUpgrade Patching DAST Resolution NEWCode NEWLib Applied Patches Triaging Vuln FalsePositives Impact Exploitability NetLocation AggregationLayer API/AutomationLayer Refine/Enrich Risk Assess/Prioritize API/AutomationLayer Assets Code YOU Own Approved 3rd party Black Box Open Source Approved Approved Libraries/Repo Pipeline of ‘new’ Open Source Approved New Code being Considered New Repo/ Libraries Eval of 3rd Party PUBLIC

24. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects -> Under the hood 24 PUBLIC Repositories Build/Staging/UAT/ Test Environments Scanner for Code Scanner for Build Dashboards For SAST DEV Dashboard Scanner for Test Dashboard Build/ Test Production Prod Scnner Dashboards PROD Dashboards Development-Testing Production Scanner for prod Triage the vulnerabilities Scan At various Stages Scanners to Tickets or aggregators DEV Security Production Security SET Targets For Prod & DEV Vuln

25. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects – Part C 25 DEV Security Production Security Scanning Vuln SAST Library IAST MAST Visualizing Vuln Prod DEV BuildvsFix VulnTrending Risk Remediation P CodeFix LibUpgrade Patching DAST Resolution NEWCode NEWLib Applied Patches Triaging Vuln FalsePositives Impact Exploitability NetLocation AggregationLayer API/AutomationLayer Refine/Enrich Risk Assess/Prioritize API/AutomationLayer Assets Code YOU Own Approved 3rd party Black Box Open Source Approved Approved Libraries/Repo Pipeline of ‘new’ Open Source Approved New Code being Considered New Repo/ Libraries Eval of 3rd Party PUBLIC

27. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects 27 PUBLIC Example of a dashboard for Vulnerability Visualization DEV Security Production Security

28. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects - Part D fix 28 DEV Security Production Security Scanning Vuln SAST Library IAST MAST Visualizing Vuln Prod DEV BuildvsFix VulnTrending Risk Remediation P CodeFix LibUpgrade Patching DAST Resolution NEWCode NEWLib Applied Patches Triaging Vuln FalsePositives Impact Exploitability NetLocation AggregationLayer API/AutomationLayer Refine/Enrich Risk Assess/Prioritize API/AutomationLayer Assets Code YOU Own Approved 3rd party Black Box Open Source Approved Approved Libraries/Repo Pipeline of ‘new’ Open Source Approved New Code being Considered New Repo/ Libraries Eval of 3rd Party PUBLIC

29. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Triaging Vulnerabilities 29 DEV Security Production Security Security Scanners Potential Defects Triage Real Defects Vuln Scoring Is it a false positive? PODs DEV Sec Champion Risk Person Lead Appsec Sec Arch SupportFunctions PODs DEV Sec Champion Risk Person Lead Appsec Sec Arch Support Functions OS Framework Library Code 3rd Party DefectTypes Prioritized Vulnerabilities Can they be fixed? RiskWork Ticket Yes No Threat Modelling Prioritized Vulnerability (with Context) Compensating Control Increased Impact/ Probability NoYesMitigation BIA - Impact Exploitability - Likelyhood PODs DEV Sec Champion Risk person Lead Appsec Sec Arch SupportFunctions How exploitable? Maturity Level Maturity level PUBLIC

31. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Trust & Verify Core – Fast & Confident – Core Concepts 31 Going fast but with confidence (SEC) 1. Trust & Verify 2. License to operate/code >> Set Thresholds: Bild vs Fix, Vulnerability trending People & Education PUBLIC

32. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Trust & Verify – Under the hood 32 Learning & Education Build vs FIX Target Application Security Scanners Production Dashboard Development Dashboard Job Queue Defects Bugs New Features Am I compliant with Code Defects Target ? Triage & Vulnerability Per applicationDay to day fix or build Code 3rd parties Components (FOSS + Libraries) Engeneers & Developers DEV-SEC-OPS Application Group (unit that works on one or more application) DEV Test Prod nt to prod he License erate Engeneers & Developers Application/ Product Owner Security Champion Security Architect Security Vulnerabilities Bugs& Errors NEWFeatures Thresholds Vulnerability Targets (Quarter) Phoenix Aggregator DB License to operate PUBLIC

33. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Trust & Verify Key concepts - Summary 33 Developer can operate fast and deploy if they have a license 1. Trust your developers and apply a ‘license to operate’ 2. Apply governance (light and heavy weight) 3. Visualize and keep everyone accountable 4. Make security resource available to the developers and document the fixes PUBLIC

34. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Security Education in DEV-SEC-OPS 34 1. Awareness Training For your users 2. Craft Training based on the scanner (faults) data 3. Education on the job – What good looks like 4. Make the training entertaining (CTF and Rewards) Security Education Education: PUBLIC

35. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 35 PUBLIC Bringing all together Maturity Model & Recap

37. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo To Achieve High Maturity what do you do 37 PUBLIC DEV Security Production Security Mat urity Task How much 1 No Peer Review 1 No Code Scanning 1 No library update 1 No risk management 1 No visibility on vulnerabilities 1 No knowledge of pods 1 No team to pod mapping 1 No Documentation of Fixes 2 Peer Revew 2 Team to Pod to Stash recorded 2 Onboarded application on code scanners 2 Libray scanning 2 triage of vulnerabilities (base) - Consider only high medium and low 2 Manual Evaluation of team and Allocation of Licence to Operate 2 No SLA 2 No Documentaiton 2 Adoption Dashboard 3 Peer Review with Toolset 3 Updated Teams and asset register 3 Basic Triage of vulnerabilities 3 Code Scan with Pipeline Break & Basic SLA 3 Adoption Dashboard (advanced) Per A.C. and Per Region 3 Risk Assessment from code scanning with record in Risk management Register 3 Automated Licence to operate: Code Scanning, Libraries, Internal Training 4 Fix time of vulnerabilities recorded 4 T-Shirt Sizing of fixes and Adaptation of SLA based on fixes 4 Visualization of pod to fix 4 segmentation dev and prod 4 Fix ticket in Jira & Build vs Fix Concept 4 Fuzzing (basic with generic per app) 5 Automated Licence to operate: Code Scanning, Libraries, Internal Training, Build Vs Fix 5 Automated Fuzzing & Library of tests Level 1 Level 2 Level 3 Level 4 Level 5 Intial Manage d Defined Quantitatively Managed Optimized Security Design AS-IS->TO- BE Security Design Governance AS-IS TO-BE Security Build & Test AS-IS TO-BE Security Operate AS-IS-> TO-BE Appsec Security Education AS-IS TO-BE Application Security Risk Management AS-IS TO-BE Reporting Frequency KCI Mat rutiy Build/Test Prereq -> 0 Who is working on which repository Monthly 1 Team On-boarded on scanners (per pod) Monthly 1 Code Scanning Frequency per project (min 1 per week) Monthly 1 Dashboard for Scanners created Monthly 2 Number of vulnerabilities ticket recorded Weekly 2 Dashboard for vulnerabilities - Onboarded Projects Weekly 2 Vulnerability Fixed (quarter) Monthly/ Quarterly Checks 3 Project imported in Kennar and Enriched Vulnerabilities (kennar) Monthly 3 Projects breaching the Build vs Fix target Monthly/ Quarter Checks 4 Fixes per thematic in SLA Monthly 4 SLA for Fixes (breached/achieved) Monthly 4 Team Achieving Licence to operate and Out of the licence Monthly 5 Build vs fix Monthly 5 Licence to operate Monthly Overall Maturity Maturity Steps KCI

38. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Fixing Vulnerability the ABC…D 38 D – Respond/recover (Fix Vulnerability) 7 – Schedule Vuln Fixes (Jira) 7 – Fix Vuln & measure (quarterly) C – Visualize Vulnerabilities (Display) Reporting Dashboards (based on the maturity & KPI) Link the trending to Build vs FIX, Vuln trending, B – Detect (Scan Code) Select Team Leads and identify security champions Get security Scanners (SAST/DAST) Onboard and teach how to triage Create a Vulnerability Data lake (results of the vulnerabilities) A - IDentify (Software Asset Register) Software you build (repositories) Software You buy Trace Completeness across all the application you have Asset Register for Vulnerability Data Lake KPI Reporting & Dashboard Prioritizing & Vulnerability Reduction Outcome PUBLIC

39. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Application Security Scanners Production Dashboard Development Dashboard Job Queue Defects Bugs New Features Am I compliant with Code Defects Target ? Am i still compliant with Overall Build vs FIX Targets ? Triage & Vulnerability Per applicationDay to day fix or build Code 3rd parties Components (FOSS + Libraries) Engeneers & Developers DEV-SEC-OPS Application Group (unit that works on one or more application) DEV Test Prod Deployment to prod Relies on the License to Operate Engeneers & Developers Application/ Product Owner Security Champion Security Architect Security Vulnerabilities Bugs& Errors NEWFeatures Thresholds Trust & Verify Framework 39 Learning & Education PUBLIC

40. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Conclusion 40 - Trust And Verify - Vulnerability Management every day life - Automation vs people aspect – is a transformation - Data Driven Education - Governance at scale Does develops have a single solution? Security is everybody’s job PUBLIC

41. Every 2 weeks 1.30 PM UK Time Cyber #MentoringMonday Podcast @FrankSEC42 PUBLIC

42. Cyber Security Awards 2020 Cloud Security Influencer of the Year Submission – 10 of May 2020 (TBD) Ceremony 4 July 2020 #CYSECAWARDS20 https://cybersecurityawards.com/ https://cloudsecurityalliance.org.uk Submit: info@cybersecurityawards.com Info: Francesco.Cipollone@cloudsecurityalliance.org.ukPUBLIC

44. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Contacts 44 Get in touch: https://uk.linkedin.com/in/fracipo Francesco.cipollone (at) nsc42.co.uk www.nsc42.co.uk Thank you WHEN YOU ARE CYBERSAFE WE ARE CYBERHAPPY @FrankSEC42 PUBLIC