A SecDevOps approach is recommended for organizations developing technical solutions so they can better respond to future vulnerabilities and threats. This involves baking security into the entire software development lifecycle, from development through operations, in on-premises, cloud and hybrid environments. Implementing innovative programming techniques and platforms such as cloud-native tools can help mature an organization's security defenses and adjust to new threats.
A SecDevOps Approach to Responding to Future Vulnerabilities
1. A Recommendation for Innovative Solutions in Software Development When Responding to Future Vulnerabilities and Threats
6 June 2021
2. mjusti99@peraton.com
Welcome
Max Justice
CEO, Maximum Justice Cybersecurity
MBA, CISSP, PMP, ITIL Foundations, Lean 6σ Black Belt, Blockchain Expert …
Ph.D Student, Northcentral University
TIM-8340 v3: Secure Software Development
Dr. Brian Holbert
6 June 2021
m.justice5408@o365.ncu.edu
Max.justice@nasa.gov
max@maximumjusticecybersecurity.com
3. Agenda
Objective - A Recommendation for a SecDevOps Approach When Responding to Future Vulnerabilities and Threats 4
Your Why - It’s All About Mitigating Risks to Vulnerabilities & Threats 5
Who Needs SecDevOps - Organizational Description 6
Where’s the Beef - New Threats and Vulnerabilities to Your Organization 7
The Value Add - Adjusting & Responding to the New Threats & Vulnerabilities 8
A Maturity Model - Maturing Your Security Defenses with SecDevOps 9
Innovation Starts Here - New Programming Techniques for Secure & Improved S/W Development 10
On-Prem, the Cloud & Hybrid – New & Innovative Platforms for Secure & Improved S/W Development 11
We Are Go for Liftoff - Implementing New Programming and Platforms in SecDevOps 12
Conclusion / Take Away 13
References 15
4. A Recommendation for a SecDevOps Approach When Responding to Future Vulnerabilities and Threats
A SecDevOps Approach
Any Organization That Builds / Implements Technical Solutions
The Capabilities and Responses for Dealing With Future Vulnerabilities and Threats
On Prem, in the Cloud, and in Hybrid Solutions
Throughout the Organization’s SSDLC
To Avoid Loss of Life, Production, Operations and Delivery
Baking Security into the Development & Operational Processes
5. It’s All About Mitigating Risks to Vulnerabilities & Threats
Ask 3 Questions to Understand Why Your Organization Should Use a Secure Software Development (DevSecOps) Methodology
We Need to Ask 3 Questions
1) Are we on target to reduce our Risk?
2) Do we understand that mitigating our Risk is the highest priority?
3) Have we implemented the most cost-effective Risk Mitigation Solution?
6. Organizational Description
Understand Who Needs to Use a DevSecOps Methodology
The Organizational Profile
Develops or Operates Technical Solutions
Needs the Solution to Provide Confidentiality, Integrity and Availability - While Being Scalable, Reliable, Secure, Fast, Responsive, and Fault-Tolerant
Requires Continuous Integration / Continuous Delivery
Ref: Samant, D. (2020) A User’s Guide to DevSecOps Success. Technology & Innovation. Business 2 Community. Retrieved from
https://www.business2community.com/cloud-computing/a-users-guide-to-devsecops-success-02300986
7. New Threats and Vulnerabilities to Your Organization
Threats & Vulnerabilities Organizations are Facing?
Social Engineering
Ransomware
DDoS Attacks
MitM
Third Party Software & The Supply Chain
Cloud, On-Prem & Hybrid Computing
Who Are They - Internal Threat, Malicious Insider, State-sponsored APT, Terrorist, Industrial Spies/Espionage, Organized Crime, Hackers, Hacktivist
What Are They – AI / ML, Code, Bad Actors, Internal Threat
Cassetto, O. (2019). 21 Top Cyber Security Threats and How Threat Intelligence Can Help. Information Security. Exabeam. Retrieved from
https://www.exabeam.com/information-security/cyber-security-threat/#21
Graphic courtesy of
Ref: Sherwin Wulf, L. (2021). Leveraging Research to Elevate Brand Awareness & Generate Leads. Market Connections. Retrieved from
http://www.marketconnectionsinc.com/managing-the-unpredictable-human-element-of-cybersecurity-2/
8. Adjusting & Responding to the New Threats & Vulnerabilities
How Your Organization Can Adjust to New Threats & Vulnerabilities
SecDevOps – Managing and Implementing Secure Development
and Operation Activities
Leverage Industry Controls – NIST, CIS, OWASP, MITRE
Threat Intelligence – e.g. anti-malware programs comparing code against a database of previously detected signatures
Good Cyber-hygiene – Train, Practice, Test, Policy
SIEM & Monitoring Tools - data collection and analysis solutions
SOAR – Security Orchestration, Automation, and Response, a category of cybersecurity solutions (Gartner, 2017)
Cassetto, O. (2019). 21 Top Cyber Security Threats and How Threat Intelligence Can Help. Information Security.
Exabeam. Retrieved from https://www.exabeam.com/information-security/cyber-security-threat/#21
Neiva, C., Lawson, C., Bussa, T. & Sadowski, G. (2017) Innovation Insight for Security Orchestration, Automation and Response. Gartner Research.
Gartner. Retrieved from https://www.gartner.com/en/documents/3834578/innovation-insight-for-security-orchestration-automation
9. Maturing Your Security Defenses with SecDevOps
Strengthening Your Security Defenses
Build & Deployment: Build, Deploy, Patch Management
Culture & Organization: Educate & Guide, Processes
Implementation: Hardening
Information Gathering: Logging, Monitoring
Test & Verification: App Testing, Consolidation, Test-Intensity, Dynamic Apps, Static Apps, Dynamic Infrastructure, Static Infrastructure
Pagel, T. (2021) DSOMM: OWASP DevSecOps Maturity Model. OWASP. Retrieved from https://owasp.org/www-project-devsecops-maturity-model/
10. Innovative Programming Techniques for Improved S/W Development
New Programming Techniques for Improved S/W Development?
There are many types of programming techniques
This SecDevOps Model is the Recommended Innovation to Programming
Lemasov, E. (2021). DiatomEnterprises: Full-Service Development Company. Diatom Enterprises. Retrieved from https://diatomenterprises.com/our-process/
Based on The DoD Software Lifecycle Model
DoD Cyber Exchange (2021). DevSecOps. DoD Cyber Exchange. Defense Information Systems Agency
(DISA). Retrieved from https://public.cyber.mil/devsecops/
11. Innovative Platforms for Secure & Improved S/W Development
New & Innovative Platforms for Secure & Improved S/W Development?
Cloud-Native DevSecOps tools and the Data they Generate
Data-Backed Support for the Automation of Container Scanning
Support for Advanced DevSecOps Automation
DevOps to DevSecOps Transformation
DevSecOps to NoOps Transformation
Kelly, W. (2021). 5 Reasons AI and ML are the Future of DevSecOps. Anchore. Retrieved from https://anchore.com/blog/5-reasons-ai-and-ml-are-the-future-of-devsecops/
Low Code
No Code
Agile
DevOps
SecDevOps
NoOps
12. Implementing New Programming and Platforms in SecDevOps
Where Your Organization Can Implement New Programming and Platforms in SecDevOps
The Cloud – AWS, Google, MS Azure, Oracle, SAP, IBM, and many others
Apps – Clutch, AppFutura, Behance, Facebook, LinkedIn, Phabricator, Techreviewer, Decoded, AllAboutApps, and too many to list
Devices – Android, Mac, MS, Intel, AMD, IBM and many others
13. Conclusion / Take Away
There is always a risk with change: changing culture, systems and processes. Don’t lose sight of what it’s all about.
It’s about
Good cyber-hygiene practiced by all and implemented by Leadership
Understanding Your Future Vulnerabilities and Threats
Win/Win/Win
If we are to improve trust in the system, it is imperative to use sound and timely tools, techniques and analysis
14. I look forward to talking
to you again in the future
Next time,
bring friends
15. References
Aryal, M. (2016). Cyber War On Cyber Security Threats, Data Breaches. Security. ICT Frame. Retrieved from https://ictframe.com/cyber-war-on-cyber-security-threats-data-breaches/
Cassetto, O. (2019). 21 Top Cyber Security Threats and How Threat Intelligence Can Help. Information Security. Exabeam. Retrieved from https://www.exabeam.com/information-security/cyber-security-threat/#21
Cole, E. (2021). #63: The Top Cybersecurity Trends and Predictions for 2021. Life of a CISO. Secure Anchor Consulting. Retrieved from https://secure-anchor.com/podcast/
Divitec. (2021). Software Development. Divitec. Retrieved from http://divitec.org/wp-content/uploads/2018/08/34eb35_9e7aa43363764f7c97431ea29c0c064amv2.png
DoD Cyber Exchange (2021). DevSecOps. DoD Cyber Exchange. Defense Information Systems Agency (DISA). Retrieved from https://public.cyber.mil/devsecops/
Kelly, W. (2021). 5 Reasons AI and ML are the Future of DevSecOps. Anchore. Retrieved from https://anchore.com/blog/5-reasons-ai-and-ml-are-the-future-of-devsecops/
Lemasov, E. (2021). DiatomEnterprises: Full-Service Development Company. Diatom Enterprises. Retrieved from https://diatomenterprises.com/our-process/
Neiva, C., Lawson, C., Bussa, T. & Sadowski, G. (2017). Innovation Insight for Security Orchestration, Automation and Response. Gartner Research. Gartner. Retrieved from https://www.gartner.com/en/documents/3834578/innovation-insight-for-security-orchestration-automation
Pagel, T. (2021). DSOMM: OWASP DevSecOps Maturity Model. OWASP. Retrieved from https://owasp.org/www-project-devsecops-maturity-model/
Samant, D. (2020). A User’s Guide to DevSecOps Success. Technology & Innovation. Business 2 Community. Retrieved from https://www.business2community.com/cloud-computing/a-users-guide-to-devsecops-success-02300986
Sherwin Wulf, L. (2021). Leveraging Research to Elevate Brand Awareness & Generate Leads. Market Connections. Retrieved from http://www.marketconnectionsinc.com/managing-the-unpredictable-human-element-of-cybersecurity-2/
Editor's Notes
This presentation was created for organizations looking for a way to reduce their risks by establishing and performing secure software development, implementing innovative solutions when responding to future vulnerabilities and threats.
Audience:
Dr. Brian Holbert, Northcentral University
Today’s Agenda
Not only are we going to cover this slide quicker than the Domino’s delivery person, we are going to cruise through this presentation in under 30 minutes, or it’s free.
A Recommendation for a SecDevOps Approach When Responding to Future Vulnerabilities and Threats
It’s All About Mitigating Risks to Vulnerabilities &Threats
Organizational Description
New Threats and Vulnerabilities to Your Organization
Adjusting & Responding to the New Threats & Vulnerabilities
Why Your Organization Needs SecDevOps
Maturing Your Security Defenses with SecDevOps
New Programming Techniques for Secure & Improved S/W Development
New Platforms for Secure & Improved S/W Development
Implementing New Programming and Platforms in DevSecOps
Conclusion / Take Away
References
Domino’s Pizza car image courtesy of Bloomberg. https://www.bloomberg.com/features/2017-dominos-pizza-empire/
Today we are going to cover the who, what, where, when, why and how organizations need to implement a security software development methodology in order to effectively respond to future vulnerabilities and threats.
Who - Any Organization Which Builds / Implements Technical Solutions
What - The Capabilities and Responses for Dealing With Future Vulnerabilities and Threats
Where - On Prem, in the Cloud, and in Hybrid Solutions
When - Throughout the Organization’s Secure Software Delivery Lifecycle
Why - To Avoid Loss of Life, Production, Operations and Delivery
How – by Baking in Security into the Development & Operational Processes
It’s very important for the organization to understand their why: It’s All About Mitigating Risks to Vulnerabilities & Threats.
To understand the why, organizations need to ask 3 questions to understand why they should use a Secure Software Development (DevSecOps) methodology:
Are we on target to reduce our Risk?
Do we understand mitigating our Risk is the highest priority?
Have we implemented the most cost-effective Risk Mitigation Solution?
Ref: Cole, E. (2021). #63: The Top Cybersecurity Trends and Predictions for 2021. Life of a CISO. Secure Anchor Consulting. Retrieved from https://secure-anchor.com/podcast/
The Organizational Profile
Develops or Operates Technical Solutions
Needs the Solution to Provide Confidentiality, Integrity and Availability - While Being Scalable, Reliable, Secure, Fast, Responsive, and Fault-Tolerant
Requires Continuous Integration / Continuous Delivery
Shifting gears from an organization’s existing processes to a DevSecOps model of design and deployment can be daunting.
Start by getting to grips with what has changed. One of the most apparent differences is that with CI/CD, security checks and policy-driven privacy rules now need to be integrated into the coding pipeline and other tools. This is why you’ll often hear people talking about “baking in” security into the DevOps process (to result in DevSecOps). Automation levels will be far higher than previously, which will enable much greater speed and agility. The attack surface will need to be re-examined too, and different tools deployed to protect against a new threat landscape.
Different approaches currently exist for managing complexity and providing end-to-end visibility. The approach your organization opts for will depend on several factors, including its size, skills, and resource availability.
Ref: Samant, D. (2020) A User’s Guide to DevSecOps Success. Technology & Innovation. Business 2 Community. Retrieved from https://www.business2community.com/cloud-computing/a-users-guide-to-devsecops-success-02300986
Social Engineering – Phishing, Spear Phishing, Whaling, Homograph attacks
Ransomware – Malware, Spyware, Drive-by Downloads
DDoS Attacks – Botnets, Smurf Attack, Trojan, (Wiper) Malware, TCP SYN Flood
MitM – Session Hijacking, Replay Attack, IP Spoofing, Eavesdropping
Third Party Software & The Supply Chain – Rogue software
Cloud, On-Prem & Hybrid Computing – Internal Threat, Password Attack, Spoofing
Who Are They - Internal Threat, Malicious Insider, State-sponsored APT, Terrorist, Industrial Spies/Espionage, Organized Crime, Hackers, Hacktivist
What Are They – AI / ML, Code, Bad Actors
Cassetto, O. (2019). 21 Top Cyber Security Threats and How Threat Intelligence Can Help. Information Security. Exabeam. Retrieved from https://www.exabeam.com/information-security/cyber-security-threat/#21
Graphic courtesy of
Ref: Sherwin Wulf, L. (2021). Leveraging Research to Elevate Brand Awareness & Generate Leads. Market Connections. Retrieved from http://www.marketconnectionsinc.com/managing-the-unpredictable-human-element-of-cybersecurity-2/
The Value Add - How An Organization Can Adjust to New Threats & Vulnerabilities
SecDevOps – Managing and Implementing Secure Development and Operation Activities
Leverage Industry Controls – NIST, CIS, OWASP, MITRE
Threat Intelligence – e.g. anti-malware programs comparing code against a database of previously detected signatures
Good Cyber-hygiene – Train, Practice, Test, Policy –
100% asset/inventory management
100% patching
ensuring no critical data is on external facing systems
use two or multifactor authentication
Ref: Cole, E. (2021). #63: The Top Cybersecurity Trends and Predictions for 2021. Life of a CISO. Secure Anchor Consulting. Retrieved from https://secure-anchor.com/podcast/
SIEM & Monitoring Tools - data collection and analysis solutions
SOAR – Security Orchestration, Automation, and Response, a category of cybersecurity solutions (Gartner, 2017)
Cassetto, O. (2019). 21 Top Cyber Security Threats and How Threat Intelligence Can Help. Information Security. Exabeam. Retrieved from https://www.exabeam.com/information-security/cyber-security-threat/#21
Neiva, C., Lawson, C., Bussa, T. & Sadowski, G. (2017) Innovation Insight for Security Orchestration, Automation and Response. Gartner Research. Gartner. Retrieved from https://www.gartner.com/en/documents/3834578/innovation-insight-for-security-orchestration-automation
Image courtesy of Aryal, M. (2016). Cyber War On Cyber Security Threats, Data Breaches. Security. ICT Frame. Retrieved from https://ictframe.com/cyber-war-on-cyber-security-threats-data-breaches/
Based on The DoD Software Lifecycle Model
DoD Cyber Exchange (2021). DevSecOps. DoD Cyber Exchange. Defense Information Systems Agency (DISA). Retrieved from https://public.cyber.mil/devsecops/
SecDevOps Model Courtesy of
Lemasov, E. (2021). DiatomEnterprises: Full-Service Development Company. Diatom Enterprises. Retrieved from https://diatomenterprises.com/our-process/
Cloud-Native DevSecOps tools and the Data they Generate
As enterprises rely more on cloud-native platforms for their SecDevOps toolchains, they also need to put in place the tools, frameworks, and processes to make the best use of the backend data that their platforms generate. Artificial intelligence and machine learning will enable DevSecOps teams to get their data under management faster while making it actionable for technology and business stakeholders alike.
There’s also the prospect that AI and machine learning offer DevOps teams a different view of development tasks and enable organizations to create a new set of metrics
Wins and losses in the cloud-native application market may very well be decided by which development teams and independent software vendors (ISVs) turn their data into actionable intelligence. Creating actionable intelligence gives their stakeholders and developers views into what their developers and sysadmins are doing right, security- and operations-wise.
2. Data-Backed Support for the Automation of Container Scanning
As the automation of container scanning becomes a standard requirement for commercial and public sector enterprises, so will the requirements to capture and analyze the security data and the software bill of materials (SBOM) that come with containers advancing through your toolchains.
The DevSecOps teams of the future are going to require next-generation tools to capture and analyze the data that comes from the automation of vulnerability scanning of containers in their DevSecOps toolchains. AI and ML support for container vulnerability scanning offer a delicate balance of autonomy and speed to help capture and communicate incident and trends data for analysis and action by developers and security teams.
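The two paragraphs above, and the earlier note that security checks must be integrated into the coding pipeline, describe a gate rather than show one. Here is an added example (not from the deck and not Anchore's code) of the minimal version: it joins a CycloneDX-style SBOM for a container image against a vulnerability feed and decides whether the deploy stage may run. The SBOM, the feed, the EXAMPLE-* identifiers, the package names and the policy are all constructed for illustration; a real pipeline would take the SBOM from its scanner and the feed from a vulnerability database.

```python
"""Policy gate over a container image SBOM.

Added example, not from the deck or Anchore: joins a CycloneDX-style SBOM
against a vulnerability feed and decides whether the pipeline may deploy.
SBOM_JSON, VULN_FEED (placeholder EXAMPLE-* ids and package names) and
POLICY are constructed for illustration.
"""
import json
import sys
from typing import Dict, List

# Constructed SBOM fragment in CycloneDX shape; the packages are placeholders.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libfoo",       "version": "1.2.3", "purl": "pkg:deb/example/libfoo@1.2.3"},
    {"type": "library", "name": "libbar",       "version": "0.9.0", "purl": "pkg:deb/example/libbar@0.9.0"},
    {"type": "library", "name": "example-http", "version": "2.0.0", "purl": "pkg:pypi/example-http@2.0.0"},
    {"type": "library", "name": "libbaz",       "version": "4.1.0", "purl": "pkg:deb/example/libbaz@4.1.0"}
  ]
}"""

# Constructed feed: what a scanner's vulnerability database would return, keyed by purl.
VULN_FEED: List[Dict] = [
    {"id": "EXAMPLE-0001", "purl": "pkg:deb/example/libfoo@1.2.3", "severity": "critical", "fixed_in": "1.2.4"},
    {"id": "EXAMPLE-0002", "purl": "pkg:pypi/example-http@2.0.0",  "severity": "medium",   "fixed_in": "2.0.1"},
    {"id": "EXAMPLE-0003", "purl": "pkg:deb/example/libbar@0.9.0", "severity": "high",     "fixed_in": None},
    {"id": "EXAMPLE-0004", "purl": "pkg:deb/example/libqux@7.0.0", "severity": "critical", "fixed_in": "7.0.1"},
]

# Assumed policy: block on critical/high findings that have a fix; unfixed ones are warned and tracked.
POLICY = {"block_on": {"critical", "high"}, "block_unfixed": False}


def parse_sbom(text: str) -> Dict[str, Dict]:
    """Map purl -> component; only components with a purl can be matched against a feed."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % bom.get("bomFormat"))
    return {c["purl"]: c for c in bom.get("components", []) if "purl" in c}


def match_findings(components: Dict[str, Dict], feed: List[Dict]) -> List[Dict]:
    """Exact-version join on purl; feed entries for packages not in the image are ignored."""
    return [dict(v, component=components[v["purl"]]["name"]) for v in feed if v["purl"] in components]


def evaluate(findings: List[Dict], policy: Dict) -> Dict:
    """Split findings into blocking and warning per policy and return the verdict."""
    blocking, warnings = [], []
    for f in findings:
        severe = f["severity"] in policy["block_on"]
        fix_available = f["fixed_in"] is not None
        if severe and (fix_available or policy["block_unfixed"]):
            blocking.append(f["id"])
        else:
            warnings.append(f["id"])
    return {"verdict": "BLOCK" if blocking else "PASS", "blocking": blocking, "warnings": warnings}


def gate(sbom_text: str, feed: List[Dict], policy: Dict) -> Dict:
    """Pipeline step: SBOM in, verdict out. Re-runnable against a newer feed without a rebuild."""
    return evaluate(match_findings(parse_sbom(sbom_text), feed), policy)


if __name__ == "__main__":
    result = gate(SBOM_JSON, VULN_FEED, POLICY)
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["verdict"] == "BLOCK" else 0)  # non-zero exit fails the CI stage
```

Keeping the SBOM as a pipeline artifact is what makes the "capture and analyze" point above practical: when the feed changes, `gate` can be re-run against images already built without rebuilding or rescanning them. The `block_unfixed` switch is the caveat a practitioner will want: a high finding with no fix available cannot be remediated by an upgrade, so most teams route it to a tracked exception rather than a hard block, and flip the switch only for images that ship externally.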
3. Support for Advanced DevSecOps Automation
It’s a safe assumption that automation is only going to mature and advance in the future with no stopping. It’s quite possible that AI and ML will take on the repetitive legwork that powers some operations tasks such as software management and some other rote management tasks that fill up the schedules of present-day operations teams.
While AI and ML won’t completely replace their operations teams, these technologies may certainly shape the future of operations team duties. While there’s always the fear that automation may replace human workers, the reality is going to be closer to ops teams becoming more about automation management.
4. DevOps to DevSecOps Transformation
The SolarWinds, Colonial Pipeline, Equifax, Experian and other breaches are the perfect examples of why organizations must transform from DevOps to DevSecOps to protect their toolchains and software supply chain. Not to mention, cloud migrations by commercial and government enterprises are going to require better analytics over the development and operational data their teams and projects currently produce for on-premises applications.
5. DevSecOps to NoOps Transformation
Beyond DevSecOps lies NoOps, a state where an enterprise automates so much that it no longer needs an operations team. While the NoOps trend has been around for the past ten years, it still ranks as a forward-looking trend for the average enterprise.
However, there are lessons you can learn now from NoOps in how it conceptualizes the future of operations automation that you can start applying to your DevOps and DevSecOps pipelines, even today.
Kelly, W. (2021). 5 Reasons AI and ML are the Future of DevSecOps. Anchore. Retrieved from
https://anchore.com/blog/5-reasons-ai-and-ml-are-the-future-of-devsecops/
Image Courtesy of
Divitec. (2021). Software Development. Divitec. Retrieved from http://divitec.org/wp-content/uploads/2018/08/34eb35_9e7aa43363764f7c97431ea29c0c064amv2.png
There is a plethora of platforms where an Organization Can Implement New Programing and Platforms in SecDevOps
The Cloud – AWS, Google, MS Azure, Oracle, SAP, IBM, and many others
Apps – Clutch, AppFutura, Behance, Facebook, LinkedIn, Phabricator, Techreviewer, Decoded, AllAboutApps, and too many to list
Devices – Android, Mac, MS, Intel, AMD, IBM and many others
Image Courtesy of
Divitec. (2021). Software Development. Divitec. Retrieved from http://divitec.org/wp-content/uploads/2018/08/34eb35_9e7aa43363764f7c97431ea29c0c064amv2.png
My contribution to you: A thoughtful consideration of the ideas and concepts presented through new thoughts and insights relating directly to the Establishment of SecDevOps methodology in your organization
Win – By understanding and taking proactive actions, mitigating your risks by implementing defensive and protective measures, and helping your staff, stakeholders and customers practice the right amount of cyber-hygiene, because cybersecurity is everyone’s responsibility
We must remember: what gets measured gets managed, and what gets measured can be improved. Measure your ability to practice good cyber-hygiene, the basics of good cybersecurity (Cole, 2021):
100% asset/inventory management
100% patching
ensuring no critical data is on external facing systems
use two or multifactor authentication
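To make those four basics measurable rather than aspirational, here is an added example (not from the deck and not from Cole's podcast) that scores an asset inventory against them and reports the delta between two snapshots. The Asset fields, the constructed inventory rows and the 30-day patch SLA are assumptions for illustration, not a real schema or dataset.

```python
"""Score the four cyber-hygiene basics against an asset inventory.

Added example; the Asset fields, the constructed INVENTORY and the 30-day
patch SLA are assumptions for illustration, not a real schema or dataset.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    owner: Optional[str]        # None = nobody owns it, i.e. not really inventoried
    patch_lag_days: int         # age of the oldest missing patch, in days
    external_facing: bool       # reachable from the Internet
    holds_critical_data: bool
    mfa_enforced: bool          # every interactive login requires a second factor


# Constructed sample inventory (assumption, not real hosts).
INVENTORY: List[Asset] = [
    Asset("web-01",   "platform", 3,   True,  False, True),
    Asset("web-02",   "platform", 45,  True,  True,  True),   # critical data on the edge, patch overdue
    Asset("db-01",    "data",     0,   False, True,  True),
    Asset("jump-01",  None,       120, True,  False, False),  # unowned, stale, password-only
    Asset("build-01", "ci",       10,  False, False, True),
]

PATCH_SLA_DAYS = 30  # assumed SLA; "100% patching" means no asset beyond this


def hygiene_kpis(assets: List[Asset], patch_sla_days: int = PATCH_SLA_DAYS
                 ) -> Tuple[Dict[str, float], Dict[str, List[str]]]:
    """Return (% of assets passing each basic, names of the assets failing each basic)."""
    failing: Dict[str, List[str]] = {
        "inventory": [a.name for a in assets if a.owner is None],
        "patching": [a.name for a in assets if a.patch_lag_days > patch_sla_days],
        "no_critical_data_external": [a.name for a in assets
                                      if a.external_facing and a.holds_critical_data],
        "mfa": [a.name for a in assets if not a.mfa_enforced],
    }
    total = len(assets)
    coverage = {k: round(100.0 * (total - len(v)) / total, 1) if total else 0.0
                for k, v in failing.items()}
    return coverage, failing


def improvement(before: List[Asset], after: List[Asset]) -> Dict[str, float]:
    """Coverage delta per basic between two snapshots, in percentage points (positive = better)."""
    c0, _ = hygiene_kpis(before)
    c1, _ = hygiene_kpis(after)
    return {k: round(c1[k] - c0[k], 1) for k in c0}


def report(assets: List[Asset]) -> str:
    """One line per basic: OK only at 100%, otherwise GAP with the offenders named."""
    coverage, failing = hygiene_kpis(assets)
    rows = []
    for basic, pct in coverage.items():
        status = "OK " if pct == 100.0 else "GAP"
        rows.append(f"{status} {basic:<27} {pct:5.1f}%  failing: {', '.join(failing[basic]) or '-'}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(INVENTORY))
```

The point of the report is the "GAP" rows naming specific hosts: a 60% patching figure is a slide, but "web-02 and jump-01 are past SLA" is a ticket. Note that the inventory basic is scored on ownership, because an unowned host is the one nobody patches or enrolls in MFA, which is why the same host tends to fail three of the four columns.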