1. The document discusses strategies around automating security processes to keep pace with rapid software development cycles. It notes problems that arise when security cannot keep up, such as lack of business agility. 2. Automating security checks and integrating them into continuous integration/delivery pipelines is proposed as a solution. This includes running automated vulnerability scans on code check-ins and having security bugs break the build. 3. A cultural shift is needed where security is a shared responsibility and developers/operations staff understand security outputs. Continuous learning and improving processes will also help security scale effectively.

1. BATMAN
STRATEGIES
S E L E N I U M DAY – 3 1 J A N 2 0 2 0

2. Misys
BFL
Helping companies turn to towards
their intelligence and otherwise.
Consultant with companies to help
them in their agile, business transformation
and digital transformation journeys
Training and mentoring Architects and
Technology leaders
Enterprise Architecture Expert with the
Digital India Initiative
ExVice Chair TOGAF® Standing
Committee
Governing Board Member CCICI
WHAT DO I DO ?

3. DE COMPOSITION FALLACY
NOTHING + NOTHING = NOTHING
NOTHING + NOTHING = SOMETHING

4. “YOU’RE NOT THE DEVIL. YOU’RE PRACTICE.” – BATMAN

5. BUILD
Compiling source files
Packaging compiled files into compressed formats (such as jar,
zip)
Producing installers
Creating or updating of database schema or data
Reduce errors
Testing in time consuming and expensive
Does not require Human intervention
AUTOMATE
TEST
Too Many Test cases
Every other day there are new devices and scenarios
proliferating
Leave no stone unturned

6. DEVS CHURN CODE
CheckIn Continuous
Testing
Continuous
Deployment
Continuous
Monitoring
Configuration
Management
Containerization
Continuous
Integration
B AT M A N – A L L O V E R T H E P L A C E
GIT
JENKINS
SE
PUPPET DOCKER
JENKINS
AUTOMATE
ACROSS ENVIRONMENTS
MostlyTest Env
Docker 1.9 can be
used in prod
NAGIOS

7. PLAN DEV SVS BUILD TEST DEPLOY
CHECKIN
TRIGGER PULL
TEST FAILSFEEDBACK
CHECKIN
FEEDBACK
PUSHTO PRODUCTION
TEST PASS
IT IS ABOUT AUTOMATINGTHIS LOOP
USER STORIES
FEATURES
EPICS
USER STORIES
FEATURES
EPICS
JIRA IDE
GIT JENKINS PULSE PUPPET

8. THE DEATH OF ELAINE HERZBERG & ADVENT OF CARS

9. Credit:Getty Images/iStockphoto
WILL AITAKE CARE OFTHE EDGE CASES ?

10. The list of things that can go wrong for an
autonomous vehicle “is almost infinite,”
Luc Vincent, who heads R&D for Lyft’s self-driving car unit.

11. If you went down a narrow one way street that was blocked off by construction is it
okay to break the law and back down the one way street?
Could the car handle teenagers pranking and yelling conflicting commands?
Can the car understand hand signals from police or road-side workers?
Can the car recognize a fake street sign that someone put up or a damaged one?
https://www.linkedin.com/pulse/ais-phoenix-project-moment-daniel-jeffries/
EDGE CASESTHAT ARE EDGY

12. ENTERTEST CASES &TESTING ITSELF

13. “We have machines that learn in a very
narrow way,” said Bengio. “They need much
more data to learn a task than human
examples of intelligence, and they still make
stupid mistakes.” Yoshua Bengio, director of Mila (AI institute in Montreal)

14. TEST CASES WERE MINIMAL WHENTHINGS WERE
WATERFALL AND THE APPLICATION WAS USED
WITHIN A FIREWALL.
WITH A APPLICATION NOW USED BY MILLIONS
OF USERSTHE EDGE CASES ARE MIND BLOGGLING

15. WHAT ARE WE MISSING HERE ?
Courtesy :Henrik Kniberg

16. SECURITY
ONLY AUTOMATION CANTAKE CARE OFTHIS DUAL MODE AGILE NEED
Courtesy : Marty Cagan

17. Browsers
Devices
Operating Systems
Rapid Rate of New Code Being Pushed
Machine do not show Fatigue or Human Errors
Leave No Stone Unturned
Catch Defects before they are shipped
WHY AUTOMATE ?
UNITTESTING
INTEGRATIONTESTING
END TO END TESTING

18. https://www.getzephyr.com/insights/role-unit-tests-test-automation
TEST AUTOMATION PYRAMID

19. UNIT
INTEGRATION
E2E
SPLIT UPYOURTEST CASES INTHE FOLLOWING MANNER
70 %
20 %
10 %

20. ENTER ROBOT EXIT HUMAN – IT DOES NOT WORKTHATWAY
Picture : pixabay

21. Reduce errors
Testing in time consuming and expensive
Difficult to set Multi Lingual Sites
Does not require Human intervention
Speed and Extensive coverage
Machines do not fatigue
RepetitiveTests
Time consuming and Manual difficult
Time Intensive
Mission Critical BusinessTest Cases
When Automation
Test Cases are needed ?
WHY AUTOMATE ANDWHENTO ?

22. WHERE MANUALTESTING EXCELS ?
New test cases not even tested once manually
Requirements Changing frequently
Need cognitive thinking to make sense of the use cases

23. NEED FOR EVERYTHING COUNTINOUS AND BOUNDARY LESS

24. NOT ONLY IN PRODUCT PIPELINES BUT ALSO IN INDUSTRYVALUE CHAINS

25. AGE OF BOUNDARYLESS INFORMATION FLOW

26. APIs EVERYWHERE

27. Courtesy : DZone
APIsWITHIN AVALUE CHAIN

28. GHOST RIDES SCAM

29. In 2017, the Equifax credit reporting agency
used Struts in an online portal, and due to
Equifax not identifying and patching a
vulnerable version of Struts, attackers were
able to capture personal consumer information
such as names, Social Security numbers, birth
dates and addresses of over 148 million US
consumers, nearly 700,000 UK residents, and
more than 19,000 Canadian customers.

30. VALUE CHAIN CUTTING ACROSS MANY DOMAINSTO ACHIEVE BUSINESS OUTCOME/VALUE

31. Continuous
Everything
Continuous
Production
Continuous
Integration
Continuous
Automation
Continuous
Governance
Continuous
Monitoring
Continuous
Testing
WHERE DOESTHIS LEAVE US WITH SECURITY ?
Continuous
Security

32. CAN SECURITY PACE WITHTHE RATE AT WHICH CODE IS PUSHED ?

33. DEV SECOPS / SEC DEV / RUGGED DEV OPS
= SECURITY AUTOMATION AT SCALE
ENTER

34. IMPACT OF SECURITY ON BUSINESS
Proliferation of Shadow IT
Business Agility impacted due to slow security cycles.
Security unable to keep pace with Business
Adhoc projects and rogue development
True DevOps requires maturity
Slow threat assessments
Not enough patching
Reactive security posture of the company
SECURITY OPERATIONS

35. CAUSAL LOOP FOR DEVOPSECOPS IS A HUMUNGOUSTASK

36. https://www.linkedin.com/pulse/dynamics-devops-adoption-dr-pallab-saha/
CAUSAL LOOP FOR DEVOPS

37. 1. We need to discover a solution that is valuable, usable, feasible and viable.
2. We need to deliver a solution that is reliable, scalable, performant and
maintainable.
& Of Course SECURE
WHATWE ARE NOT CAPTURING ARETHE UNDERLYING ISSUES

38. Value Risk - will they use/buy it?
Usability Risk - can they use it?
Feasibility Risk - can we build it?
Business Viability Risk - will this work for our business?
Security Risk – Is our solution vulnerable ?
SOLVE OR BRAINSTORM ONTHESE RISKS BEFOREYOUWRITE A LINE OF CODE

39. Gartner predicted that 25 percent of
top global 2000 organizations would
have adopted DevOps as a
mainstream strategy

40. CI / CD Solution is one
of the important tools for
DEVSECOPS

41. DEV SEC OPS -WHY
Pace of innovation meets – Pace of Security Automation
Scalable Architectures need Scalable Security
Vulnerabilities need to be healed at the rate at which software is getting churned.
Risk Identification and Remediation at the speed of delivery

42. Slow threat assessments
Can't patch fast enough
Reactive security posture
Lack of business agility
Slow to onboard new customers
Slow turn around time
Trailblazer dev projects gone wrong
Lack of SecOps agility
PROBLEMS ASTHEY STAND

43. DEVELOPMENT
ARCHITECTURE
QA
OPERATIONS
TRADITIONAL S/W DEVELOPMENT – NOT CONTINOUS

44. WHAT WE NEED ?
MONITORING
&
SECURITY
TO BE ADDEDTO
MAKE IT CONTINOUS

45. CLOUD ADDS TO THE COMPLEXITY
MOVING TO THE CLOUD
BABY STEPS
MORE THAN ONE
CLOUD
MULTI
CLOUD SCENARIO
SECURITY RESOURCES
& CHECKLISTS
COMPLIANCE AND
REGULATIONS
OPEX

46. DEVS
OPS
DESIGN
REVIEW
TEST
UNITTEST
MOCK TESTS
PERFORMANCE
SECURITY
MEMORY MANAGEMENT
NRFS
SECURITY
RESPONSIVE NESS
RUN STUFF
BREAK THE BUILD
REPEAT
HOW DEVELOPERS SEE OPS FOLKS ?

47. WHAT DEVELOPERS WANT ?
Ease of checking in and checking out
Able to play and experiment with emerging technologies
Ability to push code regardless of the platform
ABOVE ALL A GOOD NIGHTS SLEEP

48. DEVS
DEV
ITIL COMPLIANCE
REDUCE CARBON
FOOTPRINT
TEST
GO GREEN
SUPPORT DIFF ENVS
TICKETING
SECURITY
VIRTUALIZE
CMRB
PCI DSS
KEEPTHE LIGHTS ON
WRITE CODE
TEST SOME AND
RELEASE
HOW OPERATIONS FOLKS SEE DEVELOPERS
NETWORKS
OS
ACCESS CONTROL

49. WHAT MAKES SECURITY FOLKS RELAX
ALLVULNERABILITIES ARE DISCOVERED AND FIXED INTIME
ALL COMPLIANCES AND REGULATIONS ARE MET
ALL ATTACKS HAVE A PLANNED STRATEGY AND NO SURPISES
ABLE TO KEEP IN PACEWITHTHE SPEED OF DEVELOPMENT
AUTOMATED PROCESSES FOR STATIC AND DYNAMICTEST ( SAST , DAST , IAST )

50. WHAT WE NEED IS TOOLS AND PROCESS ?
MONITORING
&
SECURITY
TO BE ADDEDTO
MAKE IT CONTINOUS
CHECKS PRESENT
CHECKS PRESENT
NEEDS ACTION
NEEDS ACTION
NEEDS ACTION
NEEDS ACTION
Static application security testing (SAST)

51. MILLION DOLLAR QUESTION ?
WHO BROKETHE BUILD ?

52. DO NOT LET SECURITY BREAKYOUR BUILD
When Cl breaks (and it breaks) it impacts everyone and everything in the process.
Creating a significant delay in the release cycle.
Start implementing security before the Continuous integration stage.
If you have 365 developers and each developer breaks only a single build once a year (usually much
more), you have an average of one build break per day.

53. SECURITY CANNOT BE A BLOCKER IT HASTO KEEP PACE

54. SECURITY WISH LIST
OPERATIONAL CHECKS
AUTOMATIC FAULT DETECTION
AND CORRECTION
AUTOMATION REMIADIATION
AUTOMATIC AUDITING & FORENSICS
CODE LEVEL CHECKS
SECURE CODING PRACTICES
PRO ACTIVE CONTROLS IN THE CODE
BUILD LEVEL CHECKS
VULNERABILITY CHECKS
CONFIGURATION SCRUBBING
DEPLOY CHECKS
CONTINOUS VULNERABILITY SCANS
PICK ONLY AUTHENTIC IMAGES
GRANT JUST ENOUGH SERVER ACCESS

55. Command and
Control
Low trust
Organizations
Empowered
High trust
Organizations

56. DEVOPS IS FOR HORSESTOO NOT ONLY UNICORNS

57. IFYOU CAN DO IT FOR SAPYOU CAN DO IT FOR ANYTHING

59. PROBLEMS & SOLUTIONS
IN FRONT OF US

60. SECURINGYOUR PIPELINES

61. PUSHTHE RESPONSIBILTYTOTHE DEVELOPERS

62. AIM FOR LESS FALSE POSITIVES
AIM FOR HIGH QUALITY
AIM FOR SPEED OF DELIVERY

63. SECURITY NEEDS MORETHAN JUST LIP SERVICE
Typically the ratio of DEVto OPSto SEC is 100/ 10 / 1

64. APPLICATION SECURITY
ACCOUNTS FOR
ABOUT
29 ~ 40 % OF ALL BREACHES

65. Automatic has issues as
Security Issues if found cannot be
stopped

66. AUTOMATE AUTOMATE AUTOMATE AS MUCH AS POSSIBLE
GETTHE DEVS ANDTHE OPSTO READ AND INTERPRETTHE RESULTS
ADD REQUIREMENTS INTHEVERY BEGINNING AT DESIGN AND REQUIREMENTS
BUILD BREAKS IFVULNERABILITIES NOTICED INTHE CHECKIN

67. THE NETFLIX WAY
Aardvark and Repokid
PRINCIPLE OF LEAST PRIVILEGE

68. Positive testing determines that your application works as expected. If an error is
encountered during positive testing, the test fails.
Negative testing ensures that your application can gracefully handle invalid input or
unexpected user behavior.

69. Invite both sides of the table to the meeting DEV and OPS
Incidents
Threat Modelling
Security Sprints Etc.

70. MEASURE MEASURE & MEASURE

71. FEED BACK PENETRATION RESULTS INTO UNITTEST

72. CREATE A CULTUREWHICH IS HIGH ONTHE SECURITY DNA
Make it public when you fix things and update on internal wiki
Share Point or CMDB for all fixes on Security
Do not make it personal fix the issue not the person
Arrange for tech talks to spread the know how of the fixes
Educate DEV and OPS to read security tool analysis well
Shadow resources who could build capabilities

73. The further right the project is on the DevOps scale the
further
left it should start implementing security checks

74. COST OF NOT FIXING ATTHE RIGHTTIME
SHIFT LEFTTO GAIN
Courtesy :Tanya Janca, Senior Cloud Developer Advocate, Microsoft

75. MOVE SECURITY UPTHE CHAIN IN REVERSE ORDER
Courtesy :Tanya Janca, Senior Cloud Developer Advocate, Microsoft

76. CONTINOUS LEARNING IS KEY

77. ACTION ITEMS POST THIS CONFERENCE

78. Add security verification to Cl/CD Pipelines
Critical security bugs break the build
In the first three months following this presentation you should:
Create Negative Unit Tests from existing positive unit tests
Lessons on top 3 security bugs
High security bugs break the build
Within six months you should:
Regular lessons on AppSec, including a security exercise or simulation
Improvements of security processes for speed and removal of obstacles
Creation of parallel security pipeline
Medium security bugs break the build
NEXT STEPS FORYOU

79. LIST OFTOOLS OUTTHERE

80. https://www.esecurityplanet.com/network-security/security-automation-and-orchestration-soar.html
https://www.youtube.com/watch?v=sJ2ott9yAlE
REFERENCES
https://www.youtube.com/watch?v=pDY639JsT7I
https://www.linkedin.com/pulse/ais-phoenix-project-moment-daniel-jeffries/
https://www.agilealliance.org/glossary/automated-build
https://blog.rapid7.com/2017/07/06/soc-automation-best-practices/
https://www.youtube.com/watch?v=iKA_chn8P4c
https://www.youtube.com/watch?v=uFpsO4jnV_Q
https://www.youtube.com/watch?v=RJafMxfQ_IY

81. www.eturnti.com
kiran@eturnti.com
kirandivakaran@gmail.com
twitter : @eturnti
Kiran Divakaran