© 2016 VERACODE INC.
DevOps – Security’s Big Opportunity
Peter Chestna, Director of Developer Engagement
Veracode/CA

Who am I?
• 25+ Years Software Development Experience
• 10+ Years Application Security Experience
• Certified Agile Product Owner and Scrum Master
• At Veracode since 2006
• From Waterfall to Agile to DevOps
• From Monolith to MicroService
• Consultant on DevSecOps best practices
• Fun Fact: I love whiskey!
• Tell me where to drink local whiskey
@PeteChestna

Lack of App Security is Damaging Companies

High Profile Breaches
All attacked through the app layer

Is this your current AppSec program?

Which outcome do you see?

Times have changed

Release Timelines & Team Sizes
Waterfall: 1-4 Releases Per Year, 50+ people
Agile: 12-24 Releases Per Year, 6-12 people
DevOps: 100+ Releases Per Year, 6-12 people

DevOps
(Diagram: Plan, Dev, QA, Ops, with Business Intent, App Knowledge and Ops Knowledge carried across the flow; ! = Handoff)
Waterfall: ! ! ! !
Agile: !
DevOps: Continuity

Technology
(Figure: Waterfall, Agile, DevOps)

Agile - Process
Copyright 2005, Mountain Goat Software

What is DevOps?

Definition of DevOps

What’s a DevOps Team?
(Figure: DevOps Team)

DevOps – Process: Where is security?
(Figure: the DevOps process with Security marked)

Strategy
• Relationship & Accountability
• Training & Remediation Coaching
• Security Champions & Right-sized testing

Strategy - Relationships
• Who is your peer in development?
• Do you understand how they are goaled?
• What are their struggles?
• How often do you meet with them?
• Are they sympathetic to your goals and struggles?

Strategy - Accountability
• Shared between development and security
• Part of annual goals for both teams
• Measured and reported regularly

Strategy - Training
• Security teams can help developers by providing training, either through eLearning or in-person instructor-led training
• Think about targeted training based on policy violations

Strategy - Training

Strategy - Remediation Coaching
For applications that used remediation coaching, development teams fixed more than 2.5x the average # of flaws per megabyte

Strategy – Security Champions
• Eyes and ears of security
• Specialized training
  • Basic security concepts
  • Threat modeling
  • Grooming guidelines
  • Secure code review training
  • Security controls
  • CTF Exercises
• Escalate when necessary

Strategy – Right-sized Security
(Figure: security activities mapped across the pipeline phases Plan, Code, Build, Test, Stage, Deploy, Monitor)
• Training (eLearning, instructor led, metadata driven)
• Static Application Security Testing + 3rd Party Risk Analysis
• Remediation and Mitigation Guidance
• Secure Code Reviews
• Manual Penetration Testing
• Red Team Activities
• Runtime Application Self Protection
• Dynamic Application Security Testing
• Threat Modeling
• Security Grooming
• Secure Design

Strategy – Right-sized testing: protect the pipeline
(Pipeline diagram labelled CI and CD; numbered steps as in the figure)
1. Backlog
2. Develop
3. Build & Test (3a. Manual Testing*)
4. Check in
5. Build (CI/CD Pipeline, Per Check-in)
6. Static Analysis, Unit Tests
7. Pass? No: Synchronize. Yes: Deploy to QA/Stage
8. Dynamic Analysis, Regression Testing
Pass? Yes: Stage then Prod
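The "Pass?" decision after static analysis at step 7 is a policy check the pipeline can run automatically, and the violations it records are exactly the input the Strategy - Training slide proposes for targeted training. The following is an added example, not code from the deck or from Veracode: it reads constructed scanner output in a hypothetical JSON format, applies a hypothetical severity policy, and returns the gate result together with the CWE categories that caused it.

```python
import json
import sys
from collections import Counter

# Constructed sample output of a static analysis run (hypothetical JSON
# format, not any real scanner's). Severity uses a constructed 0-5 scale.
SAMPLE_FINDINGS = json.dumps([
    {"severity": 5, "cwe": "CWE-89",  "file": "app/db.py",    "line": 42},
    {"severity": 3, "cwe": "CWE-79",  "file": "app/views.py", "line": 10},
    {"severity": 3, "cwe": "CWE-79",  "file": "app/views.py", "line": 55},
    {"severity": 2, "cwe": "CWE-200", "file": "app/log.py",   "line": 7},
])

# Hypothetical policy: any finding at severity 4 or above blocks the build,
# and more than two severity-3 findings also block it.
POLICY = {"block_at_or_above": 4, "max_medium": 2}


def evaluate_gate(findings_json, policy=POLICY):
    """Decide the 'Pass?' step and summarise violations per CWE.

    Returns a dict with 'pass' (bool), 'violations' (the findings that
    caused the failure) and 'training_topics' (CWE -> count), the latter
    being what a security team would use to target developer training.
    """
    findings = json.loads(findings_json)
    blocking = [f for f in findings
                if f["severity"] >= policy["block_at_or_above"]]
    medium = [f for f in findings if f["severity"] == 3]
    violations = list(blocking)
    if len(medium) > policy["max_medium"]:
        violations.extend(medium)
    return {
        "pass": not violations,
        "violations": violations,
        "training_topics": dict(Counter(f["cwe"] for f in violations)),
    }


if __name__ == "__main__":
    # In a real pipeline the findings would come from the scanner step.
    result = evaluate_gate(SAMPLE_FINDINGS)
    for f in result["violations"]:
        print(f"BLOCK {f['cwe']} sev={f['severity']} {f['file']}:{f['line']}")
    print("training topics:", result["training_topics"])
    # A non-zero exit fails the check-in build, so the developer fixes and
    # synchronizes instead of the change being deployed to QA/Stage.
    sys.exit(0 if result["pass"] else 1)
```

Run with the scanner's output in place of SAMPLE_FINDINGS; the exit status is what the CI job gates on, and the training topics can be aggregated across builds.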

Conclusions
• DevOps is inevitable – learn it
• Relationships and shared accountability are key to securing apps
• Train developers and help them fix what they find
• Adjust to the speed of DevOps and right-size your security requirements

Questions?