4. “How do I Shift”
• How do I fix?
• How do I ensure coverage?
“I’m Shifting”
• How do I test?
• How do I ensure I won’t get
slowed down?
The Changing Conversation
5. The Security Guys
• CISO
• Head of IT Security
• AppSec Manager
The “DevOps” Guys
• Delivery Manager
• Application Lead
• Automation Lead
• “the guy who optimises stuff
and makes it go faster”
The Changing Personas
10. The Dangers of Moving Fast
• Changes being made so quickly, and so often, that it is difficult
to understand and review them for risk
• Lack of stage gates which means there are no natural points to
insert reviews, tests or other controls
• Not enough time to do exhaustive testing or reviews
• Constantly changing risk profile
11. The Benefits of Moving Fast
• Frequent delivery drives teams to automate and standardize
workflows, especially build-and-deploy pipelines, increasing
control over and transparency into change.
• Most changes are incremental and small, which makes it
easier to understand and test, and safer to release each change.
12. Fast and Incremental, Slow and Exhaustive
“The faster teams move, and the more they rely on automation, the more
tradeoffs they need to make. Because not enough time is available to run
deep, exhaustive scans or other security tests in continuous testing,
organizations need to scan first for the most critical vulnerabilities. Then they
need to target recently changed code for incremental testing and rely on
smoke tests to catch other critical mistakes. Rules and tests that take too long to
run or are too noisy need to be tuned or cut out, leaving holes in test
coverage.
This means that periodic pen testing, in-depth manual reviews,
configuration, auditing, deep scanning and fuzzing are still needed to find
errors that escape tight automated loops.”
13. Three Steps to Shifting Left
• Establish an Inventory Baseline
• What does your forward process look like?
• Assess Continuously and Feedback Findings
• Visibility of findings
• Automate Testing Process
• Optimise process
• Amplify feedback loops
17. Becoming Selective in Test Scoping
• Some code is more security
critical than other
• Ensure adequate controls over
’security sensitive’ code
• Manual/peer review changes
• Use test harnesses to allow
fast, automated security
scans
21. #1 : Prescribe a Policy for OSS Use
• Prescribe a policy for the use of OSS based on:
• Risk appetite
• Business criticality
• Time to market
• Organisational maturity
• Provide a recommended architecture of
commonly used and pre-approved components
• Educate your security team in the use of OSS
components and risk determination
22. #2 : Control Your Repositories
• Use a caching binary repository server (such as
Nexus)
• Maintain a blacklist of known bad (and hence
banned) components
• Maintain a whitelist of known good (and hence
approved) components
• Quarantine unknown components until assessed
• In extremis disable access to public internet
repositories
24. The Changing Skillset Required
• Learn how to code!
• Learn the ‘tools of the trade’ (Git, Ansible, etc.)
• Learn the basics with a test application i.e. WebGoat.Net
• Trawl developer communities (StackOverflow, etc.) for
security related topics and contribute
• Contribute security patches to an OSS project
• Experience a ‘Day in the Life’ of a Developer
34. Building and Optimising your Pipeline
• Policy and regulatory requirements?
• Velocity of pipeline?
• Risk appetite?
• Technical debt?
• Risk history?
• Nature of the change?
39. Do No (More) Harm
• Establish a baseline
• Declare an amnesty
• Accept no more flaws
40. What Happens When a Scan Fails?
Fall Back
• Go back to the last
known good scan
• Blue/green releases
Fall Forward
• If your velocity is
sufficient wait for
the next release
• Ensure your
feedback loop is
tight
Exception
• Proceed at risk
• Understand the risk
41. An Informed Risk Acceptance Process
• Scan or risk history
• Plain old (uncommon) common sense
• Points/credits system
• Machine Learning (tm) methods
• Exception process
45. The Breakdown of the Monolith
• Discover and monitor inter-service
communications
• Segment and isolate applications and
services
• Automate policy management and
configuration
https://www.darkreading.com/endpoint/rethinking-application-security-with-microservices-
architectures-/a/d-id/1325155?