The Divine and Felonious Nature of Cyber Security (Introduction to DevSecOps)
John Willis
@botchagalupe
https://github.com/botchagalupe/my-presentations
The Felonious Nature of Cyber Security
Actual Exploitation 2015 VZ DBIR
Sonatype
DevSecOps Community Survey 2018 - Sonatype
Anatomy of CVE-2017-5638
• Discovered 3/6/2017
• Announced 3/9/2017
• CVE created 3/10/2017
• Equifax discovers 7/2017
• Equifax announced 9/2017
Anatomy of CVE-2017-5638
• Discovered - 3/9/2017
• Action - 3/10/2017
• Remediation - 3/14/2017
Anatomy of CVE-2017-5638
• As of fall 2017, 3,054 organizations downloaded the exact version of Struts2 that was publicly disclosed as vulnerable on 3/10/17 and subsequently exploited at Equifax between 5/17 and 9/17.
• As of fall 2017, 46,557 organizations downloaded a version of Struts and/or its sub-projects with known vulnerabilities despite perfectly safe versions being available.
Data derived from Sonatype's 2017 Software Supply Chain Report
Anatomy of CVE-2017-8046 (Fool Me Once)
• Published 9/21/17
• CVE created 01/04/2018
• Discovered 2/18/17
• Corrected 3/6/18
Anatomy of CVE-2017-8046 (Fool Me Once)
• For the 5 months prior to the September 2017 disclosure, developers downloaded the affected Spring components 411,046 times while they were believed to be good.
• In the 5 months after the September 2017 disclosure, developers downloaded the affected Spring components, which were by then known to be vulnerable, 367,351 times. Only an 11% dip.
Data derived from Sonatype's 2017 Software Supply Chain Report
Security and the Goldilocks Zone
• The fallacious nature of cyber security relates to the standard legacy security model, specifically the idea of perimeter security.
• This concept involves the implementation of a stateful firewall at a routed point within the network that very rarely gets looked at unless an operational change is required.
• The problem with having only perimeter security is that applications have changed significantly in the last ten years while the infrastructure they run upon is playing by the same old rules.
Very Quick Talk About Devops
Devops Automated Deployment Pipeline
Source: Wikipedia - Continuous Delivery
Devops Results
Google
• Over 15,000 engineers in over 40 offices
• 4,000+ projects under active development
• 5500+ code submissions per day (20+ p/m)
• Over 75M test cases run daily
• 50% of code changes monthly
• Single source tree
2016: 150 Million automated tests run daily…
Summary
• Agile took us from months to days to deliver software
• Devops took us from months to days to deploy software
• Now security is the bottleneck
Adversaries
Knowing Adversaries and Motivations
DevSecOps
You Build It, You Secure It
DevSecOps as Supply Chain?
Source: Wikipedia - Continuous Delivery
Software Supply Chain
Pipeline diagram (DevOps Example): Delivery Team → Version Control → Build → Test → Release → Stage → Prod
Security in the Software Supply Chain
Pipeline diagrams: the DevOps Example pipeline above, and a DevSecOps Example pipeline with the same stages (Delivery Team → Version Control → Build → Test → Release → Stage → Prod)
Implementing DevOps in a Regulated Environment
Phases: Requirements & Design; Development; CI; Interval Trigger Assessment; Production
Controls shown across the phases: Application Risk Classification; Security Requirement Definition; Secure Libraries; Static Analysis/IDE; SCM; Open Source Governance (CI); Secure Coding Standards; Perimeter Assessment; Dynamic Assessments; Threat-Based Pen Test; Web Application Firewalls; Automated Attack/Bot Defense; Container Security Management; Container Security Compliance (CI); Threat Modeling; Static Analysis (CI)
Cross-cutting: Security Mavens (Security-Trained Developers and Operations); Role Based Software Security Training; Continuous Monitoring, Analytics and KPI Gathering
Control types: Preventative, Detective
The New Goldilocks Zone (DevSecOps)
DevSecOps Supply Chain diagram: Delivery Team → Version Control → Build → Test → Release → Stage → Prod
Security activities shown along the pipeline: Security Training; Security Requirements; Threat Modeling; Architecture Review; OWASP Top 10; IDE Plugins; Code Examples; Fail the Build; Static Code Analysis; Security Policy Testing; Configuration Analysis; Vulnerability Scanning; Code and App Analysis; Automated Pen Testing; Static Code Analysis, Security Policy Testing and Configuration Analysis (repeated at a later stage); Security Monitoring; Configuration Monitoring
Best Practices for DevSecOps
• Train development teams to develop secure code
• Track security issues the same as software issues
• If infrastructure is now code, then security should be code.
• Integrate security controls in the software pipeline
• Automate security tests in the build process
• Detect known vulnerabilities during the pipeline
• Monitor security in production for known states
• Inject failure to ensure security is hardened
Gene Kim, Jez Humble, Patrick Debois, and John Willis. The DevOps Handbook. IT Revolution Press, LLC, 2016.
The Divine
The Felonious Nature of Cyber Security
Bonus Material
Kill Chain Example
Amazon AWS
Amazon VPC
DevSecOps Kaizen - Full Life Cycle
1. Key Outcomes
2. Countermeasures
3. Storyboard
4. Kanban Board
5. Post Retrospective
More Security Meta Points
• Have security create templates, recipes, playbooks
• Create a Wiki for Security
• All issues managed in a common issue system
• Create a Github repo for OWASP code examples
• Create interactive visual environments for security
• Visualize all the things….
• A bug is a bug is a bug….
DevSecOps and Cloud Configuration
• IAM and resource policies (S3 Bucket, SQS, etc.)
  • Permissive policies (e.g. wildcards)
• Security Group ingress and egress rules
  • Liberal rules (e.g. 0.0.0.0/0, port range 1-65535 is open)
• Encryption
  • Encryption that is not enabled or enforced for applicable resources
• Automatic Key Rotation
  • KMS keys that don't have rotation enabled
• Invalid SSL configurations
  • ELBs with invalid SSL configurations
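The "security should be code" idea applied to the first two findings above, as an added example (not from the talk or its repository): offline checks for wildcard IAM statements and world-open security-group rules over constructed sample documents in AWS's JSON shapes. The set of ports considered acceptable to expose to 0.0.0.0/0 (80 and 443) is an assumption for this example.

```python
from ipaddress import ip_network

# Constructed sample IAM policy document in AWS's JSON shape (not a real account's policy).
IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"},  # admin-style wildcard to flag
]}

# Constructed sample security group in the shape EC2 DescribeSecurityGroups returns.
SECURITY_GROUP = {"GroupId": "sg-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 1, "ToPort": 65535, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]}


def _as_list(value):
    # IAM allows Action/Resource to be a string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def permissive_statements(policy):
    """Indexes of Allow statements using a wildcard Action ('*' or 'svc:*') or Resource '*'."""
    hits = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements with wildcards restrict rather than grant
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            hits.append(idx)
    return hits


def liberal_rules(group, world_ok_ports=frozenset({80, 443})):
    """(from_port, to_port, cidr) for ingress rules reachable from anywhere that open
    all protocols, a port range, or a single port outside world_ok_ports (assumed set)."""
    hits = []
    for rule in group.get("IpPermissions", []):
        all_traffic = rule.get("IpProtocol") == "-1"  # "-1" means every protocol/port
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        too_wide = all_traffic or hi > lo or lo not in world_ok_ports
        for rng in rule.get("IpRanges", []):
            cidr = rng["CidrIp"]
            if ip_network(cidr, strict=False).prefixlen == 0 and too_wide:
                hits.append((lo, hi, cidr))
    return hits
```

Run in CI against exported policies and security groups, a non-empty result from either function is the "fail the build" signal the New Goldilocks Zone slide calls for.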
DevSecOps and Containers
• Base Image Policies
• Signed images
• Capabilities policies
• Vulnerability Image Scans
• Port Restrictions
• Secrets Management
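An added example (not from the talk) that turns the container bullets above into an admission-style lint over a constructed Kubernetes Pod spec: base-image registry policy, digest pinning as the precondition for matching an image to a signed artifact, capability and privileged checks, port restrictions, and secret-looking environment literals. The registry name, capability and port allowlists in POLICY are hypothetical; real signature verification (e.g. with a signing tool) is out of scope here.

```python
import re

# Constructed Kubernetes Pod spec as a dict in the API's shape (not a real cluster object).
POD = {"spec": {"containers": [
    {"name": "web",
     "image": "docker.io/library/nginx:latest",
     "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
     "ports": [{"containerPort": 80, "hostPort": 80}],
     "env": [{"name": "DB_PASSWORD", "value": "hunter2"}]},
    {"name": "api",
     "image": "registry.example.internal/team/api@sha256:" + "a" * 64,
     "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
     "ports": [{"containerPort": 8443}],
     "env": [{"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db", "key": "pw"}}}]},
]}}

POLICY = {  # hypothetical organisation policy; every value here is an assumption
    "registries": ("registry.example.internal/",),
    "allowed_caps": {"NET_BIND_SERVICE"},
    "allowed_ports": {8080, 8443},
}
SECRET_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY)", re.I)


def lint_container(c, policy=POLICY):
    """Return finding strings for one container; an empty list means it passes."""
    findings = []
    image, name = c.get("image", ""), c.get("name", "?")
    if not image.startswith(policy["registries"]):
        findings.append(f"{name}: image not from an approved registry")
    if "@sha256:" not in image:  # a mutable tag cannot be tied to a signed artifact
        findings.append(f"{name}: image not pinned by digest")
    sc = c.get("securityContext", {})
    caps = sc.get("capabilities", {})
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container")
    if "ALL" not in caps.get("drop", []):
        findings.append(f"{name}: does not drop ALL capabilities")
    extra = set(caps.get("add", [])) - policy["allowed_caps"]
    if extra:
        findings.append(f"{name}: adds capabilities {sorted(extra)}")
    for p in c.get("ports", []):
        if "hostPort" in p:
            findings.append(f"{name}: binds hostPort {p['hostPort']}")
        if p.get("containerPort") not in policy["allowed_ports"]:
            findings.append(f"{name}: containerPort {p.get('containerPort')} not allowed")
    for e in c.get("env", []):  # literal values for secret-like names bypass secrets management
        if "value" in e and SECRET_NAME.search(e["name"]):
            findings.append(f"{name}: secret-like env {e['name']} set as a literal")
    return findings


def lint_pod(pod, policy=POLICY):
    return [f for c in pod["spec"]["containers"] for f in lint_container(c, policy)]
```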
DevSecOps and Serverless
• OWASP Top 10 are still relevant
• Proper permissions
• Data, keys and secrets
• Still can have vulnerable code dependencies