The document outlines the rise of SecDevOps, emphasizing its role in enhancing security and operational practices in software development. It presents research findings on the benefits and performance improvements related to the adoption of SecDevOps methodologies while also highlighting barriers to success in terms of vulnerability remediation and organizational challenges. Best practices and tooling solutions are recommended to foster a proactive security culture and streamline processes.

1. Embracing the Rise of
SecDevOps
Tenable Research Engineers

2. Embracing the Rise of
SecDevOps
Thomas Cappetta
Tenable Research
Vulnerability Research Engineer

3. - Cyber Security, DevOps, Cloud Computing
- CISSP
- Constantly Studying DevOps & Offensive Security
- Mentoring & Leadership
• Active: 3yrs. Asst. Coaching Youth Sports (volunteer)
• Previous: Identifying, Leading, & Mentoring Organizational Talent within SecOps & Engineering.
• Previous: Eagle Scout
About Cappetta
2

4. ● ... a set of business methodologies, operational procedures, &
cultural practices proven to increase security, improve software
quality, improve release frequency, & provide immediate
insight into organizational exposures…
SecDevOps Defined
3

5. “According to State of DevOps Reports by Puppet… ”
High-Performing organizations which implement DevOps practices:
• Deploy code 30 times more frequently
• Have 50 percent fewer failures
• Automated:
• 33 % more of their configuration management
• 27 % more of their testing
• 30 % more of their deployments
• 27 % more of their change approval processes
Benefits
5

6. 6
Respondent Demographics

7. 7
DevOps vs. Security Researchers

8. Goal:
§ Disposable infrastructure
§ Automated Application Deployments
§ Continuous Patch Updates
§ Automated Release Testing
§ Autonomous Customer Service
§ Great Organizational Culture
Best Practices
8

9. Barriers to Success
9

10. ● “a median of five days to gain access to a functioning exploit. In contrast, we learned,
defenders take a median 12 days to assess for a vulnerability.” – Tenable Research
● “According to WhiteHat Security stats, the average time to fix a website vulnerability
after it has been reported is 150-180 days.” – Tenable Research 2015
Barriers To Success – Tenable Research
10

11. ● EdgeScan-
● Layer 7 - Average time to close a discovered vulnerability is 67 Days
● Layer Network - Average time to close a discovered vulnerability is 62 Days
● Denim Group
● A 2013 industry study from White Hat Security revealed that the “Mean Time to Fix” for web
application flaws categorized as “serious” averaged 193 days across all industries.
● In the same study, for one industry (Education) the figure jumped to 342 days of exposure
Barriers To Success – Exposure Remediation
11

12. ● “The most common code vulnerability evident in static security testing during the
software development process is Unpatched Libraries” - WhiteHatSec
• Cyber Security is often viewed as an expense
• Regular Code Deployments require Smaller Feature branches
• Retrofitting Tooling into Pre-existing Monolithic Applications
Barriers To Success – Generic
12

13. • Changes don’t meet expectations
• Insecure Configurations
• Unknown Assets & Exposures
• Complex business workflows & Technical Debt
Barriers To Success - Generic
13

14. • Automating the wrong things first
• Continuous Delivery != Continuous Deployment
• Lack of Metrics
• Stale Test Automation
• So Many Tools…
Barriers To Success - DevOps
14

15. What’s the Challenge?
15

16. Branching -
Simplified vs.
Complex
Features vs.
Epics
Barriers to Success – Git Workflow
16

17. • Constantly Evolving Exposures
• Unknown External / Environmental Threats
• Compartmentalized Organizations
• Remediation Delay
• Zero-Days
• Constantly Evolving Tooling
Barriers To Success – Threat Landscape
17

18. 18

19. best practices
19

20. Cyber Exposure Life-Cycle
20

21. - Invest in Tooling & Processes
- Automate Repeatable Processes
Process / Procedure Changes
21

22. Tooling / Processes: synopsys.com
22

23. • SecDevOps – Process & Tooling automation providing early
detection/remediation of cyber exposure
• BDD / Gherkin – Functional / Behavioral Use-Cases
• Regular Code Deployments & smaller change sets
• Infra/App as Code - disposable infrastructure
Solution(s)
23

24. • Inspec – Configuration Mgmt. Verification
• BDD-Security – Behavioral Security Testing
• T-Pot – HoneyPot sensors to monitor threat landscape
• Automation Breaks – Audit, Monitor, & fix it
Solution(s)
24

25. • Collaboration / Prioritization – eg. JIRA / Slack / SalesForce
• Invest in Research & Training by looking ahead
• Inspire Innovation, accept failure w/o judgement, & celebrate
success
Culture
25

26. Technical References
26
Sans Secure DevOps Toolchain

27. Sample: Managing Credentials
27

28. ● Willingness to embrace failure in conquest of Excellence
● Enormous Appetites for Technical Expertise & Depth
● Willingness to empower innovation & invest in Research
● Ability to Influence the passion of employees
Culture
28

29. 29

30. Tooling Process Maps
30
xebialabs.com

31. HoneyPot Automation – T-Pot
31

32. - Inspec
infrastructure
Inspec Your Assets
32

33. https://blog.chef.io/2018/05/23/automatically-generating-
inspec-controls-from-terraform/
https://lollyrock.com/articles/inspec-terraform/
https://learn.chef.io/modules/try-inspec#/
Chef marketplace
https://kitchen.ci/
Inspect your AWS Cloud
33

34. Personal Toolkit
34
https://github.com/cappetta/SecDevOps-Toolkit
https://github.com/cappetta/circleci_terraform