The document discusses Aetna's journey towards implementing DevOps practices in a regulated environment. It describes Aetna's traditional "waterfall" development process and how it is evolving to integrate security practices into its continuous integration/delivery (CI/CD) process. This includes automating static code analysis, container vulnerability scanning, and identifying and remediating AWS security risks. The benefits of DevSecOps include more consistent security controls, reduced defects, increased security and speed to market. Challenges include evolving culture across 3,500+ developers and integrating security tools in a way that provides continuous feedback.

1. Quality health plans & benefits
Healthier living
Financial well-being
Intelligent solutions
DJ Schleen
February 13, 2017
Implementing DevOps in a
Regulated Environment
@dschleen

2. © 2017 Aetna Inc. 2

3. © 2017 Aetna Inc. 3

4. © 2017 Aetna Inc.
Let’s bust out some walls and install some
windows…
4

5. © 2017 Aetna Inc.
The Aetna Landscape
The seeds of DevOps are germinating everywhere
• 3,500+ Developers
• 1,500+ Applications
• Multiple deployment platforms and development languages
• Robust software security program and training programs
• Formerly a “waterfall” organization, but evolving people and
resources to support DevOps
• Mature DevOps practices in some facets of the organization and
subsidiaries
• Evolving legacy apps to support microservice design principles and
containerization
5

6. © 2017 Aetna Inc.
The Aetna Journey
• The evolution of our SDLC from Waterfall to DevOps
• Integration of our Software Security Program into our CI/CD Process,
Specifically:
─ Automated Static Code Analysis
─ Container Vulnerability Scanning
─ Identifying and remediating AWS Security Risk
• How we measure ourselves and map security controls to compliance
• Observations and benefits of DevOps/DevSecOps
• Constantly learning, improving, and re-evaluating
6

7. © 2017 Aetna Inc.
Aetna’s Traditional Approach
7
Requirements Design Development Test Production
1. Set project
expectations:
secure from the
start (per
archetype)
2. Define security
blueprints:
Archetype specific
patterns and
secure-by-design
components
Identification &
proactive protection
against security
vulnerabilities in
production
Conduct application
security testing on
deployed
configurations
PREVENTATIVE DETECTIVEStatic Analysis
Dynamic Assessment
Security Libraries &
Frameworks
Threat Modeling
Ex: All data input
by users must be
validated
Assets
Attack
Vectors
Threats
Threat-Based Pen Test
Open Source Analysis
Application Risk
Classification
Security Requirement
Definition
Software Security Training (Role-Based Curriculum)
PRODUCTION
Continuous Perimeter
Assessment
Web Application
Firewalls
Secure Coding Guidelines
Automated Attack/Bot
Defense
Secure Application Design

8. © 2017 Aetna Inc.
• Automation/Tool Integration
• Transparency
• Increased Collaboration
• Consistent Adoption
• Continual Feedback
• Remediation Efficiency
• Release Gating
• Resiliency & Scalability
(Microservices/Containers)
8
DevOps and Security – an Unprecedented
Opportunity

9. © 2017 Aetna Inc. 9
Role Based Software Security Training
DevOps/Security Program Integrated
Requirements
& Design
Dev CI
Interval
Triggered
Assessments
Production
Static Analysis
(CI)
Dynamic
Assessment
Container Security
Scanning (CI)
Static Analysis (IDE)
Threat-Based Pen
TestOpen Source
Governance(CI)
Application Risk
Classification
Security Requirement
Definition
Security Mavens (Security-Trained Developers and Operations)
Perimeter
Assessment
Web Application
Firewalls
Automated
Attack/Bot Defense
Container Security
Management
Preventative Detective
Detailed manual assessments
triggered automatically at
appropriate interval; detached
from release cycle
Lightweight threat
modeling approach
AEFW/Secure Libraries
Iterative, Automated, Efficient
Secure Coding
Standards
Threat Modeling Application Red
Team
Continuous Monitoring, Analytics, and KPI Gathering
SCM

10. © 2017 Aetna Inc.
Check In
Commit
or Pull
Request
Successful
Build
Security
Scan
Feedback
Code
Feature
Static Code Analysis and Gated Check-ins
10
Goal: Improve Code Security
• Move to a fully integrated and
automated state
• Push SCA to the build platform and
triggered with commits/merges
• Use thresholds to “stop the
bleeding”
• Measure defect density (1 high
vulnerability in 10000 LOC)
• Automate threshold reduction as
vulnerabilities in code decreased
• Be as unobtrusive as possible to
developers
• Mandatory Security Control
Thresholds

11. © 2017 Aetna Inc.
Container Vulnerability Scanning
Goal: Ensure our Containers are current and vulnerability free
• Use CIS Docker Benchmarks as a guideline
• Initially attempted to script and automate the audit checks
• Identified commercial software to provide:
─ Automated CIS Docker Benchmark checks
─ Container and repository vulnerability scanning
─ Security policy enforcement
─ Runtime policy enforcement
─ Real-time threat intelligence
─ Specific guidance for HIPPA Compliance
• Mandatory for any container host deployed enterprise wide
11

12. © 2017 Aetna Inc.
AWS Infrastructure Risk
Goal: Identify and Reduce AWS Infrastructure Risk
• Use CIS AWS Foundations Benchmarks as a guideline
• Initially scripted and automated the checks via AWS CLI
• Moved to a vendor provided platform that streamlines and optimizes
vulnerability and risk management for AWS
• Continuously monitor our configured AWS accounts
• Automatically identify security misconfigurations
• Rapidly mitigate risk through guided remediation
• Mandatory for any Aetna or Affiliate AWS account
12

13. © 2017 Aetna Inc. 13
• Gather relevant and
measureable KPIs – Example:
Defect Density
• Trend your performance to see
where you’ve been and project
where you are going
• Use information to strengthen
the confidence in the process
• Whenever applicable, map
process and infrastructure
checks to compliance
requirements (HIPPA, PCI)
Turn Information into Understanding

14. © 2017 Aetna Inc.
Observations and Benefits of DevSecOps
• Consistent application of security controls across all builds,
applications & releases
• Decrease in Defect Density from 1.0 to 0.1
• Increase in the security integrity of applications
• Increase in remediation efficiency through continuous feedback
• Release gating/security gating
• Rapid deployment/increased speed to market
• Increase in efficiency & scalability (microservices)
14

15. © 2017 Aetna Inc.
Challenges Moving to DevOps
• Evolving the culture and habits of 3,500+ developers
• Multiple “flavors” of DevOps in different parts of the organization
• Security tool integration in a manner that supports objectives for
actionable continuous feedback
• What is the best approach for integrating threat modeling and
manual assessments into the lifecycle without impacting CD
objectives?
15

16. © 2017 Aetna Inc.
Takeaways
• Find out where DevOps is happening in your organization
• Identify where security controls can be injected
• Enhance the process with Security, don’t be an impediment
• Turn information into understanding and measure success
• Learn, Expand, Improve, Repeat
16

17. © 2017 Aetna Inc.
Thank you
@dschleen

18. © 2017 Aetna Inc. 18