Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019

Continuous security
Kim van Wilgen
Amsterdam | April 2-3, 2019

Continuous security
Kim van Wilgen | Schuberg Philis
nl.linkedin.com/kimvanwilgen
kimvanwilgen@gmail.com
www.kimvanwilgen.com
@kimvanwilgen

@kimvanwilgen | www.kimvanwilgen.comContinuous security
Customer director
Schuberg Philis20
18
Head of
software
development
ANVA
20
17
Head of IT
Klaverblad
Verzekeringen
20
14
Hello world
19
80

Schuberg Philis
4
Mission critical
digital transformations
Financially
independent
Started in
2001
300
team members (Dec 2018)
EUR 60m
revenue
Market Quality leader
in Business Critical IT Outsourcing
Single KPI
100% customer satisfaction

Why focus on security?

Agile
Continuous
delivery
Containers
Immutable
infrastructures
Pipelines
Test automationT shaped
people
You build it
You run it
DevOps
Microservices and
serverless architectures
Self-
organization
War for talent
Exploration and rapid
prototyping
Emerging architectures

Focus shifted to speed…and nothing else

Shifting panels

Autonomy, self organization and key shaped people

Source: State of the cybersecurity report 2017

Security roleplay

Security all-in

Security should support delivery of value

“I never once spoke with the security team at Google.
Not because they weren’t doing their job, but exactly
because they were doing their job. They encoded
their expertise into self-service tools and libraries,
and we just used them ourselves”Randy Shoup, WeWork

XContinuous Delivery (CD) is a set of practices and principles in software
engineering aimed at building, testing and releasing software faster and
more frequently. They help reduce the cost, time and risk of delivering
changes, and ultimately value, to customers by allowing for more
incremental changes to applications in production.
Wikipedia, 2017

XContinuous Security (CS) is a set of practices and principles in software
engineering aimed at designing, developing, testing and running software
more securely. They help
reduce the cost, time and risk of delivering integrity, availability and
confidentiality to applications in production. Continuous security is
essential for delivering Continuous Delivery.

Let’s play!
“For the things we have to
learn before we can do
them, we learn by doing
them.”
― Aristotle

Have security champions
Don’t eliminate all risk
Driven by DevOps teams
Identify and remove first
Context adaption
Eliminate known vulnerabilities
Immutable infrastructure
Detection of changes
Security tests are source code
Train for the basics
Gartner DevSecOps Top 10

#1: Have security champions

SecLeads and SecBuddies
Source: Rooske Eerden (de Tekenaar)

Security Satellite team
5 dev
(1 architect
2 devs
2 testers)
3 ops

#2: Don’t eliminate all risk

Risk and cost based security
Security is Confidentiality, Integrity and Availability

Alignment of security and business value

Integration in
the pipeline
#3:DevOps driven

DevSecOps, SecDevOps, DevOpS

X
“If you are doing DevOps without security, you are
doing it wrong”
Thiago de Faria – Head of solutions engineering, LINKIT

Shift left on security
VS

Automate first
• SAST
• DAST
• Proxy tools
• Dependency checks
• Custom scripts
Integration in the pipelines

SAST: sourcecode testing for security vulnerabilities
Leaders: Checkmarx, Veracode, Appscan, fortify, PT application
inspector, covarity
We use SonarQube and Jfrog XRAY
+ Find problems early in lifecycle, detailed feedback, scalable
- Limited scope, configuration out of scope, false positives &
negatives
SAST
Static Analyses Security Testing

DAST: running state security testing, simulates attacks against an
application or system (typically web-enabled applications and
services), analyzes results and, thus, determines whether it is
vulnerable.
Leaders: Fortify, AppScan, ZAP, Qualys, Rapid7
We use ZAP
+ Tests the application at runtime, realistic view
- More complex, harder to track, needs a running instance (late
feedback, limitedly scalable, slow)
DAST
Dynamic Application Security Testing

Security by design

#4: Identify and remove: start small

I’ve added over a 100 security rules in SonarQube and
sent the top X screwups to the team. They are more aware
and will solve their own issues.
Dominik, member of the ANVA security satellite team

I enabled the dependency check. We had hundreds of
vulnerabilities. We solved them within a day with critical
upgrades and the removal of obsolete dependencies.

I ran Docker Bench. We found privileges were too
high and corrected them.

I’ve set up our internal learning platform with webgoat. We
can now practice attacks and grow awareness and
knowledge of defences.
Michiel, member of the ANVA security satellite team

#5: Context adaption

Learn and adapt first before you break the build

Application SecurityVerification Standard
Unrelevant / Sast / Dast
/ RAST / other
Train for risks we can’t
automate

Evil user stories
As a Malicious Hacker, I want to gain
access to this web application’s Cloud
Hosting account so that I can lock out
the legitimate owners and delete the
servers and their backups, to destroy
their entire business.

#6: Fix your vulnerabilities

Owasp dependency check
Eliminate known vulnerabilities
64
550 vulnerabilities

#7: Immutable infrastructure

X
One of the benefits of using containers, especially in
microservices-based applications, is they make it easier to secure
applications via runtime immutability—or never-changing—and
applying least-privilege principles that limit what a container can
do.
Tsvi Korren - Chief Solutions Architect at Aqua Security

• Patches are code changes and follow the pipeline
• Use systematic workload re-provisioning – difficult to persist across rebuilds
• Scan infrastructure scripts against the security policy
• Apply pervasive visibility
Immutable infrastructure mindset
Source: Gartner report on cloud security

#8: Detection of changes

#9:Treat security tests as source code

#10:Train for the basics

Automate security features
and scan against bugs and
vulnerabilities
Check for logical flaws
manually, educate and
raise context awareness

Infrastructure alone won’t keep you safe
10.6% of passwords is a
top 20 password

Security bootcamps

Context awareness

Hack yourself first too
Chaos Engineering: make rare
events regular

“Think as an offender will show the real threats of
your application and grow awareness from finding out
how easy it is.”
Troy Hunt, MVP for developer security
and creator of ‘Have I been PWNED”

Red teaming
“Did you check the cake for hard and sharp
objects before bringing this inside?”

Trusted source and lowering our fences

@kimvanwilgen | www.kimvanwilgen.com
References
and questions
www.kimvanwilgen.com
@kimvanwilgen
kimvanwilgen@gmail.com

https://sdtimes.com/developers/gartners-guide-to-successful-devsecops/
https://cybersecurity.isaca.org/static-assets/documents/State-of-Cybersecurity-part-2-
infographic_res_eng_0517.pdf
https://www.sans.org/reading-room/whitepapers/critical/continuous-security-implementing-critical-
controls-devops-environment-36552
10 Things to Get Right for SuccessfulDevSecOps, Gartner, 2017, IDG00341371
https://www.gartner.com/doc/reprints?id=1-4TI72Y2&ct=180320&st=sb
https://www.thoughtworks.com/radar/techniques
https://www.mmc.com/content/dam/mmc-web/Global-Risk-Center/Files/MMC-Cyber-Handbook_2016-
web-final.pdf
Reimagining Security and IT Resilience for a Cloud-Native DevSecOps World, Gartner, 2018
Sources

Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019

More Related Content

What's hot

Similar to Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019

More from Codemotion

Recently uploaded

Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019

Editor's Notes