MT
Uploaded byMatt Tesauro
ODP, PDF937 views

Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Lifeconfidence2015

Matt Tesauro discusses the integration of DevOps practices into application security (AppSec), emphasizing the need for automation and iterative improvement in software testing processes. He highlights challenges faced in rapid software development cycles and the importance of a collaborative culture that embraces feedback and experimentation. The document outlines key strategies for optimizing AppSec pipelines, including establishing repeatable workflows, enhancing feedback mechanisms, and automating security testing to improve efficiencies and reduce risks.

Embed presentation

Downloaded 18 times
Matt Tesauro Pearson Lessons from DevOps: Taking DevOps practices into your AppSec Life
5 months with Pearson Application Security Lead Engineer Prior to Pearson Rackspace - Lead Engineer, Product Security AppSec consulting – VP Services, Praetorian – Consultant Trustwave’s Spiderlabs TEA - Senior Security Engineer DIR - Penetration Tester Texas A&M University – Systems Analyst, Sys Admin, Developer, DBA – Lecturer in MIS department Viatel - Internet App Developer
Other professional experience OWASP Live CD / OWASP WTE – Project lead 2008 to present, over 300K downloads – http://appseclive.org OWASP Foundation Board of Directors – International charity focused on improving software security Multiple speaking engagements internationally at AppSec, DHS, ISC2, SANS… conferences Application Security Training internationally B.S. Economics, M.S. in MIS – Strong believer in the value of cross- discipline study
The Problem – Cycle time for software is getting shorter – Continuous delivery is a goal – Scanning windows are not viable – First mover / first to market advantage
More Problems.. Traditional software development left little time to test DevOps, Agile and Continuous Delivery squeeze those windows even more New languelages and programming methods aren’t making this better – Growth of interpreted languages with loose typing hurts static analysis efforts – Few automated tools to test APIs especially RESTful APIs Little time for any testing, manual testing is doomed
The Solution - Automated software testing - Automated operational infrastructure - Automated security testing
“Don’t get set into one form, adapt it and build your own, and let it grow, be like water”.
A time to morn
Traditional Software Dev & Ops The old way... Very early and prescriptive requirements and design Long development cycles Waterfall Approach Groups work in Silos - Dev, SysAdmin, QA, Security Possible feedback from bug reports but little else Throwing code over the wall
Waterfall Development
Why DevOps came to be What's different about DevOps Web/Cloud companies needed - high availability - fast introduction of new features Easy for users to switch to a competing service + fist mover advantage No media to ship with SaaS models Cultural change – not just new cool tech aka CI/CD, Docker... Focus on clear business objectives Dev and SysAdmins share responsibility for uptime, deploys, downtime Emphasize people and process, repeatability Goal is better uptime and lower operational costs The DevOps Answer
"Notice that the stiffest tree is most easily cracked, while the bamboo or willow survives by bending with the wind."
The Phoenix Project 3 Ways of DevOps Strategies for Improving Operations
Workflow The 3 Ways of DevOps 1 2 3
Look at your purpose and those process which aid it ● Make sure the process is correct from beginning to the end Then look at ways to speed up that process ● Value Stream – the name a the process which provides value to the business ● Working from left to right – think of a time line: business / development => customer / operations ● Flow [rate] – the speed work goes through the process #1 - Workflow
An example workflow Software release process ● Code written ● Code committed to a code repository ● Unit test the code ● Package the code for deployment ● Integration testing ● Deploy code to production #1 - Workflow
The AppSec Pipeline
Key Features of AppSec Pipelines • Designed for iterative improvement • Provides a reusable path for AppSec activities to follow • Provides a consistent process for both the team and our constituency • One way flow with well-defined states • Relies heavily on automation • Has the ability to grow in function organically over time • Gracefully interconnects with the development process
Spending time optimizing anything other than the critical resource is an illusion. - Edward Deming
Key Goals of AppSec Pipelines • Optimize the critical resource – App Sec personnel • Automate all the things that don’t require a human brain • Drive up consistency • Increase tracking of work status • Increase flow through the system • Increase visibility and metrics • Reduce any dev team friction with application security
Pipeline - Intake • “First Impression” • Major categories of Intake • Existing App • New App • Previously tested App • App to re-test findings • Key Concepts • Ask for data about Apps only once • Have data reviewed when an App returns • Adapt data collected based on broad categories of Apps
Pipeline – the Middle • Inbound request triage • Ala Carte App Sec • Dynamic Testing • Static Testing • Re-Testing mitigated findings • Mix and match based on risk • Key Concepts • Activities can be run in parallel • Automation on setup, configuration, data export • Focus people on customization rather than setup
Pipeline – the End • Source of truth for all AppSec activities • ThreadFix is used to • Dedup / Consolidate findings • Normalize scanner data • Generate Metrics • Push issues to bug trackers • Report and metrics automation • REST + tfclient • Source of many touch points with external teams
Why we like AppSec Pipelines • Allow us to have visibility into WIP • Better understand/track/optimize flow of engagements • Average static test takes ... • Great increase in consistency • Easier re-allocation of engagements between staff • Each step has a well defined interface • Knowing who has what allows for more informed “cost of switching” conversations • Flexible enough for a range of skills and app maturity
If you want to hear more... AppSec EU 2015 – talk slides & video
Making things repeatable Remove all haphazard and ad hoc work from the process Repeat until stable, I like doing the first couple times manually with a 'run book' Scripting languages are your friends Config Mgmt – Puppet, Chef, Salt, Ansible, Jenkins, CFEngine, … Creating deployable artifacts from a branch/release aka .rpm / .deb / .msi Make sure what you do can be done on 1 server or 10,000 servers #1 - Workflow Each Step Repeatable
Making things repeatable in AppSec Make tests easily repeatable You will be re-testing after dev fixes so repeatable tests help retesting You can hand them to devs to test as they write mitigation Make tests easy to understand You will likely be handing work off between App Sec staff or to devs Make tests abstract and combine-able Ala carte tests for mixing and matching Think about the Unix pipe | and its power #1 - Workflow Each Step Repeatable
"I fear not the man who has practiced ten thousand kicks once, but I fear the man who has practiced one kick ten thousand times."
Work left to right but don't pass on failures For AppSec, Defects == False Positives Test early and often Increase the rigor of testing as you work left to right When a failure occurs, end that flow and start a new one after corrections The further right you are, the more expensive failure is #1 - Workflow Never Pass on Defects If you can automate code review, you still must triage 1 false positive == 100 valid bugs If results aren't actionable, you've failed Best security ROI is findings early in the dev lifecycle
Your fix cannot be my new problem Ensure no single-step optimizations degrade overall performance Spending time optimizing anything other than the critical resource is an illusion. Find the bottle neck in your workflow and start there - Upstream changes will just back things up - Downstream changes won't manifest since input is limited Each new optimization creates a new bottleneck – iterate on this #1 - Workflow Local optimizations with a global view Now go faster Make sure you have a well-defined, repeatable process first Look for manual steps that can be automated Look for duplicate work that can be removed/eliminated Measuring/tracking time taken at each step is crucial Where does the flow ebb? Increase the flow of work
Workflow Improve Feedback The 3 Ways of DevOps 1 2 3
Open yourself to upstream and downstream information Feedback loops occur when information is gathered from - upstream (business / development) - downstream (customer / operations) Make visible problems, concerns, potential improvements – share this publicly within your company Learn as you move left to right so improvements aren't lost Requests are opportunities to better fulfill the needs of the business There is rarely enough feedback, capture and look for more Feedback collected can be used to optimally improve the system #2 – Improve Feedback
Customers are also inside your business Customer is more then the 'consumer' at the end of the process - Each step is the customer of the previous step - Understand what the next steps need from you to succeed Remember, feedback isn't guaranteed - encourage it by responding Make feedback & responding quick, easy and readily available #2 – Improve Feedback Understand and respond to your customers Embed knowledge when needed Go all in Keep specialized knowledge out of people's heads and into the system - Check it into source control – automatically versioned. Moving left to right, keep needed info in the stage that requires it
Workflow Improve Feedback Continual Experimentation and Learning The 3 Ways of DevOps 1 2 3
Create a culture of innovation and experimentation The fundamentals are now solid, what can your new knowledge buy you? The business culture must allow for and embrace innovation & experimentation Two essential things must be understood by the business and all involved - We can learn from the failed experiments and risks we take - Mastery comes with repetition and practice and you won't be a master the first N times you practice #3 – Continual Experimentation & Learning
Findings directly to bug trackers • PDFs are great, bugs are better • Work with developer teams to submit bugs • Security category needs to exist • Bonus points if the bug tracker has an API • Security issues are now part of the normal work flow • Beware of death by backlog - do security sprints • Learn how the team treats issues • ThreadFix is nice for metrics and pumping issues into issue trackers - http://code.google.com/p/threadfix/
For the reticent: nag, nag, nag • Attach a SLA to each severity level for findings • Remediation plan vs Fixed • “Age” all findings against these SLAs • Politely warn when SLA dates are close • Walk up the Org chart as things get older • Bonus points for dashboards and bug tracker APIs • Get management sold first
Automating Infrastructure • Declarative configuration language • Plain-text configuration in source control • Fully programmatic, no manual interactions
Cookbooks, Stacks, Playbooks, ... • Most have methods to bundle / share automation routines • You will have to write your own / customize • Good place to spend security cycles -Merge patches upstream for extra good karma points.
Grouping & Tagging • Tagging your servers applies the required set of automation • A base set of for all servers • Each server can have multiple tags • Map tags to security requirements Node Node Node Node DB Node Node Node Node Cache Node Node Node Node Web Apache Monitoring MySql Memcache Works for Clouds Too!
Inspector – you need one • For each group and/or tag • Review the recipe, do a PR aka Pull Request • Hook provisioning for post deploy review • Focus on checking for code compliance -Not perfection, bare minimums • Can include multiple facets -Security, Scalability, Compliance • Vuln scanners – manual or auto • Jenkins Job + Lynis (open source)
Agent – one mole to rule them all • Add an agent to the standard deploy • Read-only helps sell to SysAdmin • Looks at the state of the system • Reports the state to the “mothership” • Add a dashboard to visualize state of infrastructure • Change policy, servers go red • Watch the board go green as patches roll-out • Create your own or find a vendor Mozilla MIG
Turn Vuln scanning on its head • Add value for your ops teams • Subscribe and parse vuln emails for key software • Get this info during threat models or config mgmt • Provide an early warning and remove panic from software updates • Roll your own or find a vendor • Gmail + filters can work surprisingly well • Secunia VIM covers 40K+ products • Reverse the scan then report standard
• Automate, automate, automate • Look for “paper cuts” and fix those first • Finding workflow – your AppSec Pipeline • Figure this out and standardize / optimize • Create systems which can grow organically • App is never done, its just created to easily be added to over time • Finding blocks become templates for next time • Learn to talk “dev” Key Take Aways
The Phoenix Project The Practice of Cloud System Administration Gene Kim, Kevin Behr and George Spafford Books to read Thomas A. Limoncelli, Strata R. Chalup, Christina J. Hogan
Questions? Thank You

More Related Content

ODP
Making security-agile matt-tesauro
byMatt Tesauro
 
PPTX
AppSec Pipeline - Velcocity NY 2015
byMatt Tesauro
 
ODP
Dev ops hackformers-matt-tesauro
byMatt Tesauro
 
ODP
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
byMatt Tesauro
 
PPTX
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
byMatt Tesauro
 
PDF
Taking AppSec to 11 - BSides Austin 2016
byMatt Tesauro
 
ODP
Building an Open Source AppSec Pipeline
byMatt Tesauro
 
PDF
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
byMatt Tesauro
 
Making security-agile matt-tesauro
byMatt Tesauro
 
AppSec Pipeline - Velcocity NY 2015
byMatt Tesauro
 
Dev ops hackformers-matt-tesauro
byMatt Tesauro
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
byMatt Tesauro
 
AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
byMatt Tesauro
 
Taking AppSec to 11 - BSides Austin 2016
byMatt Tesauro
 
Building an Open Source AppSec Pipeline
byMatt Tesauro
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
byMatt Tesauro
 

What's hot

ODP
Lessons from DevOps: Taking DevOps practices into your AppSec Life
byMatt Tesauro
 
PDF
AppSec Pipelines and Event based Security
byMatt Tesauro
 
ODP
DevOps, CLI, APIs, Oh My! Security Gone Agile
byMatt Tesauro
 
PDF
Building a Secure DevOps Pipeline - for your AppSec Program
byMatt Tesauro
 
PPTX
DevOps AppSec Pipeline Velcocity NY 2015
byAaron Weaver
 
PDF
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
byMatt Tesauro
 
PDF
Peeling the Onion: Making Sense of the Layers of API Security
byMatt Tesauro
 
PDF
SecDevOps Risk Workflow - v0.6
byDinis Cruz
 
PDF
OWASP DefectDojo - Open Source Security Sanity
byMatt Tesauro
 
PDF
AppSec is Eating Security
byAlex Stamos
 
PDF
Continuous Security: Using Automation to Expand Security's Reach
byMatt Tesauro
 
PDF
Automating OWASP Tests in your CI/CD
byrkadayam
 
PPTX
Succeeding-Marriage-Cybersecurity-DevOps final
byrkadayam
 
PDF
Building a Modern Security Engineering Organization
byZane Lackey
 
PPTX
SecDevOps: The New Black of IT
byCloudPassage
 
PPTX
HouSecCon 2019: Offensive Security - Starting from Scratch
bySpencer Koch
 
PPTX
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
byPuppet
 
PPTX
Building an AppSec Pipeline: Keeping your program, and your life, sane
byweaveraaaron
 
PDF
OSMC 2015: Monitoring at Spotify-When things go ping in the night by Martin Parm
byNETWAYS
 
PDF
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
byDenim Group
 
Lessons from DevOps: Taking DevOps practices into your AppSec Life
byMatt Tesauro
 
AppSec Pipelines and Event based Security
byMatt Tesauro
 
DevOps, CLI, APIs, Oh My! Security Gone Agile
byMatt Tesauro
 
Building a Secure DevOps Pipeline - for your AppSec Program
byMatt Tesauro
 
DevOps AppSec Pipeline Velcocity NY 2015
byAaron Weaver
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
byMatt Tesauro
 
Peeling the Onion: Making Sense of the Layers of API Security
byMatt Tesauro
 
SecDevOps Risk Workflow - v0.6
byDinis Cruz
 
OWASP DefectDojo - Open Source Security Sanity
byMatt Tesauro
 
AppSec is Eating Security
byAlex Stamos
 
Continuous Security: Using Automation to Expand Security's Reach
byMatt Tesauro
 
Automating OWASP Tests in your CI/CD
byrkadayam
 
Succeeding-Marriage-Cybersecurity-DevOps final
byrkadayam
 
Building a Modern Security Engineering Organization
byZane Lackey
 
SecDevOps: The New Black of IT
byCloudPassage
 
HouSecCon 2019: Offensive Security - Starting from Scratch
bySpencer Koch
 
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
byPuppet
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
byweaveraaaron
 
OSMC 2015: Monitoring at Spotify-When things go ping in the night by Martin Parm
byNETWAYS
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
byDenim Group
 

Similar to Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Lifeconfidence2015

PDF
Practical DevSecOps: Fundamentals of Successful Programs
byMatt Tesauro
 
PDF
Tenants for Going at DevSecOps Speed - LASCON 2023
byMatt Tesauro
 
PPTX
Winnipeg ISACA Security is Dead, Rugged DevOps
byGene Kim
 
PPTX
DevOps - Understanding Core Concepts
byNitin Bhide
 
PPTX
How to get the best out of DevSecOps - an operations perspective
byColin Domoney
 
PDF
When Things Go Bump in the Night
byahamilton55
 
PDF
DevSecOps Fundamentals and the Scars to Prove it.
byMatt Tesauro
 
PPTX
Devops - Accelerating the Pace and Securing Along the Way - Thaddeus Walsh
byDrew Malone
 
PPTX
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
bylior mazor
 
PPTX
DevOps - Understanding Core Concepts (Old)
byNitin Bhide
 
PPTX
Owasp summit slides day 2
byDinis Cruz
 
PDF
Devops, Secops, Opsec, DevSec *ops *.* ?
byKris Buytaert
 
PDF
DevOps for Defenders in the Enterprise
byJames Wickett
 
PPTX
JavaOne 2015 Devops and the Darkside CON6447
bySteve Poole
 
PPTX
One Does Not Simply Walk Into Devops
byUri Cohen
 
PDF
2021-10-14 The Critical Role of Security in DevOps.pdf
bySavinder Puri
 
PDF
The Lost Tales of Platform Design (February 2017)
byJulien SIMON
 
PPTX
Serverless - DevOps Lessons Learned From Production
bySteve Hogg
 
PDF
Gartner starting and scaling dev ops
byTapabrata Pal
 
PPTX
DevSecOps - It can change your life (cycle)
byQualitest
 
Practical DevSecOps: Fundamentals of Successful Programs
byMatt Tesauro
 
Tenants for Going at DevSecOps Speed - LASCON 2023
byMatt Tesauro
 
Winnipeg ISACA Security is Dead, Rugged DevOps
byGene Kim
 
DevOps - Understanding Core Concepts
byNitin Bhide
 
How to get the best out of DevSecOps - an operations perspective
byColin Domoney
 
When Things Go Bump in the Night
byahamilton55
 
DevSecOps Fundamentals and the Scars to Prove it.
byMatt Tesauro
 
Devops - Accelerating the Pace and Securing Along the Way - Thaddeus Walsh
byDrew Malone
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
bylior mazor
 
DevOps - Understanding Core Concepts (Old)
byNitin Bhide
 
Owasp summit slides day 2
byDinis Cruz
 
Devops, Secops, Opsec, DevSec *ops *.* ?
byKris Buytaert
 
DevOps for Defenders in the Enterprise
byJames Wickett
 
JavaOne 2015 Devops and the Darkside CON6447
bySteve Poole
 
One Does Not Simply Walk Into Devops
byUri Cohen
 
2021-10-14 The Critical Role of Security in DevOps.pdf
bySavinder Puri
 
The Lost Tales of Platform Design (February 2017)
byJulien SIMON
 
Serverless - DevOps Lessons Learned From Production
bySteve Hogg
 
Gartner starting and scaling dev ops
byTapabrata Pal
 
DevSecOps - It can change your life (cycle)
byQualitest
 

More from Matt Tesauro

PDF
AI, AppSec, and You: A Practitioner's Diary
byMatt Tesauro
 
PDF
DefectDojo at Global AppSec San Fran 2024
byMatt Tesauro
 
PDF
Hacking and Defending APIs - Red and Blue make Purple.pdf
byMatt Tesauro
 
PDF
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
byMatt Tesauro
 
PDF
Landmines in the API Landscape
byMatt Tesauro
 
PDF
The Final Frontier, Automating Dynamic Security Testing
byMatt Tesauro
 
PDF
Intro to DefectDojo at OWASP Switzerland
byMatt Tesauro
 
PDF
Taking the Best of Agile, DevOps and CI/CD into security
byMatt Tesauro
 
PDF
Running FaaS with Scissors
byMatt Tesauro
 
ODP
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
byMatt Tesauro
 
ODP
OWASP WTE - Now in the Cloud!
byMatt Tesauro
 
AI, AppSec, and You: A Practitioner's Diary
byMatt Tesauro
 
DefectDojo at Global AppSec San Fran 2024
byMatt Tesauro
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
byMatt Tesauro
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
byMatt Tesauro
 
Landmines in the API Landscape
byMatt Tesauro
 
The Final Frontier, Automating Dynamic Security Testing
byMatt Tesauro
 
Intro to DefectDojo at OWASP Switzerland
byMatt Tesauro
 
Taking the Best of Agile, DevOps and CI/CD into security
byMatt Tesauro
 
Running FaaS with Scissors
byMatt Tesauro
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
byMatt Tesauro
 
OWASP WTE - Now in the Cloud!
byMatt Tesauro
 

Recently uploaded

PDF
Malware_Detection_A_Framework_for_Reverse_Engineered_Android_Applications_Thr...
byKiritiyadavGoskula
 
PDF
contusion pulmonar y antibiotico en el atls
byMARIAPETRONILAMONTAO
 
PDF
09920-2 JE40CP MB 48.4GY02.021 Schematic Acer Aspire 4741.pdf
bydakjuel1
 
PPTX
wAIred_RabobankWRProducts__22012026.pptx
bySimonedeGijt
 
PPTX
apidays Australia 2025 | Advanced GraphQL Security with AI Driven Threat Dete...
byapidays
 
PDF
Edge AI vs Cloud AI: Why Frontend Developers Must Master On-Device Machine Le...
byWorkfall hire developers
 
PDF
Introduction to Microsoft 365 Security and Compliance.pdf
byjohnsonsouza5
 
PDF
Postmates Clone App Delivery Service Business Solution.pdf
byV3CUBE TECHNOLABS
 
PDF
A Complete Guide to Progressive Web App and Their Development
byMaxtra Technologies
 
PDF
What-Every-Tech-Leader-Needs-to-Know-About-AI-in-2025.pdf
byrishabhxbohra
 
PDF
apidays Australia 2025 | Designing with workflows: Using Arazzo and OpenAPI f...
byapidays
 
PDF
Projectlify: Everything You Need to Get Things Done
byRafal Ksiazek
 
PPTX
Anomalies in Relational Database Management systems.pptx
byamutham12
 
PDF
Gojek Clone Business Strategy: From Launch to Scale
byV3CUBE TECHNOLABS
 
PDF
IoT/OT Security: Penetration Testing for an Expanding Attack Surface.pdf
byCybernetic Global Intelligence
 
PPTX
apidays Australia 2025 | Hey man, which one will deploy much faster, API or kid?
byapidays
 
PDF
Salesforce Careers in 2026_ Trends, Certifications, and Must-Have Skills
byDele Amefo
 
PDF
apidays Australia 2025 | APIs in Government: A blueprint to automating Busine...
byapidays
 
Malware_Detection_A_Framework_for_Reverse_Engineered_Android_Applications_Thr...
byKiritiyadavGoskula
 
contusion pulmonar y antibiotico en el atls
byMARIAPETRONILAMONTAO
 
09920-2 JE40CP MB 48.4GY02.021 Schematic Acer Aspire 4741.pdf
bydakjuel1
 
wAIred_RabobankWRProducts__22012026.pptx
bySimonedeGijt
 
apidays Australia 2025 | Advanced GraphQL Security with AI Driven Threat Dete...
byapidays
 
Edge AI vs Cloud AI: Why Frontend Developers Must Master On-Device Machine Le...
byWorkfall hire developers
 
Introduction to Microsoft 365 Security and Compliance.pdf
byjohnsonsouza5
 
Postmates Clone App Delivery Service Business Solution.pdf
byV3CUBE TECHNOLABS
 
A Complete Guide to Progressive Web App and Their Development
byMaxtra Technologies
 
What-Every-Tech-Leader-Needs-to-Know-About-AI-in-2025.pdf
byrishabhxbohra
 
apidays Australia 2025 | Designing with workflows: Using Arazzo and OpenAPI f...
byapidays
 
Projectlify: Everything You Need to Get Things Done
byRafal Ksiazek
 
Anomalies in Relational Database Management systems.pptx
byamutham12
 
Gojek Clone Business Strategy: From Launch to Scale
byV3CUBE TECHNOLABS
 
IoT/OT Security: Penetration Testing for an Expanding Attack Surface.pdf
byCybernetic Global Intelligence
 
apidays Australia 2025 | Hey man, which one will deploy much faster, API or kid?
byapidays
 
Salesforce Careers in 2026_ Trends, Certifications, and Must-Have Skills
byDele Amefo
 
apidays Australia 2025 | APIs in Government: A blueprint to automating Busine...
byapidays
 

Matt tesauro Lessons from DevOps: Taking DevOps practices into your AppSec Lifeconfidence2015

  • 1.
    Matt Tesauro Pearson Lessons fromDevOps: Taking DevOps practices into your AppSec Life
  • 2.
    5 months withPearson Application Security Lead Engineer Prior to Pearson Rackspace - Lead Engineer, Product Security AppSec consulting – VP Services, Praetorian – Consultant Trustwave’s Spiderlabs TEA - Senior Security Engineer DIR - Penetration Tester Texas A&M University – Systems Analyst, Sys Admin, Developer, DBA – Lecturer in MIS department Viatel - Internet App Developer
  • 3.
    Other professional experience OWASPLive CD / OWASP WTE – Project lead 2008 to present, over 300K downloads – http://appseclive.org OWASP Foundation Board of Directors – International charity focused on improving software security Multiple speaking engagements internationally at AppSec, DHS, ISC2, SANS… conferences Application Security Training internationally B.S. Economics, M.S. in MIS – Strong believer in the value of cross- discipline study
  • 4.
    The Problem – Cycletime for software is getting shorter – Continuous delivery is a goal – Scanning windows are not viable – First mover / first to market advantage
  • 5.
    More Problems.. Traditional softwaredevelopment left little time to test DevOps, Agile and Continuous Delivery squeeze those windows even more New languelages and programming methods aren’t making this better – Growth of interpreted languages with loose typing hurts static analysis efforts – Few automated tools to test APIs especially RESTful APIs Little time for any testing, manual testing is doomed
  • 6.
    The Solution - Automatedsoftware testing - Automated operational infrastructure - Automated security testing
  • 7.
    “Don’t get setinto one form, adapt it and build your own, and let it grow, be like water”.
  • 8.
  • 9.
    Traditional Software Dev& Ops The old way... Very early and prescriptive requirements and design Long development cycles Waterfall Approach Groups work in Silos - Dev, SysAdmin, QA, Security Possible feedback from bug reports but little else Throwing code over the wall
  • 10.
  • 11.
    Why DevOps cameto be What's different about DevOps Web/Cloud companies needed - high availability - fast introduction of new features Easy for users to switch to a competing service + fist mover advantage No media to ship with SaaS models Cultural change – not just new cool tech aka CI/CD, Docker... Focus on clear business objectives Dev and SysAdmins share responsibility for uptime, deploys, downtime Emphasize people and process, repeatability Goal is better uptime and lower operational costs The DevOps Answer
  • 12.
    "Notice that thestiffest tree is most easily cracked, while the bamboo or willow survives by bending with the wind."
  • 13.
    The Phoenix Project 3Ways of DevOps Strategies for Improving Operations
  • 14.
    Workflow The 3 Waysof DevOps 1 2 3
  • 15.
    Look at yourpurpose and those process which aid it ● Make sure the process is correct from beginning to the end Then look at ways to speed up that process ● Value Stream – the name a the process which provides value to the business ● Working from left to right – think of a time line: business / development => customer / operations ● Flow [rate] – the speed work goes through the process #1 - Workflow
  • 16.
    An example workflow Softwarerelease process ● Code written ● Code committed to a code repository ● Unit test the code ● Package the code for deployment ● Integration testing ● Deploy code to production #1 - Workflow
  • 17.
  • 18.
    Key Features ofAppSec Pipelines • Designed for iterative improvement • Provides a reusable path for AppSec activities to follow • Provides a consistent process for both the team and our constituency • One way flow with well-defined states • Relies heavily on automation • Has the ability to grow in function organically over time • Gracefully interconnects with the development process
  • 19.
    Spending time optimizinganything other than the critical resource is an illusion. - Edward Deming
  • 20.
    Key Goals ofAppSec Pipelines • Optimize the critical resource – App Sec personnel • Automate all the things that don’t require a human brain • Drive up consistency • Increase tracking of work status • Increase flow through the system • Increase visibility and metrics • Reduce any dev team friction with application security
  • 21.
    Pipeline - Intake •“First Impression” • Major categories of Intake • Existing App • New App • Previously tested App • App to re-test findings • Key Concepts • Ask for data about Apps only once • Have data reviewed when an App returns • Adapt data collected based on broad categories of Apps
  • 22.
    Pipeline – theMiddle • Inbound request triage • Ala Carte App Sec • Dynamic Testing • Static Testing • Re-Testing mitigated findings • Mix and match based on risk • Key Concepts • Activities can be run in parallel • Automation on setup, configuration, data export • Focus people on customization rather than setup
  • 23.
    Pipeline – theEnd • Source of truth for all AppSec activities • ThreadFix is used to • Dedup / Consolidate findings • Normalize scanner data • Generate Metrics • Push issues to bug trackers • Report and metrics automation • REST + tfclient • Source of many touch points with external teams
  • 24.
    Why we likeAppSec Pipelines • Allow us to have visibility into WIP • Better understand/track/optimize flow of engagements • Average static test takes ... • Great increase in consistency • Easier re-allocation of engagements between staff • Each step has a well defined interface • Knowing who has what allows for more informed “cost of switching” conversations • Flexible enough for a range of skills and app maturity
  • 25.
    If you wantto hear more... AppSec EU 2015 – talk slides & video
  • 26.
    Making things repeatable Removeall haphazard and ad hoc work from the process Repeat until stable, I like doing the first couple times manually with a 'run book' Scripting languages are your friends Config Mgmt – Puppet, Chef, Salt, Ansible, Jenkins, CFEngine, … Creating deployable artifacts from a branch/release aka .rpm / .deb / .msi Make sure what you do can be done on 1 server or 10,000 servers #1 - Workflow Each Step Repeatable
  • 27.
    Making things repeatablein AppSec Make tests easily repeatable You will be re-testing after dev fixes so repeatable tests help retesting You can hand them to devs to test as they write mitigation Make tests easy to understand You will likely be handing work off between App Sec staff or to devs Make tests abstract and combine-able Ala carte tests for mixing and matching Think about the Unix pipe | and its power #1 - Workflow Each Step Repeatable
  • 28.
    "I fear notthe man who has practiced ten thousand kicks once, but I fear the man who has practiced one kick ten thousand times."
  • 29.
    Work left toright but don't pass on failures For AppSec, Defects == False Positives Test early and often Increase the rigor of testing as you work left to right When a failure occurs, end that flow and start a new one after corrections The further right you are, the more expensive failure is #1 - Workflow Never Pass on Defects If you can automate code review, you still must triage 1 false positive == 100 valid bugs If results aren't actionable, you've failed Best security ROI is findings early in the dev lifecycle
  • 30.
    Your fix cannotbe my new problem Ensure no single-step optimizations degrade overall performance Spending time optimizing anything other than the critical resource is an illusion. Find the bottle neck in your workflow and start there - Upstream changes will just back things up - Downstream changes won't manifest since input is limited Each new optimization creates a new bottleneck – iterate on this #1 - Workflow Local optimizations with a global view Now go faster Make sure you have a well-defined, repeatable process first Look for manual steps that can be automated Look for duplicate work that can be removed/eliminated Measuring/tracking time taken at each step is crucial Where does the flow ebb? Increase the flow of work
  • 31.
    Workflow Improve Feedback The 3Ways of DevOps 1 2 3
  • 32.
    Open yourself toupstream and downstream information Feedback loops occur when information is gathered from - upstream (business / development) - downstream (customer / operations) Make visible problems, concerns, potential improvements – share this publicly within your company Learn as you move left to right so improvements aren't lost Requests are opportunities to better fulfill the needs of the business There is rarely enough feedback, capture and look for more Feedback collected can be used to optimally improve the system #2 – Improve Feedback
  • 33.
    Customers are alsoinside your business Customer is more then the 'consumer' at the end of the process - Each step is the customer of the previous step - Understand what the next steps need from you to succeed Remember, feedback isn't guaranteed - encourage it by responding Make feedback & responding quick, easy and readily available #2 – Improve Feedback Understand and respond to your customers Embed knowledge when needed Go all in Keep specialized knowledge out of people's heads and into the system - Check it into source control – automatically versioned. Moving left to right, keep needed info in the stage that requires it
  • 34.
    Workflow Improve Feedback Continual Experimentationand Learning The 3 Ways of DevOps 1 2 3
  • 35.
    Create a cultureof innovation and experimentation The fundamentals are now solid, what can your new knowledge buy you? The business culture must allow for and embrace innovation & experimentation Two essential things must be understood by the business and all involved - We can learn from the failed experiments and risks we take - Mastery comes with repetition and practice and you won't be a master the first N times you practice #3 – Continual Experimentation & Learning
  • 36.
    Findings directly tobug trackers • PDFs are great, bugs are better • Work with developer teams to submit bugs • Security category needs to exist • Bonus points if the bug tracker has an API • Security issues are now part of the normal work flow • Beware of death by backlog - do security sprints • Learn how the team treats issues • ThreadFix is nice for metrics and pumping issues into issue trackers - http://code.google.com/p/threadfix/
  • 37.
    For the reticent:nag, nag, nag • Attach a SLA to each severity level for findings • Remediation plan vs Fixed • “Age” all findings against these SLAs • Politely warn when SLA dates are close • Walk up the Org chart as things get older • Bonus points for dashboards and bug tracker APIs • Get management sold first
  • 38.
    Automating Infrastructure • Declarativeconfiguration language • Plain-text configuration in source control • Fully programmatic, no manual interactions
  • 39.
    Cookbooks, Stacks, Playbooks,... • Most have methods to bundle / share automation routines • You will have to write your own / customize • Good place to spend security cycles -Merge patches upstream for extra good karma points.
  • 40.
    Grouping & Tagging •Tagging your servers applies the required set of automation • A base set of for all servers • Each server can have multiple tags • Map tags to security requirements Node Node Node Node DB Node Node Node Node Cache Node Node Node Node Web Apache Monitoring MySql Memcache Works for Clouds Too!
  • 41.
    Inspector – youneed one • For each group and/or tag • Review the recipe, do a PR aka Pull Request • Hook provisioning for post deploy review • Focus on checking for code compliance -Not perfection, bare minimums • Can include multiple facets -Security, Scalability, Compliance • Vuln scanners – manual or auto • Jenkins Job + Lynis (open source)
  • 42.
    Agent – onemole to rule them all • Add an agent to the standard deploy • Read-only helps sell to SysAdmin • Looks at the state of the system • Reports the state to the “mothership” • Add a dashboard to visualize state of infrastructure • Change policy, servers go red • Watch the board go green as patches roll-out • Create your own or find a vendor Mozilla MIG
  • 43.
    Turn Vuln scanningon its head • Add value for your ops teams • Subscribe and parse vuln emails for key software • Get this info during threat models or config mgmt • Provide an early warning and remove panic from software updates • Roll your own or find a vendor • Gmail + filters can work surprisingly well • Secunia VIM covers 40K+ products • Reverse the scan then report standard
  • 44.
    • Automate, automate,automate • Look for “paper cuts” and fix those first • Finding workflow – your AppSec Pipeline • Figure this out and standardize / optimize • Create systems which can grow organically • App is never done, its just created to easily be added to over time • Finding blocks become templates for next time • Learn to talk “dev” Key Take Aways
  • 45.
    The Phoenix Project ThePractice of Cloud System Administration Gene Kim, Kevin Behr and George Spafford Books to read Thomas A. Limoncelli, Strata R. Chalup, Christina J. Hogan
  • 46.