BATbern, profile picture
Uploaded byBATbern
PDF, PPTX675 views

Shift Left Security

The document discusses the importance of integrating security into the software development lifecycle (SDLC) through a 'shift left' approach, emphasizing fast feedback loops and the necessity of explicit trust in development processes. Key strategies include implementing tools such as automated security testing and maintaining a software bill of materials (SBOM) to manage vulnerabilities. Furthermore, it highlights the need for auditable and verifiable security measures throughout the SDLC in order to establish a robust security posture against potential threats.

Embed presentation

Download as PDF, PPTX
Shift left Security 17.06.2022, Florian Kammermann
Agenda 2 1. The Fast Feedback Loop 2. Security in the Software Development Life Cycle (SDLC) 3. Trust in the Software Development Life Cycle (SDLC) 4. Securing Code and Configuration, Artifacts 5. Prevent of Attacks in the Software Development Life Cycle (SDLC)
3 Fast Feedback Loop SCM (git) Unit Testing Build Test on Env. X Production Coding (IDE) Instant The more left we hold the sensor, the faster we get the feedback, the faster we fix it, the lower the cost, the lower the security exposure sec - min < 5m < 7 min < 30min > 30min Test on Env. X Test on Env. X
4 Fast Feedback Loop – The Business View Cost per defect (functional, reliability, security) Source: NIST
5 Incident Types Impact / Probability 30x 25x 20x 15x 10x 5x 0x Functional Reliability Security 30x 25x 20x 15x 10x 5x 0x Security Reliability Functional Business Impact In case of a Major Incident Probability of Occurrence In case of Major Incident Optimizing for Security is a difficult Business Case, we have low probability with high impact.
6 Security in the Software Development Lifecycle (SDLC) Traditional Security Measures SCM (git) Unit Testing Build Test on Env. X Production Coding (IDE) Test on Env. X Test on Env. X Optimized for Production Traditional Security Measures focus on Security Exposure in Production
7 Security in the Software Development Lifecycle (SDLC) SSDLC Security Measures SCM (git) Unit Testing Build Test on Env. X Production Coding (IDE) Test on Env. X Test on Env. X Focus on the whole SDLC Digitalized Production assumes that every step has its security posture
8 The New Reality – Attack Vectors on the Software Development Lifecycle NCSC (Nationales Zentrum für Cybersecurity) OWASP Top 10 Executive Order improving the Nations Cybersecurity − 04 Insecure Design − 05 Security Misconfiguration − 06 Vulnerable and outdated Components − 08 Software and data integrity failures Shift left Security CISA Model part of Zero Trust Application Pillar (CISA = Cybersecurity & Infrastructure Security Agency) − Angesichts der zunehmenden Komplexität von Hard- und Software sowie der fortschreitenden Digitalisierung der Gesellschaft stellen nicht zuletzt Software- Abhängigkeiten eine grosse Herausforderung für die Sicherheit von Unternehmen dar. − In den letzten Jahren hat die «US National Telecommunications and Information Administration (NTIA)» mit Partnern an der Entwicklung einer «Software Bill of Materials (SBOM)» gearbeitet.
9 Security in the Software Development Lifecycle How Security is applied to the SDLC Traditional Security Measures (SAST, DAST / PEN Test) Digitalized Production Security Measures (digital Identities and Bill of Materials) SCM (git) Unit Testing Build Test on Env. X Production Coding (IDE) Test on Env. X Test on Env. X
10 Trust How we create Trust into the Software Development Lifecycle Implicit Trust is created by ticketing systems, by verbal communication by email or chat. Implicit trust is not auditable and can not be traced back programmatically. Implicit trust is not verifiable. Implicit trust doesn’t protect from tampering. implicit explicit Explicit Trust is auditable and verifiable by digital evidence. Explicit trust also comes with digitally represented parties, which took an action in the SSDLC (Secure Software Development Lifecycle). Explicit Trust creates a chain of trust, which can be verified by external parties.
11 Accumulate explicit Trust over the Pipeline Stages digitally signed propagation Signed commit Signed SAST Signed commit Signed unit tests Signed SAST Signed commit Signed build Signed unit tests Signed SAST Signed commit Signed x Tests Signed build Signed unit tests Signed SAST Signed commit SCM (git) Unit Testing Build Test on Env. X Production Coding (IDE) Test on Env. X Test on Env. X
12 Securing Code and Configuration A foundation of securing source code is the ability to authenticate contributor- added commits to the repository. Unsigned or unknown signatures have to be rejected. Commit Authenticity Use SAST to scan the code for vulnerabilities. SAST can find code segments which can lead to possible security exposure. https://cwe.mitre.org/ Identify malicious code early It’s still a problem, that secrets can make it into the code base. Use pre-commit hooks to avoid sensitive information in the central git repository. Avoid exposing sensitive information Review Code Changes by qualified Coworkers. Create short lived branches to bring new code to main. Avoid long lived feature branches. Flawless Change Management x x SCM (git) Unit Testing Build Test on Env. X Production Coding (IDE) Test on Env. X Test on Env. X
13 Securing Artifacts before Deployment Artifact Repositories play a central role in the SDLC. The accumulated Trust and Immutability needs to be guaranteed by Artifact Repositories. They are also the gate for incoming artifacts from central repositories. Artifact Repositories Analyses artifacts to detect known software components and identify any associated vulnerabilities. Scanning complements SAST by finding vulnerabilities not detectable by scanning source code and can also help to build the SBOM. Identify malicious dependencies early VM images should be treated the same as any artifact. They should go through all the stages of the SSDLC. For OCI Images, distroless images are to favor, to remove all the non- essential operating system dependencies. Managed base Images (VM/OCI) Lib D Lib I Lib J SCM (git) Unit Testing Build Test on Env. X Production Coding (IDE) Test on Env. X Test on Env. X
14 The Importance of the Software Bill of Materials (SBOM) A “software bill of materials” (SBOM) has emerged as a key building block in software security and software supply chain risk management. A SBOM is a nested inventory, a list of ingredients that make up software components. Source https://www.cisa.gov/sbom artifact Lib A Lib B Lib C Lib D Lib E Lib F Lib I Lib J Lib K Lib L Lib M Lib N Lib G Lib H
15 Securing deployed Artifacts Secure the deployment through the validation of digital trust (signature). Applying policies that require the progressive series of signed attestations protects environments from accidental, or malicious, artifact deployments. Open Policy Agent can help here. Apply Policies Dynamic application security testing (DAST) tests are designed to identify functional security vulnerabilities in deployed artifacts. Use DAST to identify possible exploits following known patterns of attack, like SQL injection or cross-site scripting (XSS). Dynamic Application Security Testing Static environments are challenging. To create environments where you can test new functionality in isolation, use Declarative infrastructure. These environments are ephemeral. They only live as long as the feature test cycle is active. Isolated and replicable testing Environments SCM (git) Unit Testing Build Test on Env. X Production Coding (IDE) Test on Env. X Test on Env. X Lib I stop
Infrastructure Infrastructure 16 The importance of declarative Infrastructure (IaC) Infrastructure – Ephemeral Environment X Artifact A key component of securing infrastructure is to use declarative infrastructure. Declarative infrastructure is commonly known as infrastructure as code (IaC). It defines infrastructure components as code, manages the components in code repositories, and helps ensure that the infrastructure components undergo the same level of checks and balances as application feature code. Declarative Infrastructure is the basis to manage ephemeral Environments. Artifact Artifact Ephemeral Environment Environments become replicable. Environments (also prod), can be created or rebuilt automated on demand.
17 Mitigation of Attacks in the SSDLC Malicious library Example
18 Mitigation in a traditional SDLC Lib Z Zero Day CVE (manually) analyze Deployments Maintain lists of Deployments to fix Update every Deployment and build/deploy Without an SBOM and trusted Libraries, it can take days to weeks to rollout Mitigations of zero-day CVE’s. And even then, it is not clear all vulnerable Deployments were discovered, APT’s (Advanced Persistent Threat) can take hold and lateral move. SCM (git) Unit Testing Build Test on Env. X Production Coding (IDE) Test on Env. X Test on Env. X
Rotate datacenter credentials every few minutes or hours. Repair vulnerable operating systems and application stacks consistently within hours of patch availability. Faster is safer. Repave every server and application in the datacenter every few hours from a known good state. Source: Pivotal, ThoughtWorks Techradar 19 Mitigation in a SSDLC with the 3 R’s of Enterprise Security Repair Version Control Unit Tests build Verify on environment x production Requirements for Repair • CVE tracking • SBOM and (automated) manifest update • Signed Artifacts Artifact Zero Day CVE SBOM SBOM SBOM SBOM
20 Mitigation in a SSDLC with the 3 R’s of Enterprise Security Rotate datacenter credentials every few minutes or hours. Repair vulnerable operating systems and application stacks consistently within hours of patch availability. Faster is safer. Repave every server and application in the datacenter every few hours from a known good state. Source: Pivotal, ThoughtWorks Techradar Version Control Unit Tests build Verify on environment x production Infrastructure Artifact Artifact Artifact Requirements for Repave • Declarative Infrastructure • Cloud Native / Stateless Architecture • Known trusted State Repave APT’s get starved and can’t take a hold
21 ISO 20’000 and SSDLC (Secure Software Development Life Cycle) the international standard for IT service management Automated and Auditable Software Supply Chain The Software Supply Chain must be auditable to ensure ISO 20’000 compliance. The Implementation of the Software supply chain has to guarantee that the Software supply chain covers integrity and confidentiality. Every step in the building, integration and testing process has to be secured that integrity and confidentiality is guaranteed from the code commit to the running workload on production. In a traditional environment this is/was mostly done trough documented human interaction (handover, signoff etc.) If we apply zero trust to the SDLC and combine it with an audit trail, this requirement is already fulfilled.
22 Shift left Security – Key Takeaways Verifiable Identities Its all about verifiable entities and trust – zero trust applied to the SDLC results in SSDLC Standardizes Processes and Tools Standardize Software Development Processes and Tools enable SSDLC Ephemeral Environments Ephemeral Environments, immutable artifacts and infrastructure is a must Change the culture Change the culture in your workforce towards a security – zero trust culture Enable the Developers Make it easy for your Engineers to deliver Software in a secure way
23 Secure Software Development Lifecycle Journey where is Swisscom Threat Modelling Threat modelling is executed on critical services / applications. Actually this is the “leftest” security measure. We have a security program, which shifts the security Know How left to the DevOps Teams. Every Team should have a certified Security Champion. App Sec Peaks Snyk integrates perfect in the Dev Workflow to Scan Code on vulnerabilities and sensitive information. SAST/SBOM with Snyk Central repositories are used to control the flow from public repositories and scan inhouse produced artifacts as also external fetched artifacts Artifact repositories Not pervasive, but is used more and more. The dominance of kubernetes helps here. isolated ephemeral Environments
References • DevSecOps Booklet Swisscom • Shifting Left on Security Google • The Three R’s of Enterprise Security: Rotate, Repave, and Repair
25 Question and Answer

More Related Content

PDF
Shift Left Security - The What, Why and How
byDevOps.com
 
PDF
Security in CI/CD Pipelines: Tips for DevOps Engineers
byDevOps.com
 
PPTX
DevOps to DevSecOps: Enhancing Software Security Throughout The Development L...
byAnowar Hossain
 
PPTX
ABN AMRO DevSecOps Journey
byDerek E. Weeks
 
PDF
The What, Why, and How of DevSecOps
byCprime
 
PDF
OWASP DefectDojo - Open Source Security Sanity
byMatt Tesauro
 
PDF
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
PDF
DevSecOps | DevOps Sec
byRubal Jain
 
Shift Left Security - The What, Why and How
byDevOps.com
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
byDevOps.com
 
DevOps to DevSecOps: Enhancing Software Security Throughout The Development L...
byAnowar Hossain
 
ABN AMRO DevSecOps Journey
byDerek E. Weeks
 
The What, Why, and How of DevSecOps
byCprime
 
OWASP DefectDojo - Open Source Security Sanity
byMatt Tesauro
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
DevSecOps | DevOps Sec
byRubal Jain
 

What's hot

PPTX
Benefits of DevSecOps
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
PPTX
DevSecOps Training Bootcamp - A Practical DevSecOps Course
byTonex
 
PPTX
SEIM-Microsoft Sentinel.pptx
byAmrMousa51
 
PDF
Red Team Framework
by👀 Joe Gray
 
PDF
DevSecOps Implementation Journey
byDevOps Indonesia
 
PDF
Practical DevSecOps - Arief Karfianto
byidsecconf
 
PDF
The State of DevSecOps
byDevOps Indonesia
 
PPTX
DevSecOps : an Introduction
byPrashanth B. P.
 
PDF
Demystifying DevSecOps
byArchana Joshi
 
PPTX
DevSecOps
byJoel Divekar
 
PDF
Snyk Intro - Developer Security Essentials 2022
byLiran Tal
 
PPTX
DevOps to DevSecOps Journey..
bySiddharth Joshi
 
PDF
DevSecOps What Why and How
byNotSoSecure Global Services
 
PDF
2019 DevSecOps Reference Architectures
bySonatype
 
PDF
DevSecOps in Baby Steps
byPriyanka Aash
 
PPTX
Micro services Architecture
byAraf Karsh Hamid
 
PDF
Introduction to DevSecOps
bySetu Parimi
 
PPTX
Effective Threat Hunting with Tactical Threat Intelligence
byDhruv Majumdar
 
PDF
Bridging the Security Testing Gap in Your CI/CD Pipeline
byDevOps.com
 
PPTX
DevSecOps reference architectures 2018
bySonatype
 
Benefits of DevSecOps
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
byTonex
 
SEIM-Microsoft Sentinel.pptx
byAmrMousa51
 
Red Team Framework
by👀 Joe Gray
 
DevSecOps Implementation Journey
byDevOps Indonesia
 
Practical DevSecOps - Arief Karfianto
byidsecconf
 
The State of DevSecOps
byDevOps Indonesia
 
DevSecOps : an Introduction
byPrashanth B. P.
 
Demystifying DevSecOps
byArchana Joshi
 
DevSecOps
byJoel Divekar
 
Snyk Intro - Developer Security Essentials 2022
byLiran Tal
 
DevOps to DevSecOps Journey..
bySiddharth Joshi
 
DevSecOps What Why and How
byNotSoSecure Global Services
 
2019 DevSecOps Reference Architectures
bySonatype
 
DevSecOps in Baby Steps
byPriyanka Aash
 
Micro services Architecture
byAraf Karsh Hamid
 
Introduction to DevSecOps
bySetu Parimi
 
Effective Threat Hunting with Tactical Threat Intelligence
byDhruv Majumdar
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
byDevOps.com
 
DevSecOps reference architectures 2018
bySonatype
 

Similar to Shift Left Security

PDF
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
byBlack Duck by Synopsys
 
PPTX
Shift_Left_Strategies_general _2025.pptx
bykeerthanakeerthana85184
 
PDF
The Future of DevSecOps
byStefan Streichsbier
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
PDF
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
PDF
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
PDF
Application Security Guide for Beginners
byCheckmarx
 
PDF
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
byTom Stiehm
 
PPTX
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
bylior mazor
 
PDF
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
byRich Mills
 
PPTX
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
bylior mazor
 
PDF
Security Checkpoints in Agile SDLC
byRahul Raghavan
 
PPT
Software Security in the Real World
byMark Curphey
 
PDF
The complete guide to developer first application security By Github.Com
bydarelinornes
 
PDF
The complete guide to developer first application security By Github.Com
bynootjeiviwe
 
PDF
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
bySynopsys Software Integrity Group
 
PDF
SACON - Automating SecOps (Murray Goldschmidt)
byPriyanka Aash
 
PPTX
Strengthening cyber resilience with Software Supply Chain Visibility
bySonatype
 
PDF
Terrascan - Cloud Native Security Tool
bysangam biradar
 
PDF
AppSec in an Agile World
byDavid Lindner
 
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
byBlack Duck by Synopsys
 
Shift_Left_Strategies_general _2025.pptx
bykeerthanakeerthana85184
 
The Future of DevSecOps
byStefan Streichsbier
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
Application Security Guide for Beginners
byCheckmarx
 
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
byTom Stiehm
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
bylior mazor
 
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
byRich Mills
 
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
bylior mazor
 
Security Checkpoints in Agile SDLC
byRahul Raghavan
 
Software Security in the Real World
byMark Curphey
 
The complete guide to developer first application security By Github.Com
bydarelinornes
 
The complete guide to developer first application security By Github.Com
bynootjeiviwe
 
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
bySynopsys Software Integrity Group
 
SACON - Automating SecOps (Murray Goldschmidt)
byPriyanka Aash
 
Strengthening cyber resilience with Software Supply Chain Visibility
bySonatype
 
Terrascan - Cloud Native Security Tool
bysangam biradar
 
AppSec in an Agile World
byDavid Lindner
 

More from BATbern

PDF
BATbern56 TrainVision – ein ehrlicher Erfahrungsbericht vom Prototyp bis zur ...
byBATbern
 
PDF
BATbern56 RAG in Produktion bei der Mobiliar
byBATbern
 
PDF
BATbern56 Vom Experiment zur Wirkung – Die KI-Initiative im ISC-EJPD
byBATbern
 
PDF
BATbern56 Die Architektur der intelligenten Zukunft: Vom Code zum kooperative...
byBATbern
 
PDF
BATbern56 GenAI beim Bund: Wie das BAFU komplexe Anfragen meistert!
byBATbern
 
PDF
BATbern56 ariolilaw Rechtskonformer Einsatz von GenAI
byBATbern
 
PPTX
BATbern55 Bridging the Gap from Telco to Techco with Agile Architecture
byBATbern
 
PPTX
BATbern55 How can TWINT be agile in an inert ecosystem?
byBATbern
 
PPTX
BATbern55 Agile Architektur und Transformation @Postfinance
byBATbern
 
PDF
BATbern54 Build & Run on the same platform, embracing Platform Engineering & ...
byBATbern
 
PDF
BATbern54 Plattform-Engineering für digitale Versicherungsprodukte: «Joint Ap...
byBATbern
 
PDF
BATbern54 Plattform-Engineering für digitale Versicherungsprodukte: Erfahrung...
byBATbern
 
PDF
BATbern53 Post Data persistence in the business-critical and event driven env...
byBATbern
 
PPTX
BATbern53 BKW Easy Migration through Clean Architecture
byBATbern
 
PDF
BATbern53 ETHZ Rethinking Cluster State Management for Lightweight Function a...
byBATbern
 
PDF
BATbern53 SBB Wieso in jeder Zugfahrt der SBB ein Stück MongoDB drinsteckt
byBATbern
 
PDF
BATBern53 - EPFL - Blue Brain and related technical challenges
byBATbern
 
PDF
BATbern53 Die Mobiliar Bring die Algorithmen zu den Daten – nicht umgekehrt
byBATbern
 
PDF
BATbern53 ELCA Analyticsdatenhaltung in der Cloud
byBATbern
 
PDF
BATber53 AWS Modernize your applications with purpose-built AWS databases
byBATbern
 
BATbern56 TrainVision – ein ehrlicher Erfahrungsbericht vom Prototyp bis zur ...
byBATbern
 
BATbern56 RAG in Produktion bei der Mobiliar
byBATbern
 
BATbern56 Vom Experiment zur Wirkung – Die KI-Initiative im ISC-EJPD
byBATbern
 
BATbern56 Die Architektur der intelligenten Zukunft: Vom Code zum kooperative...
byBATbern
 
BATbern56 GenAI beim Bund: Wie das BAFU komplexe Anfragen meistert!
byBATbern
 
BATbern56 ariolilaw Rechtskonformer Einsatz von GenAI
byBATbern
 
BATbern55 Bridging the Gap from Telco to Techco with Agile Architecture
byBATbern
 
BATbern55 How can TWINT be agile in an inert ecosystem?
byBATbern
 
BATbern55 Agile Architektur und Transformation @Postfinance
byBATbern
 
BATbern54 Build & Run on the same platform, embracing Platform Engineering & ...
byBATbern
 
BATbern54 Plattform-Engineering für digitale Versicherungsprodukte: «Joint Ap...
byBATbern
 
BATbern54 Plattform-Engineering für digitale Versicherungsprodukte: Erfahrung...
byBATbern
 
BATbern53 Post Data persistence in the business-critical and event driven env...
byBATbern
 
BATbern53 BKW Easy Migration through Clean Architecture
byBATbern
 
BATbern53 ETHZ Rethinking Cluster State Management for Lightweight Function a...
byBATbern
 
BATbern53 SBB Wieso in jeder Zugfahrt der SBB ein Stück MongoDB drinsteckt
byBATbern
 
BATBern53 - EPFL - Blue Brain and related technical challenges
byBATbern
 
BATbern53 Die Mobiliar Bring die Algorithmen zu den Daten – nicht umgekehrt
byBATbern
 
BATbern53 ELCA Analyticsdatenhaltung in der Cloud
byBATbern
 
BATber53 AWS Modernize your applications with purpose-built AWS databases
byBATbern
 

Recently uploaded

PPTX
Digital Finance Summit 2025 - Balint Kis
byFinTech Belgium
 
PPTX
Digital Finance Summit 2025 - Cédric Nève
byFinTech Belgium
 
PDF
Finale Group Project UW- Uyghur Muslims.pdf
bykarlas39
 
PPTX
WASTEWATER TREATMENT LABORATORY TRAINING.pptx
byImadAghila
 
PDF
OSMC 2025: Current State of Icinga by Bernd Erk.pdf
byNETWAYS
 
PPTX
Digital Finance Summit 2025 - Vyntra by Joris Lochy
byFinTech Belgium
 
PPTX
Digital Finance Summit 2025 - MyProved by Xavier Laoureux
byFinTech Belgium
 
DOCX
Top Platforms to Secure Gmail Accounts for Business Use This Year.docx
bysmmtrust service
 
PPTX
Digital Finance Summit 2025-Benoit van den Hove
byFinTech Belgium
 
PDF
Digital Finance Summit 2025 - Marko Koić
byFinTech Belgium
 
PPT
Fast approximate minimum spanning tree based clustering algorithm
byMd. Shakil Hossain
 
PDF
Digital Finance Summit 2025 - Lauren, Sylvain and Florence (Approach Cyber)
byFinTech Belgium
 
PPTX
How to Create a Timeline in PowerPoint|Step-by-Step Guide
byzhiqiangjiang1
 
PDF
HEPA (AHU) Qualification.pdf & Replacement Frequency of HEPA filter
byvinodchauhan89
 
PDF
Digital Finance Summit 2025 - Beep by Maria Vittoria Dalla Rosa Prati
byFinTech Belgium
 
PPTX
Digital Marketing for a mnc company.pptx
bybcabcu20222025
 
PPTX
Life skill habit-3 put first thing first -N (1).pptx
byssuser4f8a7e1
 
PDF
Classification and adoption of AI technologies for use in parliaments
byProf. Dr. Fotios Fitsilis
 
PDF
Digital Finance Summit 2025 - Thomas Vissers
byFinTech Belgium
 
PPTX
Digital Finance Summit 2025 - Kris Boudt and Ann Marcelle
byFinTech Belgium
 
Digital Finance Summit 2025 - Balint Kis
byFinTech Belgium
 
Digital Finance Summit 2025 - Cédric Nève
byFinTech Belgium
 
Finale Group Project UW- Uyghur Muslims.pdf
bykarlas39
 
WASTEWATER TREATMENT LABORATORY TRAINING.pptx
byImadAghila
 
OSMC 2025: Current State of Icinga by Bernd Erk.pdf
byNETWAYS
 
Digital Finance Summit 2025 - Vyntra by Joris Lochy
byFinTech Belgium
 
Digital Finance Summit 2025 - MyProved by Xavier Laoureux
byFinTech Belgium
 
Top Platforms to Secure Gmail Accounts for Business Use This Year.docx
bysmmtrust service
 
Digital Finance Summit 2025-Benoit van den Hove
byFinTech Belgium
 
Digital Finance Summit 2025 - Marko Koić
byFinTech Belgium
 
Fast approximate minimum spanning tree based clustering algorithm
byMd. Shakil Hossain
 
Digital Finance Summit 2025 - Lauren, Sylvain and Florence (Approach Cyber)
byFinTech Belgium
 
How to Create a Timeline in PowerPoint|Step-by-Step Guide
byzhiqiangjiang1
 
HEPA (AHU) Qualification.pdf & Replacement Frequency of HEPA filter
byvinodchauhan89
 
Digital Finance Summit 2025 - Beep by Maria Vittoria Dalla Rosa Prati
byFinTech Belgium
 
Digital Marketing for a mnc company.pptx
bybcabcu20222025
 
Life skill habit-3 put first thing first -N (1).pptx
byssuser4f8a7e1
 
Classification and adoption of AI technologies for use in parliaments
byProf. Dr. Fotios Fitsilis
 
Digital Finance Summit 2025 - Thomas Vissers
byFinTech Belgium
 
Digital Finance Summit 2025 - Kris Boudt and Ann Marcelle
byFinTech Belgium
 
In this document
Powered by AI

Overview of 'Shift Left Security' presented by Florian Kammermann on 17.06.2022.

Outlines key topics: Fast Feedback Loop, Security in SDLC, Trust, Securing Code, Preventing Attacks.

Explains fast feedback in coding, testing, and cost implications on security and defect management.

Distinction between traditional security measures for production vs. focused security across the entire SDLC.

Differentiates between implicit and explicit trust, emphasizing auditability and verifiability in SSDLC.

Focus on securing source code through authentic signings, code scans, and rigorous change management.

Importance of monitoring artifacts, ensuring vulnerabilities are detected, and the role of SBOM in security.

Discusses securing deployments with digital trust verification and DAST testing for vulnerabilities.

Highlights utilizing Infrastructure as Code for security, enabling efficiency in creating and managing environments.

Discusses proactive and reactive strategies using SBOM, rapid response to vulnerabilities, and the 3 R’s.

Describes the need for an auditable Software Supply Chain to comply with ISO 20'000 and ensure security.

Summarizes essential principles: verifiable identities, standardized processes, and fostering a security culture.

Details Swisscom's approach to threat modeling, security integration in DevOps, and use of Snyk.

Provides references to materials on DevSecOps and shifting left on security.

Engagement with the audience through questions and answers.

Shift Left Security

  • 1.
  • 2.
    Agenda 2 1. The FastFeedback Loop 2. Security in the Software Development Life Cycle (SDLC) 3. Trust in the Software Development Life Cycle (SDLC) 4. Securing Code and Configuration, Artifacts 5. Prevent of Attacks in the Software Development Life Cycle (SDLC)
  • 3.
    3 Fast Feedback Loop SCM (git) UnitTesting Build Test on Env. X Production Coding (IDE) Instant The more left we hold the sensor, the faster we get the feedback, the faster we fix it, the lower the cost, the lower the security exposure sec - min < 5m < 7 min < 30min > 30min Test on Env. X Test on Env. X
  • 4.
    4 Fast Feedback Loop– The Business View Cost per defect (functional, reliability, security) Source: NIST
  • 5.
    5 Incident Types Impact/ Probability 30x 25x 20x 15x 10x 5x 0x Functional Reliability Security 30x 25x 20x 15x 10x 5x 0x Security Reliability Functional Business Impact In case of a Major Incident Probability of Occurrence In case of Major Incident Optimizing for Security is a difficult Business Case, we have low probability with high impact.
  • 6.
    6 Security in the SoftwareDevelopment Lifecycle (SDLC) Traditional Security Measures SCM (git) Unit Testing Build Test on Env. X Production Coding (IDE) Test on Env. X Test on Env. X Optimized for Production Traditional Security Measures focus on Security Exposure in Production
  • 7.
    7 Security in theSoftware Development Lifecycle (SDLC) SSDLC Security Measures SCM (git) Unit Testing Build Test on Env. X Production Coding (IDE) Test on Env. X Test on Env. X Focus on the whole SDLC Digitalized Production assumes that every step has its security posture
  • 8.
    8 The New Reality– Attack Vectors on the Software Development Lifecycle NCSC (Nationales Zentrum für Cybersecurity) OWASP Top 10 Executive Order improving the Nations Cybersecurity − 04 Insecure Design − 05 Security Misconfiguration − 06 Vulnerable and outdated Components − 08 Software and data integrity failures Shift left Security CISA Model part of Zero Trust Application Pillar (CISA = Cybersecurity & Infrastructure Security Agency) − Angesichts der zunehmenden Komplexität von Hard- und Software sowie der fortschreitenden Digitalisierung der Gesellschaft stellen nicht zuletzt Software- Abhängigkeiten eine grosse Herausforderung für die Sicherheit von Unternehmen dar. − In den letzten Jahren hat die «US National Telecommunications and Information Administration (NTIA)» mit Partnern an der Entwicklung einer «Software Bill of Materials (SBOM)» gearbeitet.
  • 9.
    9 Security in theSoftware Development Lifecycle How Security is applied to the SDLC Traditional Security Measures (SAST, DAST / PEN Test) Digitalized Production Security Measures (digital Identities and Bill of Materials) SCM (git) Unit Testing Build Test on Env. X Production Coding (IDE) Test on Env. X Test on Env. X
  • 10.
    10 Trust How we createTrust into the Software Development Lifecycle Implicit Trust is created by ticketing systems, by verbal communication by email or chat. Implicit trust is not auditable and can not be traced back programmatically. Implicit trust is not verifiable. Implicit trust doesn’t protect from tampering. implicit explicit Explicit Trust is auditable and verifiable by digital evidence. Explicit trust also comes with digitally represented parties, which took an action in the SSDLC (Secure Software Development Lifecycle). Explicit Trust creates a chain of trust, which can be verified by external parties.
  • 11.
    11 Accumulate explicit Trustover the Pipeline Stages digitally signed propagation Signed commit Signed SAST Signed commit Signed unit tests Signed SAST Signed commit Signed build Signed unit tests Signed SAST Signed commit Signed x Tests Signed build Signed unit tests Signed SAST Signed commit SCM (git) Unit Testing Build Test on Env. X Production Coding (IDE) Test on Env. X Test on Env. X
  • 12.
    12 Securing Code andConfiguration A foundation of securing source code is the ability to authenticate contributor- added commits to the repository. Unsigned or unknown signatures have to be rejected. Commit Authenticity Use SAST to scan the code for vulnerabilities. SAST can find code segments which can lead to possible security exposure. https://cwe.mitre.org/ Identify malicious code early It’s still a problem, that secrets can make it into the code base. Use pre-commit hooks to avoid sensitive information in the central git repository. Avoid exposing sensitive information Review Code Changes by qualified Coworkers. Create short lived branches to bring new code to main. Avoid long lived feature branches. Flawless Change Management x x SCM (git) Unit Testing Build Test on Env. X Production Coding (IDE) Test on Env. X Test on Env. X
  • 13.
    13 Securing Artifacts beforeDeployment Artifact Repositories play a central role in the SDLC. The accumulated Trust and Immutability needs to be guaranteed by Artifact Repositories. They are also the gate for incoming artifacts from central repositories. Artifact Repositories Analyses artifacts to detect known software components and identify any associated vulnerabilities. Scanning complements SAST by finding vulnerabilities not detectable by scanning source code and can also help to build the SBOM. Identify malicious dependencies early VM images should be treated the same as any artifact. They should go through all the stages of the SSDLC. For OCI Images, distroless images are to favor, to remove all the non- essential operating system dependencies. Managed base Images (VM/OCI) Lib D Lib I Lib J SCM (git) Unit Testing Build Test on Env. X Production Coding (IDE) Test on Env. X Test on Env. X
  • 14.
    14 The Importance ofthe Software Bill of Materials (SBOM) A “software bill of materials” (SBOM) has emerged as a key building block in software security and software supply chain risk management. A SBOM is a nested inventory, a list of ingredients that make up software components. Source https://www.cisa.gov/sbom artifact Lib A Lib B Lib C Lib D Lib E Lib F Lib I Lib J Lib K Lib L Lib M Lib N Lib G Lib H
  • 15.
    15 Securing deployed Artifacts Securethe deployment through the validation of digital trust (signature). Applying policies that require the progressive series of signed attestations protects environments from accidental, or malicious, artifact deployments. Open Policy Agent can help here. Apply Policies Dynamic application security testing (DAST) tests are designed to identify functional security vulnerabilities in deployed artifacts. Use DAST to identify possible exploits following known patterns of attack, like SQL injection or cross-site scripting (XSS). Dynamic Application Security Testing Static environments are challenging. To create environments where you can test new functionality in isolation, use Declarative infrastructure. These environments are ephemeral. They only live as long as the feature test cycle is active. Isolated and replicable testing Environments SCM (git) Unit Testing Build Test on Env. X Production Coding (IDE) Test on Env. X Test on Env. X Lib I stop
  • 16.
    Infrastructure Infrastructure 16 The importance ofdeclarative Infrastructure (IaC) Infrastructure – Ephemeral Environment X Artifact A key component of securing infrastructure is to use declarative infrastructure. Declarative infrastructure is commonly known as infrastructure as code (IaC). It defines infrastructure components as code, manages the components in code repositories, and helps ensure that the infrastructure components undergo the same level of checks and balances as application feature code. Declarative Infrastructure is the basis to manage ephemeral Environments. Artifact Artifact Ephemeral Environment Environments become replicable. Environments (also prod), can be created or rebuilt automated on demand.
  • 17.
    17 Mitigation of Attacks inthe SSDLC Malicious library Example
  • 18.
    18 Mitigation in atraditional SDLC Lib Z Zero Day CVE (manually) analyze Deployments Maintain lists of Deployments to fix Update every Deployment and build/deploy Without an SBOM and trusted Libraries, it can take days to weeks to rollout Mitigations of zero-day CVE’s. And even then, it is not clear all vulnerable Deployments were discovered, APT’s (Advanced Persistent Threat) can take hold and lateral move. SCM (git) Unit Testing Build Test on Env. X Production Coding (IDE) Test on Env. X Test on Env. X
  • 19.
    Rotate datacenter credentialsevery few minutes or hours. Repair vulnerable operating systems and application stacks consistently within hours of patch availability. Faster is safer. Repave every server and application in the datacenter every few hours from a known good state. Source: Pivotal, ThoughtWorks Techradar 19 Mitigation in a SSDLC with the 3 R’s of Enterprise Security Repair Version Control Unit Tests build Verify on environment x production Requirements for Repair • CVE tracking • SBOM and (automated) manifest update • Signed Artifacts Artifact Zero Day CVE SBOM SBOM SBOM SBOM
  • 20.
    20 Mitigation in aSSDLC with the 3 R’s of Enterprise Security Rotate datacenter credentials every few minutes or hours. Repair vulnerable operating systems and application stacks consistently within hours of patch availability. Faster is safer. Repave every server and application in the datacenter every few hours from a known good state. Source: Pivotal, ThoughtWorks Techradar Version Control Unit Tests build Verify on environment x production Infrastructure Artifact Artifact Artifact Requirements for Repave • Declarative Infrastructure • Cloud Native / Stateless Architecture • Known trusted State Repave APT’s get starved and can’t take a hold
  • 21.
    21 ISO 20’000 andSSDLC (Secure Software Development Life Cycle) the international standard for IT service management Automated and Auditable Software Supply Chain The Software Supply Chain must be auditable to ensure ISO 20’000 compliance. The Implementation of the Software supply chain has to guarantee that the Software supply chain covers integrity and confidentiality. Every step in the building, integration and testing process has to be secured that integrity and confidentiality is guaranteed from the code commit to the running workload on production. In a traditional environment this is/was mostly done trough documented human interaction (handover, signoff etc.) If we apply zero trust to the SDLC and combine it with an audit trail, this requirement is already fulfilled.
  • 22.
    22 Shift left Security– Key Takeaways Verifiable Identities Its all about verifiable entities and trust – zero trust applied to the SDLC results in SSDLC Standardizes Processes and Tools Standardize Software Development Processes and Tools enable SSDLC Ephemeral Environments Ephemeral Environments, immutable artifacts and infrastructure is a must Change the culture Change the culture in your workforce towards a security – zero trust culture Enable the Developers Make it easy for your Engineers to deliver Software in a secure way
  • 23.
    23 Secure Software DevelopmentLifecycle Journey where is Swisscom Threat Modelling Threat modelling is executed on critical services / applications. Actually this is the “leftest” security measure. We have a security program, which shifts the security Know How left to the DevOps Teams. Every Team should have a certified Security Champion. App Sec Peaks Snyk integrates perfect in the Dev Workflow to Scan Code on vulnerabilities and sensitive information. SAST/SBOM with Snyk Central repositories are used to control the flow from public repositories and scan inhouse produced artifacts as also external fetched artifacts Artifact repositories Not pervasive, but is used more and more. The dominance of kubernetes helps here. isolated ephemeral Environments
  • 24.
    References • DevSecOps BookletSwisscom • Shifting Left on Security Google • The Three R’s of Enterprise Security: Rotate, Repave, and Repair
  • 25.