Shifting Security Left from the Lean+Agile 2019 Conference
•Download as PPTX, PDF•
0 likes•169 views
DevSecOps changes the application security value proposition by leveraging DevOps principles to shift security practices left and automating the collection of security-related data.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Shifting Security Left from the Lean+Agile 2019 Conference
Similar to Shifting Security Left from the Lean+Agile 2019 Conference (20)
Recently uploaded
Recently uploaded (20)
Shifting Security Left from the Lean+Agile 2019 Conference
- 1. © COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. 1@ThomasStiehm #Lean+AgileDC2019 Agility. Security. Delivered. Shifting Security Left The Innovation of DevSecOps Tom Stiehm @ThomasStiehm
- 2. © COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. 2@ThomasStiehm #Lean+AgileDC2019 About Coveros 2 • Coveros helps organizations accelerate software delivery using agile and DevOps methods • Services • Agile Transformations & Coaching • Agile Software Development • Agile Testing & Automation • DevOps Implementations • DevSecOps Integrations • Agile, DevOps, DevSecOps Security, Testing Training • Open Source Products • SecureCI – DevSecOps toolchain • Selenified – Agile test framework
- 3. © COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. 3@ThomasStiehm #Lean+AgileDC2019 Shifting Security Left •Shifting Left is taking a practice or process done late in development and doing it earlier. •Shifting Security Left is doing security testing, analysis, and remediation during development, iteratively. Usually automating data collection to make it faster and cheaper. •The net result is making security practices part of the daily workflow of the development team.
- 4. © COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. 4@ThomasStiehm #Lean+AgileDC2019 Why Shift Security Left? Application Security is hard, error prone, and expensive. It is often made harder by trying to shoehorn it into the end of a release. Shifting Left allows the teams to deal with security issues early and often: •Reducing Risk •Reducing Cost •Leads to fewer errors •Results in fewer security compromises
- 5. © COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. 5@ThomasStiehm #Lean+AgileDC2019 How DevSecOps builds on DevOps DevSecOps is a practice that rose from DevOps that includes information technology security as a fundamental aspect in all the stages of software development. -- Wikipedia DevSecOps builds on DevOps by leveraging collaboration and feedback to address security concerns throughout the software development life cycle.
- 6. © COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. 6@ThomasStiehm #Lean+AgileDC2019 Why should you care about security? To reduce the likelihood of becoming the next:
- 7. © COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. 7@ThomasStiehm #Lean+AgileDC2019 Security before the code is written Be proactive: •Architect and design security in from the start based on threat analysis. •Include security in your pipeline from the start. •Take time to analyze and remediate AppSec findings. Why? •Your software has security defects in it. •Testing security into software at the end doesn’t work. •Relying on network and OS security to protect applications doesn’t work. •Ignoring security concerns doesn’t work.
- 8. © COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. 8@ThomasStiehm #Lean+AgileDC2019 Legacy Security Practices The Focus is on testing at the end.
- 9. © COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. 9@ThomasStiehm #Lean+AgileDC2019 Shifting Left includes reacting to the feedback on a regular basis. Security Practices in DevSecOps
- 10. © COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. 10@ThomasStiehm #Lean+AgileDC2019 Where to Start •SAST - Start with Static Application Security Testing •Quick to integration into a build pipeline •Leverages existing CI/CD assets •SCA - Install Software Composition Analysis •Expand existing CI/CD processes to scan your application dependencies •DAST - Next integrate Dynamic Application Security Testing •Could be as simple as adding a DAST proxy to your existing automated or manual testing environment •Expand into using the automated aspects of DAST tools
- 11. © COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. 11@ThomasStiehm #Lean+AgileDC2019 What to do next •Security Testing – Testing the security features of your software •Security Test Automation - Using test automation tools like Selenium or Cucumber •Penetration Testing – Human beings evaluating the security of your software with the aid of tools •Threat Analysis – Understand who will attack you, why, and how •Infrastructure Analysis Scanning & Testing – Securing your OS and Server Software
- 12. © COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. 12@ThomasStiehm #Lean+AgileDC2019 Advanced DevSecOps Techniques •IAST - Interactive Application Security Testing is technique for detecting security vulnerabilities in a running application •RASP - Runtime Application Self-Protection building on the same technology base as IAST by providing a facility to react to a detected vulnerability as it is exploited, e.g. terminating the session •HAST - Hybrid Application Security Testing uses DAST with IAST to find vulnerabilities
- 13. © COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. 13@ThomasStiehm #Lean+AgileDC2019 Operational Security •Security Information and Event Management (SIEM) •Infrastructure Analysis Scanning & Testing •Encrypting Data at Rest •Encrypting Data in all Network Channels
- 14. © COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. 14@ThomasStiehm #Lean+AgileDC2019 Secure practices in a pipeline
- 15. © COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. 15@ThomasStiehm #Lean+AgileDC2019 Culture Shift Goal Mindset: “Everyone is responsible for security.” Three things to try when changing culture: 1. Build a Knowledge base 2. Promote Openness 3. Create Cybersecurity Champions Need to experiment to find what works for your specific organization.
- 16. © COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. 16@ThomasStiehm #Lean+AgileDC2019 DevSecOps Benefits •Faster vulnerability detection and mitigation •Always-known security posture •Less security-based risk •Smaller chance of getting exploited •Reduced cost of fixing AppSec bugs •Avoidance of publicity for getting pwned •Able to recover from security incidents faster
- 17. © COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. 17@ThomasStiehm #Lean+AgileDC2019 Wrap UP #Coveros5 •Starting to Shift Left is more important then what practices you start with •Greenfield start with Threat Analysis and build security in •Legacy or brownfield start with SAST (or SCA or DAST) •Iteratively add more security practices into your process •Iteratively add more security to your build pipeline
- 18. © COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. 18@ThomasStiehm #Lean+AgileDC2019 Periodic Table of DevOps Tools https://xebialabs.com/periodic-table-of-devops-tools/
- 19. © COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. 19@ThomasStiehm #Lean+AgileDC2019 Questions?
Editor's Notes
- Coveros is a consulting company that helps organizations build better software. We provide software development, application security, QA/testing, and software process improvement services. Coveros focuses on organizations that must build and deploy software within the constraints of significant regulatory or compliance requirements. The primary markets we serve include: DoD, Homeland Security & associated critical infrastructure companies, Healthcare providers, and Financial services institutions
- Make security a first class citizen in your software development process. Part of the daily workflow instead of something done late in the process. By late I mean too late to change much. Shifting Left is the practice of taking something you did later in a process and doing it earlier in a process. Shifting Security Left is the practice of doing security testing and analysis during development. Usually automating data collection to make it faster and cheaper. DevSecOps leverages the collaboration and automation of DevOps to Shift Security Left.
- Fewer security compromoses in production. Making is less likely that something will happen to exploit the software. By shifting security left teams are usually given the opportunity to deal with security issues as they happen so there are fewer last minute mistakes, compromises, and untested code going into production.
- Making Application Security a first class citizen in a software development process. Vs. and after thought that gets interpreted as a hurdle.
- Appear on the cover of a national newspaper is bad, being part of the current network news cycle is worse, appearing before Congress is worse. Losing $1Ms, $10Ms, $100Ms in revenue, fines, and compensation is even worse. Privacy Laws are coming … GDPR, CANSPAM, and soon others.
- This is where compromised come into play. We don’t have time to triage (analyze) all of the findings We don’t have time to fix all of the issues We don’t want to fix issues that already exist in the code base We don’t have time to find alternatives The functionality can’t wait What is the likelihood of something happening anyway?
- Threat Analysis - Figuring out who wants to attack you, why, and how they would do it. Secure Code Review - Human beings reviewing code for security flaws (Check In) Static Analysis - Using fast running static analysis to find a number of issues including vulnerabilities and insecure code SAST - Static Application Security Testing - Using static analysis to specifically find security issues SCA - Software Composition Analysis - Checking your software and dependencies for security issues and license compliance Security Testing - Using test automation tools to verify the security features of an application (functional and nonfunctional) DAST - Dynamic Application Security Testing - Using tools to interact with your software like a user and in different ways to find issues (crawl your site, fuzz testing, injection JavaScript, etc.) IAST - Interactive Application Security Testing - Using software agents that monitor the internal state of your running application to find issues Pen Testing - Penetration Testing - A human being trying to find vulnerabilities in your software, usually aided by tools like proxies, could be informed by the results of other tools Infrastructure Analysis Testing - using tools to check the host and software configuration to determine if known vulnerabilities are present Encrypted Data Channels - all network traffic encrypted including traffic within a data center Data Encrypted at rest - all Personally Identifiable Information (PII), if not all data, needs to be encrypted in the database or files in a system, including backups RASP - Runtime Application Self-Protection - Using software tools or agents to monitor the internal state of an application and determine if an exploit is currently happening SIEM - Security Information and Event Management - Software that monitors a running system, including logs, and determines if security events are happening, have happened, and manage the process of recovering from the event.
- Your implementation order may vary because: You already have something in place Your risk may drive a different order Your tech stack may make something easier to put in place quickly
- Threat Analysis is a story about: Who – who will attack you What – Attack you Where – Your Application UI or API When - Whenever you software is running Why – What do the attackers get out of it? Money, Fame, a bot, a place to stage other attacks, crypto-mining resources How – What tools or techniques might they use
- One upside of all of these is that they are operating on the software as it is being used in an environment so the number of false positives is low. The downside is the performance overhead can be high. Some tech stacks require component substitutions that might have unexpectable trade-offs such as a lower performance interpreter, slow start or warm up times, or a large number of extra libraries. These are advanced because they are new tools and techniques that are stilling finding their place in processes and practices. They are unproven and are looking for the right niche to fill. That said, they are promising. They can also be very resource intensive and have yet to prove they are worth the cost and complexity of using them. IAST seems to be best done in pre-production environments where performance is less of an issue RASP has to be done in production and the real trick is to tune it properly. Some RASP (and IAST) solutions have the added issue of requiring different or specific runtimes that are an added risk to projects and can often be the first thing people blame when things start to go wrong. IAST has the upside of producing fewer false positives, almost always when IAST identifies an issue it is really an issue.
- SIEM – Tools to detect an anomaly and track what happens in investigation, clean up, and remediation of the anomaly (ostensible security related) Infrastructure Analysis Scanning & Testing – Using tools to make sure your OS and Server software is secure and up to regulations or policy Encrypting data at rest or in transit are important aspects of Application and Data security. At this point all websites. Web apps, and web services should be encrypted point to point. Most or all services, even within a datacenter should be encrypted. As within a datacenter more and more become in a public, private, or hybrid cloud or tenancy in a remote data center the odds of only friend eyes seeing your traffic gets smaller and smaller (if it ever really was, insider threats are more common then outsider threats).
- A build pipeline is the automation embodiment of a DevSecOps value stream, as your build moves down your pipeline to become a release candidate you want to have more and more confidence that the software and platform are secure and resilient to attack and exploit.
- DevSecOps is as much about how security is perceived as it is about the technical practices and their implementation. You want to move the perception that security is a hurdle to security being an enabler of higher quality software and supports the business or mission better.