
DevSecOps Singapore 2017 - Security in the Delivery Pipeline


This talk is from DevSecOps Singapore, June 29th, 2017.

Continuous Delivery and Security are traveling companions if we want them to be. This talk highlights how to make that happen in three areas of the delivery pipeline.

Published in: Engineering


  1. DevSecOps Singapore @WICKETT: SECURITY IN THE DELIVERY PIPELINE. JAMES WICKETT, SIGNAL SCIENCES
  2. @WICKETT
     ‣ HEAD OF RESEARCH AT SIGNAL SCIENCES
     ‣ ORGANIZER OF DEVOPS DAYS AUSTIN
     ‣ LYNDA.COM AUTHOR ON DEVOPS
     ‣ RECOVERING FROM YEARS OF OPS AND SECURITY
  3. SUMMARY
     ‣ SECURITY IS STILL MAKING THE JOURNEY OF DEVOPS
     ‣ SECURITY SEES NEW OPPORTUNITIES TO AUTOMATE AND ADD VALUE
     ‣ THE DELIVERY PIPELINE EXTENDS FARTHER THAN WE USUALLY CONSIDER
  4. MORE SUMMARY
     ‣ CULTURE AND TOOLING NEED TO ALIGN FOR US TO MAKE THIS WORK
     ‣ COVERAGE OF SECURITY TOOLS FOR THREE PIPELINE AREAS: INHERIT, BUILD AND RUNTIME
     ‣ ADVICE FOR DEALING WITH THE AUDITORS AND OTHER BLOCKERS
  5. CI/CD JOURNEY
  6. CI/CD at three companies
  7. Currently, at Signal Sciences we do about 15 deploys per day
  8. Roughly 10,000 deploys in the last 2.5 yrs
  10. CD is how little you can deploy at a time
  11. We optimized for cycle time: the time from code commit to production
  12. Gave power to the team to deploy
  13. Signal Sciences is a software as a service company and a security company
  14. Security had to be part of CI/CD and the overall delivery pipeline
  15. Before Signal Sciences
  16. Rugged Software circa 2010
  19. Started Gauntlt 4 years ago
  20. Security is different in CI/CD
  21. SECURITY'S DILEMMA
  22. Security epistemology is difficult to assess
  23. Early days of the industry created a binary approach to security
  24. Breached or Secure
  25. This creates a false dichotomy
  26. Complexity reductionism falsely propagates this type of thinking
  27. Breached or secure? This is not the question we should ask
  28. Where can security add value?
  29. AN OPINIONATED VIEW OF HOW WE GOT HERE
  30. Agile
  31. Agile attempted to remove epistemological gaps in software development
  32. Largely it worked and created a new culture of rapid delivery and feedback loops
  34. Operations didn't ride the first wave of Agile
  35. Continuation of Agile to Ops
  36. "DEVOPS IS THE APPLICATION OF AGILE METHODOLOGY TO SYSTEM ADMINISTRATION" - THE PRACTICE OF CLOUD SYSTEM ADMINISTRATION (BOOK)
  40. DEV : OPS = 10 : 1
  41. "CULTURE IS THE MOST IMPORTANT ASPECT TO DEVOPS SUCCEEDING IN THE ENTERPRISE" - PATRICK DEBOIS
  42. 4 KEYS TO CULTURE
      ‣ MUTUAL UNDERSTANDING
      ‣ SHARED LANGUAGE
      ‣ SHARED VIEWS
      ‣ COLLABORATIVE TOOLING
  44. SECURITY WAS LEFT OUT OF THE STORY
  45. Why?
  46. Compliance Driven Security
  47. "[Security by risk assessment] introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy and that underfunded security efforts plus risk management are about as good as properly funded security work"
  48. Dev : Ops : Sec = 100 : 10 : 1
  49. Security as the cultural outlier in an organization
  50. "SECURITY PREFERS A SYSTEM POWERED OFF AND UNPLUGGED" - DEVELOPER
  51. "...THOSE STUPID DEVELOPERS" - SECURITY PERSON
  52. "every aspect of managing WAFs is an ongoing process. This is the antithesis of set it and forget it technology. That is the real point of this research. To maximize value from your WAF you need to go in with everyone's eyes open to the effort required to get and keep the WAF running productively." - WHITEPAPER FROM AN UNDISCLOSED WAF VENDOR
  53. Bottleneck Approach
  54. THE AVERAGE TIME TO DELIVER CORPORATE IT PROJECTS HAS INCREASED FROM ~8.5 MONTHS TO OVER 10 MONTHS IN THE LAST 5 YEARS. Source: Revving up your Corporate RPMs, Fortune Magazine, Feb 1, 2016
  55. THE GROWTH OF [SECURITY] FUNCTIONS WHICH IS TOO OFTEN POORLY COORDINATED... [RESULTING IN] A PROLIFERATION OF NEW TASKS IN THE AREAS OF COMPLIANCE, PRIVACY AND DATA PROTECTION. Source: Revving up your Corporate RPMs, Fortune Magazine, Feb 1, 2016
  56. IT IS 30 TIMES CHEAPER TO FIX SECURITY DEFECTS IN DEV VS. PROD. Source: NIST, 2002, The Economic Impacts of Inadequate Infrastructure for Software Testing
  57. Source: NIST, 2002, The Economic Impacts of Inadequate Infrastructure for Software Testing
  58. Security is ineffective
  60. SECURITY KNOWS IT MUST CHANGE OR DIE
  61. "Companies are spending a great deal on security, but we read of massive computer-related attacks. Clearly something is wrong. The root of the problem is twofold: we're protecting the wrong things, and we're hurting productivity in the process." - THINKING SECURITY, STEVEN M. BELLOVIN, 2015
  62. AVERAGE INCIDENT COST IS $5.4 MILLION IN THE U.S. Source: Ponemon Institute, 2013, Cost of Data Breach Report
  63. "High performers spend 50 percent less time remediating security issues than low performers. By better integrating information security objectives into daily work, teams achieve higher levels of IT performance and build more secure systems." - 2016 State of DevOps Report
  64. High performing orgs achieve quality by incorporating security (and security teams) into the delivery process. Source: 2016 State of DevOps Report
  66. http://www.youtube.com/watch?v=jQblKuMuS0Y
  67. A CI/CD PIPELINE
  68. Pipelines look different for different people
  69. PIPELINE PHASES: ‣ DESIGN ‣ BUILD ‣ DEPLOY ‣ OPERATE
  70. PIPELINE PHASES: ‣ DESIGN ‣ INHERIT ‣ BUILD ‣ DEPLOY ‣ OPERATE
  71. WE WILL FOCUS HERE: ‣ DESIGN ‣ INHERIT ‣ BUILD ‣ DEPLOY ‣ OPERATE
  72. SECURITY CONSIDERATIONS
      ‣ INHERIT: What have I bundled into my app that leaves me vulnerable?
      ‣ BUILD: Do my build acceptance tests and integration tests catch security issues before release?
      ‣ OPERATE: Am I being attacked right now? Is it working?
  74. SECURITY IN THE DELIVERY PIPELINE
  75. INHERIT
  76. OpenSSL
  77. Shellshock
  79. OVER 30% OF OFFICIAL IMAGES IN DOCKER HUB CONTAIN HIGH PRIORITY SECURITY VULNERABILITIES. Source: https://banyanops.com/blog/analyzing-docker-hub/
  80. bundler-audit for Ruby
  81. Lynis: https://cisofy.com/lynis/
  82. snyk: serverless dependency checks
  83. Docker Bench for Security: a script that checks for dozens of common best practices around deploying Docker containers in production. https://dockerbench.com
  84. Retire.js: http://retirejs.github.io/retire.js/ (@webtonull)
  85. Lots more...
  86. Instrument your CI system with checks for all the things you inherit
  87. Twistlock, Aqua, Sonatype, BlackDuck
  88. BUILD
  89. Security is a function of Quality
  90. Vulnerable code in all languages. Source: WhiteHat Security Report (2015)
  91. Security tools are intractably noisy and difficult to use
  92. A method of collaboration was needed for devs, ops and security engineers
  93. There needed to be a new language to span the parties
  95. Gauntlt
      ‣ Open source, MIT License
      ‣ Gauntlt comes with pre-canned steps that hook security testing tools
      ‣ Gauntlt does not install tools
      ‣ Gauntlt wants to be part of the CI/CD pipeline
      ‣ Be a good citizen of exit status and stdout/stderr
  96. gauntlt.org
  100. Getting started:

       $ gem install gauntlt
       # download example attacks from github
       # customize the example attacks
       # now you can run gauntlt
       $ gauntlt

  101. An example attack file (Given / When / Then; the slide asks "What?"):

       @slow @final
       Feature: Look for cross site scripting (xss) using arachni against a URL

         Scenario: Using arachni, look for cross site scripting and verify no issues are found
           Given "arachni" is installed
           And the following profile:
             | name | value                 |
             | url  | http://localhost:8008 |
           When I launch an "arachni" attack with:
             """
             arachni --check=xss* <url>
             """
           Then the output should contain "0 issues were detected."

  102. "We have saved millions of dollars using Gauntlt for the largest healthcare industry project." - Aaron Rinehart, UnitedHealthCare
  103. http://bit.ly/2s8P1Ll
  104. WORKSHOP INCLUDES:
       ‣ 8 LABS FOR GAUNTLT
       ‣ HOW TO USE GAUNTLT FOR NETWORK CHECKS
       ‣ GAUNTLT FOR XSS, SQLI, OTHER APSES
       ‣ HANDLING REPORTING
       ‣ USING ENV VARS
       ‣ CI SYSTEM SETUP
  105. http://bit.ly/2s8P1Ll
  106. github.com/gauntlt/gauntlt-demo
  107. github.com/gauntlt/gauntlt-starter-kit
  108. SOURCE: THE THREE WAYS OF DEVOPS, GENE KIM
  111. Most teams use Gauntlt in Docker containers
  112. https://github.com/gauntlt/gauntlt-docker
  113. ZAP: https://github.com/zaproxy/zaproxy
  114. Static Code Analysis, e.g. Brakeman
  115. OPERATE
  116. Configuration and Runtime
  117. Configuration
  118. Chef InSpec: audit and CIS benchmarks on machines
  119. evident.io, Threatstack, AlienVault
  120. Runtime
  122. Runtime is arguably the most important place to instrument
  123. Are you under attack?
  124. Where?
  125. ModSecurity pumped to ELK
  126. RASP and NGWAF and Web Protection Platform
  127. Signal Sciences, Immunio, Contrast. This one is the best! [n.b. I work here, but it really is]
  128. DETECT WHAT MATTERS
       ‣ ACCOUNT TAKEOVER ATTEMPTS
       ‣ AREAS OF THE SITE UNDER ATTACK
       ‣ MOST LIKELY VECTORS OF ATTACK
       ‣ BUSINESS LOGIC FLOWS
  129. Runtime instrumentation also helps prioritize the backlog
  130. Bug Bounties
  131. HackerOne, BugCrowd
  132. A SIDE JOURNEY ON COMPLIANCE
  133. Separation of Duties Considered Harmful
  134. Win over the auditors and lawyers with the DevOps Audit Defense Toolkit: https://cdn2.hubspot.net/hubfs/228391/Corporate/DevOps_Audit_Defense_Toolkit_v1.0.pdf
  135. 3 LESSONS LEARNED ALONG THE JOURNEY
  136. Security is not a binary event; embrace feedback loops
  137. Attack Driven Defense beats Compliance Driven Defense
  138. Don't be a blocker, be an enabler of the business
  139. SUMMARY
       ‣ SECURITY IS STILL MAKING THE JOURNEY OF DEVOPS
       ‣ SECURITY SEES NEW OPPORTUNITIES TO AUTOMATE AND ADD VALUE
       ‣ THE DELIVERY PIPELINE EXTENDS FARTHER THAN WE USUALLY CONSIDER
  140. MORE SUMMARY
       ‣ CULTURE AND TOOLING NEED TO ALIGN FOR US TO MAKE THIS WORK
       ‣ COVERAGE OF SECURITY TOOLS FOR THREE PIPELINE AREAS: INHERIT, BUILD AND RUNTIME
       ‣ ADVICE FOR DEALING WITH THE AUDITORS AND OTHER BLOCKERS
  141. Questions?
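Added example for the INHERIT and BUILD slides (not from the talk, nor from Gauntlt or the other tools it names): a CI stage in Python that runs the dependency checks listed in the deck (bundler-audit, Retire.js) and the Gauntlt attack files, and fails the build on any nonzero exit, relying only on each tool's exit status and stdout/stderr, which is exactly what the deck asks a good pipeline citizen to provide. Assumed: the tools are installed in the CI image and the attack files live under attacks/.

```python
import subprocess
import sys

# Commands assumed to be installed in the CI image (real CLIs; the flags are ones the
# tools document). Each dict maps one pipeline phase from the talk to its checks.
INHERIT_CHECKS = {  # "what have I bundled into my app that leaves me vulnerable?"
    "bundler-audit": ["bundle-audit", "check", "--update"],
    "retire.js": ["retire", "--path", "."],
}
BUILD_CHECKS = {  # "do my acceptance tests catch security issues before release?"
    "gauntlt": ["gauntlt", "attacks/"],  # assumed layout: *.attack files under attacks/
}


def run_check(name, cmd, timeout=600):
    """Run one tool; return (name, exit status, last lines of its stdout+stderr)."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
        status, out = proc.returncode, proc.stdout + proc.stderr
    except FileNotFoundError:
        status, out = 127, f"{cmd[0]}: not installed in this CI image"
    except subprocess.TimeoutExpired:
        status, out = 124, f"{name}: no result after {timeout}s"
    return name, status, "\n".join(out.strip().splitlines()[-5:])


def run_stage(checks):
    """Run every check in a phase without stopping early, so one report covers all tools."""
    return [run_check(name, cmd) for name, cmd in checks.items()]


def gate(results):
    """Pipeline verdict from the tools' exit statuses: 0 only if every check passed."""
    for name, status, tail in results:
        print(f"{'PASS' if status == 0 else 'FAIL'}  {name} (exit {status})")
        if status != 0 and tail:
            print("      " + tail.replace("\n", "\n      "))
    return 1 if any(status != 0 for _, status, _ in results) else 0


if __name__ == "__main__":
    sys.exit(gate(run_stage(INHERIT_CHECKS) + run_stage(BUILD_CHECKS)))
```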
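Added example for the OPERATE slides (not from the talk): a small Python answer to "are you under attack?" and "where?" over ModSecurity alerts of the kind the deck pumps into ELK, producing the three things slide 128 says to detect: areas of the site under attack, the likely attack vectors, and account-takeover attempts. The log lines, the hostname and the local login-failure rule (id 10001) are constructed for this example; the CRS rule ids 941100 and 942100 are real.

```python
import re
from collections import Counter

KV = re.compile(r'\[(\w+) "([^"]*)"\]')        # [id "941100"] [msg "..."] [tag "..."] [uri "..."]
CLIENT = re.compile(r'\[client ([^\]\s]+)\]')  # [client 203.0.113.5] or [client 203.0.113.5:54321]


def alert(client, rid, msg, tag, uri):
    """Build one constructed alert line in the ModSecurity v2 / Apache error-log layout."""
    return (f'[Thu Jun 29 10:00:01.000000 2017] [:error] [pid 4242] [client {client}] '
            f'ModSecurity: Warning. Pattern match "x" at ARGS:q. [id "{rid}"] [msg "{msg}"] '
            f'[severity "CRITICAL"] [tag "{tag}"] [hostname "shop.example"] [uri "{uri}"] [unique_id "u1"]')


# Constructed sample: CRS-style XSS/SQLi hits plus a local auth-failure rule (id 10001, in the
# 1-99,999 range ModSecurity reserves for local rules) firing on the login form.
SAMPLE_LOG = (
    [alert("203.0.113.5", "941100", "XSS Attack Detected via libinjection", "attack-xss", "/search")] * 3
    + [alert("203.0.113.6", "942100", "SQL Injection Attack Detected", "attack-sqli", "/products")] * 2
    + [alert("198.51.100.7:51000", "10001", "Login failed", "auth-failure", "/login")] * 6
    + [alert("203.0.113.9", "10001", "Login failed", "auth-failure", "/login")]
    + ["[Thu Jun 29 10:00:02.000000 2017] [:notice] [pid 4242] AH00094: Command line: apache2"]
)


def parse_alert(line):
    """Return id/msg/uri/client/tags for one ModSecurity alert line, or {} for any other line."""
    if "ModSecurity:" not in line:
        return {}
    fields = {"tags": []}
    for key, value in KV.findall(line):
        if key == "tag":
            fields["tags"].append(value)  # a rule may carry several [tag "..."] entries
        else:
            fields[key] = value
    addr = m.group(1) if (m := CLIENT.search(line)) else "?"
    # Apache 2.4 appends ":port" to IPv4 clients; IPv6 addresses have more than one colon
    fields["client"] = addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr
    return fields


def where_attacked(lines, ato_threshold=5):
    """Alerts per URI, per attack class, and clients whose repeated login failures look like ATO."""
    by_uri, by_class, login_failures = Counter(), Counter(), Counter()
    for a in filter(None, map(parse_alert, lines)):
        by_uri[a.get("uri", "?")] += 1
        by_class.update(t for t in a["tags"] if t.startswith("attack-"))
        if "auth-failure" in a["tags"]:
            login_failures[a["client"]] += 1
    suspects = sorted(c for c, n in login_failures.items() if n >= ato_threshold)
    return by_uri, by_class, suspects
```

The same aggregation expressed as a Kibana visualization over the ELK index gives the "where?" view continuously rather than per batch.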
