
Security in the Delivery Pipeline - GOTO Amsterdam 2017


Security testing is often relegated to the end of software delivery, to the detriment of quality and safety. Often security gets aligned with compliance timelines or other long-cycle processes inside an organization. This session is a complete reversal of the status quo: we will cover modern approaches to security in your CI/CD pipelines.

You will gain experience with some of the testing tools and processes needed to make this happen. We will also cover some advice for dealing with compliance and security engineers as you transition to a TDD-style approach to security.

  1. SECURITY IN THE DELIVERY PIPELINE. JAMES WICKETT, SIGNAL SCIENCES. GOTO; Amsterdam 2017, @WICKETT
  3. Want the slides? james@signalsciences.com
  4. @WICKETT
     ‣ HEAD OF RESEARCH AT SIGNAL SCIENCES
     ‣ ORGANIZER OF DEVOPS DAYS AUSTIN
     ‣ LYNDA.COM AUTHOR ON DEVOPS
     ‣ RECOVERING FROM YEARS OF OPS AND SECURITY
  5. SUMMARY
     ‣ SECURITY IS STILL MAKING THE JOURNEY OF DEVOPS
     ‣ SECURITY SEES NEW OPPORTUNITIES TO AUTOMATE AND ADD VALUE
     ‣ THE DELIVERY PIPELINE EXTENDS FARTHER THAN WE USUALLY CONSIDER
  6. MORE SUMMARY
     ‣ CULTURE AND TOOLING NEED TO ALIGN FOR US TO MAKE THIS WORK
     ‣ COVERAGE OF SECURITY TOOLS FOR THREE PIPELINE AREAS: INHERIT, BUILD AND RUNTIME
     ‣ ADVICE FOR DEALING WITH THE AUDITORS AND OTHER BLOCKERS
  7. CI/CD JOURNEY
  8. CI/CD at three companies
  9. Currently, at Signal Sciences we do about 15 deploys per day
  10. Roughly 10,000 deploys in the last 2.5 yrs
  12. CD is how little you can deploy at a time
  13. We optimized for cycle time: the time from code commit to production
  14. Gave power to the team to deploy
  15. Signal Sciences is a software-as-a-service company and a security company
  16. Security had to be part of CI/CD and the overall delivery pipeline
  17. Before Signal Sciences
  18. Rugged Software, circa 2010
  21. Started Gauntlt 4 years ago
  22. Security is different in CI/CD
  23. SECURITY'S DILEMMA
  24. Security epistemology is difficult to assess
  25. Early days of the industry created a binary approach to security
  26. Breached or Secure
  27. This creates a false dichotomy
  28. Complexity reductionism falsely propagates this type of thinking
  29. Breached or secure? This is not the question we should ask
  30. Where can security add value?
  31. AN OPINIONATED VIEW OF HOW WE GOT HERE
  32. Agile
  33. Agile attempted to remove epistemological gaps in software development
  34. Largely it worked and created a new culture of rapid delivery and feedback loops
  36. Operations didn't ride the first wave of Agile
  37. Continuation of Agile to Ops
  38. "DEVOPS IS THE APPLICATION OF AGILE METHODOLOGY TO SYSTEM ADMINISTRATION" - THE PRACTICE OF CLOUD SYSTEM ADMINISTRATION (BOOK)
  42. DEV : OPS = 10 : 1
  43. "CULTURE IS THE MOST IMPORTANT ASPECT TO DEVOPS SUCCEEDING IN THE ENTERPRISE" - PATRICK DEBOIS
  44. 4 KEYS TO CULTURE
     ‣ MUTUAL UNDERSTANDING
     ‣ SHARED LANGUAGE
     ‣ SHARED VIEWS
     ‣ COLLABORATIVE TOOLING
  46. SECURITY WAS LEFT OUT OF THE STORY
  47. Why?
  48. Compliance Driven Security
  49. "[Security by risk assessment] introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy and that underfunded security efforts plus risk management are about as good as properly funded security work"
  50. Dev : Ops : Sec = 100 : 10 : 1
  51. Security as the cultural outlier in an organization
  52. "SECURITY PREFERS A SYSTEM POWERED OFF AND UNPLUGGED" - DEVELOPER
  53. "...THOSE STUPID DEVELOPERS" - SECURITY PERSON
  54. "every aspect of managing WAFs is an ongoing process. This is the antithesis of set it and forget it technology. That is the real point of this research. To maximize value from your WAF you need to go in with everyone's eyes open to the effort required to get and keep the WAF running productively." - WHITEPAPER FROM AN UNDISCLOSED WAF VENDOR
  55. Bottleneck Approach
  56. THE AVERAGE TIME TO DELIVER CORPORATE IT PROJECTS HAS INCREASED FROM ~8.5 MONTHS TO OVER 10 MONTHS IN THE LAST 5 YEARS (Revving up your Corporate RPMs, Fortune Magazine, Feb 1, 2016)
  57. THE GROWTH OF [SECURITY] FUNCTIONS WHICH IS TOO OFTEN POORLY COORDINATED... [RESULTING IN] A PROLIFERATION OF NEW TASKS IN THE AREAS OF COMPLIANCE, PRIVACY AND DATA PROTECTION. (Revving up your Corporate RPMs, Fortune Magazine, Feb 1, 2016)
  58. IT IS 30 TIMES CHEAPER TO FIX SECURITY DEFECTS IN DEV VS. PROD (NIST, 2002, The Economic Impacts of Inadequate Infrastructure for Software Testing)
  59. (chart) NIST, 2002, The Economic Impacts of Inadequate Infrastructure for Software Testing
  60. Security is ineffective
  62. SECURITY KNOWS IT MUST CHANGE OR DIE
  63. "Companies are spending a great deal on security, but we read of massive computer-related attacks. Clearly something is wrong. The root of the problem is twofold: we're protecting the wrong things, and we're hurting productivity in the process." - THINKING SECURITY, STEVEN M. BELLOVIN, 2015
  64. AVERAGE INCIDENT COST IS $5.4 MILLION IN THE U.S. (Ponemon Institute, 2013, Cost of Data Breach Report)
  65. "High performers spend 50 percent less time remediating security issues than low performers. By better integrating information security objectives into daily work, teams achieve higher levels of IT performance and build more secure systems." - 2016 State of DevOps Report
  66. High performing orgs achieve quality by incorporating security (and security teams) into the delivery process (2016 State of DevOps Report)
  68. http://www.youtube.com/watch?v=jQblKuMuS0Y
  69. A CI/CD PIPELINE
  70. Pipelines look different for different people
  71. PIPELINE PHASES: ‣ DESIGN ‣ BUILD ‣ DEPLOY ‣ OPERATE
  72. PIPELINE PHASES: ‣ DESIGN ‣ INHERIT ‣ BUILD ‣ DEPLOY ‣ OPERATE
  73. ‣ DESIGN ‣ INHERIT ‣ BUILD ‣ DEPLOY ‣ OPERATE: WE WILL FOCUS HERE
  74. SECURITY CONSIDERATIONS
     ‣ INHERIT: What have I bundled into my app that leaves me vulnerable?
     ‣ BUILD: Do my build acceptance tests and integration tests catch security issues before release?
     ‣ OPERATE: Am I being attacked right now? Is it working?
  76. SECURITY IN THE DELIVERY PIPELINE
  77. INHERIT
  78. OpenSSL
  79. Shellshock
  81. OVER 30% OF OFFICIAL IMAGES IN DOCKER HUB CONTAIN HIGH PRIORITY SECURITY VULNERABILITIES https://banyanops.com/blog/analyzing-docker-hub/
  82. bundler-audit for Ruby
  83. Lynis https://cisofy.com/lynis/
  84. snyk: serverless dependency checks
  85. Docker Bench for Security: a script that checks for dozens of common best practices around deploying Docker containers in production https://dockerbench.com
  86. Retire.js http://retirejs.github.io/retire.js/ @webtonull
  87. Lots more...
  88. Instrument your CI system with checks for all the things you inherit
  89. Twistlock, Aqua, Sonatype, BlackDuck
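What an "inherit" check in CI actually does, as an added example that is not part of the talk and not bundler-audit's own code: read the versions an application has pinned in its Gemfile.lock, compare them with an advisory table, and fail the build when something vulnerable was inherited. The lockfile, the advisory table and the advisory ids (EXAMPLE-ADV-*) are all constructed for illustration; a real tool such as bundler-audit pulls its advisories from a maintained database (ruby-advisory-db).

```ruby
# Added example, not bundler-audit's code or anything from the talk: an
# "inherit" check in the shape of bundler-audit. Parse the pinned gem versions
# out of a Gemfile.lock, compare them against an advisory table, and turn the
# result into a CI exit status. The lockfile and the advisory table below are
# constructed for illustration; the advisory ids are placeholders, not real ones.
require "rubygems"

# Constructed Gemfile.lock. Only the GEM/specs block is read; the sub-dependency
# lines (6-space indent) carry version constraints, not pinned versions.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.6.0)
        mini_portile (~> 0.5.0)
      rack (1.6.4)
      rails (4.2.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
    rack
    rails
LOCK

# Constructed advisory table: gem, affected version range, placeholder id.
# A real tool pulls this from a maintained database (ruby-advisory-db in the
# case of bundler-audit).
ADVISORIES = [
  { gem: "nokogiri", affected: Gem::Requirement.new("< 1.6.8"),             id: "EXAMPLE-ADV-1" },
  { gem: "rack",     affected: Gem::Requirement.new(">= 1.6.0", "< 1.6.5"), id: "EXAMPLE-ADV-2" },
  { gem: "rails",    affected: Gem::Requirement.new("< 4.2.0"),             id: "EXAMPLE-ADV-3" },
].freeze

# Parse "name (version)" lines directly under "specs:"; returns {name => Gem::Version}.
def parse_lockfile(text)
  versions = {}
  in_specs = false
  text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    in_specs = false if line.strip.empty?
    next unless in_specs
    # Pinned gems sit at exactly 4 spaces; deeper lines are constraints, skip them.
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)/))
      versions[m[1]] = Gem::Version.new(m[2])
    end
  end
  versions
end

# Cross-reference pinned versions with advisories; returns human-readable findings.
def audit(versions, advisories = ADVISORIES)
  advisories.select { |adv| versions[adv[:gem]] && adv[:affected].satisfied_by?(versions[adv[:gem]]) }
            .map    { |adv| "#{adv[:gem]} #{versions[adv[:gem]]} is affected by #{adv[:id]}" }
end

# CI entry point: 0 means clean, 1 means the build should fail. Findings go to
# stderr, the one-line verdict to stdout (the exit-status / stdout / stderr
# contract the Gauntlt slides ask for).
def inherit_check(lock_text)
  findings = audit(parse_lockfile(lock_text))
  findings.each { |f| warn "FAIL: #{f}" }
  puts(findings.empty? ? "inherit check: clean" : "inherit check: #{findings.size} finding(s)")
  findings.empty? ? 0 : 1
end

# Stand-alone run against the constructed lockfile: reports nokogiri and rack,
# returns 1. In CI you would `exit inherit_check(File.read("Gemfile.lock"))`.
inherit_check(SAMPLE_LOCKFILE)
```

The version comparison goes through Gem::Requirement rather than string matching, which is the part people get wrong when they hand-roll this: "1.10.0" is newer than "1.9.9", and a pre-release like "1.6.8.rc1" sorts below "1.6.8".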
  90. BUILD
  91. Security is a function of quality
  92. Vulnerable code in all languages (WhiteHat Security Report, 2015)
  93. Security tools are intractably noisy and difficult to use
  94. A method of collaboration was needed for devs, ops and security engineers
  95. There needed to be a new language to span the parties
  97. ‣ Open source, MIT License
     ‣ Gauntlt comes with pre-canned steps that hook security testing tools
     ‣ Gauntlt does not install tools
     ‣ Gauntlt wants to be part of the CI/CD pipeline
     ‣ Be a good citizen of exit status and stdout/stderr
  98. gauntlt.org
  102. Getting started:
     $ gem install gauntlt
     # download example attacks from github
     # customize the example attacks
     # now you can run gauntlt
     $ gauntlt
  103. Given, When, Then... What?
     @slow @final
     Feature: Look for cross site scripting (xss) using arachni against a URL

       Scenario: Using arachni, look for cross site scripting and verify no issues are found
         Given "arachni" is installed
         And the following profile:
           | name | value                 |
           | url  | http://localhost:8008 |
         When I launch an "arachni" attack with:
           """
           arachni --check=xss* <url>
           """
         Then the output should contain "0 issues were detected."
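The attack file above is declarative; the mechanics it relies on are plain. This added example (not Gauntlt's code, and not from the talk) writes that contract out by hand in Ruby: run a tool, capture its stdout, stderr and exit status, check the output for the expected string, and fold the verdict into the process exit status so a CI job fails when a scan regresses. The scanner is a constructed stand-in (a ruby one-liner that prints arachni-style lines) so the script runs offline; in a pipeline it would be arachni, sqlmap, nmap and so on, which Gauntlt expects you to install separately.

```ruby
# Added example, not Gauntlt's code: the contract a Gauntlt attack file encodes,
# written out by hand so the mechanics are visible. Run a tool, capture its
# stdout, stderr and exit status, check the output for an expected string, and
# fold the verdict into the process exit status so the CI job fails on a
# security regression. The "scanner" here is a constructed stand-in (a ruby
# one-liner) so the script runs offline; in a pipeline it would be arachni,
# sqlmap, nmap and so on, installed separately (Gauntlt does not install tools).
require "open3"
require "rbconfig"
require "shellwords"

Check = Struct.new(:name, :command, :expect, keyword_init: true)

RUBY = Shellwords.escape(RbConfig.ruby)
# Constructed stand-ins for an arachni XSS scan: a clean run and one with a finding.
CLEAN_SCAN = "#{RUBY} -e 'puts \"[*] Scanning http://localhost:8008\"; puts \"0 issues were detected.\"'"
DIRTY_SCAN = "#{RUBY} -e 'puts \"[*] Scanning http://localhost:8008\"; puts \"[+] XSS in parameter q\"; puts \"1 issue was detected.\"'"

# Run one check. A missing tool is a failed check, not a crash (this is what
# the `Given "arachni" is installed` step guards against in the attack file).
def run_check(check)
  stdout, stderr, status = Open3.capture3(check.command)
  {
    name:    check.name,
    tool_ok: status.success?,
    passed:  status.success? && stdout.include?(check.expect),
    stdout:  stdout,
    stderr:  stderr,
  }
rescue Errno::ENOENT => e
  { name: check.name, tool_ok: false, passed: false, stdout: "", stderr: e.message }
end

# Run every check; 0 if all passed, 1 otherwise. Verdicts go to stdout, the
# scanner output of failed checks to stderr, so the CI log shows evidence
# only when something needs attention.
def run_suite(checks)
  results = checks.map { |c| run_check(c) }
  results.each do |r|
    $stdout.puts "#{r[:passed] ? 'PASS' : 'FAIL'} #{r[:name]}"
    $stderr.puts r[:stdout] + r[:stderr] unless r[:passed]
  end
  results.all? { |r| r[:passed] } ? 0 : 1
end

XSS_CLEAN = Check.new(name: "xss via arachni (clean build)",     command: CLEAN_SCAN, expect: "0 issues were detected.")
XSS_DIRTY = Check.new(name: "xss via arachni (regressed build)", command: DIRTY_SCAN, expect: "0 issues were detected.")

# Stand-alone run: prints PASS for the clean build, FAIL plus the scanner's
# output for the regressed one, and returns 1. In CI: `exit run_suite([...])`.
run_suite([XSS_CLEAN, XSS_DIRTY])
```

Two details matter in practice. The check requires both a successful tool exit and the expected string, so a scanner that crashes mid-run cannot pass by accident. And the assertion is on a string the tool prints, exactly as in the attack file, which is why Gauntlt pins tool versions in practice: if arachni reworded "0 issues were detected." the check would start failing, loudly, rather than silently passing.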
  104. "We have saved millions of dollars using Gauntlt for the largest healthcare industry project." - Aaron Rinehart, UnitedHealthCare
  105. http://bit.ly/2s8P1Ll
  106. WORKSHOP INCLUDES:
     ‣ 8 LABS FOR GAUNTLT
     ‣ HOW TO USE GAUNTLT FOR NETWORK CHECKS
     ‣ GAUNTLT FOR XSS, SQLI, OTHER APSES
     ‣ HANDLING REPORTING
     ‣ USING ENV VARS
     ‣ CI SYSTEM SETUP
  107. http://bit.ly/2s8P1Ll
  108. github.com/gauntlt/gauntlt-demo
  109. github.com/gauntlt/gauntlt-starter-kit
  110. SOURCE: THE THREE WAYS OF DEVOPS, GENE KIM
  113. Most teams use Gauntlt in Docker containers
  114. https://github.com/gauntlt/gauntlt-docker
  115. ZAP https://github.com/zaproxy/zaproxy
  116. Static code analysis, e.g. Brakeman
  117. OPERATE
  118. Configuration and Runtime
  119. Configuration
  120. Chef InSpec: audit and CIS benchmarks on machines
  121. evident.io, Threatstack, AlienVault
  122. Runtime
  124. Runtime is arguably the most important place to instrument
  125. Are you under attack?
  126. Where?
  127. ModSecurity pumped to ELK
  128. RASP, NGWAF and Web Protection Platform
  129. Signal Sciences, Immunio, Contrast. "This one is the best!" [n.b. I work here, but it really is]
  130. DETECT WHAT MATTERS
     ‣ ACCOUNT TAKEOVER ATTEMPTS
     ‣ AREAS OF THE SITE UNDER ATTACK
     ‣ MOST LIKELY VECTORS OF ATTACK
     ‣ BUSINESS LOGIC FLOWS
  131. Runtime instrumentation also helps prioritize the backlog
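"ModSecurity pumped to ELK" and "areas of the site under attack" are two halves of one small pipeline, shown here as an added example that is not from the talk and is not code from ModSecurity or Signal Sciences: parse ModSecurity-style error log entries into structured events (the documents you would index), then aggregate them to answer the runtime questions on the slides (are we under attack, where, and via which vectors) and to rank what the backlog should tackle first. The log lines are constructed for illustration, using the 203.0.113.0/24 documentation address range; the rule ids and messages are illustrative and not a claim about any ruleset's exact wording.

```ruby
# Added example, not code from the talk, ModSecurity or Signal Sciences: the
# "ModSecurity pumped to ELK" step in miniature. Parse ModSecurity-style error
# log entries into structured events and aggregate them to answer the runtime
# questions on the slides: are we under attack, where, and by which vectors.
# The log lines are constructed for illustration (203.0.113.0/24 is a
# documentation address range); rule ids and messages are illustrative, not a
# claim about any ruleset's exact wording.
SAMPLE_LOG = <<~LOG
  [Thu Jun 15 10:00:01 2017] [:error] [client 203.0.113.5] ModSecurity: Warning. Pattern match. [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/search"]
  [Thu Jun 15 10:00:02 2017] [:error] [client 203.0.113.5] ModSecurity: Warning. Pattern match. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/search"]
  [Thu Jun 15 10:00:03 2017] [:error] [client 203.0.113.9] ModSecurity: Warning. Pattern match. [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/profile"]
  [Thu Jun 15 10:00:04 2017] [:error] [client 203.0.113.5] ModSecurity: Warning. Pattern match. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/search"]
  [Thu Jun 15 10:00:05 2017] [:error] [client 203.0.113.7] ModSecurity: Warning. Pattern match. [id "930100"] [msg "Path Traversal Attack"] [severity "CRITICAL"] [uri "/download"]
  [Thu Jun 15 10:00:06 2017] [:error] [client 203.0.113.5] ModSecurity: Warning. Pattern match. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/search"]
  [Thu Jun 15 10:00:07 2017] [:notice] plain application log line, not a ModSecurity event
LOG

# Each ModSecurity detail is a bracketed key/value pair: [key "value"].
DETAIL = /\[(\w+) "([^"]*)"\]/
# Apache 2.4 may append :port to the client address; the class allows it.
CLIENT = /\[client ([0-9a-fA-F.:]+)\]/

# One log line -> one event hash (the document you would ship to Elasticsearch).
# Returns nil for lines that are not ModSecurity events.
def parse_event(line)
  return nil unless line.include?("ModSecurity:")
  event = line.scan(DETAIL).each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
  event[:client] = line[CLIENT, 1]
  event
end

def parse_log(text)
  text.each_line.map { |line| parse_event(line) }.compact
end

# Descending counts of one field: [[value, hits], ...].
def tally(events, key)
  events.group_by { |e| e[key] }.map { |v, es| [v, es.size] }.sort_by { |_, n| -n }
end

# The slide's questions: total hits (under attack?), by uri (where?), by rule
# message (most likely vectors?), plus the noisiest sources.
def summarize(events)
  {
    total:     events.size,
    by_uri:    tally(events, :uri),
    by_msg:    tally(events, :msg),
    by_client: tally(events, :client),
  }
end

# Backlog prioritization: the (uri, attack) pairs with the most hits are the
# first places to spend remediation effort.
def hot_spots(events, top = 3)
  events.group_by { |e| [e[:uri], e[:msg]] }
        .map { |(uri, msg), es| [uri, msg, es.size] }
        .sort_by { |_, _, n| -n }
        .first(top)
end

# Stand-alone run over the constructed log.
events  = parse_log(SAMPLE_LOG)
summary = summarize(events)
puts "#{summary[:total]} flagged requests"
summary[:by_uri].each { |uri, n| puts "  #{uri}: #{n}" }
hot_spots(events).each { |uri, msg, n| puts "  #{n}x #{msg} on #{uri}" }
```

On the constructed data this says /search is taking four of six hits, three of them SQL injection from one client, which is the "where" and "most likely vector" answer in one line and a concrete reason to put the /search parameter handling at the top of the backlog. The same aggregations are what you would build as Kibana visualizations once the parsed events are in Elasticsearch.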
  132. Bug Bounties
  133. HackerOne, BugCrowd
  134. A SIDE JOURNEY ON COMPLIANCE
  135. Separation of Duties Considered Harmful
  136. Win over the auditors and lawyers with the DevOps Audit Defense Toolkit https://cdn2.hubspot.net/hubfs/228391/Corporate/DevOps_Audit_Defense_Toolkit_v1.0.pdf
  137. 3 LESSONS LEARNED ALONG THE JOURNEY
  138. Security is not a binary event; embrace feedback loops
  139. Attack Driven Defense beats Compliance Driven Defense
  140. Don't be a blocker, be an enabler of the business
  141. SUMMARY
     ‣ SECURITY IS STILL MAKING THE JOURNEY OF DEVOPS
     ‣ SECURITY SEES NEW OPPORTUNITIES TO AUTOMATE AND ADD VALUE
     ‣ THE DELIVERY PIPELINE EXTENDS FARTHER THAN WE USUALLY CONSIDER
  142. MORE SUMMARY
     ‣ CULTURE AND TOOLING NEED TO ALIGN FOR US TO MAKE THIS WORK
     ‣ COVERAGE OF SECURITY TOOLS FOR THREE PIPELINE AREAS: INHERIT, BUILD AND RUNTIME
     ‣ ADVICE FOR DEALING WITH THE AUDITORS AND OTHER BLOCKERS
  143. Want the slides? james@signalsciences.com
  144. Questions?
