We all love DevOps and Continuous Deployment because they let us deploy more reliable software faster. But are we willing to sacrifice the security of our data and our customers' data for those benefits? Fortunately we don't need to… but we do need to think about application security differently than we have in the past. Our traditional application security methodologies present a host of challenges in the fast-moving world of DevOps, including:
- How do we ensure that the code we deploy is secure when it was only written just this morning?
- How can we provide the security our customers expect without impacting our speed and agility?
- How can we insert security into an SDLC when there is no formal SDLC?
- How do we deal with auditors who don't understand DevOps and Continuous Deployment?
At New Relic, we deploy on a daily basis and face all of these challenges. We'll talk about how we are addressing them as well as our vision for the evolution of application security.
46. Continuous Deployment Security
Requirements
Low to No friction (can’t slow us down)
Transparent
No significant changes to development processes
Make us More Secure
Wednesday, November 6, 13
47. Continuous Deployment Security
Requirements -> Strategies & Tactics
Low to No friction (can’t slow us down) -> Automation
Transparent -> Training & Empowerment
No significant changes to development processes -> Lightweight Processes
Make us More Secure -> Triage; Quickly Detect & Respond
48. Traditional (Waterfall) SDLC Security
Requirements
• Functional & Non-Functional security requirements
Design
• Architectural Review
• Threat Modeling
Development
• Secure Coding Practices
• Static Analysis
• White Box Testing
Testing
• Dynamic Analysis
• Requirements Testing
Release
• Separation of Duties
• Penetration Testing
• Security Assessment
• Security Sign-Off
• Management Release Sign-Off
• Limits on Production Access
Production
• Vulnerability Scanning
• Penetration Testing
71. Threat Modeling @ New Relic
Decompose your Application
Identify your Assets
Enumerate your Threats
Rate & Rank your Threats
Address or Accept
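The five steps above, as an added Python example that is not from the talk or from New Relic: a small threat-model ledger that ranks constructed threats by likelihood × impact, splits them into address vs. accept at an assumed risk-appetite threshold, and flags assets from the decomposition that have no enumerated threat. The 1..5 rating scale, the threshold of 6, and the sample components, assets and threats are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    component: str    # step 1: which part of the decomposed application
    asset: str        # step 2: which asset this threat puts at risk
    description: str  # step 3: the enumerated threat
    likelihood: int   # step 4 input, 1 (rare) .. 5 (expected); assumed scale
    impact: int       # step 4 input, 1 (minor) .. 5 (severe); assumed scale

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact

def validate(threat):
    """Reject ratings outside the 1..5 scale instead of silently ranking them."""
    if not (1 <= threat.likelihood <= 5 and 1 <= threat.impact <= 5):
        raise ValueError(f"rating out of range: {threat.description!r}")

def rank(threats):
    """Step 4: rate & rank, highest risk first, ties broken by impact."""
    for threat in threats:
        validate(threat)
    return sorted(threats, key=lambda t: (t.risk, t.impact), reverse=True)

def triage(threats, accept_below=6):
    """Step 5: address or accept. Risk at or above the threshold gets a
    mitigation; anything below is accepted but still recorded."""
    ranked = rank(threats)
    return {"address": [t for t in ranked if t.risk >= accept_below],
            "accept": [t for t in ranked if t.risk < accept_below]}

def uncovered_assets(model, threats):
    """Assets from step 2 with no enumerated threat; an empty list means the
    enumeration covered the whole decomposition."""
    covered = {(t.component, t.asset) for t in threats}
    return [(c, a) for c, assets in model.items() for a in assets
            if (c, a) not in covered]

# Constructed decomposition (component -> assets) and threats, for illustration only.
MODEL = {"web-ui": ["session cookie"],
         "api": ["api key", "customer metrics"],
         "datastore": ["customer metrics", "admin credentials"]}
SAMPLE = [
    Threat("web-ui", "session cookie", "cookie readable by injected script", 3, 4),
    Threat("api", "api key", "key written to application logs", 2, 4),
    Threat("datastore", "customer metrics", "backup snapshot world-readable", 1, 5),
    Threat("api", "customer metrics", "metrics scraped past the rate limit", 2, 2),
]
```

Running `triage(SAMPLE)` puts the two highest-risk threats in the address list and the other two in the accept list, and `uncovered_assets(MODEL, SAMPLE)` reports the admin credentials in the datastore as an asset nobody has enumerated a threat for yet.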