DevOps is a revolution that is starting to deliver. The “shift left” security approach is trying to catch up, but challenges remain. We will go over concrete security approaches and real data that overcome these challenges.
It takes more than adding “hard to find” security talent to your DevOps team to realise the benefits of DevSecOps. Our discussion focuses on the practical side and lessons learned from helping organizations gear up for this paradigm shift.
3. About Outpost24
• Global HQ – Sweden
• Sales – BeNeLux, DACH, Nordics, UK&I/France, US
• MSSP and Reseller partners in additional locations
• Over 130 full time staff
• 37% YoY growth 2016 - 2017
6. • Cost of a Data Breach $7.2M
• 80 days to detect
• More than four months (123 days) to resolve
Cost of Security Defects (courtesy of IBM, 2016):
• Find during Development: $80 / defect
• Find during Build: $240 / defect
• Find during QA/Test: $960 / defect
• Find in Production: $7,600 / defect
• 80% of development costs are spent identifying and correcting defects!
Sources: Ponemon Institute; National Institute of Standards and Technology
7. So why are organisations ‘Slow’ to adopt DevSecOps?
• Clinging to traditional security
• Security NOT a priority in DevOps
• Lack of Expertise in house
• Zero defect at release
‘Information Security and compliance won’t let us’
8. How do we incorporate Security?
• Security has historically been a silo
• Designed to prevent change
• Waterfall security does not fit the shift left mentality
• Process + People change
9. ‘Companies are spending a great deal on security. But we read of a number of massive computer-related attacks. Clearly something is wrong. The root of the problem is twofold: we’re protecting the wrong things, and we’re hurting productivity in the process.’
Thinking Security, Steven M. Bellovin
16. DevSecOps – How?
• Dev teams should engage with Infosec as early as possible
• Embed security champions into DevOps teams
• ‘Shift left’ in your security testing approach
• Embed security into the Developers’ KPIs
• Integrate security into the DevOps Tool chain (automatically)
• Run post mortems and ‘Learn’ from them
18. “We are no longer writing customized software – instead, we assemble what we need from open source parts, which has become the software supply chain that we are very much reliant upon” – Joshua Corman (DevOps Enterprise Summit 2015)
21. Example 1: Commercial software
• ISM platform – initial parameters were ‘No credentials’
• In examining the COTS platform, discovered no brute force password protection in place
• Discovered a Java reporting module
• Led to crafting a template that included remote code execution – resulting in a functional exploit
• Major 3rd party vendor: 85% of Fortune 500, at least one NATO armed force, NASA & a well known multinational coffee shop
• LEARNING: Never assume an off the shelf application is secure.
22. Example 2: Open source intelligence could be your Enemy
• Uber developer posted sensitive information allowing access to AWS infrastructure in GitHub
• More and more developers using GitHub or similar repositories to store code
• Tools to search GitHub repositories for sensitive information exist
• Some enterprises mistakenly post to public rather than private repositories
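A check that addresses the last two bullets, added here as an example and not code from the deck or from Outpost24: a pre-commit style scanner that flags AWS access key IDs by their documented prefix and length, and other credentials by the entropy of the value assigned to a secret-looking name. The config lines and key values it scans are constructed samples, not real credentials.

```python
import math
import re

# Access key IDs have a fixed, documented prefix and length; secret keys do not,
# so those are caught by a Shannon-entropy heuristic on assigned values.
AWS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|passwd|api[_-]?key)[\w-]*\s*[:=]\s*"
    r"['\"]?([A-Za-z0-9+/=_\-]{16,})"
)


def shannon_entropy(s):
    """Bits per character; random-looking secrets score around 4.0 and above."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan(text, entropy_threshold=4.0):
    """Return (line_number, reason) for every line that should block a commit."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if AWS_KEY_ID.search(line):
            findings.append((n, "aws-access-key-id"))
            continue
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append((n, "high-entropy-secret"))
    return findings


# Constructed config fragment standing in for a file about to be committed;
# the key values are made up. The repeated-word password is long but low
# entropy, so it is deliberately not flagged by the heuristic.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIA0000EXAMPLE00000
aws_secret_access_key = Zq8Lp2Xv9Rt4Wm7Hn1Bj6Ck3Dg5Fe0Yu
region = eu-west-1
password = "passwordpasswordpassword"
"""

if __name__ == "__main__":
    # Exit non-zero so a pre-commit hook refuses the commit.
    hits = scan(SAMPLE)
    for n, why in hits:
        print(f"line {n}: {why}")
    raise SystemExit(1 if hits else 0)
```

Wired into a pre-commit hook and run over the staged diff, the same scan is the cheapest "shift left" control for the failure this slide describes.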
23. Example 3: Time is irrelevant
• Organization using a CMS (Content management system)
• Discovered to leak non-sensitive information through local file disclosure in an old forked development that was still active on the server
• A number of findings were responsibly disclosed, but the customer risk-accepted them because the fork was obsolete
• Regular continuous testing (manual and automatic) led to the team discovering a plugin for the old application had been written and posted to a public repository (OSINT)
• Resulted (12 months later) in a successful compromise and remote code execution.
25. Example 4: Outsourcing DevOps Security
• Organization employed an outsource agency to develop a new application. Security processes had been discussed and agreed.
• After the application was delivered to production, a 3rd party pen test team discovered a number of critical and high vulnerabilities.
• Organization sent these to the outsourcer to address.
• On the next release, the old vulnerabilities were reintroduced and new ones added. This was repeated several times.
• Organization pulled the plug on the outsourcer and moved development in-house.
26. Example 5: Privilege escalation
• https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control
• HR System: Sequential IDs used for users. You could assign a deputy to assume rights and access whilst on vacation. Simple ID manipulation led to full compromise of the system as Admin.
• Patient record system. Another sequential numbering system; ID manipulation in the browser header led to the ability to fully manipulate ANY user’s patient history.
• SaaS system: no additional checking of authentication after the browser check resulted in the ability to compromise the entire system and other modules quickly and easily.
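The HR deputy case above, as an added example that is not from the deck: the same delegation endpoint written once trusting the client-supplied sequential user ID and once binding the principal to the authenticated session. User IDs, roles and the request body are constructed; the same rule (authorise against the session, never against an ID in the request) is what the patient-record and SaaS cases were missing.

```python
USERS = {1001: "admin", 1002: "employee", 1003: "employee"}  # constructed: id -> role


class Forbidden(Exception):
    """Raised when a request tries to act on an account the session does not own."""


def assign_deputy_vulnerable(session_user_id, request, deputies):
    """Broken access control: the principal is taken from the request body,
    so any logged-in employee can post user_id=1001 and become the admin's
    deputy. `deputies` maps principal id -> deputy id."""
    deputies[request["user_id"]] = request["deputy_id"]
    return deputies


def assign_deputy_hardened(session_user_id, request, deputies):
    """Bind the principal to the authenticated session and validate the
    deputy, instead of trusting the sequential IDs the client sent."""
    principal, deputy = request["user_id"], request["deputy_id"]
    if principal != session_user_id:
        raise Forbidden("you can only delegate your own rights")
    if deputy not in USERS or deputy == principal:
        raise Forbidden("invalid deputy")
    deputies[principal] = deputy
    return deputies


def effective_role(user_id, deputies):
    """Role a user holds once rights delegated to them are included."""
    roles = {USERS[user_id]}
    roles.update(USERS[p] for p, d in deputies.items() if d == user_id)
    return "admin" if "admin" in roles else "employee"


def demo():
    """Employee 1002 tampers with user_id to make himself the admin's deputy."""
    tampered = {"user_id": 1001, "deputy_id": 1002}
    escalated = effective_role(1002, assign_deputy_vulnerable(1002, tampered, {}))
    try:
        assign_deputy_hardened(1002, tampered, {})
        blocked = False
    except Forbidden:
        blocked = True
    return escalated, blocked  # ('admin', True)
```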
27. Learning from the Best or the worst
• Mistakes happen. And continue to happen daily.
• DevSecOps integration is not immune.
• DevSecOps is about process as well as people.
• Building security into the very heart of DevOps. Empower individuals to be the security person in their day to day roles through:
  • Mutual understanding.
  • Shared Language.
  • Shared vision.
  • Collaborative tooling.
31. DevSecOps takeaways
• People & Process.
• Security needs to keep pace, be ‘agile’
• Integrated into the CI/CD process.
• Test everything, at every stage. Don’t forget 3rd party components and outsourcers
• Shift left. But test at all phases. Automate the testing tool set & Pen test!
• ‘Culture is the most important aspect to Dev(sec)Ops succeeding in the Enterprise’ – Patrick Debois
32. Don’t resist - build a plan…
• If DevSecOps isn’t practiced today:
  • In the next month identify the who / what / where of the CI/CD pipeline
  • Find security champions in Dev and Ops
  • In the next 3 months create a plan to integrate security into DevOps
  • Shift left. Add one or two tools into an earlier phase of the SDLC
  • Empower Developers and Ops (champions) to use the tools
  • Within 6 months security should be embedded in all phases of the SDLC
• If DevSecOps is practiced today:
  • Can it be improved?
  • Do you have a good understanding of the security state of each phase from develop through deploy and monitor?