Security teams must adapt security controls to the growing use of DevOps processes such as cloud services, Continuous Integration and Continuous Deployment. Many of them are adopting an approach of Security delivered as a service, or DevSecOps. In this webcast, SANS Senior Analyst John Pescatore joins Chris Carlson, VP Product Management for Qualys Cloud Agent Platform, discuss how DevSecOps helps security teams work with DevOps to embed continuous security into IT and application infrastructure, and how to get started and build a DevSecOps program for improved and automated auditing, compliance, and control of applications. The presentation covers: • How and why security teams are partnering with app developers and sysadmins to build continuous security capabilities that are embedded into the fabric of IT and application infrastructures • The key elements of DevOps and modern cloud architecture models driving quality and rapid technical innovation, and how they successfully drive business value • Why applying DevOps and cloud architecture models to security delivers business value such as lower overall risk, capital expense, and operating costs • Methods to build DevSecOps into both cloud-first and cloud migration infrastructure deployments and achieve common business benefits in either environment • The initial steps security teams can take right away to engage application and DevOps counterparts in DevSecOps, and milestones to achieve for quick wins with business value as well as control in active projects. • Case studies on three industry leaders in how security is applied to DevOps to support secure digital transformation projects. Watch the on-demand webcast: https://www.sans.org/webcasts/105720

1. 1
DevSecOps - Building Continuous
Security Into IT & App Infrastructures
John Pescatore, SANS
Chris Carlson, Qualys

2. 2
Protecting Your Company From the Company It Keeps
 Business is increasingly
interconnected and interdependent
via software
 The bad guys have figured that out.
So have the regulators
 The “app cloud” exacerbates that
trend, additional levels of “parties”
 Software security/quality is a key
factor in business success

3. 3
What a Long Strange Trip It Has Been…
Sometimes the light's all shinin' on me,
Other times I can barely see.

4. 4
The Basics of Cyber Risks
Risk = Threat x Vulnerability +/- Action
•Vulnerabilities are at the center
•Threat actors will act
•Threat delivery continually evolves
•Effectiveness and timeliness of business security action
separates high loss/low loss
•Fewer Vulnerabilities
•Faster mitigation action

5. 5
First there was DevOps
• Amazon: “DevOps is the combination of cultural philosophies, practices,
and tools that increases an organization’s ability to deliver applications
and services at high velocity: evolving and improving products at a faster
pace than organizations using traditional software development and
infrastructure management processes. ”
• Not really much new, but key concepts: combine and faster

6. 6
So, What is SecOps?
• SecOps: “Integrating security processes with IT acquisition,
development, administration and operations practices to
reduce vulnerabilities and more quickly mitigate exposures.”
• Overcoming people/organizational barriers
• Integrating processes, then tools and data flow
Source: devops.tumblr.com

7. 7
SecOps – Continuous Processes
Shield
Eliminate Root
Cause
Monitor/
Report
Policy
Assess
Risk
Baseline
Vuln Assessment/Pen Test
Security Configuration
Mitigate
• FW/IPS
• Anti-malware
• NAC
• Patch Management
• Config Management
• Change Management
• Software Vuln Test
• Training
• Network Arch
• Privilege Mgmt
Discovery/Inventory
• SIEM
• Security Analytics
• Incident Response
Threats
Regulations
Requirements
OTT Dictates

8. 8
Delivering Security Efficiency and Effectiveness
• Decrease the cost of dealing
with known threats
• Decrease the impact of
residual risks
• Decrease the cost of
demonstrating compliance
• Reduce business damage due
to security failures
• Maintaining level of
protection with less EBITDA
impact
• Increase the speed of dealing
with a new threat or
technology
• Decrease the time required
to secure a new business
application, partner, supplier
• Reducing incident cost
￮ Less down time
￮ Fewer customer defections
• Security as a competitive
business factor
Efficiency Effectiveness

9. 9
Digital Transformation
is driving
Business + IT + Security

10. 10
#1 Engage Customers
#2 Empower Employees
#3 Optimize Operations
#4 Transform Products & Enable New Business
Models
Source: https://news.microsoft.com/apac/2017/02/20/80-of-business-
leaders-believe-they-need-to-be-a-digital-business-to-succeed-microsoft-
study/microsoft-digital-transformation-infographic-asia
Digital Transformation – Priorities

11. 11
#1 Cyber Threats & Security Concerns
#1 Lack of Digitally-Skilled Workforce
#2 Lack of Supporting Government Policies and ICT Infrastructure
#3 Uncertain Economic Environment
#3 Lack of Leadership to Ideate, Plan, and Lead Digital
Transformation Strategy
Digital Transformation – Barriers

12. 12
Not a Challenge – An Opportunity!
Business Transformation IT Transformation
IT Transformation Security Transformation

13. 13
DevSecOps =/ DevOps + Security

14. 14
If DevOps is about
Speed
Agility
Automation

15. 15
False Approach ~ False Start ~ Failure

16. 16
Security + DevOps = Revolt or Left Out?
Source: https://theclumpany.wordpress.com/2015/08/09/pitchforks-and-
flaming-torches/

17. 17
Food Safety is a Security Problem in
Manufacturing Pipeline
Source:
http://www.foodengineeringmag.com/articles/889
90-tech-update-metal-detection-xray-inspection-

18. 18
Shift
Time
Shift
Technique
Shift
Tools
Shift Approaches

19. 19
Shift Time
It’s not about doing the same things earlier …
... but an opportunity to do different and
better things earlier

20. 20
Case Study: Financial Services Mobile Wallet

21. 21
Security
Born in the Cloud: New
builds in AWS every 60 days
Automated Regression &
Test-Driven Development
Docker containers abstracts
applications from OS
DevOps
Qualys Case Study: Financial Services Mobile Wallet
Commercial/Open Source
vulnerabilities are detected & fixed
on same release cadence
Automated regression
finds patch issues faster
OS vulnerabilities are patched
separate from Applications
1
2
3

22. 22
Qualys Case Study: Financial Services Mobile Wallet

23. 23
Shift Techniques
Instead of thinking like a security person –
perimeter, gates, limiting access, closed…
... Think like a developer:
Automation API
Integration Continuous
Visibility Measure + Refine

24. 24
Qualys Case Study: One of Largest Ecommerce Companies

25. 25
Prevent Software Check-Ins
that use Vulnerable Libraries
Apply Technique
Tag Vulnerable Libraries in
Source Control
1
Shift Technique
Automatically open tickets for
Developers on security issues
Apply Technique
Vulnerabilities in Production
are Treated as Defects
Shift Technique
2
Excessive Remediation Times
are escalated to CEO
Apply Technique
Open Vulnerabilities Reported
to Business Unit VPs
Shift Technique
3
Qualys Case Study: One of Largest Ecommerce Companies

26. 26
Shift Tools
Find/Implement the right tools for the DevOps
Processes…
... But:
You may not need to procure new tools
APIs, Integrations, Self-Service UIs
Collaborate with current vendors on your DevOps plans

27. 27
Qualys Case Study: Financial Investment Services

28. 28
Qualys Case Study: Financial Investment Services
SolutionChallenge
400+ Web Apps in production
Web Security Assessment found
they had a lot of “easily”
mitigated app vulnerabilities
Integrated the production Web
Security Assessment tool into DevOps
processes via API
Automatically create Jira bugs for
App Development to fix XSS and
SQL Injection issues
Continuously assess Web
Apps in the dev process so
issues are not re-introduced
Hard for developers to fix
security issues in production
1
2
3

29. 29
Integrate Production Security Tool into DevOps
Image Source: https://www.smashingmagazine.com/2015/01/basic-test-automation-for-apps-
games-and-mobile-web/
Selenium
Qualys WAS
Jira Issues
Selenium
Qualys WAS
Jira Issues

30. 30
How can you get
started?

31. 31
Next Week
• Take an accounting of
current security tools –
are they DevOps
friendly with APIs,
automation, or self-
service UIs?
• Identify development
teams using DevOps –
engage and discuss
DevSecOps
• Visible vs. Safe project
• Cloud vs. On-premise
Next Quarter
• Integrate security tools
into one development
lifecycle
• Security process(es) to
overcome tool integration
• Measure outcomes – #
vulns identified/fixed
before release
• Host a vendor Summit –
present your project
roadmap and Evangelize
DevSecOps
Next 6 Months
• Consolidate / select new
security tool sets ($$
savings)
• Implement self-service
and API-based
DevSecOps programs
• Expand to more projects
– foundational
• Present at conferences
and user groups on
DevSecOps

32. 32
Resources
• SANS : https://www.sans.org/webcasts/archive/2017
• SAFECode: https://www.safecode.org/
• SANS Difference Makers - https://www.sans.org/cyber-innovation-awards
• Qualys: https://www.qualys.com
• Questions: q@sans.org
• @John_Pescatore
• @Qualys

33. 33
Acknowledgements
Thanks to our sponsor:
And also to our speakers and to our attendees:
Thank you for joining us today
© 2017 The SANS™ Institute – www.sans.org