DevOps Connect: DevSecOps Edition at RSAC 2017

1. Quality health plans & benefits
Healthier living
Financial well-being
Intelligent solutions
DJ Schleen
February 13, 2017
Implementing DevOps in a
Regulated Environment
@dschleen

2. © 2017 Aetna Inc. 2

3. © 2017 Aetna Inc. 3

4. © 2017 Aetna Inc.
Let’s bust out some walls and install some
windows…
4

5. © 2017 Aetna Inc.
The Aetna Landscape
The seeds of DevOps are germinating everywhere
• 3,500+ Developers
• 1,500+ Applications
• Multiple deployment platforms and development languages
• Robust software security program and training programs
• Formerly a “waterfall” organization, but evolving people and
resources to support DevOps
• Mature DevOps practices in some facets of the organization and
subsidiaries
• Evolving legacy apps to support microservice design principles and
containerization
5

6. © 2017 Aetna Inc.
The Aetna Journey
• The evolution of our SDLC from Waterfall to DevOps
• Integration of our Software Security Program into our CI/CD Process,
Specifically:
─ Automated Static Code Analysis
─ Container Vulnerability Scanning
─ Identifying and remediating AWS Security Risk
• How we measure ourselves and map security controls to compliance
• Observations and benefits of DevOps/DevSecOps
• Constantly learning, improving, and re-evaluating
6

7. © 2017 Aetna Inc.
Aetna’s Traditional Approach
7
Requirements Design Development Test Production
1. Set project
expectations:
secure from the
start (per
archetype)
2. Define security
blueprints:
Archetype specific
patterns and
secure-by-design
components
Identification &
proactive protection
against security
vulnerabilities in
production
Conduct application
security testing on
deployed
configurations
PREVENTATIVE DETECTIVEStatic Analysis
Dynamic Assessment
Security Libraries &
Frameworks
Threat Modeling
Ex: All data input
by users must be
validated
Assets
Attack
Vectors
Threats
Threat-Based Pen Test
Open Source Analysis
Application Risk
Classification
Security Requirement
Definition
Software Security Training (Role-Based Curriculum)
PRODUCTION
Continuous Perimeter
Assessment
Web Application
Firewalls
Secure Coding Guidelines
Automated Attack/Bot
Defense
Secure Application Design

8. © 2017 Aetna Inc.
• Automation/Tool Integration
• Transparency
• Increased Collaboration
• Consistent Adoption
• Continual Feedback
• Remediation Efficiency
• Release Gating
• Resiliency & Scalability
(Microservices/Containers)
8
DevOps and Security – an Unprecedented
Opportunity

9. © 2017 Aetna Inc. 9
Role Based Software Security Training
DevOps/Security Program Integrated
Requirements
& Design
Dev CI
Interval
Triggered
Assessments
Production
Static Analysis
(CI)
Dynamic
Assessment
Container Security
Scanning (CI)
Static Analysis (IDE)
Threat-Based Pen
TestOpen Source
Governance(CI)
Application Risk
Classification
Security Requirement
Definition
Security Mavens (Security-Trained Developers and Operations)
Perimeter
Assessment
Web Application
Firewalls
Automated
Attack/Bot Defense
Container Security
Management
Preventative Detective
Detailed manual assessments
triggered automatically at
appropriate interval; detached
from release cycle
Lightweight threat
modeling approach
AEFW/Secure Libraries
Iterative, Automated, Efficient
Secure Coding
Standards
Threat Modeling Application Red
Team
Continuous Monitoring, Analytics, and KPI Gathering
SCM

10. © 2017 Aetna Inc.
Check In
Commit
or Pull
Request
Successful
Build
Security
Scan
Feedback
Code
Feature
Static Code Analysis and Gated Check-ins
10
Goal: Improve Code Security
• Move to a fully integrated and
automated state
• Push SCA to the build platform and
triggered with commits/merges
• Use thresholds to “stop the
bleeding”
• Measure defect density (1 high
vulnerability in 10000 LOC)
• Automate threshold reduction as
vulnerabilities in code decreased
• Be as unobtrusive as possible to
developers
• Mandatory Security Control
Thresholds

11. © 2017 Aetna Inc.
Container Vulnerability Scanning
Goal: Ensure our Containers are current and vulnerability free
• Use CIS Docker Benchmarks as a guideline
• Initially attempted to script and automate the audit checks
• Identified commercial software to provide:
─ Automated CIS Docker Benchmark checks
─ Container and repository vulnerability scanning
─ Security policy enforcement
─ Runtime policy enforcement
─ Real-time threat intelligence
─ Specific guidance for HIPPA Compliance
• Mandatory for any container host deployed enterprise wide
11

12. © 2017 Aetna Inc.
AWS Infrastructure Risk
Goal: Identify and Reduce AWS Infrastructure Risk
• Use CIS AWS Foundations Benchmarks as a guideline
• Initially scripted and automated the checks via AWS CLI
• Moved to a vendor provided platform that streamlines and optimizes
vulnerability and risk management for AWS
• Continuously monitor our configured AWS accounts
• Automatically identify security misconfigurations
• Rapidly mitigate risk through guided remediation
• Mandatory for any Aetna or Affiliate AWS account
12

13. © 2017 Aetna Inc. 13
• Gather relevant and
measureable KPIs – Example:
Defect Density
• Trend your performance to see
where you’ve been and project
where you are going
• Use information to strengthen
the confidence in the process
• Whenever applicable, map
process and infrastructure
checks to compliance
requirements (HIPPA, PCI)
Turn Information into Understanding

14. © 2017 Aetna Inc.
Observations and Benefits of DevSecOps
• Consistent application of security controls across all builds,
applications & releases
• Decrease in Defect Density from 1.0 to 0.1
• Increase in the security integrity of applications
• Increase in remediation efficiency through continuous feedback
• Release gating/security gating
• Rapid deployment/increased speed to market
• Increase in efficiency & scalability (microservices)
14

15. © 2017 Aetna Inc.
Challenges Moving to DevOps
• Evolving the culture and habits of 3,500+ developers
• Multiple “flavors” of DevOps in different parts of the organization
• Security tool integration in a manner that supports objectives for
actionable continuous feedback
• What is the best approach for integrating threat modeling and
manual assessments into the lifecycle without impacting CD
objectives?
15

16. © 2017 Aetna Inc.
Takeaways
• Find out where DevOps is happening in your organization
• Identify where security controls can be injected
• Enhance the process with Security, don’t be an impediment
• Turn information into understanding and measure success
• Learn, Expand, Improve, Repeat
16

17. © 2017 Aetna Inc.
Thank you
@dschleen

18. © 2017 Aetna Inc. 18