Mais conteúdo relacionado

Similar a SCS DevSecOps Seminar - State of DevSecOps(20)


SCS DevSecOps Seminar - State of DevSecOps

  1. The State of DevSecOps Stefan Streichsbier |
  2. Actively involved in building the DevSecOps community Identified severe shortcomings in security processes and tech resulting in GuardRails Background Professional white-hat hacker Stefan Streichsbier @s_streichsbier
  3. What are we going to cover? And also, how security and developer experience are related. State of Security in DevOps Brief History of DevOps Common Pitfalls and suggestions For DevSecOps
  4. It used to be so simple Figure 1: Use an FTP Client to Copy the Necessary Files from Your Desktop to the Web Server at the Web Host Provider. Source:
  5. Web masters don’t need to collaborate Build? I’m using PHP, ASP, PERL, etc Test locally, As long as there is no parsing error, we’re all good. Drag and drop files to Filezilla. GoDaddy
  6. Tech Startups in Asia – #10YearChallenge 2009 vs 2019
  7. How is that possible?
  8. Existing markets are ripe for disruption Creating new technology solutions was never faster or cheaper Software can built locally but distributed globally
  9. It’s better now, but is it simpler?
  11. Complexity Is Increasing AWS Console Left: 2018 Right: 2019
  12. How does security fit into this?
  13. AWS Security Primer I have worked extensively with AWS over the last 4 years, and I can barely wrap my head around the scope of managing security in AWS. We have an entire department dedicated to security in our company, and none of them are remotely close to being experts in AWS security either. I’m starting to get curious if there even is an expert who could set up and maintain a bulletproof AWS account.
  15. DevSecOps: How important is it really? • Agile took us from months to days to deliver software • DevOps took us from months to minutes to deploy software • More applications are mission critical • Now security has become the bottleneck
  16. The real impact of hacks & breaches News is full of high-profile breaches that get widespread attention. But they are not the only target of hackers 43% of all cyber attacks target small businesses. 60% of small businesses that are Hacked go out of business within 6 months. 1/5 data breaches are the result of attackers abusing insecure web applications.
  17. Who is responsible?
  18. The Evolution of Security Tools Secure SDLCPenetration Testing DevSecOps Duration 2-4 weeks 1-2 weeks Continuous and Real-time Tools • Port Scanners • Vulnerability Scanners • Exploitation Tools Audience • Security Professionals Tools • Code Security Scanners • Dynamic Security Scanners • Vulnerability Scanners Audience • Security Professionals in Enterprise Security Teams Tools • Code Security Scanners • Interactive Security Scanners • Runtime Application Self Protection Audience • Developers in Product Teams
  19. Security Development Operations The Evolution of Security Teams Secure SDLCPenetration Testing DevSecOps Security Development Operations Security Development Operations “Department of NO” “Let’s work together” “How can we help you succeed?”
  20. Modern security teams empower dev teams! 100 10 1 Dev Ops Sec: : : : Looks like we have a scale problem
  21. - John Willis You build it, you secure it.
  22. Understanding benefits of security controls Create Test Monitor Challenges • Changing human behavior • Difficult to enforce • People churn Benefits • Reduce new vulnerabilities Challenges • Vulnerability Noise • Fixing issues • Coverage of issues Benefits • Enforceable • Provide Metrics Challenges • Coverage of issues • Org wide rollout Benefits • Enforceable • Provide Metrics • Block attacks Security
  23. DevSecOps - Monitor Are your applications currently under attack? Are we automatically defending against this attack? What are attackers going after? • Micro Segmentation • Runtime Application Self Protection (RASP) • Bug Bounties Questions you should be able to answerAvailable Technologies
  24. DevSecOps - Create Do your teams know the most common successful attacks? Who is the dedicated security contact in a team? Do your teams know how to detect and avoid them? Questions you should be able to answer • Security Awareness • Secure Coding Training • Shared Knowledge Base • Security Focused Hackathons • Security Champion Program Available Options
  25. DevSecOps - Test Do the latest changes introduce new security issues? Does our code contain hard- coded secrets? Do any of our 3rd party libraries have known security issues? Questions you should be able to answer • Static Application Security Testing (SAST) • Sensitive Information Scanners (SIS) • Software Composition Analysis (SCA/CCA) • Dynamic Security Scanning (DAST) • Interactive Application Security Testing (IAST) Available Technologies
  26. Automated Security Testing SAST SCA DAST/IASTCCA CommercialOpenSource 100+
  27. Automated Security Testing – Fragmentation
  28. Where do these tools live? Source:
  29. Security Developers
  30. “The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. Bill Gates The second is that automation applied to an inefficient operation will magnify the inefficiency. ”
  31. What has to be different then?
  32. Signals vs Noise Focus on high-impact issues Don’t add to the noise Ensure the issues have high accuracy Security Trivia #213: What is the largest security tool report that has been recorded? 13,000 pages
  33. Lost in Translation Speak the same language as developers Issues are useless until they are fixed Leverage the right communication channel Security Trivia #937: What is the official CWE title for a SQL Injection? Improper Neutralization of Special Elements used in an SQL Command
  34. Make it easy Tightly integratedAllow developers to get started in minutes Provide all the needed functionality Security Trivia #23: How many of the 12 leading AST companies - according to the Gartner Magic Quadrant – have clear pricing information on their website? 1
  35. DevSecOps Do we really need it now? There are some compelling statistics • It’s 30 times cheaper to fix security defects in development vs production • 80% to 90% of modern applications consist of open source components • An average data breach costs 5M+ USD • Most of the DevOps high-performers include security in their delivery process Security as Competitive Advantage
  36. State of DevSecOps - Conclusion Security TeamTechnologies Product Team • Tools have improved • Choose them wisely • Solve technology problems • Cover the whole portfolio • Start acting on data in prod • Department of YES • Empowering product teams • Use scarce resources wisely • Respect complexity, but provide focus • Make security a non-event • Acknowledge that developers are key • Knowledge is power • Turn developers into security champs • Be mindful that change is slow • Build it, run it, secure it
  37. Get a curated list of security resources Consisting of: • Awesome security lists • Developer trainings • List of great security tools • Security Page templates • Free digital copy of my book • the slides • … and more Then send an email to:

Notas do Editor

  1. Established security programs internationally Identified severe shortcomings in security processes and technologies Led me to create Guardrails to fill that need Have been very active in building up the DevSecOps community. Created a meetup in Singapore that has over1000 members (looking for some fresh blood to revive it) Have brought DevSecCon now MyDevSecOps to Singapore Have co-organized DevOps conferences in Singapore and Jakarta Have been one of the co-authors of The book “Epic Failures in DevSecOps” Vol 1.
  2. We gonna briefly discuss how the technology landscape has changed and what the implications are of that. How security is keeping up with the change, or rather how it isn’t. And what mindset shift security as an industry has to adopt to have a sustainable impact. We have a chance to be a part of development for the first time in a meaningful way. Let’s not blow it by adding the same old security toolchain to DevOps.
  3. And by the way, how many of you here today are in a fintech or any other kind of tech company startup? fintech slide -> You may join the unicorn club soon.
  4. It's astonishing how this game of david and goliath has changed the world in the last decade. Now, why is that possible? Software has become mission-critical!
  5. Litmus test, how long does it take you to get one line of code through your system?
  6. This still looks fairly simple, you have git your scm, Jenkins your bukld system, docker as containers, and kubernetes as the orchestration layer. That’s not too bad, is it?
  7. This is just tools you have to use to get an application from an idea in someones head to code running in production. There are no security tools in that picture.
  8. Have you looged into AWS/Google cloud platform lately? This is the high level menu overview of the offered services respectively.
  9. Feels a little bit like this, doesn’t it.
  10. When googling security complexity to illustrate this problem, I stumbled over this little gem. We understand that it’s already too much to understand modern development workflows and tooling. Understanding the security implications is almost impossible. So what you see on this slide, is a AWS expert sitting down to understand the security areas they have to consider for their AWS account. This gentlemen is by no means a security expert, not even a self proclaimed one. The response he got on hackernews is a real eye opener.
  11. This is just tools you have to use to get an application from an idea in someones head to code running in production. There are no security tools in that picture.
  12. DevOps is all about breaking down barriers, have developers work with the business, with the ops team and simply out-innovate and out-ship the competition. Software has become mission-critical!
  13. While hacking-related data breaches and subsequent ransom demands to large corporations like HBO, Target, and Home Depot understandably garner widespread attention, t he resulting assumption that only large companies face this growing digital threat couldn’t be further from the truth. In fact, a study in 2016 found that 43% of all cyber attacks targeted small businesses. Even more alarming is that a staggering 60% of small businesses hit with a cyber attack or data breach go out of business within 6 months. Software has become mission-critical!
  14. Everyone!!! Ok, but who is accountable?
  15. Different Tools come from different eras and are focused on outcomes and different audiences.
  16. Working as an audit/control function Working as security gates in the lifecycle Empowering DevOps teams to move fast and be safe.
  17. Think Application Performance monitoring for security Understanding how your app is abused and misused helps with prioritization.
  18. This is where most of the investments are done these days.
  19. To give an analogy, Software doesn't have to be of high quality and excellent user experience. most of the successful enterprise software did not provide these and they did succeed - until now at least. But now many of these organizations are struggling heavily, because their entire culture and processes are outdated and they are moving very slow. No matter how much money these orgs have, it is still a tricky process, because it's attempting to change the culture. Another example is Tesla. Stunning cars, that delight users all over the world. They designed a new car from the ground up. Many of their competitors spending a lot of money and time to retrofit their cars and convert them into more and more smart cars. But Tesla is a supercomputer on wheels and is out innovating the competition. The key point is that certain aspects that may not seem that relevant at the moment, will become the decisive advantage in the future. You can’t develop software and expect it to be secure after an audit at the end. Same way you can’t say now that the feature is shipped make sure it performs well and doesn’t have any bugs. Thebest time to plant a tree was 20 years ago. The second best time is now. That’s why we see many new organisations succeed, because they don’t carry the same baggage and can get things right from the start. Despite the challenges of identifying quality metrics that apply to all organizations, we can identify good proxies for quality that work across companies and industries. These include how time is spent, because it can tell us if we are working on value-add work or non-value-add work.
  20. Focus on the right improvements, e.g measuring defect density, etc. E.G if a technology can reliably identify and prevent a vulnerability in production, without having to involve humans to fix it, then That’s a good start. If you can have technology that alerts you of breaches while containing them, that’s great. Use it. If you have tools that you can embed in your pipeline to get more continuous security feedback into the hands of developers, then use that Be smart about where to use human efforts on and where not to. Security team should help engineering teams to succeed and achieve their mission. Not say no and delay releases like an audit function. Start with general training programs, there is excellent free training out there for engineers and basic security awareness. As you get more data from your tools, then you will be able to prioritize the next focus areas and teams that require that training. Teaching people and changing the culture is hard and takes a long time. It is still important but make sure all the other aspects are Reducing your risk while simultaneously buying time.