Mais conteúdo relacionado

Apresentações para você(20)

Similar a The Future of DevSecOps(20)




The Future of DevSecOps

  1. www.guardrails.ioStefan StreichsbierVersion 1.2 (11-20) The Future of DevSecOps
  2. Stefan Streichsbier @s_streichsbier Actively involved in building the Dev(Sec)Ops community (Events/Author) Identified severe shortcomings in security processes and technologies Background Previously professional white-hat hacker Founder of
  3. The Present Do not dwell in the past, do not dream of the future, concentrate the mind on the present moment. - Buddha
  4. The talk is split into three segments: 1. The past: Ride down memory lane 2. The present: Where things are at today 3. The future: Take a look into the crystal ball Agenda
  5. The Past “To understand the future ... we have to understand the past.” - Carl Sagan
  6. 1760-1830 1870-1914 1947-1989 1990-2020 2021-... Revolution #1 ● New manufacturing processes ● Hand production to machines ● Use of steam and water power ● Rise of population and cities Revolution #2 ● New steel making processes ● Mass production/assembly lines ● Electrical grid systems ● Telephones Revolution #3/1 ● Use of digital logic (MOS transistors) ● 1985: Waterfall methodology ● 1989: Invention of the Internet ● Rise of home computers (15%) Revolution #3/2 ● 1990: First web browser (pictures) ● 1994: First online banking ● 2001: Agile, 2009: DevOps ● 60% access to Internet Revolution #4 ● Merging physical, digital, and biological worlds ● Quantum Computing ● Robotics ● Artificial Intelligence The industrial revolutions
  7. Focus on Applications ● DevOps ● Containers ● Smart Everything (IoT) ● Rust, Kotlin, Elixir, Swift 1990-1999 ● Waterfall ● Public access to the Internet ● Personal computers ● Java, Python, Ruby, JavaScript1990-1999 ● 1991: First version of AntiVirus ● 1994: Hack $10 million from Citibank ● 1995: Arrest of Kevin Mitnick ● 1996: Smashing the stack for fun and profit ● 1999: Hundreds of advisories for Windows 2000-2009 ● Agile ● Cloud Computing ● Smart phones ● C#, Scala, PowerShell, Go 2010-2020 2000-2009 ● 2001: Code Red Worm ● 2003: First Static Analysis Tools ● 2004: Microsoft SDL Version 1 ● 2006/8: Building Security In/BSIMM ● 2009: Conficker Worm 2010-2020 ● 2010: Operation Aurora/Stuxnet ● 2013: 65M records hacked from Tumblr ● 2016: $101M stolen from Bangladesh Bank ● 2017+: Data breaches Equifax, LinkedIn, ... 01 02 03 04 05 06 Security vs. Software Focus on Operating System Focus on Network Services
  8. Present State: Software Engineering A lot has happened in the past and software development has evolved by leveraging the principles of lean manufacturing and iterative & incremental software processes. ● Slow release cycles (quarters) ● Manual Deployments ● Only code is version controlled ● Strict separation of teams (dev/ops/sec) ● Monolithic Architecture ● Lack of visibility ● Fast release cycles (<days) ● Automatic CI/CD Pipelines ● Everything is version controlled (IaC, etc) ● Cross functional teams (dev/ops/sec) ● Microservice Architecture ● Full Stack Visibility
  9. Present State: Security Engineering Security has evolved a lot as well from existing security testing techniques, to the required skills, to the mindset of how security can support the business. ● Department of No ● One-off security scans ● Security test at the end ● Waiting for issue reports ● Pentesting mindset ● Business Enabler ● Continuous security scanning ● Upfront security analysis ● Proactive vulnerability detection ● Security Engineering mindset
  10. Present State: Challenges Feedback Time Many existing security tools take a long time to scan and as such can’t easily be implemented in CI/CD pipelines. Nightly scans are still a thing. Find vs Fix The main problem is that most applications (especially legacy ones), have many security vulnerabilities when they first get tested. Knowing that there are vulns is good, but fixing them would take a lot of time. Fragmentation Many solutions out there only provide part of the picture, which results in needing different dashboards and unify different data sources to get actionable visibility. Which is a pain for managers, security engineers, and developers. Security Noise Security tools are traditionally designed for security engineers and as such aim to provide a lot of results to catch anything that’s possibly a vulnerability. Which causes a lot of noise and tends to result in outputs being ignored. Integration Many existing tools work stand alone and don’t integrate well into the development workflows. Dropping tools into a CI/CD pipeline, takes a lot of effort to maintain and rollout org-wide and is typically not enough. Testing Techniques There are a lot of security testing techniques available these days. SAST. SCA, CCA, DAST, IAST, RASP, VA, Cloud it is very difficult for organizations to understand what these do and how to use them.
  11. There are several tools out there now completely open source, that in some cases even outperform some existing enterprise security solutions. It is easier to develop tools now than 15 years ago. Harder to justify the price. Many of the “leading” software security tools have been founded over 15 years ago, and a lot of intellectual property has been created for a different era. Legacy IP Present State: Inconvenient Truths Acquisition Grown Increased Pressure Wrong Audience Most security companies have started with one scanning technique and then with success acquired more companies with more techniques, which have been patched together. The traditional software security tools have been developed for security experts, are difficult to use, very noisy and often hard to use in CI/CD pipelines.
  12. Present State: A Ray of Hope?
  13. The promise ● Simple, customizable, and fast static analysis tool for finding bugs ● Runs offline on uncompiled code in CI, at pre-commit, or in the editor ● Company and community backed The idea is indeed interesting, create a kind of smart grep that allows you to create rules in an easy way, then open it up for the community, et voila. SAST for everyone. Suddenly much of the IP of these “dinosaurs” has lost a lot of value, because now there is a good solution that’s available for free. Present State: CodeQL & SemGrep A Silver Bullet? ● Many concerns not addressed by this ○ Other security testing techniques ○ Curation of rules ○ Rollout and Orchestration Let’s say a perfect SAST solution is available for everyone, would that solve all problems? One of the main issues remains: Find vs. Fix
  14. The Future There comes a point where we need to stop just pulling people out of the river. We need to go upstream and find out why they’re falling in. - Bishop Desmond Tutu
  15. Goals that need to be achieved ● Smart Security Scanning ● Unify all security testing techniques ● Native Integration ● Continuous Verification ● Auto-fixing of issues ● Security for developers ● Security available for all
  16. Smart Security Scanning Data science is eating the world ● Rules are a great foundation ○ Leverage crowd to mark issues ● Findings data-set has to be verified ○ Leverage crowd to verify issues ● Identify issues by “understanding code” ○ With high levels of accuracy
  17. All in One Stand on the shoulders of giants ● Adding a layer of abstraction ○ True tight unification of all solutions ● Ability to cross reference issues ○ Based on different scanning techniques ● Central Storage of all data ○ Used for data science
  18. Native integration DevSecOps Native ● Tools should understand all events ○ Code, Runtime, Infrastructure ● No more pipelines that do different things ○ Standardized and fully managed ● Vulnerability lifecycle has to be clear ○ Created, changed, fixed, re-introduced
  19. Continuous verification Scanning is not enough ● Continuously ensure a known safe state ○ Covering all security aspects ● Continuous verification against standards ○ PCI, HIPAA, ASVS, etc ● Provide instant security feedback ○ Whenever anything fails
  20. Auto-Fixing Vulnerabilities Finding is not enough ● Even finding and fixing all new issues ○ Doesn’t really reduce the risk ● Real labor is fixing all issues ○ For each vulnerability class ● Implement controls to prevent it in the future ○ Thus sustainably eradicating issues Auto-fixing at scale ● Provide just in time training on the issue ○ Leverage gamification to fix more issues ● Leverage data science to fix issues ○ Can be a hybrid approach ● Rely on secure by default frameworks ○ Over others that are less opinionated
  21. Empower Developers Focus on the right audience ● Standardize security issues ○ Which ones are important and why ● Focus on the right risk context ○ Security risk is not equal for every app ● Make it easy to understand and fix issues ○ Shouldn’t take a security PhD to get it
  22. Security For All Make Security Accessible ● There is no security training in schools ○ Should take civil engineering approach ● Security is not affordable to everyone ○ Open source software vulnerabilities
  23. The 3 Core Takeaways 01 02 03 Security Practices Security practices have evolved a lot, but overall there has not been a clear downward trend in vulnerabilities being fixed. Data Science Data science will completely change the way security is going to look in the future resulting in a paradigm shift. The Future of DevSecOps Will be a very bright one. Smart, all-in-one security testing technologies, that are tightly integrated into developer workflows will provide continuous verification, auto-fixing and be available to everyone.
  24. Who wants a virtual goody bag? Consisting of: • GuardRails coupon code • Links to awesome security lists • Developer trainings • List of great security tools • Security Page templates • Free digital copy of my book • … and more Then send an email to: