RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Service Risks

Tim Mackey, Senior Technology Evangelist, Synopsys presented, "Creating a Modern AppSec Toolchain to Quantify Service Risks." For more information on his presentation, please visit https://www.synopsys.com/blogs/software-security/application-security-toolchain/

  1. Creating a Modern AppSec Toolchain to Quantify Service Risks
     Tim Mackey, Senior Technology Evangelist, Synopsys
     © 2019 Synopsys, Inc.
  2. Modern Application Development and Risk
     It's not just about the applications… think process.
  3. Data breaches are serious business
     2017: Average cost of a data breach: $7.35 Million; lost business: $4.03 Million; average time to identify and contain a breach: 206 days (Source: 2017 Cost of Data Breach Study (US Data), Ponemon Institute)
     2018: Average cost of a data breach: $7.91 Million; lost business: $4.20 Million; average time to identify and contain a breach: 253 days (Source: 2018 Cost of Data Breach Study (US Data), Ponemon Institute)
  4. Modern application = Proprietary Code + Open Source Components + API Usage + Application Behavior and Configuration
  5. Gartner definition of DevSecOps
     Information security architects must
     • Integrate security at multiple points and
     • Preserve teamwork, agility and speed in dev environments
     Security activities must be an integral part of the DevSecOps pipeline. DevOps teams have to own security the same way they own development and operations.
  6. The toolchain starts with process, i.e. define security targets and build the toolchain from them.
  7. DevSecOps Pipeline: Quality and Security Checks (Dev IDE → Build → Test → Deploy → Prod/Ops → Feedback)
     Dev IDE: • Risk assessment • Threat model • Lightweight SAST • Local unit tests
     Build: • SAST • SCA • Unit tests • Config tests
     Test: • Functional tests • Load test • Performance test • DAST/IAST • Penetration test
     Deploy: • Hardening check • Network scanning
     Prod/Ops: • Continuous monitoring • Threat intelligence • CVE reports • Regulatory changes
  8. Example: IoT takes over the world
     IoT Device: • Limited CPU resources • Limited RAM for features • C/C++ typical • MQTT common protocol • Avoid MITM • Certification of image OTA
     Mobile Interface: • iOS/Android application • Configure device • View device data • Receive notifications
     MQTT Broker: • Lightweight protocol • High volume • Pub/Sub interface
     Analysis Engine: Authentication and Authorization; MQTT, WebSocket, Core Data
     Web UI: • Responsive application • View device data • View historical information
     Numbered callouts in the diagram represent constraints in the system: 1. Configure via Bluetooth 2. Encrypted data published via MQTT 3. Data stored for analysis 4. Authentication and Authorization
  9. Identify security targets from platform requirements
     Goal: Select an IoT toolchain meeting product and cost requirements
     Role: Security Architect with CISO and Product Owner guidance
     Tasks and requirements:
     1. Select platform supporting desired protocols • Protocol implementations must be resilient
     2. Select candidate vendor or open source stack
     3. Validate protocols against cost and stability • Define protocol fuzzing framework
     4. Report on security targets during development
  10. Select development frameworks and environment
     Role: Development Lead with Product Owner guidance
     Goal: Select frameworks capable of meeting time to market and security targets
     Tasks and requirements:
     1. Select languages based on security
     2. Define build environment
     3. Identify commercial and open source frameworks and libraries • Define governance for security updates
     4. Enable IDE security plugins
     5. Enable build time CI analysis
  11. Continuous security assessments during development
     Role: Developer with Development Lead guidance
     Goal: Identify security governance issues prior to commits
     Tasks:
     1. Transparent security review during coding • No disruption to existing workflows
     2. Remediation and contextual guidance • Lower defect costs by shifting left
     3. Developer reviews results before merging
  12. Continuous security assessments during build
     Role: Release Engineer with guidance from QA and Product Owner
     Goal: Ensure release meets security and functional targets
     Tasks and requirements:
     1. Build triggered from merge/pull request
     2. Detailed scans run parallel to build process
     3. Optionally fail builds based on security targets/exceptions
     4. Analysis summaries fed back to IDE plugins
     5. Centralized security progress tracking
  13. Confirm governance and security target progress
     Role: Security Architect
     Goal: Ensure release meets security and functional targets
     Tasks:
     1. Centralized view of security results
     2. Review by common taxonomy • (OWASP Top 10, SANS Top 25)
     3. Triage issue status via defect workflows
     4. Measure progress against governance targets
     5. Define security targets for future releases
  14. Embedding security targets within your toolchain: Developer → Build → Test → Deploy → Production → Feedback and Security Monitoring
  15. IDE-based Security Analysis
     Supports most popular IDEs – IntelliJ, Eclipse, Visual Studio – Works natively in the developer's environment
     Integrates local and central analysis into IDE – Reduce incidence of security and quality issues entering codebases – SAST (Coverity), SCA (Black Duck), IAST (Seeker) and managed services information at developers' fingertips
     Provides context-sensitive training & tutorials – Built-in eLearning integration – Delivers the right training at the right time
     Strengthen adoption by providing security information where developers work – in the IDE
  16. Centralized Reporting and Analysis
     Unified UI, reporting, and alerts – Simple unified user experience – Quickly onboard new projects and analysis engines
     Flexible cloud-based deployment – Public/Private Cloud & on-premises – Single or Multi-tenant
     Integrated Analysis Engines – SAST, SCA, IAST, DAST, Pen Testing, Network
     Enterprise systems integrated – SSO, RBAC – SCM, CI, Issue Tracking Integrations – Open API for proprietary integrations
     Providing a comprehensive view of software security and quality risks across teams
  17. Security Toolchain – Synopsys Polaris with Code Sight
     Code Sight IDE Plugins: • Support all popular IDEs • Incremental, high-fidelity analysis • Local issue triage and management • Check in to SCM and trigger central builds • Complement central scans
     CI/CD Integration: • Invoke analysis • Perform capture and send to platform
     Polaris Central Server in the Public/Private Cloud: • Run analysis on the platform • Central issue triage and management • Centralized reporting
     Alert and notifications
  18. Key takeaways
     Measure progress against targets and changes in direction
     • Identify opportunities to reduce business risk with new technologies
     • Design update mechanisms for resiliency against MITM attacks
     • Legacy best practices may increase risk when applied to new paradigms
     Reduce risks of non-compliance
     • Implement continuous monitoring of all deployed apps, complete with dependency inventory
     • Reassess point-in-time decisions and the impact of new regulations
     • Proactively compare running infrastructure against configured infrastructure for deltas
     Define security targets when selecting components and toolchains
     • Ensure criteria are understood in Ops, Development and Procurement
     • Train all development and operations teams to identify changes in risk
     • Document decisions impacting risk acceptance at all points in the SDLC
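Slides 12 and 13 describe a build-stage gate that runs scans in parallel with the build, optionally fails the build against security targets and exceptions, and feeds summaries back to the IDE and to central progress tracking. The script below is an added example of such a gate, written for this page; it is not code from the deck, from Synopsys, or from the Polaris/Code Sight products. The finding format, the `tool:rule:location` exception key, the expiry-dated exception list and every CWE id, component name and path in the sample data are constructed assumptions for illustration.

```python
"""Build-stage security gate: compares scan output against security targets
and time-boxed exceptions, then decides whether the build fails.
Added example (not Synopsys/Polaris code); all sample data is constructed."""
from dataclasses import dataclass, field
from datetime import date
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    tool: str       # analysis engine that produced it, e.g. "SAST" or "SCA"
    rule: str       # CWE id for SAST findings, component@version for SCA findings
    severity: str   # one of SEVERITY_RANK
    location: str   # file:line for code, dependency path for components


@dataclass
class SecurityTarget:
    # Maximum open findings allowed at or above each severity, e.g. {"critical": 0}
    max_open: dict
    # "Optionally fail builds": a target can report without breaking the build
    fail_build: bool = True
    # Accepted-risk exceptions: "tool:rule:location" -> expiry date (assumed format)
    exceptions: dict = field(default_factory=dict)


@dataclass
class GateResult:
    passed: bool
    fail_build: bool
    violations: list        # (severity, open count at/above it, allowed limit)
    open_findings: list
    suppressed: list        # covered by a still-valid exception
    expired: list           # exception has lapsed; finding is reopened

    @property
    def exit_code(self) -> int:
        return 1 if self.fail_build else 0


def exception_key(f: Finding) -> str:
    return f"{f.tool}:{f.rule}:{f.location}"


def apply_exceptions(findings, target, today):
    """Split findings into open / suppressed / expired. Expired exceptions are
    reopened so accepted risk is re-assessed rather than silently forgotten."""
    open_, suppressed, expired = [], [], []
    for f in findings:
        expiry = target.exceptions.get(exception_key(f))
        if expiry is not None and today <= expiry:
            suppressed.append(f)
        else:
            if expiry is not None:
                expired.append(f)
            open_.append(f)
    return open_, suppressed, expired


def summarize(findings):
    """Counts per tool and severity: the summary fed back to IDE plugins and reporting."""
    summary = {}
    for f in findings:
        summary.setdefault(f.tool, {s: 0 for s in SEVERITY_RANK})[f.severity] += 1
    return summary


def evaluate(findings, target, today=None) -> GateResult:
    """Apply exceptions, then check each severity threshold of the target."""
    today = today or date.today()
    open_, suppressed, expired = apply_exceptions(findings, target, today)
    violations = []
    for sev, limit in target.max_open.items():
        at_or_above = sum(1 for f in open_ if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[sev])
        if at_or_above > limit:
            violations.append((sev, at_or_above, limit))
    passed = not violations
    return GateResult(passed, target.fail_build and not passed, violations, open_, suppressed, expired)


# Constructed sample scan output, target and build date (not real findings or components)
SAMPLE_BUILD_DATE = date(2019, 6, 1)
SAMPLE_FINDINGS = [
    Finding("SAST", "CWE-89", "critical", "src/db/query.c:42"),
    Finding("SAST", "CWE-79", "high", "web/render.js:17"),
    Finding("SCA", "libexample@1.2.0", "high", "third_party/libexample"),
    Finding("SAST", "CWE-20", "medium", "src/parse.c:88"),
    Finding("SAST", "CWE-20", "medium", "src/parse.c:120"),
    Finding("SCA", "otherlib@0.9", "low", "third_party/otherlib"),
]
SAMPLE_TARGET = SecurityTarget(
    max_open={"critical": 0, "high": 1, "medium": 10},
    exceptions={
        "SCA:libexample@1.2.0:third_party/libexample": date(2019, 12, 31),  # still valid
        "SAST:CWE-79:web/render.js:17": date(2019, 1, 1),                    # expired
    },
)


def main() -> int:
    result = evaluate(SAMPLE_FINDINGS, SAMPLE_TARGET, SAMPLE_BUILD_DATE)
    print("open by tool/severity:", summarize(result.open_findings))
    for sev, count, limit in result.violations:
        print(f"target violated: {count} open finding(s) at {sev} or above, limit {limit}")
    for f in result.expired:
        print(f"exception expired, reopened: {exception_key(f)}")
    print("build", "FAILED" if result.fail_build else "passed", "security gate")
    return result.exit_code


if __name__ == "__main__":
    sys.exit(main())
```

The gate returns a non-zero exit code only when the target says `fail_build`, so the same evaluation can run in "report only" mode while a team is still working toward its targets, and the per-tool summary is what a central dashboard or IDE plugin would consume. Exceptions carry an expiry so that a risk-acceptance decision is revisited rather than becoming permanent.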