we45’s SecDevOps and Security Automation Framework (2SAF) aims at decreasing mean time to product deployment with reduced operational resources – with the inclusion of relevant custom product security controls. The 2SAF enables engineering teams to implement a customized automated and threat modeled penetration testing model for every release of the produce lifecycle. Our powerful Review – Train – Study model has enabled engineering and DevOps teams to implement 2SAF within weeks to a fully operational and measurable working framework.

1. © 2015 , we45 1
Security in DevOps
Concept Presentation

2. Topics of Discussion
Current State of Application Delivery
Current Challenges with Application Security
The Application Driven Enterprise Goal
The we45 SecDevOps Framework
© 2015 , we45 2

3. Current State of Application Delivery
Massive Decrease in Application Delivery and Deployment Timelines:
Amazon ships code every 12 seconds.
Increased Use of Agile Development Practices in the SDLC
Increased Adoption of Cloud for Application Delivery
Increased Adoption of DevOps practices to:
Reduce friction between Development and Operations
Increase Collaboration in all areas of Application Delivery
Leverage Continuous Integration, Delivery and Deployment to release code to production
faster
Leverage Automation – To increase Throughput
© 2015 , we45 3

4. © 2015 , we45 4

5. Today – The Application Driven Economy
© 2015 , we45 5

6. Attributes of an Application Driven Enterprise
Throughput – Revenue generated from delivering
apps to customers
Operating Resources– Resources expended to
generate Throughput
© 2015 , we45 6

7. The Goal
© 2015 , we45 7
Increase Throughput while
simultaneously reducing the Operating
Resources

8. © 2015 , we45 8
4 in 5
Cost
of
fixing
a
security
bug,
in
production.
200
Average
Number
of
Days
required
to
fix
a
high/medium
security
bug
$30K
Managers
and
Product
Engineering
Heads
see
Security
as
the
biggest
bottleneck
74%Number
of
Apps
with
atleast one
serious
vulnerability
The
Numbers

9. App security bottleneck – blocking the release
© 2015 , we45 9
Requirements Design Develop Test Security
Test
Releases are blocked until security vulnerabilities are fixed, resulting in:
• Higher Operational Resources to fix Security Bugs
• Slower Release Cycles
• Slower Throughput
• Breakdown of Agile and DevOps

10. App security bottleneck – security iterations
© 2015 , we45 10
Requirements Design Develop Test Security
Test
Release
to
Customer
Apps cannot be used until security vulnerabilities are fixed, resulting in:
• Higher Sales Cycle – reducing Throughput
• Unhappy Customers
• Higher of Cost of Development to fix Security Issues – Higher
Operational Resources
Customer rejects the app till security vulnerabilities are fixed.

11. Security Flaws always do the following:
Break down the Agile and DevOps lifecycle
Cause reduction of Application Delivery Throughput
Result in Lower Customer Satisfaction
Increase time and resources in fixing security flaws
© 2015 , we45 11

12. we45 SecDevOps Framework
Designed to Integrate Security into the organization’s DevOps
practices
Combination of Training + Consulting + Implementation =>
Delivering Maximum Impact on Application Security through a Multi-
Pronged Approach
Guaranteed to meet the goal:
Increase Throughput while reducing Operational Resources in Application
Delivery
© 2015 , we45 12

13. How does it work?
It is a combination of the following:
System and Component Driven Threat
Modeling + Security By Design
Custom Security Automation Suite –
integrated with CI (Continuous DAST)
Automated Security Testing –
Integrated with Continuous
Deployment
Post-Deployment Security Validation
© 2015 , we45 13
Threat
Modeling
and
Secure
By
Design
SAST
and
Continuous
DAST
Pre
&
Post
Deployment
Security
Testing

14. A Highlight of the SecDevOps Approach
© 2015 , we45
14
Product
Backlog
-­‐
Requirements
Sprint
Backlog
-­‐
Sprint
Requirements
Design
DevelopIntegrate
Test
Release
Requirements
Design
and
Prototype
Development,
Iterations,
Prototype
Testing
Release
and
Deploy Security
Risk
Assessment
+
Threat
Model
Security
Design
Review
Peer
Code
Review
+
Training
Customized
Automated
Security
Testing
in
CI
Security
in
Release
and
Config
Management

15. © 2015 , we45 15
Threat Modeling + Security By Design
Threat Modeling is essential in integrating
security into the SDLC.
Threat Modeling done at the System and
specific component level provides micro and
macro perspectives
Threat Modeling – Valuable Input for Security
Testing and Security Automation
Serves as Valuable Input for Security By Design
we45’s SecDevOps Framework => STRIDE Threat
Modeling with DREAD for measurement
STRIDE
•Spoofing
•Tampering
•Repudiation
•Information
Disclosure
•Denial
of
Service
•Elevation
of
Privileges
DREAD
•Damage
•Reproducibility
•Exploitability
•Affected
Users
•Discoverability

16. © 2015 , we45 16
Custom Security Automation Suite
Current State of Application Security Testing
(DAST):
Only 30-40% of Security Vulnerabilities are identified
through Security Testing Tools (Automated tools)
Manual Application Security Testing is slow…
we45’s SecDevOps Framework incorporates a
hybrid approach:
Perform Automated Test through Automated Tools
Provide Custom Security Scripts to simulate manual
application security testing
Integrate the entire suite with Continuous Integration
Application
Security
Testing
(DAST)
-­‐ 100%
Coverage
Automated
Vulnerability
Assessment
Tools
Custom
Automation
of
Manual
Security
Tests

17. © 2015 , we45 17
Benefits – Custom Security Automation Suite
Perform a High Quality Penetration Test for EVERY RELEASE!! (Not quarterly/bi-
annual/annual)
Integrated with CI – Build Fails if Security has failed. No escape from fixing security
flaws
Greater Visibility – Complete Reporting of Tests, Payloads and Pass/Fail Information
Combination of Manual and Automated => 100% Vulnerability/Parameter
Coverage
Issues can be re-created and repeated without Penetration Testers being involved.
Granular Vulnerability Management using we45’s VME (Vulnerability Management
Engine)

18. Coverage – Custom Security Automation Suite
© 2015 , we45 18
OWASP/SANS/WASC
Vulnerabilities
Specialized
Business
Logic
Vulnerabilities
Identify
Vulnerabilities
-­‐
Insecure
Platform
Libraries
and
Third
Party
API
Vulnerabilities
in
the
Network
and
OS
Layer

19. © 2015 , we45 19
Automated Testing – Continuous Deployment
Automated Test Suite integrated with Continuous
Deployment products/standalone, to perform:
Host and OS Security Checks
Vulnerabilities in App Servers, DBs, NoSQL DBs, etc
Vulnerabilities in Network Configurations
Integrate with Continuous Deployment Products like Chef,
Ansible, Puppet, etc.

20. © 2015 , we45 20
Additional Elements – we45 SecDevOps Framework
Automated Static Code Analysis (SAST)
Designing a security oriented Continuous Monitoring Strategy
Focused Training Workshops for Different Teams:
Certified Web Security Professional (Developing Secure Web Apps and Web Services) –
Developers and Architects
Certified Mobile Security Professional (Developing Secure Mobile Apps and Web Services) –
Developers and Architects
Certified SecDevOps Professional (Comprehensive Insight into implementing SecDevOps for
your organization) – Developers, Architects, Operations Personnel, DevOps Engineers

21. © 2015 , we45 21
Conclusions
DevOps or Agile without Security is ineffective
Security is usually the most pervasive bottleneck
we45’s SecDevOps Framework ensures that Security is
integrated into the SDLC and DevOps Framework
This results in achievement of Enterprise Goals of:
Higher Throughput through Application Delivery with a simaltaneous reduction in
Operating Resources

22. thank you
22© 2015 , we45