Ofer Maor - Security Automation in the SDLC - Real World Cases

  1. Security Automation in Agile SDLC: Real World Cases
     Ofer Maor, Director of Security Strategy, Synopsys
     Central Ohio Security Summit, March 2016

  2. Speaker
     • Security Strategy at Synopsys
     • Founder of Seeker / Pioneer of IAST
     • Hacker at Heart
     • Longtime OWASPer
     • Over 20 Years in Cybersecurity
     • Avid Photographer
     Yes, Agile can bite…

  3. The Agile Security Challenge™
     • Too Much Data
     • Security by Developers
     • Short Cycles
     • Rapid Delivery
     • Prioritizing Risk
     • Understanding the Pain

  4. Automation: Automated, Continuous, Practical Testing

  5. Case I: Insurance Company Transforming to Agile

  6. Case I: Background
     Insurance Company | Agile Maturity: In Transition | Automation Maturity: Starting | AppSec Maturity: Medium
     • Insurance company, home-grown apps
     • ~15 different systems (Customer/Agent/Internal)
     • Varying levels of agile maturity and transformation
       • From CI-only to full Agile
     • Focus on new systems

  7. Case I: Challenges
     • Limited security background for developers, no existing process
     • Different “Agile maturity” levels: no one process fits all
     • Insufficient test automation (coverage)
     • Limited security resources
     • Strong regulatory requirements
     • Various technologies (.NET, Java, legacy mainframe, more…)

  8. Case I: Process
     • Creating strong cooperation (R&D/DevOps/Security)
     • Security visibility into R&D bugs
     • Weekly approval committee
     • R&D training (basic!)
     • Risk policy (adapting risks; “High” only blocks)
     • Multiple output channels (tickets, reports, etc.)

  9. Case I: Existing CI/DevOps
     • CI: Jenkins, pulling code from Java/.NET repositories
     • Ticket tracking: HP QC
     • Static analysis (mainly for quality), not integrated into the process
     • Artifacts deployed to a permanent, static test environment
     • Test automation: basic (in progress)
     • Functionality testing: mostly manual

  10. Case I: Security Automation
     • Integrated to launch from CI
     • Integration with both automated testing (speed) and manual testing (coverage)
     • Multiple outputs:
       • Jenkins integration: “High” breaks the build (response + HTML data)
       • QC integration: bug tracking and remediation
       • PDF report: for auditing and committee review

  11. Case II: UK Retailer, Established Agile Shop

  12. Case II: Background
     UK Retailer | Agile Maturity: High | Automation Maturity: High | AppSec Maturity: Low
     • UK retailer with an eCommerce platform
     • Single platform, 5 customer-facing “flavors”
     • “Run of the mill” Agile shop:
       • Scrum based
       • 3-week sprints, strictly enforced
       • Strong automation

  13. Case II: Challenges
     • Response to an incident
     • Minimal existing security
     • No security background for developers
     • Limited security resources
     • No existing process between security and R&D
     • Very strict 3-week sprints

  14. Case II: Process
     • Process driven by R&D, with security supervision
     • Security “workflow” created, testing once a week:
       • Weeks 1 and 2 identify vulnerabilities in new code
       • The week 3 test provides verification
     • Breaking (Medium or higher) on verification: feature pushed out of the version
     • Weekly reports (PDF) to the security group for auditing

  15. Case II: Existing CI/DevOps
     • CI: Jenkins
     • Ticket tracking: JIRA
     • All test environments run in the cloud (Amazon)
     • Dynamic orchestration of test environments: new environments every week (4 servers per instance)
     • Automated deployment of build artifacts alongside the testing framework (Selenium)
     • Daily execution of test automation (functionality)

  16. Case II: Security Automation
     • Dedicated security environment
     • Adaptation of orchestration scripts (to deploy the security testing software)
     • Integration with Selenium
     • Weekly orchestration of the test environment and execution of tests
     • Tests integrated into CI: HTML reports for viewing in Jenkins
     • PDF reports for processing and audit

  17. Case III: eCommerce Giant, Continuous Delivery

  18. Case III: Background
     eCommerce Giant | Agile Maturity: Very High | Automation Maturity: Very High | AppSec Maturity: Very High
     • In the top 10 largest eCommerce sites
     • Following a long, cross-organization “Agile transformation” process
     • Highly advanced Agile/DevOps process
     • Modular site with multiple front-end and back-end components
     • Hundreds of engineers (Dev, QA, DevOps, etc.)
     • Heavy investment in security; already using various tools

  19. Case III: Challenges
     • Introduction of security automation in QA/DevOps
     • Multiple components for multiple teams
     • Extremely dynamic testing environments (dynamically orchestrated and changing)
     • Home-grown DevOps: cloud, CI, testing, orchestration, etc.
     • Highly Agile, rapid environment: continuous delivery with daily artifacts
     • Security cannot be involved in the daily process

  20. Case III: Process
     • Process initiated by the security group, with DevOps cooperation
     • QA/DevOps training on the process (rather than on security)
     • Security tests run as part of the other testing, on a daily basis
     • Prioritization policy: “Medium” or higher blocks; “Low” is scheduled for the next version
     • Verification metric: a second tool run in production must return clean
     • The security group supervises the process and has visibility into reports

  21. Case III: Existing CI/DevOps
     • Home-grown CI/orchestration/cloud
     • Ticket tracking: JIRA
     • Daily build creation
     • Daily creation of cloud environments with various server roles and elastic scaling
     • Daily orchestration of the latest builds and latest test automation versions
     • Hybrid automation: Selenium for web/front-end, home-grown for WS

  22. Case III: Security Automation
     • Orchestration adapted to deploy the security testing software as part of the existing test environment
     • Full CI integration
     • All existing automation directed to integrate with security testing
     • Security tests run daily
     • Full JIRA bug tracking integration, with automated delivery per team
     • An additional blackbox scanner run on production for re-verification
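The three cases share one mechanism: a CI stage that reads the security test results, applies a severity policy ("High" breaks the build in Case I, "Medium" or higher in Cases II and III, with "Low" deferred to the next version), and fans the same data out to several outputs (build status for Jenkins, tickets per team, a report). The following is an added example of such a gate, written for this page and not taken from the talk or from any vendor tool. It assumes a hypothetical JSON findings format and constructed sample findings; a real scanner exports its own schema, so this script would sit behind a small adapter.

```python
"""Severity-policy build gate for a CI security stage.

Added example, not from the talk or any vendor tool. It assumes a
hypothetical JSON findings format (constructed below); real scanners
export their own schemas and this script would sit behind an adapter.
"""
import json
import sys
from collections import defaultdict

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Gating policies as described for the three cases:
#   Case I:      "High" breaks the build
#   Case II/III: "Medium" or higher blocks; "Low" is scheduled for the next version
POLICIES = {
    "case1": {"block_at": "High"},
    "case2": {"block_at": "Medium"},
    "case3": {"block_at": "Medium"},
}

# Constructed sample findings (hypothetical format, not real scanner output).
SAMPLE_FINDINGS_JSON = """[
  {"id": "F-1", "component": "checkout", "owner_team": "payments",
   "severity": "High", "title": "SQL injection in order lookup", "verified": true},
  {"id": "F-2", "component": "search", "owner_team": "catalog",
   "severity": "Medium", "title": "Reflected XSS in search echo", "verified": true},
  {"id": "F-3", "component": "search", "owner_team": "catalog",
   "severity": "Low", "title": "Missing X-Content-Type-Options header", "verified": true},
  {"id": "F-4", "component": "account", "owner_team": "identity",
   "severity": "High", "title": "Possible IDOR on profile id", "verified": false}
]"""


def load_findings(raw_json):
    """Parse findings and reject unknown severities early, so a scanner schema
    change fails the stage loudly instead of silently passing the gate."""
    findings = json.loads(raw_json)
    for f in findings:
        if f.get("severity") not in SEVERITY_RANK:
            raise ValueError(f"finding {f.get('id')} has unknown severity {f.get('severity')!r}")
    return findings


def evaluate(findings, policy, require_verified=True):
    """Split findings into blocking and deferred under the policy.

    With require_verified=True, unverified findings never break the build; they
    are deferred to a verification run (Case II's week-3 test, Case III's
    production re-verification) rather than dropped.
    Returns (build_ok, blocking, deferred).
    """
    threshold = SEVERITY_RANK[policy["block_at"]]
    blocking, deferred = [], []
    for f in findings:
        if require_verified and not f.get("verified", False):
            deferred.append(f)
        elif SEVERITY_RANK[f["severity"]] >= threshold:
            blocking.append(f)
        else:
            deferred.append(f)
    return (not blocking, blocking, deferred)


def tickets_per_team(findings):
    """Group finding ids by owning team: the per-team ticket delivery of Case III."""
    by_team = defaultdict(list)
    for f in findings:
        by_team[f["owner_team"]].append(f["id"])
    return dict(by_team)


def render_summary(build_ok, blocking, deferred):
    """Plain-text summary for the CI log; the same data would feed the HTML/PDF outputs."""
    lines = [f"build: {'PASS' if build_ok else 'FAIL'}",
             f"blocking: {len(blocking)}  deferred: {len(deferred)}"]
    for f in blocking:
        lines.append(f"  BLOCK {f['id']} [{f['severity']}] {f['component']}: {f['title']}")
    for f in deferred:
        lines.append(f"  DEFER {f['id']} [{f['severity']}] {f['component']}: {f['title']}")
    return "\n".join(lines)


def exit_code_for(build_ok):
    """A non-zero exit is what makes the CI server mark the stage failed."""
    return 0 if build_ok else 1


def main(argv):
    policy_name = argv[1] if len(argv) > 1 else "case1"
    findings = load_findings(SAMPLE_FINDINGS_JSON)
    build_ok, blocking, deferred = evaluate(findings, POLICIES[policy_name])
    print(render_summary(build_ok, blocking, deferred))
    print("tickets:", tickets_per_team(blocking))
    return exit_code_for(build_ok)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python gate.py case1` or `python gate.py case3` to see the same four constructed findings gated under the two policies. The verification flag matters: under the Case I policy the unverified High finding F-4 is deferred rather than blocking, which mirrors the talk's separation of identification from verification, and the grouping by owning team is what turns one scan result into per-team tickets.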
  23. Thank You! Questions?