How can we really automate secure coding? Agile, DevOps, Continuous Integration, Orchestration, Static, Dynamic - There's an endless feed of Buzzwords, but how can we turn this into a practice that really works? In this session we will review real world examples of building a successful automation process for delivery of secure software in fast paced development environments. The talk will focus on three different organizations at different maturity levels and how security automation processes were applied and adapted to fit their development lifecycle.
Ofer Maor - Security Automation in the SDLC - Real World Cases
1. Security Automation in Agile SDLC
Real World Cases
Ofer Maor
Director of Security Strategy, Synopsys
Central Ohio Security Summit, March 2016
2. Speaker
• Security Strategy at Synopsys
• Founder of Seeker / Pioneer of IAST
• Hacker at Heart
• Longtime OWASPer
• Over 20 Years in Cybersecurity
• Avid Photographer
Yes, Agile can bite…
3. The Agile Security Challenge™
• Too Much Data
• Security by Developers
• Short Cycles
• Rapid Delivery
• Prioritizing Risk
• Understanding the Pain
6. Case I
Background
Insurance Company
Agile Maturity: In Transition
Automation Maturity: Starting
AppSec Maturity: Medium
• Insurance Company. Home-grown apps
• ~15 different systems (Customer/Agent/Internal)
• Varying level of agile maturity & transformation
• CI-Only to Full-Agile
• Focus on new systems
7. Case I
Challenges
Insurance Company
Agile Maturity: In Transition
Automation Maturity: Starting
AppSec Maturity: Medium
• Limited security background for developers, no existing process
• Different “Agile Maturity” – No one process fits all
• Insufficient test automation (coverage)
• Limited security resources
• Strong regulatory requirements
• Various technologies (.Net, Java, Legacy MF, more…)
8. Case I
Process
Insurance Company
Agile Maturity: In Transition
Automation Maturity: Starting
AppSec Maturity: Medium
• Creating strong cooperation (R&D/DevOps/Security)
• Security visibility into R&D bugs
• Weekly approval committee
• R&D Training (Basic!)
• Risk Policy (adapting risks, “High” only blocks)
• Multiple output channels (tickets, reports, etc.)
9. Case I
Existing CI/DevOps
Insurance Company
Agile Maturity: In Transition
Automation Maturity: Starting
AppSec Maturity: Medium
• CI – Jenkins. Pulls code from Java/.NET Repositories
• Ticket Tracking – HP QC
• Static Analysis (mainly for quality). Not integrated into the process
• Artifacts deployed to test env (permanent – static)
• Test automation – basic (in progress)
• Functionality testing – mostly manual
10. Case I
Security Automation
Insurance Company
Agile Maturity: In Transition
Automation Maturity: Starting
AppSec Maturity: Medium
• Integrate to launch from CI
• Integration with both automated (speed) and manual testing (coverage)
• Multiple Outputs:
  • Jenkins Integration – “High” breaks build (response + HTML data)
  • QC Integration – Bug Tracking and Remediation
  • PDF Report – for auditing and committee review
13. Case II
Background
UK Retailer
Agile Maturity: High
Automation Maturity: High
AppSec Maturity: Low
• UK Retailer with eCommerce Platform
• Single Platform, 5 “Flavors” (Customer facing)
• “Run of the mill” Agile Shop:
  • Scrum based
  • 3-week sprints. Strict enforcement
  • Strong automation
14. Case II
Challenges
• Response to an incident
• Minimal existing security
• No security background for developers.
• Limited security resources
• No existing process between security & R&D
• Very strict 3-week sprints
UK Retailer
Agile Maturity: High
Automation Maturity: High
AppSec Maturity: Low
15. Case II
Process
• Process driven by R&D, with security supervision
• Security “Workflow” created, testing once a week
• Week 1 & 2 to identify vulnerabilities in new code
• Week 3 test provides verification
• Breaking (Medium or higher) on verification – feature pushed out of version
• Weekly reports (PDF) to security group for auditing
UK Retailer
Agile Maturity: High
Automation Maturity: High
AppSec Maturity: Low
16. Case II
Existing CI/DevOps
• CI – Jenkins.
• Ticket Tracking – JIRA
• All test environments run in the cloud (Amazon)
• Dynamic orchestration of test env – new environments every week (4 servers/instance)
• Automated deployment of build artifacts alongside testing framework (Selenium)
• Daily execution of test automation (functionality)
UK Retailer
Agile Maturity: High
Automation Maturity: High
AppSec Maturity: Low
17. Case II
Security Automation
• Dedicated security environment
• Adaptation of orchestration scripts (for deploying security testing software)
• Integration with Selenium
• Weekly orchestration of the test environment and execution of tests
• Tests integrated into CI – HTML reports for Jenkins viewing.
• PDF Reports for processing and audit
UK Retailer
Agile Maturity: High
Automation Maturity: High
AppSec Maturity: Low
21. Case III
Background
eCommerce Giant
Agile Maturity: Very High
Automation Maturity: Very High
AppSec Maturity: Very High
• In Top 10 largest eCommerce sites
• Following a long, cross-organization “Agile Transformation” process
• Highly advanced Agile/DevOps process
• Modular site with multiple front-end and back-end components
• Hundreds of engineers (Dev, QA, DevOps, etc.)
• Heavy investment in security – already using various tools
22. Case III
Challenges
• Introduction of security automation in QA/DevOps
• Multiple components for multiple teams
• Extremely dynamic testing environments (dynamically orchestrated and changing)
• Home-Grown DevOps – Cloud, CI, Testing, Orchestration, etc.
• Highly Agile/Rapid environment – Continuous Delivery with daily artifacts
• Security cannot be involved in the daily process
eCommerce Giant
Agile Maturity: Very High
Automation Maturity: Very High
AppSec Maturity: Very High
23. Case III
Process
• Process initiated by the security group, with DevOps cooperation
• QA/DevOps training on process (rather than security)
• Security tests run as part of other testing, on a daily basis
• Prioritization policy – “Medium” or higher blocks. “Low” scheduled for next version.
• Verification Metrics – Usage of another tool in production – must return clean.
• Security group supervises the process and has visibility to reports.
eCommerce Giant
Agile Maturity: Very High
Automation Maturity: Very High
AppSec Maturity: Very High
24. Case III
Existing CI/DevOps
• Homegrown CI/Orchestration/Cloud
• Ticket Tracking – JIRA
• Daily build creation
• Daily creation of cloud environments with various server roles and elastic scaling
• Daily orchestration of latest builds and latest test automation versions
• Hybrid Automation – Selenium for web/front-end, Homegrown for WS
eCommerce Giant
Agile Maturity: Very High
Automation Maturity: Very High
AppSec Maturity: Very High
25. Case III
Security Automation
• Orchestration adapted to deploy security testing software as part of existing testing env
• Full CI integration
• All existing automation directed to integrate with security testing
• Security tests run daily
• Full JIRA bug tracking integration – with automated delivery per team
• Running of additional blackbox scanner on production for reverification
eCommerce Giant
Agile Maturity: Very High
Automation Maturity: Very High
AppSec Maturity: Very High
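The build-gate logic behind the risk policies on these slides (Case I: only “High” breaks the build; Case III: “Medium” or higher blocks, “Low” is scheduled for the next version, with findings delivered per team), written here as an added example rather than code from the talk or from any scanner. Severity names, finding fields and team names are constructed sample data.

```python
"""Severity-based build gate for security findings run from CI.

Added example, not from the talk. Models the two policies described:
"High only blocks" (Case I) and "Medium or higher blocks, Low deferred
to next version" (Case III), plus per-team routing before ticketing.
"""
from collections import defaultdict

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample findings, shaped like a scanner export after a CI run.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "High", "component": "checkout", "team": "payments"},
    {"id": "F-2", "severity": "Medium", "component": "search", "team": "catalog"},
    {"id": "F-3", "severity": "Low", "component": "search", "team": "catalog"},
    {"id": "F-4", "severity": "Low", "component": "account", "team": "identity"},
]


def rank(severity):
    """Fail closed: an unknown severity label is treated as the highest rank,
    so a scanner renaming a level can never silently turn the gate green."""
    return SEVERITY_RANK.get(severity, max(SEVERITY_RANK.values()) + 1)


def gate(findings, block_at):
    """Apply a risk policy: findings at or above block_at fail the build.

    Returns (build_passes, blocking, deferred). Blocking findings must be
    fixed in the current sprint; the rest are deferred to the next version.
    """
    threshold = SEVERITY_RANK[block_at]
    blocking = [f for f in findings if rank(f["severity"]) >= threshold]
    deferred = [f for f in findings if rank(f["severity"]) < threshold]
    return (len(blocking) == 0, blocking, deferred)


def route_to_teams(findings):
    """Group finding ids per owning team, the 'automated delivery per team'
    step that feeds the JIRA/QC integration on the slides."""
    per_team = defaultdict(list)
    for f in findings:
        per_team[f["team"]].append(f["id"])
    return dict(per_team)


if __name__ == "__main__":
    for policy in ("High", "Medium"):
        ok, blocking, deferred = gate(SAMPLE_FINDINGS, policy)
        print(f"block_at={policy}: build {'PASS' if ok else 'FAIL'}, "
              f"{len(blocking)} blocking, {len(deferred)} deferred")
        print("  tickets per team:", route_to_teams(blocking))
```

Wire `gate()` to the CI step's exit code and `route_to_teams()` to the ticket-tracker integration; the same findings then drive the build response, the tickets and the audit report.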