1. © 2017 WhiteHat Security, Inc.
Take Control: Design a Complete DevSecOps Program
Siamak Pazirandeh
Chief Architect
WhiteHat Security Inc.
2. Siamak Pazirandeh
Chief Architect
Founding Engineer for over 14 years at WhiteHat Security Inc. Specialized in DAST (Dynamic Application Security Testing), scalability, and deployment automation.
3. About WhiteHat Security
150+ top security researchers; offices in Santa Clara, Houston, and Belfast.
5. It's All About Risk
By 2020, 60% of digital businesses will suffer major service failures due to IT security teams' inability to manage digital risk.
Gartner, 01 February 2017, "Market Insight: Security Market Transformation Disrupted by the Emergence of Smart, Pervasive and Efficient Security", Elizabeth Kim, Deborah Kish, Avivah Litan, Ruggero Contu, Perry Carpenter, Sid Deshpande, Lawrence Pingree, Eric Ahlm, Jacqueline Heng, Dale Gardner
7. Agenda
• What is DevSecOps?
• Basics of a Security Program
• Adding Security Checks into your DevOps Chains
• Example Scenarios
9. Forces behind the DevSecOps movement
• Agile development dictates a fast pace
• IT-managed infrastructure needs to keep up
• Must automate as much as possible in development, deployment, and the operational environment
10. DevSecOps
• IT teams are responsible for security
• Software iterates faster than IT can keep up
• DevSecOps weaves security into the fabric of your SDLC
• DevSecOps is to Security as DevOps is to IT
11. Agenda
• What is DevSecOps?
• Basics of Secure Development
• Adding Security Checks into your DevOps chains
• Example scenarios
12. The Challenge of Secure Software Development
• Security is not the core competency for most organizations
• Most organizations do not foster a secure coding culture
• Most developers are not trained in secure coding practices
• Most developers are not well supported in secure coding
• Security is often an afterthought
13. Basics of Secure Development
• Understand your business risk exposure
• What is your company's SDLC and DevOps maturity level?
• What is your architectural complexity?
• What is your current security stance?
• Answer these questions, document the answers, and review them periodically
14. Basics of Secure Development
• Produce a supportive environment
• Customize security documentation to your tech stack
• All tiers of an application (UI, APIs, Data Access, Business Logic) need to be developed with security in mind
• Security practices need to be reinforced early and often
• Developer training
• Come up with a Secure Development policy
15. Security Practice Checklist
1. Verify for Security Early and Often
2. Parameterize Queries
3. Encode Data
4. Validate All Inputs
5. Implement Identity and Authentication Controls
6. Implement Appropriate Access Controls
7. Protect Data
8. Implement Logging and Intrusion Detection
9. Use Security Frameworks and Libraries
10. Error and Exception Handling
16. Agenda
• What is DevSecOps?
• Basics of a Security Program
• Adding Security Checks into your DevOps chains
• Example scenarios
17. Reframing Security as a DevOps Initiative
18. DevSecOps – The Beginning
So, what if we …
• Treat security testing like feature testing
• Incorporate security requirements and checks into the SDLC
• Use available tooling to tie vulnerability scanning into DevOps build chains
• Automate defect state management
20. A Typical Development Cycle
Code / Developer → Code Repo → Run Tests → Build Artifacts → Object Registry → Team Integration → QA Integration Pipeline (Nightly) → Stage
21. Incorporate Security Checks
Pipeline: Code Repo → Run Tests → Build Artifacts → Object Registry → Team Integration → Integration QA Pipeline (Jenkins, Nightly) → Stage → Production
Security checks along the pipeline:
1 Pre-Commit: Static Analysis, Security Unit Tests, IDE integration
2 Pull-Request: Code Review, Static Analysis, Security Unit Tests (pass, merge)
3 Integration: Dynamic testing, Result Verification, File Vulnerability Tickets
4 QA Integration: Dynamic testing, Result Verification
5 Release: Production-safe Dynamic testing, File Vulnerability Tickets
6 WAF/RASP: WAF / RASP Rules
22. DevSecOps Trigger Points
1. Static scanning during development
2. Pull-Requests: static scans covering data flow, semantics, and configuration
3. Integration branch: dynamic scanning
4. QA Release Candidate Integration: dynamic scanning
5. Production Acceptance: production-safe dynamic scanning
6. Post-Production: RASP (runtime application self-protection) and WAF (web application firewall) rules both need updating; automation is better
23. Scenario 1 – Small Organization/App
Assume a single repo with a few components:
• UI: static JS client-side app
• REST API
• Data interface: SQL layer
24. Scenario 1 – Small Application
Pipeline: Code / Developer → Code Repo (PR hook) → Run Tests → Build Artifacts → Stage (Integration Tests, Performance, Security) → Prod
1 Static analysis: IDE integration, pre-commit checklist
2 Static Analysis: quick feedback analysis; verification a challenge
3 Dynamic Analysis: poll for results; verification a challenge
25. Create a supportive dev environment
Pipeline: Code / Developer → Code Repo (PR hook) → Run Tests → Build Artifacts → Stage (Integration Tests, Performance, Security) → Prod
1 Static analysis: IDE integration, pre-commit checklist
2 Static Analysis: quick feedback analysis; verification a challenge
3 Dynamic Analysis: poll for results; verification a challenge
27–31. "I fire up my IDE and triage my issues…"
• Search application vulnerabilities
• Step through the vulnerability in code
• Review remediation guidance
• Ask for help from TRC
• Apply Directed Remediation patch if available
32. Scenario 1 – Small Application
Pipeline: Code / Developer → Code Repo (PR hook) → Run Tests → Build Artifacts → Stage (Integration Tests, Performance, Security) → Prod
1 Training, Documentation, Dissemination, Code Reviews
2 Static Analysis: quick feedback analysis; verification a challenge
3 Dynamic Analysis: poll for results; verification a challenge
34. Example: API Integration to Trigger a Dynamic Scan
PUT https://sentinel.whitehatsec.com/api/site/6/scan_schedule
{
  "schedule": {
    "name": "Scan Once Now",
    "specs": [
      {
        "type": "scan-once-now"
      }
    ]
  }
}
200 OK
{
  "creator": 524,
  "job": {
    "id": "10"
  },
  "specs": [
    {
      "id": "1503",
      "type": "single",
      "cron_spec": "53 14 15 6 * 2017"
    }
  ],
  "timezone": "America/Los_Angeles",
  "href": "/api/job/10/schedule",
  "id": "1503",
  "api-version": 2,
  "name": "Scan Once Now"
}
35. Example: API Integration to Query for Results
GET https://sentinel.whitehatsec.com/api/job/10/instance/1402?format=json
200 OK
{
  "end": 1497564375,
  "duration": 4,
  "id": 1402,
  "timestamp": 1497564358,
  "requested_status": "",
  "job": 10,
  "status": "completed",
  "begin": 1497564371,
  "href": "/api/job/10/instance/1402"
}
36. Example: API Integration to Find Vulnerabilities
GET https://sentinel.whitehatsec.com/api/vuln?query_site=6&query_status=open&format=json
200 OK
{
  "collection": [
    {
      "status": "open",
      "site": "6",
      "opened": "2017-06-15T19:07:54Z",
      "threat": "2",
      "url": "testsite.localdomain.lan/app.cgi?var=<script>alert(123)<%2Fscript>",
      "id": "260",
      "modified": "2017-06-15T22:06:12Z",
      "first_opened": "2017-04-15T19:07:54Z",
      "site_name": "Testsite",
      "service_level_abbr": "BE",
      "accepted": 0,
      "found": "2017-04-15T19:07:54Z",
      …
      …
      "severity": "3",
      "score": 8,
      "class": "Cross Site Scripting",
      "href": "/api/vuln/260",
      "impact": 3
    }
  ]
}
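The three calls on slides 34 to 36 chained into the kind of pipeline gate the deck describes (trigger a scan, poll for results, red/green-light the build against the open vulnerabilities), as an added example that is not code from the deck or from WhiteHat. The HTTPS layer is replaced by a constructed fake that returns the slides' JSON; the job-instance id 1402 is assumed to come from a job-instance listing the deck does not show, and the severity threshold and the second vulnerability entry are assumptions.

```python
import time


class FakeTransport:
    """Stand-in for the HTTPS layer with constructed responses mirroring the slides'
    JSON; a real transport would send the request with an API key and parse JSON."""
    def __init__(self):
        self.polls = 0

    def __call__(self, method, path, body=None):
        if (method, path) == ("PUT", "/api/site/6/scan_schedule"):
            assert body["schedule"]["specs"][0]["type"] == "scan-once-now"
            return {"job": {"id": "10"}, "id": "1503", "name": "Scan Once Now"}
        if (method, path) == ("GET", "/api/job/10/instance/1402"):
            self.polls += 1  # first poll is still running, second is completed
            return {"id": 1402, "job": 10, "status": "running" if self.polls < 2 else "completed"}
        if (method, path) == ("GET", "/api/vuln?query_site=6&query_status=open"):
            return {"collection": [  # second entry is constructed, not from the deck
                {"id": "260", "class": "Cross Site Scripting", "severity": "3", "score": 8},
                {"id": "261", "class": "Information Leakage", "severity": "1", "score": 2}]}
        raise KeyError((method, path))


def trigger_scan(transport, site_id):
    """PUT the scan-once-now schedule (slide 34); return the job id to poll."""
    body = {"schedule": {"name": "Scan Once Now", "specs": [{"type": "scan-once-now"}]}}
    return transport("PUT", f"/api/site/{site_id}/scan_schedule", body)["job"]["id"]


def wait_for_scan(transport, job_id, instance_id, attempts=10, delay=0.0):
    """Poll the job instance (slide 35) until its status is 'completed'."""
    for _ in range(attempts):
        inst = transport("GET", f"/api/job/{job_id}/instance/{instance_id}")
        if inst["status"] == "completed":
            return inst
        time.sleep(delay)
    raise TimeoutError(f"job {job_id} instance {instance_id} did not complete")


def gate_build(transport, site_id, job_id, instance_id, block_at_severity=3):
    """Fetch open vulns (slide 36) and red/green-light the build: any open vuln at or
    above the policy threshold blocks the merge or deploy; the rest go to tickets."""
    wait_for_scan(transport, job_id, instance_id)
    vulns = transport("GET", f"/api/vuln?query_site={site_id}&query_status=open")["collection"]
    blocking = sorted((v for v in vulns if int(v["severity"]) >= block_at_severity),
                      key=lambda v: -v["score"])
    return ("red" if blocking else "green"), blocking
```

The threshold is where the team's security policy plugs in: a stricter asset (HIPAA, PCI) would lower `block_at_severity`, a low-risk one could raise it.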
39. DevSecOps Pain Points
• Scanner result verification, false positives
• Static / dynamic scan speeds
• Results need interpretation and prioritization within the business context
40. Scenario 2 – Medium-Size Organization/App
DevOps 1 -> team integration branch (team integration commit hooks):
• Black-box dynamic testing in QA
• Business logic assessment
• Pen testing
Team needs to vet results, assess risk, prioritize, and apply the security policy to green/red-light the build.
DevOps 2 -> team integration branch, QA integration → Prod push:
• Production-safe dynamic testing
• Remediate using WAF technologies for the short term
• Queue up the original ticket for fixing
Team needs to vet results, prioritize, generate tickets, and apply company security policy to bubble up priorities.
Each team runs static analysis in pre-commit hooks, verifies results, and accepts or fixes findings per the security policy.
41. Scenario 2 – Common Challenges
Static analysis of individual repositories is too narrow in scope (think microservices)
Verification of results is time-consuming
Increasing need for analytics and overall risk analysis
42. Scenario 3 – Large Company, Mature DevOps
• Compliance is more of a factor
• Policy and records need documentation
• Risk management platforms can be integrated with vulnerability data
• Reports need to be available on hand for audits
43. Risk Management: Asset Enumeration
Evaluate operational risk, enumerate assets, and produce security policies for different groups.
• Customize policies and requirements based on the risk profile of each asset
• Platforms like RSA's Archer evaluate your overall risk and integrate with security vendors
• Integrate your risk-model (BI, VM) software with scanning services
44. Asset Enumeration Example: Fictitious Healthcare Company
• Documentation content for customers (Low risk)
• Customer health data portal (High risk, HIPAA)
• Online personalized medical appliances shopping website (High risk, PCI, HIPAA)
• Backend insurance/EHR processing/B2B integrations (High risk, HIPAA)
• Backend statistics integrations for website usage statistics (Medium risk, non-authenticated content only)
• New mobile app portal (High risk, HIPAA)
45. DevSecOps Integrations & Touchpoints: Healthcare Example cont.
• Add a ticketing-system checkbox for architectural security review by feature.
• Add code review checkboxes on pull requests. Integrate with ticketing.
• Codify security tests as part of unit/integration testing where possible.
• Tie in static analysis security testing and make it a gating factor for code check-ins. Integrate with tickets.
• Require manager approval to bypass security test failures.
• Test QA integration branches with verified security testing services; QA teams codify negative security tests for verified vulnerabilities.
46. Other Resources
How about mobile? https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
OWASP Top 10 in practice, great page: https://www.owasp.org/index.php/OWASP_Top_10/Mapping_to_WHID
The OWASP site also has links to many tools that can be integrated into your SDLC automations.
47. Thank You
Siamak Pazirandeh
WhiteHat Security Inc.
max.pazirandeh@whitehatsec.com