the security phoenix devsecops - focus on risk and governance

1. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
The Security Phoenix raises from DEV-OPS ashes
Whitehall Media Enterprise Security Risk Management
@FrankSEC42
A risk based prospective of DEV-SEC-OPS
https://uk.linkedin.com/in/fracipo

2. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
Agenda About the author
Conclusions
Q&A
Security Phoenix – Security
Ops
Security Phoenix – Trust and Risk based
approach
Evolution of DEVOPS in Security
Phoenix
Context
@FrankSEC42
Security Phoenix – Governance &
Education

3. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
About the Francesco
3
Francesco Cipollone
Founder – NSC42 LTD
I’m a CISO and a CISO Advisor, Cybersecurity Cloud Expert. Speaker, Researcher and
Chair of Cloud security Alliance UK, Researcher and associate to ISC2.
I’ve been helping organizations define and implement cybersecurity strategies and protect
their organizations against cybersecurity attacks
Website Articles NSC42 LinkedIn
Security is everybody’s job
We need to make security cool and frictionless
Copyright © NSC42 Ltd 2019
Email@FrankSec42 Fracipo Linkein

4. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
What the hek is DEV-SEC-OPS?
4
What kind of animal is the DEV-SEC-OPS?
CHALLENGE: How do we integrate risk MNGM into DEV-OPS?

5. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Anatomy of a phoenix
5
What Are the core component of Security Phoenix
Secure
Operate
Secure
Design Build & Test
People &
Education
Governance
& Risk mng

6. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Security Phoenix & Risk – what you get
6
1. Risk management & Trust - Trust & Verify & Risk
2. Visualize, triage/risk assess, fix Vulnerability at scale
and pace (DEV & Ops) in POD + Risk
3. Security Design Risk, Governance and Education for
Risk

7. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Team Structure
7
Appl
Secu
Job Queu
Defects
Bugs
Am i still compliant with Overall
Build vs FIX Targets ?
Code
3rd parties
Components (FOSS +
Libraries)
Deployment to prod
Relies on the License
to Operate
Security
Vulnerabilities
Bugs&
Errors
NEWFeatures
Thresholds
Application
Security Scanners
Production Dashboard
Development Dashboard
Job Queue
Defects
Bugs
New
Features
Am I compliant with
Code Defects
Target ?
Am i still compliant with Overall
Build vs FIX Targets ?
Triage &
Vulnerability
Per applicationDay to
day fix or build
Code
3rd parties
Components (FOSS +
Libraries)
Engeneers &
Developers
DEV-SEC-OPS Application Group (unit that
works on one or more application)
DEV
Test
Prod
Deployment to prod
Relies on the License
to Operate
Engeneers &
Developers
Application/
Product
Owner
Security Champion
Security
Architect
Security
Vulnerabilities
Bugs&
Errors
NEWFeatures
Thresholds
License to operate
Build vs Fix
Vuln Thresholds
RiskManagement

8. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
SDLC Stages and actions
8
SDLC
Stages

9. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Security Phoenix & Risk – what you get
9
1. Risk management & Trust - Trust & Verify & Risk
2. Visualize, triage/risk assess, fix Vulnerability at scale
and pace (DEV & Ops) in POD + Risk
3. Security Design Risk, Governance and Education for
Risk

10. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
DEVELOPMENT RISK
10
1. Library Update – timeline and risk
2. Code Defects – timeline and risk
3. Deviation from standards
4. Testing Defects (vulnerabilities in test)
BUILD/TE
ST
Security
Build/TEST Risk:

11. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Production Risks
11
1. Library Update – timeline and risk
2. OS/Patching/Apps – timeline and risk
3. Deviation from regulation
4. Rinse and Repeat
Production
Security
OPS Risk:
Hardware
OS/Container
Apps (3rd Party)
Frameworks
Libraries (3rd) / FOSS
Code/Build

12. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Security Operate - Size of the problem
12
Source:: https://snyk.io/wp-content/uploads/The-State-of-Open-Source-2017.pdf
How long it takes to fix a vulnerability? 16-94 days
Vulnerabilities disclosure:
5.9 years
MAX time from inclusion to disclosure
0 days
MIN time from inclusion to disclosure
2.5 years
AVER time from inclusion to disclosure
Vulnerabilities FIX:
94 days
MAX time from disclosure to fix
0 days
MIN time from disclosure to fix
16 days
AVER time from disclosure to fix

13. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Dashboard for Code Defects -> Under the hood
13
Repositories
Build/Staging/UAT/
Test Environments
Scanner for Code
Scanner for Build
Dashboards For
SAST
DEV Dashboard
Scanner for Test
Dashboard Build/ Test
Production
Prod Scnner Dashboards
PROD Dashboards
Development-Testing Production
Scanner for prod
Triage the
vulnerabilities
Scan At
various
Stages
Scanners to
Tickets or
aggregators
DEV
Security
Productio
n
Security
SET Targets
For Prod &
DEV Vuln

14. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Dashboard for Code Defects
14
Example of a dashboard for Vulnerability
Visualization
DEV
Security
Productio
n
Security

15. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Risk at various stages
15
DEV
Security
Productio
n
Security

16. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Triage, Prioritize & Risk assess
16
1. L1 – Basic – False positives
2. L2 – Medium – Location/CVE Risk
3. L3 – Adv – Environment/Exploitability
4. Nirvana – Auto Enrichment, Risk Score & prioritization
BUILD/TE
ST
Security
Triage Vulnerabilities – maturity levels

17. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Secure Operate
17
Nirvana – number based risk score
Tools that are available in the market
DEV
Security
Productio
n
Security

18. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Triage, Prioritize & Risk assess
18
BUILD/TE
ST
Security
Triage Vulnerabilities – maturity levels

19. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Triage, Prioritize & Risk assess
19
For Advanced Consider:
1. Vulnerabilities score (LMH)
2. Network Location
3. Exploitability
4. Prod/Non Prod
5. Risk Lvl
BUILD/TE
ST
Security
BYORS
Risk = (1.5*High+1*medium+0.5*Low)
Risk = Likelihood × Impact
Criticality = Probability × Severit
Basic Formula
CWSS = BaseFindingSubscore * AttackSurfaceSubscore * EnvironmentSubscore
Advanced Formula

20. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Security Phoenix & Risk – what you get
20
1. Risk management & Trust - Trust & Verify & Risk
2. Visualize, triage/risk assess, fix Vulnerability at scale
and pace (DEV & Ops) in POD + Risk
3. Security Design Risk, Governance and Education for
Risk

21. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Security Education in DEV-SEC-OPS
21
1. Threat Modelling
2. Craft DEV Training based on the scanner (faults) data
3. Education on the job – risk assessment & management
4. Make the training entertaining (CTF and Rewards)
Security
Education
Education:

22. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Conclusion
22
- Trust And Verify & risk management
- Risk visualization and prioritization
- Vulnerability & risk assessment every day life
- Automation vs people aspect – is a transformation
- Education on risk and assessment
Security at scale and pace
Security is everybody’s job

23. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Mentoring
Research
Events
Networking
Twitter: @csaukchapter
LinkedIn: https://www.linkedin.com/groups/3745837/
CSA-UK - We need you
23
Join!

24. Every 2 weeks 1.30 PM UK Time
Cyber #MentoringMonday
Podcast
@FrankSEC42

25. Cyber Security Awards 2020
Cloud Security Influencer of the Year
Submission – 10 of May 2020 (TBD)
Ceremony 4 July
2020
#CYSECAWARDS20https://cybersecurityawards.com/
https://cloudsecurityalliance.org.uk
Submit: info@cybersecurityawards.com
Info:

26. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Q&A
26

27. Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Contacts
27
Get in touch:
https://uk.linkedin.com/in/fracipo
Francesco.cipollone (at) nsc42.co.uk
www.nsc42.co.uk
Thank you
WHEN YOU ARE CYBERSAFE WE ARE CYBERHAPPY
@FrankSEC42