DevSecOps without DevOps is Just Security

Principal Consultant and Practice Lead, Automation and Integration Services at Aspect Security
23 Dec 2018
  1. DevSecOps without DevOps is just security (LASCON 2018)
  2. Introductions
     Kevin Fealey
     ► 10 years in application security
     ► 8 years focusing on DevSecOps
     ► 5 time speaker at LASCON
     Josh Wallace
     ► 7 years in development + 6 years in application security (DevSecOps)
     ► Thought leadership
     ► “On the ground” with Fortune 100 companies
  3. Agenda
     ► Defining Dev[Sec]Ops
     ► AppSec / “DevSecOps” Today
     ► Building a Foundation for DevSecOps
  4. Defining DevOps
     One definition of many… C.A.L.M.S.: Culture, Automation, Lean, Measurement, Sharing
  5. Defining DevOps
     One definition of many… C.A.L.M.S.: Culture, Automation, Lean, Measurement, Sharing
     DevSecOps just means security follows these principles too.
  6. Where is application security today? A consultant’s viewpoint
     High maturity in financial services organizations
     Maturity is increasing in other sectors as well
       • Driven largely by incidents and regulations
     Organizations are spending increasing amounts of time waiting on AppSec activities
     Existing processes and work flows are difficult to scale, time consuming, and often manual
       • All things we do not want to hear in a DevOps talk
  7. DevSecOps Today: AppSec is getting left behind
     ► AppSec is not even in the race.. (image labels: DevOps, AppSec)
     ► SAST and DAST were released almost 20 years ago
     ► How are they different today?
     ► Few technology innovations since..
     Unrelated… Is this someone’s vision of the future? Why was this picture taken?
  8. Current tooling gaps: what are the challenges with current security tooling?
     ► Takes considerable time to execute
     ► Planning required to perform even a basic test
     ► High rates of false positives and false negatives
     ► Slow to evolve
     ► Minimal support for:
       ► REST Services
       ► Front-end web frameworks (AngularJS, React)
       ► Mobile
       ► Dynamically-typed languages (Python, JavaScript, Ruby, PHP)
       ► Newly popular languages / frameworks (Rust, GoLang, Kotlin)
  9. Top programming languages
     Now, where have I seen most of these languages before? 6/8 languages not well supported
  10. DevOps in 5 years…
     ► Over $10B market cap (3x today)
     ► 25% CAGR
     ► Approximately a zillion new tools
  11. Security in the Dev[Sec]Ops chain: building stronger links
     Culture of experimentation, Automate your job, Leverage standardization to scale, Measure everything, Shared responsibility, Profit?
  12. Culture of experimentation
     “Curse you, Perry the Platypus! It’s time to practice ‘mad’ science!”
     (Image labels: AppSec Engineer, DevOps Engineer, DevSecOps Engineer)
     “Well, that didn't work. And now we have a two-ton ball of tin foil going at 200 miles an hour heading directly at us!”
     “Decades of scientific research has proven that …” - Every scientist ever
  13. Automate your job! Before someone else does
     ► Less reliance on 3rd party tooling
     ► Custom tooling for your tech stacks that meets your throughput and coverage requirements
     ► Automating your job becomes part of your job description
     ► “If you are able to automate your job, you will never automate yourself out of a job.” - me
     https://www.linkedin.com/jobs/search/?currentJobId=858847672&keywords=application%20security%20engineer
  14. Leverage standardization to scale
     ► The DevOps industry is the Wild West
     ► New (fun?) languages, frameworks, and tools daily
     ► Languages, frameworks, SCM tooling, SDLCs, and release processes not shared between teams
     ► What is easier to secure? 10 disparate systems or 10,000 identical ones?
     ► “Standardized architecture enables the ‘high-trust culture’ that successful DevOps requires.” – Gene Kim
  15. Standardized security architecture: an example
     1. Standard architecture patterns
     2. Security control taxonomy
     3. Security as Code
     [Figure: example SharePoint farm reference architecture (Internet, Web Front End, SharePoint Services, Application Servers for SSRS/SSAS, SQL Server, Active Directory, Content/Config/Services DBs, NTFS cluster FS for large blobs), annotated with a legend: Present and Requires Limited Action / Present but Not Standard / Not Provided / Provided But Irrelevant to Security / Present but Requires Action]
  16. Measure everything
     And collect it, and track it, and correlate it… and look at it too.
     ► Collect and analyze data to find bottlenecks and anomalies (i.e. log everything!)
     ► Correlate development, operational, and security metrics to get better
     [Chart: Curve 1 to Curve 4 plotted on a 0% to 100% axis]
  17. Sample metrics: a few ideas just to get you started
     ► Today
       ► # of findings per security category found (including false-positives)
       ► # of findings per security category reported
       ► Average time spent on each task (kickoff, scan, triage, reporting, etc.) per application
       ► Average number of findings (false positives, true positives, in/out of scope, reported) for each security category (XSS, injection, etc.) per application
     ► Future
       ► Average number of DOM-Based XSS vulnerabilities released on a Thursday before a holiday by Kevin Fealey when the moon is waning
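An added example (not from the deck) of computing the "Today" metrics above from triaged assessment records, so they can feed a dashboard rather than a spreadsheet. The finding and task records are constructed; the column layout (application, category, disposition, reported flag) is an assumption.

```python
"""Compute the slide's 'Today' AppSec metrics over constructed assessment records.

Added example, not from the LASCON deck. Record layouts are assumptions.
"""
from collections import defaultdict
from statistics import mean

# Constructed finding records: (application, security category, disposition, reported).
# 'reported' marks the findings that reached the dev team after triage.
FINDINGS = [
    ("payments", "XSS", "true-positive", True),
    ("payments", "XSS", "false-positive", False),
    ("payments", "injection", "true-positive", True),
    ("payments", "injection", "out-of-scope", False),
    ("portal", "XSS", "false-positive", False),
    ("portal", "XSS", "true-positive", True),
    ("portal", "injection", "false-positive", False),
]
# Constructed task timings in minutes: (application, task, minutes).
TASKS = [
    ("payments", "kickoff", 30), ("payments", "scan", 240), ("payments", "triage", 180),
    ("portal", "kickoff", 50), ("portal", "scan", 120), ("portal", "triage", 60),
]


def findings_per_category(findings, reported_only=False):
    """# of findings per category found (all, incl. false positives) or reported."""
    counts = defaultdict(int)
    for _, category, _, reported in findings:
        if reported or not reported_only:
            counts[category] += 1
    return dict(counts)


def false_positive_rate_per_app(findings):
    """Share of false positives per (application, category).

    A rate that climbs for one category across apps points at the tool, not the apps.
    """
    totals, fps = defaultdict(int), defaultdict(int)
    for app, category, disposition, _ in findings:
        totals[(app, category)] += 1
        fps[(app, category)] += disposition == "false-positive"
    return {key: fps[key] / totals[key] for key in totals}


def avg_minutes_per_task(tasks):
    """Average time spent on each task across applications: where the waiting is."""
    per_task = defaultdict(list)
    for _, task, minutes in tasks:
        per_task[task].append(minutes)
    return {task: mean(values) for task, values in per_task.items()}
```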
  18. Shared responsibility: sharing is caring
     ► Organize as product teams rather than traditional application teams
     ► Development, Security, Operations, Quality, Business, etc. working together to complete the project
     ► “Application Security Champion” programs help support AppSec success (and they are a great way to scale)
     ► Everyone writes and shares code
     ► “Security as Code”
  19. Security as Code – Test cases
     ► Application security tools are not fast enough
       ► Slow running, false-positive/false-negative balance
     ► There is a lot to do in this space
       ► R&D
         ► Microservices, Web apps, Mobile, Legacy, Toaster (IoT)
         ► Additional security categories
       ► Rollout
         ► Requires a “testing culture” and supporting infrastructure
         ► Auto-provision test accounts and mock authN service
         ► Infrastructure as code, scalable ephemeral servers
  20. Security as Code – Test cases
     ► Cache-Control header configuration test
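What the Cache-Control test case on this slide can look like as code, as an added example that is not the speakers' own test. It asserts that a response from a sensitive (authenticated) endpoint forbids caching; the policy it encodes (no-store required, public forbidden, max-age must be 0, Pragma: no-cache expected for HTTP/1.0 caches) and the sample responses are assumptions.

```python
"""Security-as-code test for Cache-Control header configuration.

Added example, not from the LASCON deck; the policy below is an assumption.
"""
from typing import Dict, List

REQUIRED_SENSITIVE = {"no-store"}   # response must never be written to a cache
FORBIDDEN_SENSITIVE = {"public"}    # would allow shared (proxy/CDN) caching


def parse_cache_control(values: List[str]) -> Dict[str, str]:
    """Merge one or more Cache-Control header values into a directive map.

    Directive names are case-insensitive; 'max-age=0' becomes {'max-age': '0'}
    and bare directives map to an empty string.
    """
    directives: Dict[str, str] = {}
    for value in values:
        for token in value.split(","):
            token = token.strip()
            if token:
                name, _, arg = token.partition("=")
                directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def check_cache_control(headers: Dict[str, List[str]], sensitive: bool) -> List[str]:
    """Return findings for one response; an empty list means the test passes."""
    lowered = {name.lower(): vals for name, vals in headers.items()}  # header names are case-insensitive
    cc = parse_cache_control(lowered.get("cache-control", []))
    findings: List[str] = []
    if not sensitive:
        return findings  # static assets may be cached; nothing to enforce here
    if not cc:
        findings.append("Cache-Control header missing on sensitive response")
    findings += [f"Cache-Control lacks '{d}'" for d in sorted(REQUIRED_SENSITIVE - set(cc))]
    findings += [f"Cache-Control must not contain '{d}'" for d in sorted(FORBIDDEN_SENSITIVE & set(cc))]
    if cc.get("max-age", "0") != "0":
        findings.append(f"max-age={cc['max-age']} allows caching")
    pragma = [p.strip().lower() for p in lowered.get("pragma", [])]
    if "no-cache" not in pragma:
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    return findings


# Constructed sample responses standing in for captured HTTP responses.
WEAK = {"Content-Type": ["text/html"], "Cache-Control": ["public, max-age=3600"]}
HARDENED = {"Cache-Control": ["no-store, no-cache, must-revalidate", "max-age=0"],
            "Pragma": ["no-cache"]}
```

Wired into a CI job, `check_cache_control` runs against every authenticated route of the functional test suite, which is the "supporting infrastructure" the previous slide asks for.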
  21. Page 21 Bonus content: out of your scope
  22. DevSecOps requires DevOps: DevOps is not just culture…
     1. Infrastructure as code (repeatable, securable)
     2. Scalable ephemeral servers (security testing environment)
     3. Automated functional test suite (non-security, for DAST/IAST coverage)
        1. API definition files (e.g. OpenAPI / Swagger)
     4. System / Process standardization
        1. Consistent branching strategy, SCM system, CI server
        2. Reference architectures
     5. No more than 1 new reporting system for each stakeholder + ChatOps
     Also (related to security)…
     1. Enterprise credential vault / secrets management (for automated DAST)
  23. EY | Assurance | Tax | Transactions | Advisory
     About EY
     EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
     EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
     Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.
     © 2018 Ernst & Young LLP. All Rights Reserved. 1804-2669147 ED None
     This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.
     ey.com