Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
2. WhoAmI
● Lazy Blogger
– Japan, Security, FOSS, Politics, Christian
– http://narudomr.blogspot.com
● Information Security since 1995
● Web Application Development since 1998
● Head of IT Security, Kiatnakin Bank PLC (KKP)
● Consultant for OWASP Thailand Chapter
● Committee Member of Cloud Security Alliance (CSA), Thailand Chapter
● Committee Member of Thailand Banking Sector CERT (TB-CERT)
● Technical Team Member, National Digital Identity Platform project
● Contact: narudom@owasp.org
3. ““Software is eating the world!!!”Software is eating the world!!!”
Marc Andreessen, co-founder and general partner of the ventureMarc Andreessen, co-founder and general partner of the venture
capital firm Andreessen-Horowitz, also Netscape co-coundercapital firm Andreessen-Horowitz, also Netscape co-counder
Source: The Wall Street Journal, August 20, 2011Source: The Wall Street Journal, August 20, 2011
https://www.wsj.com/articles/SB10001424053111903480904576512250915629460https://www.wsj.com/articles/SB10001424053111903480904576512250915629460
6. What Is DevOps?
Dev
Integration
Ops
Communication
Collaboration
“It’s a movement of people
who think it’s change in the IT
Industry - time to stop wasting
money, time to start delivering
great software, and building
systems that scale and last”
Patrick DeBois, the "founder"
of the DevOps movement.
Plan
Code
Build
Test
Release
Deploy
Operate
Monitor
7. DevOps Is ...
●
An approach based on agile and lean principles in which business
owners, development, operations, and quality assurance team
collaborate to deliver software in a continuous stable manner
●
An environment that promotes cross practicality, shared business
tasks and belief
●
A movement that improves IT service delivery agility
●
A culture that promotes better working relationship within the
company
●
A set of practices that provides rapid, reliable software delivery
9. DevOps Is Eating the World!!!
●
Imagine solving the world’s
problems faster by collaborating
and taking responsibility.
●
In connection with Cloud
Computing, DevOps is the
cultural enabler needed to scale
creativity and innovation.
●
With the goal of solving
customer problems faster, no
wonder DevOps is taking over.
Over Past 10 Years
10. Cloud Is Eating the World!!!
●
Public Cloud adoption is
accelerating at a rapid pace…
●
Software defined
environments allow scale to
happen and more decisions to
be made daily…
●
More people can experiment,
learn and fail at a rapid pace to
solve for customer demand….
●
Creativity is the next frontier…
11. Is Security Blocking the World?
“This is the end of security as we know it…
and isn’t it a good thing!”
-Josh Corman
@petecheslock
12. The Urgency of Dev with Integrated Security
●
Development without integrated
security and compliance will fail;
– progressive orgs have prioritized
security due to uptime and
compliance concerns
– accelerating the need for agility
and a curated OSS-dev portfolio.
●
Security-led development will be
a priority for 90% of orgs by
2020.
IDC FutureScape: Worldwide Developer and DevOps 2018 Predictions, November, 2, 2017
13. What is DevSecOps?
DevSecOps is the answer to integrating these various challenges into a
coherent and effective approach to software delivery. It is a new method
that helps identify security issues early in the development process rather
than after a product is released.
IS IS NOT
A Mindset and Holistic Approach A One-Size-Fits-All Approach
A Collection of Processes & Tools A Single Tool or Method
A Means of Security & Compliance
Integrated to Software
Just a means of adding Security into
Continuous Delivery
A Community Driven Effort Invented by Vendors
A Strategy Driven by Learning and
Experiments
A Strategy Driven by Perfection and
Compliance
15. The Main Course
● Vulnerability (VA) Scans and
Assessments
● Threat Modeling
● Secure Code Reviews (Static
Code Analysis)
● Penetration Tests (PenTests)
● This applies to both Custom
Apps and COTS
Pushing Left, Like a Boss, Tanya Janca, DevSecCon 2018 Singapore
16. The Gravy
● Educating Developers on
Secure Coding
● Practices with workshops,
talks, lessons
● Secure Coding Standards
● Responsible/Coordinated
Disclosure
● Secure code library and
other reference materials,
creating custom tools
Pushing Left, Like a Boss, Tanya Janca, DevSecCon 2018 Singapore
17. The Dessert
● Bug Bounty Programs
● Capture The Flag (CTF)
contests
● Red Team Exercises
Pushing Left, Like a Boss, Tanya Janca, DevSecCon 2018 Singapore
18. Best Practices
Successful security programs involve three intersecting parts:
people, processes, and technologies.
People
People are the starting point of the DevSecOps implementation.
Through ensuring proper training and restructuring of teams
security will become a frame of mind rather than a hindrance.
Processes
DevSecOps aims to align and implement processes common to
an enterprise to facilitate cooperation and achieve more secure
development processes as a whole.
Technology
Technologies enable people to execute DevSecOps processes,
which aim to reduce the enterprise attack surface and enable
effective management of the technical security debt.
20. People: What Type of Skills Are Required?
Dev Sec Ops Dev Sec Ops Dev Sec Ops
Developer Sys Admin Security Engineer
competency
needed skill; functional
21. People: Security Champions
Ensure that security is not a
blocker on active development
or reviews
Be empowered to make
decisions
Work with AppSec team on
mitigations strategies
Help with QA and Testing
Write Tests (from Unit Tests to
Integration tests)
Help with development of CI
(Continuous Integration)
environments
Keep track of and stay up to date
on modern security attacks and
defenses
Introduce body of knowledge
from organizations such as
OWASP (Top 10, Application
Security Verification Standard,
Testing Guide etc.)
22. Processes
●
Version control, metadata, and orchestration
●
Integration of processes
●
Security tooling in CI/CD
●
Compliance
●
Security Architecture
●
Incident Management
●
Red Teams and Bug Bounties
●
Threat Intelligence
23. Technologies
●
Automation and Configuration Management
●
Secure coding practices/Security as Code
●
Host Hardening
●
CI/CD for Patching
●
Application-level Auditing and Scanning
●
Automated Vulnerability Management Scanning
●
Automated Compliance Scan
●
Managing Secrets
24. How Hard Could It Be?
Source
Code
CI Server Artifacts MonitoringDeployTest & Scan
DevOps Code - Creating Value & Availability
DevSecOps Code - Creating Trust & Confidence
Credit: Shannon Leitz (@devsecops)
26. Application Level Auditing and Scanning:
OWASP Dependency Check
● Project stated December 2011 (first published in 2012)
● Performs Software Composition Analysis
– Reports known vulnerabilities for Java & .NET components
– Experimental analyzers for Python, Ruby, PHP (composer), and Node.js
● Easy solution to the OWASP 2017 Top 10
– A9 Using components with known vulnerabilities
● Works as:
– Command-line utility
– Ant Task
– Gradle Plugin
– Jenkins Plugin
– Maven Plugin
– SonarQube Plugin
27. Automated Vulnerability Scanning: OpenVAS
● A framework of several services and tools offering a
comprehensive and powerful vulnerability scanning and
vulnerability management solution.
● All OpenVAS products are Free Software
● Most components are licensed under the GNU General Public
License (GNU GPL)
30. OWASP ZAP Functionality
● Man-in-the-middle Proxy
● Traditional and AJAX spiders
● Automated scanner
● Passive scanner
● Fuzzer
● Dynamic SSL certificates
● Support for a wide range of scripting languages
● Plug-n-Hack support
● Authentication and session support
● Powerful REST based API
● Integrated and growing marketplace of add-ons
32. OWASP ZAP API
● RESTish – ok, only uses GET requests
http(s)://zap/<format>/<component>/<operation>/
<op name>[/?<params>]
● Maps closely to the UI / code
● Theres a basic web UI for it
● And clients in various languages:
– Java, Python, Node JS, .Net, PHP, Go …
33. OWASP ZAP Python API
● Install from pypi:
pip install python-owasp-zap-v2.4
● In your script:
from zapv2 import ZAPv2
zap = ZAPv2()
zap = ZAPv2(proxies={
'http': 'http://localhost:8080',
'https': 'http://localhost:8080'})
zap.urlopen(target)
https://pypi.python.org/pypi/python-owasp-zap-v2.4
34. Managing Secrets: HSM
● Cryptographic Computing Hardware Module
● Protected Key Store
● Well-Defined Interface Protocol
● Hard to Compromise
Hardware Security Module
35. Managing Secrets: Conjur
● A foundational secrets management service for DevOps
environments, a core security capability for any environment
● An authentication, authorization and audit service for people,
code and machines that runs independently of other DevOps
platforms and tools to provide separation of concerns and duties
and fine-grained access control
● A suite of open source integrations with leading CI/CD tools
(Ansible, Puppet, Cloud Foundry) based on an Experience-Driven
Design (XDD) development process.
● An architecture that is optimized for containerized environments
● Flexible, programmable tool (Rest API, CLI)
36. Conclusion
● DevSecOps addresses the need for pro-active, customer-
focused security rather than reacts to data breaches or other
cyberattacks.
● The benefits are cost reduction, speed of delivery, speed of
recovery, compliance at scale, and threat hunting.
● DevSecOps provides the ability to detect and fix security
issues earlier in the development process thus reducing
greatly the cost associated with identifying and fixing them.
● Shifting security to the left through the use of people,
processes and technology will help to achieve this goal.