SlideShare uma empresa Scribd logo

AppSec How-To: Achieving Security in DevOps

Checkmarx
Checkmarx

How do you integrate security within a Continuous Deployment (CD) environment, where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Find out in this Checkmarx How-To Paper.

Tecnologia
1 de 5
Baixar para ler offline
Source Code Analysis Made Easy The AppSec How-To: Achieving Security in DevOps How do you integrate security within a Continuous Deployment (CD) environment where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Traditional application security tools which require lengthy periods of configuration, tuning and application learning have become irrelevant in these fast-pace environments. Yet, falling back only on the secure coding practices of the developer cannot be tolerated. Secure coding requires a new approach where security tools become part of the development environment – and eliminate any unnecessary overhead. By collaborating with development teams, understanding their needs and requirements, you can pave the way to a secure deployment in minutes. What is DevOps all about? DevOps is a continuous development process where small features and bug fixes are frequently deployed within short periods of time. As a new development methodology, DevOps is not restricted anymore to young start-ups. Numerous large enterprises such as Facebook, Netflix, Etsy, LinkedIn and Twitter have already adopted DevOps. Amazon, which closely follows the DevOps model, is known to have more than 1000 deployments an hour. 1 Tradition vs. Disruption: Web application controls in a DevOps environment Can traditional Web application security controls fit in a disruptive DevOps environment? Let’s take a look at the common Web application security toolbox: Penetration Testing. A most valuable method to test security, there is one inherent problem: it takes time. Whether penetration testing is performed internally, or by a third-party, it takes a few days to test the application and then some time to produce the findings. When findings are at last presented, it takes time to analyze the results, get the affected development groups together and prioritize the tasks. It’s not rare for a big project to produce a 300 page findings report after undergoing a three week assessment cycle, two days of a follow-up analysis, and an additional two weeks just to start incorporating the fixes within the development process. • 1 http://www.slideshare.net/AmazonWebServices/advanced-topics-session-1-continuous-deploymentpracticesonaws 1 www.checkmarx.com
Source Code Analysis Made Easy • • Web Application Firewall (WAF). A WAF requires tuning and learning the application it protects. For applications that do not change much, configuration the WAF requires a few hours to a few days. But what happens when applications constantly change? The WAF in this case would require continuous configuration and is simply not a solution for such a dynamic process. Code Analysis. This method gained a bad reputation for simply being too slow. Whether it’s the setup time, running time or analysis time – anything that takes more than a few seconds cannot truly be integrated within DevOps. Required: A new secure Software Development Life Cycle (SDLC) approach The solution is to incorporate security already from the start of the development process. Consider the project from a security standpoint and make security a default process within the SDLC. These following steps can help you achieve this goal. Step 1: Plan for Security Research what technologies and processes you will run into throughout the development and deployment process. Accordingly, consider their security aspects: 1. Security in technology a. Identify non-secure components and frameworks. For example, some organizations analyze their entire code base to map all their non-secure patterns, frameworks and libraries. b. Choose a programming language which has built-in security patterns. Each new PHP release, for instance, deprecates non-secure patterns from previous versions. Similarly, almost all frameworks had security breaches and provide the required fixes for them. 2. Security in code development a. Map security sensitive code portions. Not all code is created equally. For example, security in your test library is definitely not as important as a password change mechanism, a user authentication mechanism or a credit-card processing mechanism. b. Place extra security care around sensitive code portions. Flag the sensitive code portions so that when changes are applied to those modules they trigger a code review, special testing, and a separate scan specifically for those modules. 3. Security in features a. Anticipate regulatory problems and plan for them. Eventually, you’ll hit regulations. Not preparing for them in advance will cost you later due to product changes, add-ons and modifications to already structured code. Design the incorporation of regulation aspects into the code. Design compliance verification into the process testing. 2 www.checkmarx.com
Source Code Analysis Made Easy Step 2: Engage the Developers. And Be Engaged. DevOps places the developer at the center of the process. And it is the developer that is held responsible to a high code quality standard. How can security teams communicate also the seriousness and importance of security? Various companies have found the following recommendations helpful to bridge the security-developers gap: 1. Connect developers to security. Position a “security champion” in each development team. Share with the champion security articles on the threat landscape and hacking motivations. Go together to your local OWASP training. Make security training valuable. Instruct developers on effective reading of vulnerability descriptions, communicate the risk of vulnerable patterns in the code, and discuss correct mitigation strategies. Practice through security development exercises which present developers with their common and repeating coding issues. Share attack details. Relate developers to the actuality of security and hacking. Present the logs of hacking attempts to demonstrate how their secure coding practices prevented the attacks from succeeding. 2. Setup an online collaboration platform. For example, generate a discussion on any sharing and collaboration platform, such as Jive or Confluence, by post a security problem and presenting ways to solve or prevent the issue. Take this one step further and establish a collaboration platform just to share security issues. Have an open door approach. Be there when developers come to ask questions. For example, work with developers on how to fix and prevent the lesser known coding flaws. 3. Step 3: Arm the Developers. Provide the developers with the right tools to help them prevent and mitigate security vulnerabilities. 1. Secure frameworks Secure frameworks are your built-in tools for securing the code already at the base. Currently, there is a pretty nice range of secure frameworks to choose from. Examples include Spring Security, JAAS, Apache, Shiro, Java SE, Symfony2. Furthermore, Ruby on Rails has a very wide range of security solutions for input validations, authentication and session management. OWASP also provides an open-source security framework for various languages named ESAPI. 2. Use source code analysis tools for security feedback on the pre-commit stages Running a source code analysis tool is a seemingly contradiction to this article’s preface which considered it to be too slow. As mentioned, any delay due to security scanning cannot be tolerated in a DevOps environment which requires delivery every few minutes. But as the development environment changed, so have different scanners adapted in order to provide the development team with a rapid response. How can developers take advantage of these new scanning features? 3 www.checkmarx.com
Source Code Analysis Made Easy - Run the scan on small chunks of code. Only scan the change between the last scan and the current scan. In this way, the scanner can scan small code portions without requiring the whole project to be set up and scanned for hours. Access the tool from within the development environment. Developers are responsible for testing their own code within their chosen IDE environment. This should also include testing the code for security. Developers can either do this through a code review or by using SCA tools. Only when the developers are confident that their code is secure, then they can commit the code into the source code repository. Step 4: Automate the Process The building block of DevOps is automation. The same should go for security. Security should first fit into the standard automated continuous deployment process. As a second step, apply application security testing tools – whether static or dynamic – that are capable to produce results in a very short time. 1. Integrate within your build (Jenkins, Bamboo, TeamCity, etc.) different application security tools such as Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). When the code is committed, the build – typically through tools such as Jenkins or Bamboo – should trigger the scan of both dynamic and static testing tools. The static testing tool performs a comprehensive scan in order to cover the case where several developers commit simultaneously. The dynamic testing tool works as a self-learning environment where it monitors the positive tests written for regular testing tools. The tool also runs inputs on negative tests to verify the catching of inputs not caught by the positive tests. 2. Fail the build if it does not pass the bar. We realize that at first you might be put off by the sound of this notion. But just like a high-priority bug that does not pass the development stage, security should be considered on the same rung of importance. Diagram 1: Security within Continuous Deployment 4 www.checkmarx.com
Source Code Analysis Made Easy Step 5: Use Old Tools Wisely Don’t start throwing away the old tools immediately. These still come in handy – but used in different ways: • Penetration Testing. Ensure that your systems are military-grade by ordering a penetration testing on a periodic level, say every six months. At this stage, findings will be minor if non-existent – but these can act as a reassurance to your system. Additionally, have your customers perform penetration testing on your systems. First, this might be a requirement since some customers are required to audit third-party systems to meet compliance. Second, a cloud environment relationship is based on the trust between the provider and customer. Allowing customers to perform penetration testing on your systems will raise this level of confidence. When security is ingrained into your system, you have that assurance of zero findings. • Web Application Firewall (WAF). Use the WAF as a solution for the more stable parts of the Web App. Maintain the WAF by performing a fine-tuning every once in a while to ensure that the WAF still guards the main functions that do not change too often. • Code Review. Perform a code review for security sensitive code portions. Use a code review, for example, to ensure the security of authentication modules and credit-card handling modules. DevOps is Happening. Right Now. Last Word of Advice Security can and should be an integral part of a continuous deployment process. But start small to avoid being overwhelmed and making the process too hard to implement. Start with those features that are more accessible and less critical, and build up the security process from one deployment to the next. Eventually, you’ll achieve small successes as proved by the reduced amount of vulnerability feedback for those security-enhanced features. Go with these results to management and receive their support to start integrating security into each and every part of your development life cycle. 5 www.checkmarx.com

Recomendados

A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
Checkmarx
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
Suman Sourav
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Achim D. Brucker
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
Suman Sourav
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
Jeff Williams
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevOps Indonesia
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization
Rogue Wave Software
 
Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009
Klocwork
 

Recomendados

A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
Checkmarx
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
Suman Sourav
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Achim D. Brucker
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
Suman Sourav
 
Application Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio ScaleApplication Security at DevOps Speed and Portfolio Scale
Application Security at DevOps Speed and Portfolio Scale
Jeff Williams
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevOps Indonesia
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization
Rogue Wave Software
 
Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009
Klocwork
 
Building a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationBuilding a Modern Security Engineering Organization
Building a Modern Security Engineering Organization
Zane Lackey
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
Nazar Tymoshyk, CEH, Ph.D.
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud
Suman Sourav
 
Integrating security into Continuous Delivery
Integrating security into Continuous DeliveryIntegrating security into Continuous Delivery
Integrating security into Continuous Delivery
Tom Stiehm
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
Derek E. Weeks
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman
Rinaldi Rampen
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security
Jeff Williams
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
Jason Suttie
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
DevSecCon
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...
Kevin Fealey
 
DevSecOps outline
DevSecOps outlineDevSecOps outline
DevSecOps outline
Nickleus Jimenez
 
DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017
Suman Sourav
 
Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development Lifecycle
Nazar Tymoshyk, CEH, Ph.D.
 
Why should developers care about container security?
Why should developers care about container security?Why should developers care about container security?
Why should developers care about container security?
Eric Smalling
 
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Sonatype
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
SoftServe
 
2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London
Jeff Williams
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
Why does security matter for devops by Caroline Wong
Why does security matter for devops by Caroline WongWhy does security matter for devops by Caroline Wong
Why does security matter for devops by Caroline Wong
DevSecCon
 
10 Steps To Secure Agile Development
10 Steps To Secure Agile Development10 Steps To Secure Agile Development
10 Steps To Secure Agile Development
Checkmarx
 
DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.
Techugo
 

Mais conteúdo relacionado

Mais procurados

"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman
Rinaldi Rampen
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 

Mais procurados (20)

Building a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationBuilding a Modern Security Engineering Organization
Building a Modern Security Engineering Organization
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud
 
Integrating security into Continuous Delivery
Integrating security into Continuous DeliveryIntegrating security into Continuous Delivery
Integrating security into Continuous Delivery
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman"CERT Secure Coding Standards" by Dr. Mark Sherman
"CERT Secure Coding Standards" by Dr. Mark Sherman
 
Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security Innovating Faster with Continuous Application Security
Innovating Faster with Continuous Application Security
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...
 
DevSecOps outline
DevSecOps outlineDevSecOps outline
DevSecOps outline
 
DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017
 
Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development Lifecycle
 
Why should developers care about container security?
Why should developers care about container security?Why should developers care about container security?
Why should developers care about container security?
 
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
 
2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London2017-11 Three Ways of Security - OWASP London
2017-11 Three Ways of Security - OWASP London
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
 
Why does security matter for devops by Caroline Wong
Why does security matter for devops by Caroline WongWhy does security matter for devops by Caroline Wong
Why does security matter for devops by Caroline Wong
 

Semelhante a AppSec How-To: Achieving Security in DevOps

DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.
Techugo
 
DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}
Ajeet Singh
 
Dev opsandsecurity owasp
Dev opsandsecurity owaspDev opsandsecurity owasp
Dev opsandsecurity owasp
Helen Bravo
 

Semelhante a AppSec How-To: Achieving Security in DevOps (20)

10 Steps To Secure Agile Development
10 Steps To Secure Agile Development10 Steps To Secure Agile Development
10 Steps To Secure Agile Development
 
DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.
 
DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.
 
DevOps and Devsecops.pdf
DevOps and Devsecops.pdfDevOps and Devsecops.pdf
DevOps and Devsecops.pdf
 
DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}
 
DevOps and Devsecops What are the Differences.pdf
DevOps and Devsecops What are the Differences.pdfDevOps and Devsecops What are the Differences.pdf
DevOps and Devsecops What are the Differences.pdf
 
_Best practices towards a well-polished DevSecOps environment (1).pdf
_Best practices towards a well-polished DevSecOps environment (1).pdf_Best practices towards a well-polished DevSecOps environment (1).pdf
_Best practices towards a well-polished DevSecOps environment (1).pdf
 
DevSecOps Security: Is it Necessary?
DevSecOps Security: Is it Necessary?DevSecOps Security: Is it Necessary?
DevSecOps Security: Is it Necessary?
 
Dev{sec}ops
Dev{sec}opsDev{sec}ops
Dev{sec}ops
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps Transformation
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
 
Dev opsandsecurity owasp
Dev opsandsecurity owaspDev opsandsecurity owasp
Dev opsandsecurity owasp
 
DevOps and Open Source Software Continuous Compliance
DevOps and Open Source Software Continuous ComplianceDevOps and Open Source Software Continuous Compliance
DevOps and Open Source Software Continuous Compliance
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & Now
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's Toolbox
 
OWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference Guide
 
How To Implement DevSecOps In Your Existing DevOps Workflow
How To Implement DevSecOps In Your Existing DevOps WorkflowHow To Implement DevSecOps In Your Existing DevOps Workflow
How To Implement DevSecOps In Your Existing DevOps Workflow
 
10 Best DevSecOps Tools for 2023
10 Best DevSecOps Tools for 202310 Best DevSecOps Tools for 2023
10 Best DevSecOps Tools for 2023
 
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
 

Mais de Checkmarx

10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers
Checkmarx
 
How Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code AnalysisHow Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code Analysis
Checkmarx
 
Happy New Year!
Happy New Year!Happy New Year!
Happy New Year!
Checkmarx
 

Mais de Checkmarx (10)

Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers
 
The 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code AnalysisThe 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code Analysis
 
A Platform for Application Risk Intelligence
A Platform for Application Risk IntelligenceA Platform for Application Risk Intelligence
A Platform for Application Risk Intelligence
 
How Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code AnalysisHow Virtual Compilation Transforms Static Code Analysis
How Virtual Compilation Transforms Static Code Analysis
 
Source Code vs. Binary Code Analysis
Source Code vs. Binary Code AnalysisSource Code vs. Binary Code Analysis
Source Code vs. Binary Code Analysis
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST Tool
 
The Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-InsThe Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-Ins
 
Graph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC ChapterGraph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC Chapter
 
Happy New Year!
Happy New Year!Happy New Year!
Happy New Year!
 

Último

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 

Último (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 

AppSec How-To: Achieving Security in DevOps

  • 1. Source Code Analysis Made Easy The AppSec How-To: Achieving Security in DevOps How do you integrate security within a Continuous Deployment (CD) environment where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Traditional application security tools which require lengthy periods of configuration, tuning and application learning have become irrelevant in these fast-pace environments. Yet, falling back only on the secure coding practices of the developer cannot be tolerated. Secure coding requires a new approach where security tools become part of the development environment – and eliminate any unnecessary overhead. By collaborating with development teams, understanding their needs and requirements, you can pave the way to a secure deployment in minutes. What is DevOps all about? DevOps is a continuous development process where small features and bug fixes are frequently deployed within short periods of time. As a new development methodology, DevOps is not restricted anymore to young start-ups. Numerous large enterprises such as Facebook, Netflix, Etsy, LinkedIn and Twitter have already adopted DevOps. Amazon, which closely follows the DevOps model, is known to have more than 1000 deployments an hour. 1 Tradition vs. Disruption: Web application controls in a DevOps environment Can traditional Web application security controls fit in a disruptive DevOps environment? Let’s take a look at the common Web application security toolbox: Penetration Testing. A most valuable method to test security, there is one inherent problem: it takes time. Whether penetration testing is performed internally, or by a third-party, it takes a few days to test the application and then some time to produce the findings. When findings are at last presented, it takes time to analyze the results, get the affected development groups together and prioritize the tasks. It’s not rare for a big project to produce a 300 page findings report after undergoing a three week assessment cycle, two days of a follow-up analysis, and an additional two weeks just to start incorporating the fixes within the development process. • 1 http://www.slideshare.net/AmazonWebServices/advanced-topics-session-1-continuous-deploymentpracticesonaws 1 www.checkmarx.com
  • 2. Source Code Analysis Made Easy • • Web Application Firewall (WAF). A WAF requires tuning and learning the application it protects. For applications that do not change much, configuration the WAF requires a few hours to a few days. But what happens when applications constantly change? The WAF in this case would require continuous configuration and is simply not a solution for such a dynamic process. Code Analysis. This method gained a bad reputation for simply being too slow. Whether it’s the setup time, running time or analysis time – anything that takes more than a few seconds cannot truly be integrated within DevOps. Required: A new secure Software Development Life Cycle (SDLC) approach The solution is to incorporate security already from the start of the development process. Consider the project from a security standpoint and make security a default process within the SDLC. These following steps can help you achieve this goal. Step 1: Plan for Security Research what technologies and processes you will run into throughout the development and deployment process. Accordingly, consider their security aspects: 1. Security in technology a. Identify non-secure components and frameworks. For example, some organizations analyze their entire code base to map all their non-secure patterns, frameworks and libraries. b. Choose a programming language which has built-in security patterns. Each new PHP release, for instance, deprecates non-secure patterns from previous versions. Similarly, almost all frameworks had security breaches and provide the required fixes for them. 2. Security in code development a. Map security sensitive code portions. Not all code is created equally. For example, security in your test library is definitely not as important as a password change mechanism, a user authentication mechanism or a credit-card processing mechanism. b. Place extra security care around sensitive code portions. Flag the sensitive code portions so that when changes are applied to those modules they trigger a code review, special testing, and a separate scan specifically for those modules. 3. Security in features a. Anticipate regulatory problems and plan for them. Eventually, you’ll hit regulations. Not preparing for them in advance will cost you later due to product changes, add-ons and modifications to already structured code. Design the incorporation of regulation aspects into the code. Design compliance verification into the process testing. 2 www.checkmarx.com
  • 3. Source Code Analysis Made Easy Step 2: Engage the Developers. And Be Engaged. DevOps places the developer at the center of the process. And it is the developer that is held responsible to a high code quality standard. How can security teams communicate also the seriousness and importance of security? Various companies have found the following recommendations helpful to bridge the security-developers gap: 1. Connect developers to security. Position a “security champion” in each development team. Share with the champion security articles on the threat landscape and hacking motivations. Go together to your local OWASP training. Make security training valuable. Instruct developers on effective reading of vulnerability descriptions, communicate the risk of vulnerable patterns in the code, and discuss correct mitigation strategies. Practice through security development exercises which present developers with their common and repeating coding issues. Share attack details. Relate developers to the actuality of security and hacking. Present the logs of hacking attempts to demonstrate how their secure coding practices prevented the attacks from succeeding. 2. Setup an online collaboration platform. For example, generate a discussion on any sharing and collaboration platform, such as Jive or Confluence, by post a security problem and presenting ways to solve or prevent the issue. Take this one step further and establish a collaboration platform just to share security issues. Have an open door approach. Be there when developers come to ask questions. For example, work with developers on how to fix and prevent the lesser known coding flaws. 3. Step 3: Arm the Developers. Provide the developers with the right tools to help them prevent and mitigate security vulnerabilities. 1. Secure frameworks Secure frameworks are your built-in tools for securing the code already at the base. Currently, there is a pretty nice range of secure frameworks to choose from. Examples include Spring Security, JAAS, Apache, Shiro, Java SE, Symfony2. Furthermore, Ruby on Rails has a very wide range of security solutions for input validations, authentication and session management. OWASP also provides an open-source security framework for various languages named ESAPI. 2. Use source code analysis tools for security feedback on the pre-commit stages Running a source code analysis tool is a seemingly contradiction to this article’s preface which considered it to be too slow. As mentioned, any delay due to security scanning cannot be tolerated in a DevOps environment which requires delivery every few minutes. But as the development environment changed, so have different scanners adapted in order to provide the development team with a rapid response. How can developers take advantage of these new scanning features? 3 www.checkmarx.com
  • 4. Source Code Analysis Made Easy - Run the scan on small chunks of code. Only scan the change between the last scan and the current scan. In this way, the scanner can scan small code portions without requiring the whole project to be set up and scanned for hours. Access the tool from within the development environment. Developers are responsible for testing their own code within their chosen IDE environment. This should also include testing the code for security. Developers can either do this through a code review or by using SCA tools. Only when the developers are confident that their code is secure, then they can commit the code into the source code repository. Step 4: Automate the Process The building block of DevOps is automation. The same should go for security. Security should first fit into the standard automated continuous deployment process. As a second step, apply application security testing tools – whether static or dynamic – that are capable to produce results in a very short time. 1. Integrate within your build (Jenkins, Bamboo, TeamCity, etc.) different application security tools such as Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). When the code is committed, the build – typically through tools such as Jenkins or Bamboo – should trigger the scan of both dynamic and static testing tools. The static testing tool performs a comprehensive scan in order to cover the case where several developers commit simultaneously. The dynamic testing tool works as a self-learning environment where it monitors the positive tests written for regular testing tools. The tool also runs inputs on negative tests to verify the catching of inputs not caught by the positive tests. 2. Fail the build if it does not pass the bar. We realize that at first you might be put off by the sound of this notion. But just like a high-priority bug that does not pass the development stage, security should be considered on the same rung of importance. Diagram 1: Security within Continuous Deployment 4 www.checkmarx.com
  • 5. Source Code Analysis Made Easy Step 5: Use Old Tools Wisely Don’t start throwing away the old tools immediately. These still come in handy – but used in different ways: • Penetration Testing. Ensure that your systems are military-grade by ordering a penetration testing on a periodic level, say every six months. At this stage, findings will be minor if non-existent – but these can act as a reassurance to your system. Additionally, have your customers perform penetration testing on your systems. First, this might be a requirement since some customers are required to audit third-party systems to meet compliance. Second, a cloud environment relationship is based on the trust between the provider and customer. Allowing customers to perform penetration testing on your systems will raise this level of confidence. When security is ingrained into your system, you have that assurance of zero findings. • Web Application Firewall (WAF). Use the WAF as a solution for the more stable parts of the Web App. Maintain the WAF by performing a fine-tuning every once in a while to ensure that the WAF still guards the main functions that do not change too often. • Code Review. Perform a code review for security sensitive code portions. Use a code review, for example, to ensure the security of authentication modules and credit-card handling modules. DevOps is Happening. Right Now. Last Word of Advice Security can and should be an integral part of a continuous deployment process. But start small to avoid being overwhelmed and making the process too hard to implement. Start with those features that are more accessible and less critical, and build up the security process from one deployment to the next. Eventually, you’ll achieve small successes as proved by the reduced amount of vulnerability feedback for those security-enhanced features. Go with these results to management and receive their support to start integrating security into each and every part of your development life cycle. 5 www.checkmarx.com