SlideShare une entreprise Scribd logo

SecDevOps Risk Workflow - v0.6

Dinis Cruz
Dinis Cruz

Slides from presentation delivered at InfoSecWeek in London (Oct 2016) about making developers more productive, embedding security practices into the SDL and ensuring that security risks are accepted and understood. The focus is on the Dev part of SecDevOps, and on the challenges of creating Security Champions for all DevOps stages.

Technologie
1  sur  90
Télécharger pour lire hors ligne
SecDevOps Risk Workflow v0.6 InfoSecWeek, Oct 2016 @DinisCruz
Me • Developer for 25 years • AppSec for 13 years • Day jobs: • Leader OWASP O2 Platform project • Application Security Training • JBI Training, others • Part of AppSec team of: • The Hut Group • BBC • AppSec Consultant and Mentor • “I build AppSec teams….” • https://twitter.com/DinisCruz • http://blog.diniscruz.com • http://leanpub.com/u/DinisCruz
• Get it for free at https://leanpub.com/secdevops Based on “SecDevOps Risk Workflow” book
APPSEC, INFOSEC, POLLUTION
• (unit) Test - For me a test is anything that can be executed with one of these Unit Test Frameworks: https:// en.wikipedia.org/wiki/List_of_unit_testing_frameworks • RISK - Abuse the concept, found RISK to be best one for the wide range of issues covered by AppSec, while being understood by all players • 100% Code Coverage - not the summit, but base-camp (i.e. not the destination). And 100% code is not enough, we really need 500% or more Code Coverage) • AppSec ~= Non Functional requirements - AppSec is about understanding and controlling app’s unintended behaviours Disclaimers
• InfoSec is about: – Networks, Firewalls, Server security, Anti-virus, IDS, Logging, NOC, Policies, end-user security, mobile devices, AD/Ldap management, user provisioning, DevOps, …. • AppSec is about: – code, apps, CI, secure coding standards, threat models, frameworks, code dependencies, QA, testing, fuzzing, dev environments, DevOps, …. • If your ‘InfoSec’ team/person cannot code (and would not be hired by the Dev team), then that is NOT AppSec. • Both are equally important, but InfoSec is much more mature, has bigger budgets and is understood by the business AppSec vs InfoSec
The Pollution analogy
• The developers are the ones who pays the debt • Pollution is a much better analogy • The key is to make the business accept the risk (i.e the debt) – make sure it is your boss who gets fired (all the way to the board) • Which is done using the JIRA RISK Workflows Technical Debt is a bad analogy
RISK WORKFLOW
RISK Workflow (using JIRA in Cloud)
Key for AppSec JIRA workflow is this button
CSO POINT VIEW
• Create an environment and workflow where Security (InfoSec and AppSec) is an enabler. • Allow the business to ship faster with quality, security and assurance • InfoSec protects the organisation and operations • AppSec protects the code created, used and bought • Developers code in environments where it is very hard to create security vulnerabilities • Applications run in environments where security exploits are contained and visible • Align business risk appetite with reality (using proposed Risk Workflow to allocate responsibility at the correct level) What type of security organisation to create
• Give security teams a mandate to focus on Quality, Testing and Engineering • Create a network of Security Champions • Become the ‘Department of Yes’ • Measure code pollution using Risk Workflow • Understand that developers are key players and need to be trusted • Testing and Quality are core business requirements (and what gives you speed) • Create an central AppSec team (usually there is only an InfoSec team) How to embed security into the culture
• Security policies are the foundation of decisions • They underpin the reason behind actions and risk accepted • But, if not based on reality, most policies will NOT be – read – followed – enforced • For policies to work they need to be customised to its target (for example Secure coding standards for App XYZ) • They also need to be delivered in the target’s environment (for example IDE) What about security policies?
• If you don’t – have an AppSec team – do Threat Models – do weekly code reviews and security assessments – have embedded security automation automation in your SDL pipeline – have secure coding standards, bug-bounties, dependency management – …. and many other other AppSec activities • Where is security going to come from? • without them … there will be massive security vulnerabilities in code and apps used • and your security model is based on the ‘skill level and business model’ of your attackers Security magic pixie dust
DEVOPS AND SECDEVOPS
Cost of IT Failure https://www.youtube.com/watch?v=877OCQA_xzE
DevOps https://en.wikipedia.org/wiki/DevOps http://www.bogotobogo.com/DevOps/ DevOps_Jenkins_Chef_Puppet_Graphite_Logstash.php
What is DevOps http://www.slideshare.net/AmazonWebServices/securing-systems-at-cloud-scale-with-devsecops
Deploy, deploy, deploy https://github.com/blog/1241-deploying-at-github
It is all code http://www.enhops.com/devops
All this to manage code http://www.soa4u.co.uk/2015/04/a-word-about-microservice-architectures.html
SecDevOps https://www.linkedin.com/pulse/devsecops-secdevops-difference-kumar-mba-msc-cissp-mbcs-citp
Scrum process http://blog.xebia.com/wp-content/uploads/2013/08/scrum-process.jpg
DevSecOps http://www.slideshare.net/AmazonWebServices/sec405-enterprise-cloud-security-via-devsecops-aws-reinvent-2014
What is DevSecOps
What about the code? AppSec? http://www.slideshare.net/AmazonWebServices/sec320-leveraging-the-power-of-aws-to-automate-security-compliance
• Fixing and Securing the DevOps pipeline is not enough – In fact that is actually the ‘easy’ part • We also need to fix the developers workflow and secure the code they create – Threat Models – Security knowledge in the IDE – Security Champions – Risk Workflows that reward visibility and non-functional requirements Since everything is code, code is root cause
• Interesting debate at the moment in the industry • For me Sec-DevOps is about adding security to DevOps • Dev-SecOps is about adding development practices to Security operations • I like the idea that SecDevOps when done right – becomes just DevOps, which when the Ops are done right, – should become just Dev SecDevOps or DevSecOps
SECURITY CHAMPIONS
Security Champions (SC) http://blog.diniscruz.com/2015/10/what-are-security-champions-and-what-do.html
If you don’t have an SC, get a Mug
JIRA WORKFLOW
1.Open JIRA issues for all AppSec issues 2.Write passing tests for issues reported 3.Manage using AppSec RISK workflow 1.Fix Path: Open, Allocated for Fix, Fix, Test Fix, Close 2.Accept Risk Path: Open, Accept Risk, Approve Risk, (Expire Risk) 4.Automatically report RISK’s status Proposed JIRA workflow
RISK Workflow (using JIRA in Cloud)
PATH #1 - Fix issue
PATH #2 - Accept and Approve RISK
PATH #2 - Variation when risk not approved
‘FIX’ PATH
Issue: Data_Files.set_File_Data - Path Traversal
Status: OPEN
Status: IN PROGRESS
Status: ALLOCATED FOR FIX
Status: FIXING
Status: TEST FIX
Status: FIXED
PATH ‘RISK ACCEPT/APPROVE’
RISK: Support for coffee allows RCE
Status: OPEN
Status: IN PROGRESS
Status: AWAITING RISK ACCEPTANCE
Status: RISK ACCEPTED
Status: RISK APPROVED
Status: RISK APPROVED EXPIRED
All status changes are tracked
KEY CONCEPTS FOR JIRA RISK WORKFLOW
Key for AppSec JIRA workflow is this button
• This is a separate JIRA repo from the one used by devs – I like to call that project ‘RISK’ – This avoids project ‘issue creation’ politics and ‘safe harbour for: • known issues • ’shadow of a vulnerability’ issues • ‘this could be an problem…’ issues • ‘app is still in development’ issues – When deciding to fix an issue: • that is the moment to create an issue in the target project JIRA (or whatever bug tracking system they used) – When issue is fixed (and closed on target project JIRA): • AppSec confirms fix and closes RISK Separate JIRA project
• Key is to understand that issues need to be moving on one of two paths: – Fix – Risk Accepted (and approved) • Risks (i.e. issues) are never in ‘Backlog’ • If an issue is stuck in ‘allocated for fix’, then it will be moved into the ‘Awaiting Risk Acceptance’ stage Always moving until fix or acceptance
• If you don’t have 350+ issues on your JIRA RISK Project, you are not playing (and don’t have enough visibility into what is really going on) • Allow team A to see what team B had (and scale due due to issue description reuse) • Problem is not teams with 50 issues, prob is team with 5 issues • This is perfect for Gamification and to provide visibility into who to reward (and promote) You need volume
• All issues identified in Threat Models are added to the JIRA RISK project • Create Threat models by – layer – feature – bug • … that is a topic for another talk Threat model
Mapping to InfoSec risks
Mapping JIRA Tickets to Tests
JIRA AppSec Dashboards
Weekly emails with Risk status
• Components (one per team or project) • Labels (to add metadata to issues, for OWASP Top 10) • Links – connect with internal/external issues and – external resources • Auto emails • Copy and paste of images into description • Markdown • Security restrictions (use with care) • Security lock certain actions • Extra workflow actions for example when moving state) • Create APPSEC JIRA project for AppSec related tasks (like ‘Create Threat Model for app XYZ’) Other powerful JIRA features
GITHUB RISK WORKFLOW
Using GitHub (instead of JIRA)
Example with DoS issue
TDD
• For TDD to be productive you need – Real time unit test execution (when hands lift) – Real time code coverage • TDD focus needs to be on – making developers more productive – preventing developers from switching context • If 99% code coverage doesn’t happen ‘by default’ TDD workflow is not working TDD
TDD in WebStorm with WallabyJS
What happens when you increase attack surface
You want a test to fail
TDD in WebStorm with WallabyJS • … but is a topic for another talk :)
OWASP
• Best AppSec conferences of the year • 100s of chapters around the world • 100s of research projects on AppSec • All released under OpenSource and Creative Common licenses • Best concentration of AppSec talent in the world • Please join, collaborate, participate Epicentre of Application Security
Conferences
Chapters
Chapters - Europe
Projects - Flagship
Projects - Labs
Projects - Incubator
Summit - 2008
Summit 2011
Corporate Members
Thanks, any questions @diniscruz dinis.cruz@owasp.org

Recommandé

SecDevOps
SecDevOpsSecDevOps
SecDevOps
Peter Lamar
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Joel Divekar
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
n|u - The Open Security Community
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
DevOps Indonesia
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
Priyanka Aash
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
Archana Joshi
 

Recommandé

SecDevOps
SecDevOpsSecDevOps
SecDevOps
Peter Lamar
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Joel Divekar
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
n|u - The Open Security Community
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
DevOps Indonesia
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
Priyanka Aash
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
Archana Joshi
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
Jason Suttie
 
DevSecOps Singapore introduction
DevSecOps Singapore introductionDevSecOps Singapore introduction
DevSecOps Singapore introduction
Stefan Streichsbier
 
DevSecOps: Security With DevOps
DevSecOps: Security With DevOpsDevSecOps: Security With DevOps
DevSecOps: Security With DevOps
Knoldus Inc.
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Tomas Honzak
 
DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines
Abdul_Mujeeb
 
DevOps for absolute beginners (2022 edition)
DevOps for absolute beginners (2022 edition)DevOps for absolute beginners (2022 edition)
DevOps for absolute beginners (2022 edition)
Ahmed Misbah
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
DevOps
DevOpsDevOps
DevOps
Yoshan madhumal
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
abhimanyubhogwan
 
How to Get Started with DevSecOps
How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOps
CYBRIC
 
Secure your Azure and DevOps in a smart way
Secure your Azure and DevOps in a smart waySecure your Azure and DevOps in a smart way
Secure your Azure and DevOps in a smart way
Eficode
 
Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)
Aymeric Lagier
 
Devops
DevopsDevops
Devops
Daniel Fikre
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Amazon Web Services
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..
Siddharth Joshi
 
Slide DevSecOps Microservices
Slide DevSecOps Microservices Slide DevSecOps Microservices
Slide DevSecOps Microservices
Hendri Karisma
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP Switzerland
Matt Tesauro
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
Narudom Roongsiriwong, CISSP
 
DevOps or DevSecOps
DevOps or DevSecOpsDevOps or DevSecOps
DevOps or DevSecOps
Michelangelo van Dam
 
SC conference - Building AppSec Teams
SC conference - Building AppSec TeamsSC conference - Building AppSec Teams
SC conference - Building AppSec Teams
Dinis Cruz
 
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Using jira to manage risks v1.0 - owasp app sec eu - june 2016Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Dinis Cruz
 

Contenu connexe

Tendances

DevOps for absolute beginners (2022 edition)
DevOps for absolute beginners (2022 edition)DevOps for absolute beginners (2022 edition)
DevOps for absolute beginners (2022 edition)
Ahmed Misbah
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP Switzerland
Matt Tesauro
 
DevOps or DevSecOps
DevOps or DevSecOpsDevOps or DevSecOps
DevOps or DevSecOps
Michelangelo van Dam
 

Tendances (20)

Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
 
DevSecOps Singapore introduction
DevSecOps Singapore introductionDevSecOps Singapore introduction
DevSecOps Singapore introduction
 
DevSecOps: Security With DevOps
DevSecOps: Security With DevOpsDevSecOps: Security With DevOps
DevSecOps: Security With DevOps
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines DevSecOps Basics with Azure Pipelines
DevSecOps Basics with Azure Pipelines
 
DevOps for absolute beginners (2022 edition)
DevOps for absolute beginners (2022 edition)DevOps for absolute beginners (2022 edition)
DevOps for absolute beginners (2022 edition)
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
 
DevOps
DevOpsDevOps
DevOps
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
How to Get Started with DevSecOps
How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOps
 
Secure your Azure and DevOps in a smart way
Secure your Azure and DevOps in a smart waySecure your Azure and DevOps in a smart way
Secure your Azure and DevOps in a smart way
 
Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)Secure Software Development Life Cycle (SSDLC)
Secure Software Development Life Cycle (SSDLC)
 
Devops
DevopsDevops
Devops
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..
 
Slide DevSecOps Microservices
Slide DevSecOps Microservices Slide DevSecOps Microservices
Slide DevSecOps Microservices
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP Switzerland
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
DevOps or DevSecOps
DevOps or DevSecOpsDevOps or DevSecOps
DevOps or DevSecOps
 

En vedette

En vedette (20)

SC conference - Building AppSec Teams
SC conference - Building AppSec TeamsSC conference - Building AppSec Teams
SC conference - Building AppSec Teams
 
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Using jira to manage risks v1.0 - owasp app sec eu - june 2016Using jira to manage risks v1.0 - owasp app sec eu - june 2016
Using jira to manage risks v1.0 - owasp app sec eu - june 2016
 
Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)Legacy-SecDevOps (AppSec Management Debrief)
Legacy-SecDevOps (AppSec Management Debrief)
 
Owasp summit 2017
Owasp summit 2017 Owasp summit 2017
Owasp summit 2017
 
Veracode Automation CLI (using Jenkins for SDL integration)
Veracode Automation CLI (using Jenkins for SDL integration)Veracode Automation CLI (using Jenkins for SDL integration)
Veracode Automation CLI (using Jenkins for SDL integration)
 
Hacking Portugal , C-days 2016 , v1.0
Hacking Portugal , C-days 2016 , v1.0Hacking Portugal , C-days 2016 , v1.0
Hacking Portugal , C-days 2016 , v1.0
 
Making threat modeling so easy
Making threat modeling so easyMaking threat modeling so easy
Making threat modeling so easy
 
Security champions v1.0
Security champions v1.0Security champions v1.0
Security champions v1.0
 
Surrogate dependencies (in node js) v1.0
Surrogate dependencies (in node js) v1.0Surrogate dependencies (in node js) v1.0
Surrogate dependencies (in node js) v1.0
 
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
 
New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0
 
Security in a Continuous Delivery World
Security in a Continuous Delivery WorldSecurity in a Continuous Delivery World
Security in a Continuous Delivery World
 
Building an Open Source AppSec Pipeline
Building an Open Source AppSec PipelineBuilding an Open Source AppSec Pipeline
Building an Open Source AppSec Pipeline
 
AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based Security
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating Security
 
NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
 
Application Security at DevOps Speed - DevOpsDays Singapore 2016
Application Security at DevOps Speed - DevOpsDays Singapore 2016Application Security at DevOps Speed - DevOpsDays Singapore 2016
Application Security at DevOps Speed - DevOpsDays Singapore 2016
 
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
DevSecCon Asia 2017 - Abhay Bhargav: Building an Application Vulnerability To...
 

Similaire à SecDevOps Risk Workflow - v0.6

Weaponizing Your DevOps Pipeline
Weaponizing Your DevOps PipelineWeaponizing Your DevOps Pipeline
Weaponizing Your DevOps Pipeline
Puma Security, LLC
 
Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAutomating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps
Amazon Web Services
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
rkadayam
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
SoftServe
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
Brian Levine
 

Similaire à SecDevOps Risk Workflow - v0.6 (20)

HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from ScratchHouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
 
Weaponizing Your DevOps Pipeline
Weaponizing Your DevOps PipelineWeaponizing Your DevOps Pipeline
Weaponizing Your DevOps Pipeline
 
Automating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOpsAutomating Security in Cloud Workloads with DevSecOps
Automating Security in Cloud Workloads with DevSecOps
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Dev{sec}ops
Dev{sec}opsDev{sec}ops
Dev{sec}ops
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
 
App sec and quality london - may 2016 - v0.5
App sec and quality london - may 2016 - v0.5App sec and quality london - may 2016 - v0.5
App sec and quality london - may 2016 - v0.5
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps Sec
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
 
Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or less
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOps
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
 
Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24 webinar - application security in a dev ops world-08-2018Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24 webinar - application security in a dev ops world-08-2018
 

Plus de Dinis Cruz

Plus de Dinis Cruz (20)

Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
 
Glasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted FilesGlasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted Files
 
Glasswall - How to Prevent, Detect and React to Ransomware incidents
Glasswall - How to Prevent, Detect and React to Ransomware incidentsGlasswall - How to Prevent, Detect and React to Ransomware incidents
Glasswall - How to Prevent, Detect and React to Ransomware incidents
 
The benefits of police and industry investigation - NPCC Conference
The benefits of police and industry investigation - NPCC ConferenceThe benefits of police and industry investigation - NPCC Conference
The benefits of police and industry investigation - NPCC Conference
 
Serverless Security Workflows - cyber talks - 19th nov 2019
Serverless Security Workflows - cyber talks - 19th nov 2019Serverless Security Workflows - cyber talks - 19th nov 2019
Serverless Security Workflows - cyber talks - 19th nov 2019
 
Modern security using graphs, automation and data science
Modern security using graphs, automation and data scienceModern security using graphs, automation and data science
Modern security using graphs, automation and data science
 
Using Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and StrategyUsing Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and Strategy
 
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz (CV) - CISO and Transformation Agent v1.2Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
 
Making fact based decisions and 4 board decisions (Oct 2019)
Making fact based decisions and 4 board decisions (Oct 2019)Making fact based decisions and 4 board decisions (Oct 2019)
Making fact based decisions and 4 board decisions (Oct 2019)
 
CISO Application presentation - Babylon health security
CISO Application presentation - Babylon health securityCISO Application presentation - Babylon health security
CISO Application presentation - Babylon health security
 
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Using OWASP Security Bot (OSBot) to make Fact Based Security DecisionsUsing OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
 
GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)
 
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6 (OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
 
OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)
 
Jira schemas - Open Security Summit (Working Session 21th May 2019)
Jira schemas - Open Security Summit (Working Session 21th May 2019)Jira schemas - Open Security Summit (Working Session 21th May 2019)
Jira schemas - Open Security Summit (Working Session 21th May 2019)
 
Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"
 
Owasp and summits (may 2019)
Owasp and summits (may 2019)Owasp and summits (may 2019)
Owasp and summits (may 2019)
 
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
 
Open security summit 2019 owasp london 25th feb
Open security summit 2019 owasp london 25th febOpen security summit 2019 owasp london 25th feb
Open security summit 2019 owasp london 25th feb
 
Owasp summit 2019 - OWASP London 25th feb
Owasp summit 2019 - OWASP London 25th febOwasp summit 2019 - OWASP London 25th feb
Owasp summit 2019 - OWASP London 25th feb
 

Dernier

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Dernier (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 

SecDevOps Risk Workflow - v0.6

  • 2. Me • Developer for 25 years • AppSec for 13 years • Day jobs: • Leader OWASP O2 Platform project • Application Security Training • JBI Training, others • Part of AppSec team of: • The Hut Group • BBC • AppSec Consultant and Mentor • “I build AppSec teams….” • https://twitter.com/DinisCruz • http://blog.diniscruz.com • http://leanpub.com/u/DinisCruz
  • 3. • Get it for free at https://leanpub.com/secdevops Based on “SecDevOps Risk Workflow” book
  • 5. • (unit) Test - For me a test is anything that can be executed with one of these Unit Test Frameworks: https:// en.wikipedia.org/wiki/List_of_unit_testing_frameworks • RISK - Abuse the concept, found RISK to be best one for the wide range of issues covered by AppSec, while being understood by all players • 100% Code Coverage - not the summit, but base-camp (i.e. not the destination). And 100% code is not enough, we really need 500% or more Code Coverage) • AppSec ~= Non Functional requirements - AppSec is about understanding and controlling app’s unintended behaviours Disclaimers
  • 6. • InfoSec is about: – Networks, Firewalls, Server security, Anti-virus, IDS, Logging, NOC, Policies, end-user security, mobile devices, AD/Ldap management, user provisioning, DevOps, …. • AppSec is about: – code, apps, CI, secure coding standards, threat models, frameworks, code dependencies, QA, testing, fuzzing, dev environments, DevOps, …. • If your ‘InfoSec’ team/person cannot code (and would not be hired by the Dev team), then that is NOT AppSec. • Both are equally important, but InfoSec is much more mature, has bigger budgets and is understood by the business AppSec vs InfoSec
  • 8. • The developers are the ones who pays the debt • Pollution is a much better analogy • The key is to make the business accept the risk (i.e the debt) – make sure it is your boss who gets fired (all the way to the board) • Which is done using the JIRA RISK Workflows Technical Debt is a bad analogy
  • 10. RISK Workflow (using JIRA in Cloud)
  • 11. Key for AppSec JIRA workflow is this button
  • 13. • Create an environment and workflow where Security (InfoSec and AppSec) is an enabler. • Allow the business to ship faster with quality, security and assurance • InfoSec protects the organisation and operations • AppSec protects the code created, used and bought • Developers code in environments where it is very hard to create security vulnerabilities • Applications run in environments where security exploits are contained and visible • Align business risk appetite with reality (using proposed Risk Workflow to allocate responsibility at the correct level) What type of security organisation to create
  • 14. • Give security teams a mandate to focus on Quality, Testing and Engineering • Create a network of Security Champions • Become the ‘Department of Yes’ • Measure code pollution using Risk Workflow • Understand that developers are key players and need to be trusted • Testing and Quality are core business requirements (and what gives you speed) • Create an central AppSec team (usually there is only an InfoSec team) How to embed security into the culture
  • 15. • Security policies are the foundation of decisions • They underpin the reason behind actions and risk accepted • But, if not based on reality, most policies will NOT be – read – followed – enforced • For policies to work they need to be customised to its target (for example Secure coding standards for App XYZ) • They also need to be delivered in the target’s environment (for example IDE) What about security policies?
  • 16. • If you don’t – have an AppSec team – do Threat Models – do weekly code reviews and security assessments – have embedded security automation automation in your SDL pipeline – have secure coding standards, bug-bounties, dependency management – …. and many other other AppSec activities • Where is security going to come from? • without them … there will be massive security vulnerabilities in code and apps used • and your security model is based on the ‘skill level and business model’ of your attackers Security magic pixie dust
  • 18. Cost of IT Failure https://www.youtube.com/watch?v=877OCQA_xzE
  • 22. It is all code http://www.enhops.com/devops
  • 23. All this to manage code http://www.soa4u.co.uk/2015/04/a-word-about-microservice-architectures.html
  • 28. What about the code? AppSec? http://www.slideshare.net/AmazonWebServices/sec320-leveraging-the-power-of-aws-to-automate-security-compliance
  • 29. • Fixing and Securing the DevOps pipeline is not enough – In fact that is actually the ‘easy’ part • We also need to fix the developers workflow and secure the code they create – Threat Models – Security knowledge in the IDE – Security Champions – Risk Workflows that reward visibility and non-functional requirements Since everything is code, code is root cause
  • 30. • Interesting debate at the moment in the industry • For me Sec-DevOps is about adding security to DevOps • Dev-SecOps is about adding development practices to Security operations • I like the idea that SecDevOps when done right – becomes just DevOps, which when the Ops are done right, – should become just Dev SecDevOps or DevSecOps
  • 33. If you don’t have an SC, get a Mug
  • 35. 1.Open JIRA issues for all AppSec issues 2.Write passing tests for issues reported 3.Manage using AppSec RISK workflow 1.Fix Path: Open, Allocated for Fix, Fix, Test Fix, Close 2.Accept Risk Path: Open, Accept Risk, Approve Risk, (Expire Risk) 4.Automatically report RISK’s status Proposed JIRA workflow
  • 36. RISK Workflow (using JIRA in Cloud)
  • 37. PATH #1 - Fix issue
  • 38. PATH #2 - Accept and Approve RISK
  • 39. PATH #2 - Variation when risk not approved
  • 49. RISK: Support for coffee allows RCE
  • 52. Status: AWAITING RISK ACCEPTANCE
  • 56. All status changes are tracked
  • 57. KEY CONCEPTS FOR JIRA RISK WORKFLOW
  • 58. Key for AppSec JIRA workflow is this button
  • 59. • This is a separate JIRA repo from the one used by devs – I like to call that project ‘RISK’ – This avoids project ‘issue creation’ politics and ‘safe harbour for: • known issues • ’shadow of a vulnerability’ issues • ‘this could be an problem…’ issues • ‘app is still in development’ issues – When deciding to fix an issue: • that is the moment to create an issue in the target project JIRA (or whatever bug tracking system they used) – When issue is fixed (and closed on target project JIRA): • AppSec confirms fix and closes RISK Separate JIRA project
  • 60. • Key is to understand that issues need to be moving on one of two paths: – Fix – Risk Accepted (and approved) • Risks (i.e. issues) are never in ‘Backlog’ • If an issue is stuck in ‘allocated for fix’, then it will be moved into the ‘Awaiting Risk Acceptance’ stage Always moving until fix or acceptance
  • 61. • If you don’t have 350+ issues on your JIRA RISK Project, you are not playing (and don’t have enough visibility into what is really going on) • Allow team A to see what team B had (and scale due due to issue description reuse) • Problem is not teams with 50 issues, prob is team with 5 issues • This is perfect for Gamification and to provide visibility into who to reward (and promote) You need volume
  • 62. • All issues identified in Threat Models are added to the JIRA RISK project • Create Threat models by – layer – feature – bug • … that is a topic for another talk Threat model
  • 66. Weekly emails with Risk status
  • 67. • Components (one per team or project) • Labels (to add metadata to issues, for OWASP Top 10) • Links – connect with internal/external issues and – external resources • Auto emails • Copy and paste of images into description • Markdown • Security restrictions (use with care) • Security lock certain actions • Extra workflow actions for example when moving state) • Create APPSEC JIRA project for AppSec related tasks (like ‘Create Threat Model for app XYZ’) Other powerful JIRA features
  • 70.
  • 71.
  • 73. TDD
  • 74. • For TDD to be productive you need – Real time unit test execution (when hands lift) – Real time code coverage • TDD focus needs to be on – making developers more productive – preventing developers from switching context • If 99% code coverage doesn’t happen ‘by default’ TDD workflow is not working TDD
  • 75. TDD in WebStorm with WallabyJS
  • 76. What happens when you increase attack surface
  • 77. You want a test to fail
  • 78. TDD in WebStorm with WallabyJS • … but is a topic for another talk :)
  • 79. OWASP
  • 80. • Best AppSec conferences of the year • 100s of chapters around the world • 100s of research projects on AppSec • All released under OpenSource and Creative Common licenses • Best concentration of AppSec talent in the world • Please join, collaborate, participate Epicentre of Application Security