DevSecOps - Building Continuous Security Into IT & App Infrastructures

Security teams must adapt security controls to the growing use of DevOps processes such as cloud services, Continuous Integration and Continuous Deployment. Many of them are adopting an approach of Security delivered as a service, or DevSecOps.

In this webcast, SANS Senior Analyst John Pescatore is joined by Chris Carlson, VP Product Management for the Qualys Cloud Agent Platform, to discuss how DevSecOps helps security teams work with DevOps to embed continuous security into IT and application infrastructure, and how to get started and build a DevSecOps program for improved and automated auditing, compliance, and control of applications.

The presentation covers:
• How and why security teams are partnering with app developers and sysadmins to build continuous security capabilities that are embedded into the fabric of IT and application infrastructures
• The key elements of DevOps and modern cloud architecture models driving quality and rapid technical innovation, and how they successfully drive business value
• Why applying DevOps and cloud architecture models to security delivers business value such as lower overall risk, capital expense, and operating costs
• Methods to build DevSecOps into both cloud-first and cloud migration infrastructure deployments and achieve common business benefits in either environment
• The initial steps security teams can take right away to engage application and DevOps counterparts in DevSecOps, and milestones to achieve for quick wins with business value as well as control in active projects.
• Case studies on three industry leaders in how security is applied to DevOps to support secure digital transformation projects.

Watch the on-demand webcast: https://www.sans.org/webcasts/105720


Slide 1: DevSecOps - Building Continuous Security Into IT & App Infrastructures
John Pescatore, SANS
Chris Carlson, Qualys
Slide 2: Protecting Your Company From the Company It Keeps
• Business is increasingly interconnected and interdependent via software
• The bad guys have figured that out. So have the regulators
• The "app cloud" exacerbates that trend, adding further levels of "parties"
• Software security/quality is a key factor in business success
Slide 3: What a Long Strange Trip It Has Been…
Sometimes the light's all shinin' on me,
Other times I can barely see.
Slide 4: The Basics of Cyber Risks
Risk = Threat x Vulnerability +/- Action
• Vulnerabilities are at the center
• Threat actors will act
• Threat delivery continually evolves
• Effectiveness and timeliness of business security action separates high loss from low loss:
  ○ Fewer vulnerabilities
  ○ Faster mitigation action
Slide 5: First there was DevOps
• Amazon: "DevOps is the combination of cultural philosophies, practices, and tools that increases an organization's ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes."
• Not really much new, but key concepts: combine and faster
Slide 6: So, What is SecOps?
• SecOps: "Integrating security processes with IT acquisition, development, administration and operations practices to reduce vulnerabilities and more quickly mitigate exposures."
• Overcoming people/organizational barriers
• Integrating processes, then tools and data flow
Source: devops.tumblr.com
Slide 7: SecOps – Continuous Processes
[Diagram: a continuous loop of process phases with the controls and inputs that feed them]
Phases: Policy, Assess Risk, Baseline, Shield, Eliminate Root Cause, Monitor/Report
Activities: Vuln Assessment/Pen Test, Security Configuration, Mitigate, Discovery/Inventory
Controls: • FW/IPS • Anti-malware • NAC • Patch Management • Config Management • Change Management • Software Vuln Test • Training • Network Arch • Privilege Mgmt • SIEM • Security Analytics • Incident Response
Inputs: Threats, Regulations, Requirements, OTT Dictates
Slide 8: Delivering Security Efficiency and Effectiveness
(Two columns on the slide: Efficiency and Effectiveness)
• Decrease the cost of dealing with known threats
• Decrease the impact of residual risks
• Decrease the cost of demonstrating compliance
• Reduce business damage due to security failures
• Maintain the level of protection with less EBITDA impact
• Increase the speed of dealing with a new threat or technology
• Decrease the time required to secure a new business application, partner, or supplier
• Reduce incident cost:
  ○ Less downtime
  ○ Fewer customer defections
• Security as a competitive business factor
Slide 9: Digital Transformation is driving Business + IT + Security
Slide 10: Digital Transformation – Priorities
#1 Engage Customers
#2 Empower Employees
#3 Optimize Operations
#4 Transform Products & Enable New Business Models
Source: https://news.microsoft.com/apac/2017/02/20/80-of-business-leaders-believe-they-need-to-be-a-digital-business-to-succeed-microsoft-study/microsoft-digital-transformation-infographic-asia
Slide 11: Digital Transformation – Barriers
#1 Cyber Threats & Security Concerns
#1 Lack of Digitally-Skilled Workforce
#2 Lack of Supporting Government Policies and ICT Infrastructure
#3 Uncertain Economic Environment
#3 Lack of Leadership to Ideate, Plan, and Lead Digital Transformation Strategy
Slide 12: Not a Challenge – An Opportunity!
Business Transformation → IT Transformation
IT Transformation → Security Transformation
Slide 13: DevSecOps ≠ DevOps + Security
Slide 14: If DevOps is about Speed, Agility, Automation…
Slide 15: False Approach ~ False Start ~ Failure
Slide 16: Security + DevOps = Revolt or Left Out?
Source: https://theclumpany.wordpress.com/2015/08/09/pitchforks-and-flaming-torches/
Slide 17: Food Safety is a Security Problem in the Manufacturing Pipeline
Source: http://www.foodengineeringmag.com/articles/88990-tech-update-metal-detection-xray-inspection-
Slide 18: Shift Approaches
• Shift Time
• Shift Technique
• Shift Tools
Slide 19: Shift Time
It's not about doing the same things earlier…
…but an opportunity to do different and better things earlier
Slide 20: Case Study: Financial Services Mobile Wallet
Slide 21: Qualys Case Study: Financial Services Mobile Wallet
DevOps practice → Security outcome
1. Born in the cloud: new builds in AWS every 60 days → Commercial/open source vulnerabilities are detected and fixed on the same release cadence
2. Automated regression and test-driven development → Automated regression finds patch issues faster
3. Docker containers abstract applications from the OS → OS vulnerabilities are patched separately from applications
Slide 22: Qualys Case Study: Financial Services Mobile Wallet (continued)
Slide 23: Shift Techniques
Instead of thinking like a security person (perimeter, gates, limiting access, closed…)
…think like a developer:
• Automation
• API Integration
• Continuous Visibility
• Measure + Refine
Slide 24: Qualys Case Study: One of Largest Ecommerce Companies
Slide 25: Qualys Case Study: One of Largest Ecommerce Companies
1. Shift Technique: Tag vulnerable libraries in source control → Apply Technique: Prevent software check-ins that use vulnerable libraries
2. Shift Technique: Vulnerabilities in production are treated as defects → Apply Technique: Automatically open tickets for developers on security issues
3. Shift Technique: Open vulnerabilities reported to business unit VPs → Apply Technique: Excessive remediation times are escalated to the CEO
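The first technique on this slide (tag vulnerable libraries in source control, then refuse check-ins that pin one) is easy to show as a small gate that a pre-commit hook or CI job would run. The block below is an added example written for this page; it is not code from the deck, SANS or Qualys. The library names, versions and tag identifiers are hypothetical, and the manifest format is pip's `name==version` style, assumed for illustration. One caveat worth baking in: a dependency the gate cannot evaluate (unpinned, or in a form it does not parse) is rejected rather than waved through, because a gate that silently passes what it cannot read is not a gate.

```python
"""Check-in gate for tagged vulnerable libraries.

Added example for this page, not code from the deck, SANS or Qualys.  The
library names, versions and tag identifiers below are hypothetical, and the
manifest format is pip's 'name==version' style (assumed for illustration).
"""
import re

# In the case study the tags live in source control; here they are an inline,
# constructed denylist: package -> list of (highest vulnerable version, tag).
VULNERABLE_TAGS = {
    "libfoo": [("1.4.2", "SEC-101")],
    "libbar": [("2.0.0", "SEC-117")],
}

# Constructed manifest a developer is trying to check in.
SAMPLE_MANIFEST = """
# pinned third-party dependencies
libfoo==1.4.2
libbar==2.1.0
libbaz==3.2.1
"""

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text):
    """'1.4.2' -> (1, 4, 2); tuple comparison orders versions numerically."""
    return tuple(int(part) for part in text.split("."))


def parse_manifest(text):
    """Map package name -> pinned version.  Unpinned or unparsable lines are
    rejected (ValueError) so the gate fails closed rather than guessing."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = PIN_RE.match(line)
        if not match:
            raise ValueError(f"unpinned or unparsable dependency: {line!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def vulnerable_pins(pins):
    """Every pin at or below a tagged vulnerable version, as (name, version, tag)."""
    hits = []
    for name, version in pins.items():
        for max_vulnerable, tag in VULNERABLE_TAGS.get(name, []):
            if parse_version(version) <= parse_version(max_vulnerable):
                hits.append((name, version, tag))
    return hits


def check_in_allowed(manifest_text):
    """Gate decision: (allowed, reasons).  Blocks on any tagged pin and on any
    dependency the gate cannot evaluate."""
    try:
        pins = parse_manifest(manifest_text)
    except ValueError as err:
        return False, [str(err)]
    hits = vulnerable_pins(pins)
    return not hits, [f"{name}=={version} is tagged {tag}" for name, version, tag in hits]


if __name__ == "__main__":
    allowed, reasons = check_in_allowed(SAMPLE_MANIFEST)
    print("ALLOWED" if allowed else "BLOCKED", reasons)
```

Run as a pre-commit hook, a non-zero exit on `BLOCKED` is what stops the check-in; run in CI, the same function fails the build. The tag string in each reason is what a ticket or a source-control annotation would carry, which is what makes the "tagged in source control" half of the technique auditable later.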
Slide 26: Shift Tools
Find/implement the right tools for the DevOps processes…
…but:
• You may not need to procure new tools
• APIs, integrations, self-service UIs
• Collaborate with current vendors on your DevOps plans
Slide 27: Qualys Case Study: Financial Investment Services
Slide 28: Qualys Case Study: Financial Investment Services
Challenge:
• 400+ web apps in production
• Web security assessment found they had a lot of "easily" mitigated app vulnerabilities
• Hard for developers to fix security issues in production
Solution:
1. Integrated the production web security assessment tool into DevOps processes via API
2. Automatically create Jira bugs for app development to fix XSS and SQL injection issues
3. Continuously assess web apps in the dev process so issues are not re-introduced
Slide 29: Integrate Production Security Tool into DevOps
[Diagram, shown twice on the slide: Selenium → Qualys WAS → Jira Issues]
Image Source: https://www.smashingmagazine.com/2015/01/basic-test-automation-for-apps-games-and-mobile-web/
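Slides 28 and 29 describe the glue between the scanner and the tracker: findings for XSS and SQL injection become Jira bugs, and the dev-stage scan is repeated so that fixed issues are not re-introduced. The part that is easy to get wrong is identity: without a stable key per defect, every scan re-opens the same bug, and a regression looks like a new finding. The block below is an added example for this page, not code from the deck, SANS or Qualys. It does not call the Qualys WAS or Jira APIs; the finding records are constructed in an assumed shape (not the WAS report format), and the ticket payloads are a generic dict the caller would post to its tracker. It also computes the outcome measure from Slide 31 (vulnerabilities identified and fixed before release) from the same keys.

```python
"""Scan findings -> development tickets, without re-opening duplicates, plus
the 'found/fixed before release' metric.

Added example for this page, not code from the deck, SANS or Qualys.  It does
not call the Qualys WAS or Jira APIs: the finding records below are constructed
in an assumed shape (not the WAS report format), and the ticket payloads are a
generic dict the caller would post to its tracker.
"""
import hashlib
import json

# Constructed output of a web-application scan (assumed shape).  The third
# record is the same defect as the first, reported again on a later scan.
SAMPLE_FINDINGS = json.loads("""[
  {"app": "wallet-web", "type": "XSS", "url": "https://wallet.example/search", "param": "q", "severity": 4},
  {"app": "wallet-web", "type": "SQL Injection", "url": "https://wallet.example/api/tx", "param": "id", "severity": 5},
  {"app": "wallet-web", "type": "XSS", "url": "https://wallet.example/search", "param": "q", "severity": 4},
  {"app": "wallet-web", "type": "Information Disclosure", "url": "https://wallet.example/", "param": "", "severity": 2}
]""")

# Slide 28: bugs are opened automatically for XSS and SQL injection only.
TICKETED_TYPES = {"XSS", "SQL Injection"}


def finding_key(finding):
    """Stable identity for a defect: same app, class, path and parameter
    hash to the same key across scans, so a tracker label can carry it."""
    path = finding["url"].split("?", 1)[0]
    raw = "|".join([finding["app"], finding["type"], path, finding["param"]])
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()[:16]


def tickets_for(findings, open_keys):
    """Ticket payloads for new XSS/SQLi findings, keyed by finding_key.
    Findings whose key is already open (or already queued) are skipped."""
    queued = {}
    for finding in findings:
        if finding["type"] not in TICKETED_TYPES:
            continue
        key = finding_key(finding)
        if key in open_keys or key in queued:
            continue
        queued[key] = {
            "summary": f"[{finding['type']}] {finding['app']} {finding['url']} "
                       f"param={finding['param'] or '-'}",
            "labels": ["security", "dast", key],
            "priority": "Highest" if finding["severity"] >= 5 else "High",
        }
    return queued


def reintroduced(findings, closed_keys):
    """Keys of findings that match a ticket already closed as fixed: a
    regression the dev-stage scan should fail on rather than re-ticket."""
    return {finding_key(f) for f in findings} & set(closed_keys)


def release_metrics(prerelease_findings, production_findings):
    """Slide 31's outcome measure: how many defects the dev-stage scan caught
    that never reached production, as a share of everything seen anywhere."""
    pre = {finding_key(f) for f in prerelease_findings}
    prod = {finding_key(f) for f in production_findings}
    total = len(pre | prod)
    fixed_before_release = len(pre - prod)
    return {
        "found_pre_release": len(pre),
        "reached_production": len(prod),
        "pct_fixed_before_release": round(100 * fixed_before_release / total) if total else 100,
    }


if __name__ == "__main__":
    already_open = {finding_key(SAMPLE_FINDINGS[1])}
    print(json.dumps(tickets_for(SAMPLE_FINDINGS, already_open), indent=2))
    print(release_metrics(SAMPLE_FINDINGS[:2], SAMPLE_FINDINGS[1:2]))
```

The key deliberately drops the query string so that the same injection point reported with different payloads collapses to one bug; it keeps the parameter name so that two parameters on the same page stay separate. Storing the key as a ticket label is what lets `reintroduced` turn "closed as fixed, seen again" into a build failure instead of a fresh ticket, which is the "not re-introduced" half of Slide 28.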
Slide 30: How can you get started?
Slide 31: How can you get started?
Next Week
• Take an accounting of current security tools: are they DevOps-friendly, with APIs, automation, or self-service UIs?
• Identify development teams using DevOps; engage and discuss DevSecOps
• Visible vs. safe project
• Cloud vs. on-premise
Next Quarter
• Integrate security tools into one development lifecycle
• Security process(es) to overcome tool integration gaps
• Measure outcomes: number of vulnerabilities identified/fixed before release
• Host a vendor summit: present your project roadmap and evangelize DevSecOps
Next 6 Months
• Consolidate / select new security tool sets ($$ savings)
• Implement self-service and API-based DevSecOps programs
• Expand to more projects (foundational)
• Present at conferences and user groups on DevSecOps
Slide 32: Resources
• SANS: https://www.sans.org/webcasts/archive/2017
• SAFECode: https://www.safecode.org/
• SANS Difference Makers: https://www.sans.org/cyber-innovation-awards
• Qualys: https://www.qualys.com
• Questions: q@sans.org
• @John_Pescatore
• @Qualys
Slide 33: Acknowledgements
Thanks to our sponsor, and also to our speakers and to our attendees: thank you for joining us today.
© 2017 The SANS™ Institute – www.sans.org
Uploaded to SlideShare by MathieuBouillaguet1, Mar. 16, 2018
