Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial Insights to the DoD
1. © 2020 Denim Group – All Rights Reserved
Thanks for joining our webinar!
We will begin shortly.
ATO with ThreadFix – Bringing Commercial Insights to the DoD
Presented by John Dickson and Dan Cornell
AF Contract: FA864920P0045 (SBIR Phase I)
CAGE: 3UNB6
2.
Building a world where technology is trusted.
ATO with ThreadFix – Bringing
Commercial Insights to the DoD
AF Contract: FA864920P0045 (SBIR Phase I)
CAGE: 3UNB6
John B. Dickson, CISSP #4649
Principal, Denim Group
@johnbdickson
Dan Cornell, CTO
@danielcornell
3.
Overview
• Commercial Insights
• ThreadFix in a CI/CD Workflow
• Walkthrough
4.
John Dickson, CISSP
• Ex-USAF Intel & Cyber Officer
• AFIWC and early AFCERT member
• 20+ years in commercial security
• Security Author and Speaker
5.
Dan Cornell
• Founder and CTO of Denim Group
• Software developer by background
• OWASP San Antonio co-leader
• 20 years experience in software
architecture, development, and
security
6.
• Advisory Services
• Assessment Services
• Vulnerability Resolution Platform
Building a world where technology is trusted
How we can help:
Denim Group is solely focused on helping build resilient
software to withstand sophisticated attacks
• Help industry build secure software
• Web, mobile, IoT, and cloud testing leader
• DevSecOps leader
7.
Commercial Trends
• Business wants instant features and functions
• Pressure to push products and services to market faster with a better customer experience
• Time to market beats many other considerations
• Heavy use of user behavior analytics to customize buying
experience
• Internal customers are becoming better at appreciating product
quality
• Centralized IT becoming fragmented
• https://www.denimgroup.com/resources/whitepaper/security-the-other-side-of-digital-transformation/
8.
While Tech Stack Changing…
• Microservices
• Serverless Applications
• New(er) Languages & Frameworks
• All via CI/CD Pipelines
• All Landing in Cloud!
9.
Impact to Commercial World
• Rollout of new features measured in days
& weeks, not months
• Connected systems throughout the
organization
• Organizational changes are accelerating
• Security might be a consideration, but
time-to-market considerations are
paramount
10.
What DoD can Learn from
Commercial
• Security must be mindfully baked into
DevSecOps pipelines
• Tailored to tech stack and mission function
• The shift to microservices will necessitate
DevSecOps
• Need automation to certify the build
• Need automation for an alternative workflow if you "break the build"
11.
ThreadFix
Commercial Use
• Integrates security and DevOps
• Aggregates and consolidates
vulnerabilities
• Reports and helps prioritize
remediation
• Reduces time to remediation
• Enables security automation for
assessment and authorization
processes
• Enables responsive, timely and
secure software capabilities
12.
How ThreadFix is Used Today
• ThreadFix is used by DoD and IC Development/Operations (DevSecOps) programs
• ThreadFix enables agencies to automate
capability development and the Risk
Management Framework (RMF)
• ThreadFix helps avoid delays saving the
government approximately $2M
13.
Problem/Opportunity
Air Force struggles with the
software development process
not meeting warfighter needs.
Impact
Enables secure automated
capability development for
accreditation processes
Proposed Solution
A security platform for
DevSecOps software factories
to enable secure development
and faster accreditation.
ThreadFix: DevSecOps Vulnerability Management Platform
“This technological innovation is a pivotal investment in protecting software systems that power our nation’s critical
infrastructure and e-commerce industries.” Keven E. Greene, Department of Homeland Security Science & Technology
Cyber Security Division Program Manager
14.
Key Takeaways
• ThreadFix Application Vulnerability Management Platform for
USAF Software Development, Security and Operations
• ThreadFix has proven to reduce mean time to resolution (MTTR) by up to 44%.
• ThreadFix has patented hybrid analysis technology which provides
better vulnerability merge capabilities resulting in fewer false
positives.
• ThreadFix builds security into the development process by
integrating into DevSecOps pipeline tools, significantly reducing
the time and cost to field new software applications and remediate
vulnerabilities.
15.
ThreadFix – Orchestrate
Build Security into Development:
• Integrate automated security
into CI/CD
• Orchestrate scans
• Rapid pass/fail/warn based on
predefined policies
• Auto creation of bugs for Dev
Team
[Diagram: a Dev (CI/CD) auto build triggers a security check in ThreadFix; ThreadFix auto-executes the scanners, returns a sec pass/fail/warn result to the pipeline, and files bugs (sec vulns) into the team's bug trackers.]
An example of ThreadFix's security orchestration
16.
Authority to Operate
• Using FedRAMP as an example:
• https://www.fedramp.gov/issuing-an-authority-to-operate/
• https://www.fedramp.gov/assets/resources/documents/Agency_Authorization_Playbook.pdf
• https://www.fedramp.gov/assets/resources/templates/Agency-ATO-Report-Template-Version.pdf
17.
Challenges with Traditional
Approaches
• Slow
• Manual
• Documentation-centric
• But it does not have to be done this way
• Lock down the aspects that have far less drift
• Use technology to accelerate the parts that
move quickly
18.
Thinking (and Moving) Fast and Slow
19.
Thinking (and Moving) Fast and Slow
• Some aspects of the ATO documentation move
slowly
• Overall system architecture
• Other aspects move faster, but not terribly so
• Testing plans
• Other aspects need to be fully re-run for every
version
• Results of specific testing activities
• Infrastructure testing
• Database testing
• Application testing
• Manual testing
20.
Accelerating via ThreadFix
• Creating a centralized view
• Network/infrastructure
• Application: SAST/DAST/IAST/SCA
• Other results as-needed
• Orchestration and automation
• CI/CD pipelines
• Normalization and de-duplication
• Patented techniques for making sense of disparate
data sources
• Policy reporting
• OWASP Top 10
• DISA STIG
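An added example (not ThreadFix code or any of its file formats) of the consolidate, normalize/de-duplicate and pass/fail/warn policy-gate flow that the Orchestrate and Accelerating slides describe; the two scanner exports and their field layouts are constructed assumptions:

```python
# Added example, not ThreadFix code: consolidate, de-duplicate, gate pass/fail/warn.
from collections import namedtuple

Finding = namedtuple("Finding", "source cwe severity location")

# Constructed sample exports; the field layout is hypothetical, not a real scanner format.
# The SAST list deliberately repeats one finding to exercise de-duplication.
SAST_EXPORT = [
    {"cwe": 89, "severity": "High", "file": "src/login.py", "line": 42},
    {"cwe": 79, "severity": "Medium", "file": "src/views.py", "line": 10},
    {"cwe": 89, "severity": "High", "file": "src/login.py", "line": 42},
]
DAST_EXPORT = [
    {"cwe": 89, "risk": "high", "url": "/login", "param": "user"},
    {"cwe": 79, "risk": "medium", "url": "/search", "param": "q"},
]
# One severity scale for every tool so a single policy can compare across sources.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def normalize(sast, dast):
    """Map both tool-specific shapes onto the common Finding record."""
    out = [Finding("sast", f["cwe"], f["severity"].lower(), f"{f['file']}:{f['line']}")
           for f in sast]
    out += [Finding("dast", f["cwe"], f["risk"].lower(), f"{f['url']}?{f['param']}")
            for f in dast]
    return out

def deduplicate(findings):
    """Drop repeats of the same source, CWE and location, keeping the first seen."""
    seen, unique = set(), []
    for f in findings:
        key = (f.source, f.cwe, f.location)
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique

def evaluate_policy(findings, fail_at="high", warn_at="medium"):
    """Predefined policy: fail at or above fail_at, warn at or above warn_at, else pass."""
    worst = max((SEVERITY_RANK[f.severity] for f in findings), default=-1)
    if worst >= SEVERITY_RANK[fail_at]:
        return "fail"
    if worst >= SEVERITY_RANK[warn_at]:
        return "warn"
    return "pass"

def gate(sast=SAST_EXPORT, dast=DAST_EXPORT, **policy):
    """Build gate: returns (verdict, unique findings to hand to the bug tracker step)."""
    findings = deduplicate(normalize(sast, dast))
    return evaluate_policy(findings, **policy), findings
```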
22.
Walkthrough
• Software Asset Management
• Result Consolidation
• CI/CD Build and Post-Build
• Reporting and Metrics
23.
Tracking Software Assets
24.
Consolidated/Comprehensive View
26.
CI/CD Post-Build
27.
Managing Policies/Criteria
28.
Metrics and Reporting
29.
Building a world where technology is trusted.
@denimgroup
www.denimgroup.com
@johnbdickson
@danielcornell