25. Every 2 weeks 1.30 PM UK Time
Cyber #MentoringMonday
Podcast
@FrankSEC42
26. Cyber Security Awards 2020
Cloud Security Influencer of the Year
Submission – 10 May 2020 (TBD)
Ceremony 4 July 2020
#CYSECAWARDS20 https://cybersecurityawards.com/
https://cloudsecurityalliance.org.uk
Submit: info@cybersecurityawards.com
Info:
Intro
Thank you for being here and a thanks to Whitehall media for organizing this event
What are we going to talk about?
<pause?>
… oh yes, the phoenix and the death of infosec
<pause?>
…oh sorry, you thought you would have a future as security people? Well, yes and no…
<smile & pause>
Who has read Harry Potter here?
Who here knows what a phoenix is?
And how does a phoenix relate to infosec?
Today we are going to talk about how the infosec program is reborn under a rain of fire inside the DEV-OPS world
Agenda for today
- Author
- Quick background
- Evolution of DEVOPS in Security Phoenix
- Security Phoenix – Visualization & Security Phoenix Tech
- Security Phoenix – Security Ops
- Security Phoenix – Governance & Education
- Trust & Verify / License to operate
- Conclusions
- Q&A
Quick background about Francesco…me…as you might have noticed my favorite colors are black and red.
I’m a Cybersecurity Cloud Expert and CISO/Advisor. I’m an active public speaker, as you can see, researcher and Director of Events at Cloud Security Alliance UK, researcher and associate of ISC2.
I’ve been helping organizations define and implement cybersecurity strategies and protect themselves against cyber attacks.
I help international organizations of different industries and sizes (financial services, banking, telco) and this gives me a different perspective on the security problem.
One important theme that I put in all my presentations is that security is everybody’s job, and we will see why.
Also
The key to success in security is to make it frictionless
So what is DEV-OPS?
Opening: So, what are we talking about? DEVOPS and Security. What the heck is DEVOPS?
DEVOPS is a mythological beast… where you merge the development community with the operational community to have a single animal that is responsible for the lifecycle of its own application
It is continuous integration between DEVelopment and OPerationS
Why is it so relevant today? Because of the speed of delivery
So how do we add another element to this picture (Sec)? … Security Phoenix is where DEV-OPS is reborn as a mythological animal with security at its heart
So what are the different parts of a phoenix?
People and education at the head (head)
Design (wing)
Build & Test (wing)
Operate is at the heart (heart)
Guided by governance and risk management (tail)
Can a bird fly without wings or with just one wing? Maybe but really badly
Can a bird fly without a head? Don’t think so
Can a bird have direction without a tail?
But ultimately security is about our people as they are our herald! Security is everybody’s job
Let’s see why
Why is security important
Major breaches over the years…let’s think about the dark knights
We can’t scale! We need more security people !
I’ll let this image sink in for a second. Those are just the major breaches over the years. Most of them were due to mistakes like unpatched systems, exposed databases, password guessing, brute force.
What do all those breaches have in common?
Complex nation-state act – no
Complex and intricate cyber attacks – sometimes
Missing the basics (e.g. patching) and human error is the answer you are really searching for.
By doing the basics right you will be better off than 80% of other organizations
This explains why security is everyone's responsibility: because we all get affected by it!
https://blog.storagecraft.com/7-infamous-cloud-security-breaches/
https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
A lot of the breaches have similarities:
Basic patching
Server exposed without credentials
Setting the context
Just to let you know what the malicious actors have been up to:
Just to give some perspective:
Size of the breaches (orange interesting stories)
https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
So how does security fit in DEV-OPS?
Done badly, the existing governance and controls get forced onto the new world
Done correctly security becomes almost transparent
So how do we do it correctly? With Security Phoenix! Security Function is reborn!
Let’s analyze the phoenix
What would you get out of the pillars?
Trust of the developers – Embedding security in the DEV-OPS pods. Key enabler for doing this at scale? Trust & Verify and License to operate
How to fix vulnerability at scale? The concept of Triage and Visualization
Upskill and fill the gap in security:
Keep people accountable: Security Governance
Shift Left & Design – not talking much here
So let’s see the people aspect: Trust & Verify and license to operate
Problem that we are trying to solve: how to fix the problem at scale and at pace
DEV-SEC-OPS
Ultimately it is all about our people & education
People are the first line of defence for your business
What are the key concepts of Security Phoenix?
Trust the team but verify (dashboards, build vs fix)
License to operate: if you deploy quality code you have the license
Fixing vulnerabilities as everyday life (sprint)
Set thresholds (reduction of vulnerabilities and build vs fix)
This new mode of operation shall rely on the ability of the team to demonstrate they can operate securely and at pace
Transformation – License to Operate -> Trust your DEV-OPS but verify
As long as the DEV-OPS team operates under the license
Apply governance (light and heavy weight)
Make security everybody’s responsibility but provide resource to guide (during transformation)
The whole concept relies on license to operate: if you promote good code, you are good to go
How to verify:
Thresholds for reduction of vulnerabilities (Dashboards)
Thresholds for Build VS fix
Security Learning
Code Scanners -> Output in Phoenix DB -> Thresholds
Code Scanners -> Output in Jira ticket -> Threshold in Phoenix DB -> Build vs FIX tickets
Learning platform -> Output in Phoenix DB -> team doing training?
Teams triage and remediate locally to the pod
People aspect: risk management & BUZ – not yet automated
If something can’t be updated/remediated then risk assessment (not covered here)
Application/Product owner (empowered by Pods and Security Champions) decides how many vulnerabilities to fix at every sprint
The Pod Structure
Dev + Engineers – DEV + OPS
Sec Champions to show what good looks like
App Owner to guide the business for new feature
Sec Arch – To oversee the Design Part of application and review changes
Monitoring –
AppSec (day-in, day-out vuln fixes)
Dashboard and trending – what vulnerability to fix first
Build vs FIX - ensure the thresholds are healthy
Trust your developers and apply a ‘license to operate’ -> this can be removed
Apply governance (light and heavy weight) – faster for team that are compliant with security more scrutiny for team that are not
Visualize and keep everyone accountable – give the product owner the ability to see if new vulnerabilities are getting introduced
Make security resource available to the developers and document the fixes – produce internal reference for what security looks like for your org
The whole concept relies on license to operate: if you promote good code, you are good to go
How to verify:
Thresholds for reduction of vulnerabilities (Dashboards)
Thresholds for Build VS fix
Scanner output in Jira
Teams triage and remediate locally to the pod
If something can’t be updated/remediated then risk assessment (not covered here)
Application/Product owner (empowered by Pods and Security Champions) decides how many vulnerabilities to fix at every sprint
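The "trust but verify" loop described above (scanner output, thresholds on vulnerability reduction and build-vs-fix, a training check, and the product owner choosing how many findings to fix per sprint) as a small, added worked example. This is hypothetical code written for these notes, not the speaker's Phoenix DB or any real product; the finding ids, sprint numbers, severity weights and thresholds are constructed.

```python
"""License-to-operate gate (added example, hypothetical tooling).

Reads scanner findings for one pod, compares the open risk at the end of two
consecutive sprints, checks build-vs-fix, and decides whether the pod keeps its
licence (light governance) or falls under heavier scrutiny. The product owner's
sprint budget picks which open findings to fix next.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed weights and thresholds; tune them for your own organisation
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}
MIN_REDUCTION = 0.10  # open risk score must drop by at least 10% per sprint


@dataclass
class Finding:
    finding_id: str
    severity: str
    sprint_found: int               # sprint in which a scanner first reported it
    sprint_fixed: Optional[int]     # None while still open


# Constructed scanner export for one pod (hypothetical ids)
FINDINGS: List[Finding] = [
    Finding("F-001", "critical", 1, 2),
    Finding("F-002", "high", 1, None),
    Finding("F-003", "high", 1, 2),
    Finding("F-004", "medium", 1, None),
    Finding("F-005", "medium", 2, None),
    Finding("F-006", "low", 2, 2),
    Finding("F-007", "low", 2, None),
]


def open_at_end_of(sprint: int, findings: List[Finding]) -> List[Finding]:
    """Findings reported by that sprint and not yet fixed at its end."""
    return [f for f in findings
            if f.sprint_found <= sprint
            and (f.sprint_fixed is None or f.sprint_fixed > sprint)]


def risk_score(findings: List[Finding]) -> int:
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def build_vs_fix(sprint: int, findings: List[Finding]):
    """How many findings the sprint introduced ('built') versus closed ('fixed')."""
    built = sum(1 for f in findings if f.sprint_found == sprint)
    fixed = sum(1 for f in findings if f.sprint_fixed == sprint)
    return built, fixed


def evaluate_license(sprint: int, findings: List[Finding], training_complete: bool,
                     min_reduction: float = MIN_REDUCTION) -> dict:
    """Trust the team, but verify against the dashboard thresholds."""
    prev = risk_score(open_at_end_of(sprint - 1, findings))
    curr = risk_score(open_at_end_of(sprint, findings))
    reduction = (prev - curr) / prev if prev else 1.0
    built, fixed = build_vs_fix(sprint, findings)
    reasons = []
    if reduction < min_reduction:
        reasons.append(f"risk score reduced by {reduction:.0%}, threshold is {min_reduction:.0%}")
    if fixed < built:
        reasons.append(f"built {built} new findings but fixed only {fixed}")
    if not training_complete:
        reasons.append("security training not completed this sprint")
    return {
        "sprint": sprint,
        "reduction": round(reduction, 3),
        "built": built,
        "fixed": fixed,
        "licensed": not reasons,
        # compliant teams get light-weight governance, the others more scrutiny
        "governance": "light" if not reasons else "heavy",
        "reasons": reasons,
    }


def plan_sprint(sprint: int, findings: List[Finding], budget: int) -> List[str]:
    """Product owner's choice: fix the `budget` worst, oldest open findings first."""
    backlog = open_at_end_of(sprint - 1, findings)
    backlog.sort(key=lambda f: (-SEVERITY_WEIGHT[f.severity], f.sprint_found))
    return [f.finding_id for f in backlog[:budget]]


if __name__ == "__main__":
    print(evaluate_license(2, FINDINGS, training_complete=True))
    print("next sprint:", plan_sprint(3, FINDINGS, budget=2))
```

The thresholds are deliberately simple so that a dashboard can show them as two numbers per pod: the percentage drop of the open risk score and the built-versus-fixed count. A team that misses either, or skips its training, keeps working but under heavier governance rather than being blocked.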
Let’s see the visualization aspect behind the elements discussed
Thresholds example (DEV)
Theme: Visualization helps both the teams working on the code and the application owner providing governance
The tools ultimately are not as intelligent as a developer but only provide suggestions on how to prioritize vulnerabilities
Scanners architecture
Different scans at different stages
Divide DEV/Prod
Scanners individual dashboards for false positives
Aggregate the vulnerabilities in aggregators (e.g. Kenna)
Scanners dashboards to mark false positives or risk accept but make sure there is a process behind it
Triage of the vulnerabilities inside the scanners or feed into auto generation of tickets
For operations – scan/monitor & bug fix (nothing other than a change)
Key thing here: prioritize what to fix! Fixes will be in competition with features! It is not all about security
OS & App – Scan and monitor – Rebuild frequently so you don’t have to worry
Framework – Scan & Patch – Rebuild App with latest (release cadence)
FOSS – open source components! Watch for Contributor account take over (refer to Netflix)
Libraries & Open source components – Scan & rebuild with new libraries - Rebuild App with latest (release cadence) – RISK management if you can’t update or no update is available
Code – from your DEV pipeline – those are your security code defects (internal or external bug bounty to detect which one is more dangerous)
For open source vulnerabilities it takes a long time to fix
Why is that?
Because rebuilding is not always immediate
You say 0-days? I say normally a patch takes between 16 and 94 days to be applied…
That leaves you with a lot of exposure
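The scanner architecture above (several scanners, one aggregator, false positives and risk acceptances only honoured when a process sits behind them, tickets auto-generated for the rest, and a different remediation route per layer: OS, framework, library, code) as an added worked example, together with the exposure window the last slide talks about. This is hypothetical code written for these notes, not the speaker's tooling or any named aggregator; both scanner exports, the CVE-style ids (placeholders, not real advisories), the acceptance records and the dates are constructed.

```python
"""Vulnerability aggregator (added example, hypothetical tooling).

Normalises findings from two scanners with different field names, merges the
same vulnerability seen by both, applies false-positive / risk-acceptance
records only when approver, reason and an unexpired date are present, computes
days of exposure since disclosure, and emits tickets for what is still open.
"""
from datetime import date
from typing import Dict, List, Tuple

Key = Tuple[str, str, str]  # (component, version, vulnerability id)
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
LAYER_MAP = {"os": "os", "framework": "framework", "library": "library",
             "dependency": "library", "code": "code"}
# Remediation route per layer, following the scan/rebuild/patch split in the notes
ACTION_BY_LAYER = {
    "os": "rebuild image on the current base",
    "framework": "patch framework and rebuild app on release cadence",
    "library": "update library and rebuild app",
    "code": "fix in the dev pipeline (security code defect)",
}

# Constructed exports from two hypothetical scanners; ids are placeholders
SCANNER_A = [
    {"id": "A-1", "layer": "library", "component": "libfoo", "version": "1.2.0",
     "cve": "CVE-0000-0001", "severity": "HIGH", "published": "2020-01-10"},
    {"id": "A-2", "layer": "os", "component": "openssl", "version": "1.0.2",
     "cve": "CVE-0000-0002", "severity": "CRITICAL", "published": "2019-12-01"},
]
SCANNER_B = [
    {"ref": "B-7", "kind": "dependency", "pkg": "libfoo@1.2.0",
     "vuln": "CVE-0000-0001", "level": 7.5, "disclosed": "2020-01-10"},
    {"ref": "B-9", "kind": "code", "pkg": "checkout-service",
     "vuln": "SQLI-RULE-12", "level": 9.1, "disclosed": "2020-03-02"},
]
# Constructed acceptance records; the second one has no process behind it
ACCEPTANCES = [
    {"key": ("openssl", "1.0.2", "CVE-0000-0002"), "status": "risk_accepted",
     "approver": "app-owner", "reason": "host rebuilt weekly, port not exposed",
     "expires": "2020-06-30"},
    {"key": ("checkout-service", "", "SQLI-RULE-12"), "status": "false_positive"},
]


def severity_from_score(score: float) -> str:
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    return "medium" if score >= 4.0 else "low"


def normalize_a(rec: dict) -> dict:
    return {"key": (rec["component"], rec["version"], rec["cve"]),
            "layer": LAYER_MAP[rec["layer"]], "severity": rec["severity"].lower(),
            "published": date.fromisoformat(rec["published"]), "sources": [rec["id"]]}


def normalize_b(rec: dict) -> dict:
    component, _, version = rec["pkg"].partition("@")
    return {"key": (component, version, rec["vuln"]),
            "layer": LAYER_MAP[rec["kind"]], "severity": severity_from_score(rec["level"]),
            "published": date.fromisoformat(rec["disclosed"]), "sources": [rec["ref"]]}


def acceptance_valid(rec: dict, today: date) -> bool:
    """A false positive or risk acceptance only counts when the process is behind it."""
    if not (rec.get("approver") and rec.get("reason") and rec.get("expires")):
        return False
    return today <= date.fromisoformat(rec["expires"])


def aggregate(today: date) -> List[dict]:
    merged: Dict[Key, dict] = {}
    for f in [normalize_a(r) for r in SCANNER_A] + [normalize_b(r) for r in SCANNER_B]:
        cur = merged.get(f["key"])
        if cur is None:
            merged[f["key"]] = f
            continue
        # same vulnerability from two scanners: one record, worst severity, all sources
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[cur["severity"]]:
            cur["severity"] = f["severity"]
        cur["sources"].extend(f["sources"])
    acceptances = {a["key"]: a for a in ACCEPTANCES}
    for f in merged.values():
        f["exposure_days"] = (today - f["published"]).days
        f["status"], f["note"] = "open", ""
        acc = acceptances.get(f["key"])
        if acc is not None:
            if acceptance_valid(acc, today):
                f["status"] = acc["status"]
            else:
                f["note"] = "acceptance rejected: needs approver, reason and unexpired date"
    return list(merged.values())


def make_tickets(findings: List[dict]) -> List[dict]:
    """Worst severity first, then longest exposure; only open findings become tickets."""
    todo = sorted((f for f in findings if f["status"] == "open"),
                  key=lambda f: (-SEVERITY_RANK[f["severity"]], -f["exposure_days"]))
    return [{"key": f["key"],
             "title": f"[{f['severity']}] {f['layer']}: " + " ".join(p for p in f["key"] if p),
             "action": ACTION_BY_LAYER[f["layer"]],
             "exposure_days": f["exposure_days"],
             "sources": ", ".join(f["sources"]),
             "note": f["note"]} for f in todo]


if __name__ == "__main__":
    for t in make_tickets(aggregate(date(2020, 4, 1))):
        print(t)
```

Two details matter in practice: the acceptance record without an approver is not silently honoured, so the finding still reaches the pod as a ticket with a note, and an acceptance that has passed its expiry date reopens the finding, which is how the exposure window stays visible instead of being marked away once and forgotten.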
So Let’s see the last aspect: Design and Education
Security governance in dev-sec-ops – Challenging
Definition of change: Small Changes vs security impacting changes
Change control & Security education – security review closer to the Application PODs
Initial design assessment
Improvements:
Pre approved services
Patterns
Standards into automation
Educate the Users -> Report vulnerability
Educate the Users -> Aware of social engineering
Hands on and hands-off training (OWASP great resource)
Security is hard and the role of the architect is changing
No 1 solution fits all, tailor this model to your organization!
Key concepts:
Trust And Verify
Vulnerability Management every day life
Automation vs people aspect – it is a transformation
Data Driven Education
Governance at scale
Closing:
Ultimately there is no one solution that fits all, and look at the security transformation as a people transformation. You can’t automate people, but you can make people’s lives easier using tools. Don’t let the tools use you, but use the tools to prioritize the work