2017-11 Three Ways of Security - OWASP London
Translating the DevOps "Phoenix Project" "Three Ways" for security. Was recorded... will add link later.
Slide 1. THE THREE WAYS OF SECURITY
Jeff Williams, Co-founder and CTO, Contrast Security

Slide 2. 1. TODAY'S "AVERAGE" APPLICATION IS A SECURITY DISASTER

Slide 3. 2. SOFTWARE IS LEAVING SECURITY IN THE DUST
(Chart: software vs. security, 2000 to 2020; security tooling labelled SAST, DAST, WAF)
• Typical enterprise has hundreds or thousands of applications
• Applications are by far the leading cause of breaches (Verizon DBIR)

Slide 4. 3. SOFTWARE SUPPLY CHAIN SECURITY IS TOTALLY BROKEN
(Timeline, Jan to Oct 2017)
• March 7: CVE-2017-5638 disclosed, Apache releases fixed version
• March 8: We observed widespread attack probes
• Mid-May: Equifax breach occurs
• July 29: Equifax learns of breach
• Sept 7: Equifax discloses; four more Struts2 CVEs disclosed
(Timeline bands: "Prepared" / "Protected" versus "Equifax unaware" / "Equifax ignores" / "Livin' la vida loca" / "Disaster")

Slide 5. DIAGNOSIS: GOALS UNCLEAR, TIME WASTED
What we are delivering: "I ran a scanner"
What we must deliver, across the application/API portfolio:
• Right defenses in place
• Defenses are effective
• Attacks detected/blocked

Slide 6. DEV SEC OPS (image: "Puppy Monkey Baby")

Slide 7. SO WHAT IS DEVOPS?
The "Three Ways" (https://itrevolution.com/the-three-ways-principles-underpinning-devops/):
1. Establish work flow
2. Ensure instant feedback
3. Culture of experimentation

Slide 8. Small batch sizes. Tight feedback loops. Swarm on problems. Optimize for downstream consumers. Produce awesome software.

Slide 9. QUESTION: CAN DEVOPS HELP SECURITY?
Software:
• Problem: software is poor quality, late, slow, and doesn't provide business value.
• Approach: DevOps
• Outcomes: 5x lower change failure rate; 96x faster service MTTR; 2x as likely to exceed business goals
Security:
• Problem: security is poor quality, late, slow, and doesn't provide business value.
• Possible approach: DevOps
• Required outcomes: 10x increase in portfolio coverage? 80% reduction in vulns reaching prod? 0x increase in time to market?

Slide 10. DEV SEC OPS != SHOVING LEGACY SECURITY TOOLS AND PROCESSES
(Legacy tools pictured: Static Analysis, Dynamic Scanning, WAF, Pen Testing)

Slide 11. The "Three Ways" of Security*
1. Establish security work flow
• Build a concrete security story over time
• Enable development to build security
• Rip, mix, and burn security work
2. Ensure instant security feedback
• Enable self-inventory
• Get real application threat intelligence
• Create security notification infrastructure
3. Build a security culture
• Migrate to "positive" security
• Accelerate evolution of your security story
• Promote "security in sunshine"
* Shamelessly adapted from The Phoenix Project, by Gene Kim

Slide 12. The First Security Way: Establish Security Work Flow
Optimize delivery of security work that is valued by the business.

Slide 13. UMM…. WHAT IS SECURITY "WORK"?
1. Business Security Projects: building defenses, compliance, reporting, etc.
2. Internal Security Work: threat modeling, security architecture, security research, vulnerability assessment, tools
3. Operational Security Jobs: remediation, updates, analytics, alerts, tickets, etc.
4. Unplanned Security Tasks: security "firefighting," response, recovery, public relations, etc.

Slide 14. FIRST WAY – BUILD A CONCRETE SECURITY STORY OVER TIME
Your security story maps threat model ➡️ defense strategy ➡️ defenses ➡️ assurance*
Making security concrete:
• Enables communication
• Aligns your team
• Exposes gaps and priorities
• Creates line-of-sight
* Shamelessly lifted from the Rugged Software Project

Slide 15. FIRST WAY – ENABLE DEVELOPMENT TO BUILD SECURITY
• Leverage existing DevOps processes and tools
• Refactor monolithic security tasks into small batch sizes
• Deliver security one little piece at a time

Slide 16. FIRST WAY – WORK ON BIGGEST THREATS, ONE AT A TIME (worked example: XXE)
1. Add a single risk to the threat model: create JIRA ticket "Prevent XXE"
2. Create defense strategy: update the JIRA ticket; standardize parser config; log & block attacks
3. Implement defense: XML library; update training
4. Establish continuous assessment: research typical failures; build custom test cases; enable IAST XXE rule
5. Establish attack protection: enable RASP XXE rule
6. Monitor DEV and OPS: vulns go to JIRA with a Slack alert; attacks go to Splunk and VictorOps
Result: updated security story (XXE). Do you really need security experts for all these tasks?
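The XXE walk-through above names the concrete pieces: a standardized parser configuration, custom test cases, and logging and blocking of attacks. What follows is an added example, not code from the talk, from Contrast Security, or from any IAST/RASP product, of what those pieces look like in Python using only the standard library. The `BLOCKED_EVENTS` list standing in for the Splunk sink, the `appsec.xxe` logger name and the sample documents are all constructed for illustration. The gate rejects any DOCTYPE at the expat callback level, so it stops external entities, internal entity bombs and parameter entities alike, whatever the downstream parser's defaults happen to be.

```python
"""XXE defense as one sanctioned parser entry point, plus the check that
verifies it.  Added example for the XXE walk-through; stdlib only."""
import logging
import xml.etree.ElementTree as ET
import xml.parsers.expat

log = logging.getLogger("appsec.xxe")

# Constructed stand-in for the "attacks go to Splunk" sink on the slide.
BLOCKED_EVENTS: list = []


class XMLSecurityError(ValueError):
    """Document declared a DTD or entity, which the parser policy forbids."""


def _reject_dtd(data: bytes) -> None:
    """Pre-scan with raw expat and abort on any DOCTYPE or entity declaration.

    The callbacks fire before expat expands or fetches anything, so external
    entities (classic XXE), internal entity bombs (billion laughs) and
    parameter entities are all stopped at the declaration.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise XMLSecurityError(f"DOCTYPE {name!r} not allowed (sysid={sysid!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Defence in depth: the DOCTYPE hook fires first for any DTD, so this
        # only matters if someone later relaxes the DOCTYPE rule.
        raise XMLSecurityError(f"entity {name!r} not allowed (sysid={sysid!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)  # malformed XML raises expat.ExpatError here


def parse_xml_safe(data: bytes, source: str = "unknown") -> ET.Element:
    """The one standardized way to parse untrusted XML in the code base."""
    try:
        _reject_dtd(data)
    except XMLSecurityError as exc:
        event = {"rule": "xxe", "source": source, "reason": str(exc)}
        BLOCKED_EVENTS.append(event)          # "log & block attacks"
        log.warning("blocked XML from %s: %s", source, exc)
        raise
    return ET.fromstring(data)


def parse_xml_unsafe(data: bytes) -> ET.Element:
    """The 'before' picture: ElementTree with no DTD policy at all."""
    return ET.fromstring(data)


# Constructed test inputs (not from the talk).
BENIGN = b"<order><id>42</id></order>"
INTERNAL_ENTITY = (
    b'<?xml version="1.0"?><!DOCTYPE order [<!ENTITY x "AAAA">]>'
    b"<order><id>&x;</id></order>"
)
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b"<order><id>&xxe;</id></order>"
)


def verify_xxe_defense() -> dict:
    """Positive-security check: the sanctioned parser must reject every DTD
    variant and still accept benign input.  This is the CI test case."""
    results = {"benign_ok": False, "blocked": 0}
    try:
        results["benign_ok"] = parse_xml_safe(BENIGN, "ci").find("id").text == "42"
    except XMLSecurityError:
        pass
    for payload in (INTERNAL_ENTITY, EXTERNAL_ENTITY):
        try:
            parse_xml_safe(payload, "ci")
        except XMLSecurityError:
            results["blocked"] += 1
    return results


if __name__ == "__main__":
    # The unsafe parser silently expands the declared entity.
    print(parse_xml_unsafe(INTERNAL_ENTITY).find("id").text)  # AAAA
    print(verify_xxe_defense())  # {'benign_ok': True, 'blocked': 2}
    print(BLOCKED_EVENTS)
```

Run it directly and the unsafe parser prints the expanded entity while the sanctioned one blocks both payloads and records the events. `verify_xxe_defense()` is the "custom test case" that belongs in CI: it asserts on the defense itself rather than on an enumeration of XXE payload variants.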
Slide 17. The Second Security Way: Ensure Instant Security Feedback
Establish tight security feedback loops across the lifecycle.

Slide 18. SECOND WAY – ENABLE SELF-INVENTORY
• You need to know the exact version of every app, API, and library running on every server in every environment
• Not hard to fully automate self-inventory
(Diagram: Automatic Application Inventory spanning DEV and OPS: internal, APIs, containers, private cloud, public cloud)
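One way to get "the exact version of every library on every server" without a separate scanner is to have the service report it itself. The block below is an added example, not from the talk or from any vendor's product, that pulls the inventory out of the running Python process via `importlib.metadata` and matches it against an advisory feed. The advisory format, the `ADV-` identifiers, the `acme-*` packages and the "affected when min <= installed < fixed" semantics are assumptions made for illustration; the slide's real-world case was a Java/Struts dependency, which a JVM service would report from its classpath in the same spirit.

```python
"""Automated self-inventory of a running Python service, matched against an
advisory list.  Added example; not the talk's code or any vendor's agent."""
import platform
import socket
from importlib import metadata


def _version_key(version: str) -> tuple:
    """Comparable key for dotted versions: '2.3.32' -> (2, 3, 32).
    Assumption: plain numeric segments; production code would use
    packaging.version, which understands pre-releases and epochs."""
    key = []
    for part in version.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        key.append(int(digits) if digits else 0)
    return tuple(key)


def collect_inventory(app: str, env: str) -> dict:
    """What the slide asks for: app, environment, host, runtime and the exact
    version of every installed library, gathered from the process itself."""
    libs = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if name:
            libs[name.lower()] = dist.version
    return {
        "app": app,
        "env": env,
        "host": socket.gethostname(),
        "runtime": f"python {platform.python_version()}",
        "libraries": libs,
    }


def find_affected(inventory: dict, advisories: list) -> list:
    """Match an inventory against advisories shaped like
    {"id", "package", "min", "fixed"}: affected when min <= installed < fixed."""
    hits = []
    libs = inventory["libraries"]
    for adv in advisories:
        installed = libs.get(adv["package"].lower())
        if installed is None:
            continue                      # not deployed here, nothing to do
        v = _version_key(installed)
        if _version_key(adv["min"]) <= v < _version_key(adv["fixed"]):
            hits.append({
                "id": adv["id"], "app": inventory["app"], "env": inventory["env"],
                "host": inventory["host"], "package": adv["package"],
                "installed": installed, "fixed": adv["fixed"],
            })
    return hits


# Constructed sample data: a hypothetical inventory snapshot and a made-up
# advisory list.  Package names, IDs and version ranges are illustrative.
SAMPLE_INVENTORY = {
    "app": "billing-api", "env": "prod", "host": "web-07",
    "runtime": "python 3.11.4",
    "libraries": {"acme-xmlkit": "2.3.5", "acme-http": "1.9.0", "acme-auth": "4.0.1"},
}
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "package": "acme-xmlkit", "min": "2.0.0", "fixed": "2.3.6"},
    {"id": "ADV-0002", "package": "acme-http", "min": "1.0.0", "fixed": "1.8.0"},
    {"id": "ADV-0003", "package": "acme-queue", "min": "0.1.0", "fixed": "0.2.0"},
]


if __name__ == "__main__":
    live = collect_inventory("billing-api", "dev")
    print(len(live["libraries"]), "libraries installed on", live["host"])
    # Only acme-xmlkit 2.3.5 falls inside an affected range.
    print(find_affected(SAMPLE_INVENTORY, SAMPLE_ADVISORIES))
```

The point of the matching step is the Struts timeline on slide 4: when a new advisory lands, the question "which apps, on which hosts, in which environments are running an affected version" should be answerable in minutes from data the services already emit, not after a manual survey.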
Slide 19. SECOND WAY – GET REAL APPLICATION THREAT INTELLIGENCE
Establish the infrastructure to…
• Know who is attacking you
• Know what techniques they're using
• Know what they're targeting
• … and protect within hours
(Illustration: the Equifax attack)

Slide 20. SECOND WAY – ESTABLISH A REALTIME APPSEC CONTROL PLANE
(Diagram: DEV, TEST and PROD environments, each spanning APIs, containers, private cloud, public cloud)

Slide 21. The Third Security Way: Build Security Culture
A culture that constantly advances security with the threat through experimentation and learning.

Slide 22. THIRD WAY – MIGRATE TO "POSITIVE" SECURITY
• From: testing for all the ways you might introduce XSS
• To: testing to verify your XSS defense
• Measure positive security directly from your running application
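"Measure positive security directly from your running application" means instrumenting the application so it reports whether each untrusted value reached the HTML through the encoder, instead of replaying XSS payloads against it and hoping one fires. The following is an added example, not the talk's code and not how any particular IAST agent is built, of that idea in Python: a marker type for encoded strings, an instrumented output sink, and two views, one correct and one that forgets the encoder. `SafeHTML`, `HTMLSink`, the `h()` encoder, the call-site labels and the sample user are all constructed for illustration.

```python
"""Positive XSS security: instrument the HTML output sink so the running
application reports which untrusted values went through the encoder.
Added example; not the talk's code or any vendor's agent."""
import html
from collections import Counter


class SafeHTML(str):
    """Marker type: text that has been through the sanctioned HTML encoder."""


def h(value: object) -> SafeHTML:
    """The one sanctioned encoder for HTML text and attribute contexts."""
    return SafeHTML(html.escape(str(value), quote=True))


class HTMLSink:
    """Assembles a page and records, per call site, whether each untrusted
    value arrived encoded (SafeHTML) or raw (plain str)."""

    def __init__(self) -> None:
        self.parts = []
        self.stats = Counter()      # keys: "encoded" / "raw"
        self.raw_sites = []         # call-site labels that wrote raw text

    def static(self, template_fragment: str) -> None:
        """Trusted template text: not part of the metric."""
        self.parts.append(template_fragment)

    def write(self, site: str, value: str) -> None:
        """An untrusted value reaching the page at call site `site`."""
        if isinstance(value, SafeHTML):
            self.stats["encoded"] += 1
        else:
            self.stats["raw"] += 1
            self.raw_sites.append(site)
        self.parts.append(str(value))

    def render(self) -> str:
        return "".join(self.parts)

    def coverage(self) -> float:
        """Positive-security metric: share of untrusted writes that were encoded."""
        total = self.stats["encoded"] + self.stats["raw"]
        return self.stats["encoded"] / total if total else 1.0


def render_profile(sink: HTMLSink, user: dict) -> str:
    """Correct view: every untrusted value passes through h()."""
    sink.static("<h1>")
    sink.write("profile.name", h(user["name"]))
    sink.static('</h1><p class="bio">')
    sink.write("profile.bio", h(user["bio"]))
    sink.static("</p>")
    return sink.render()


def render_profile_leaky(sink: HTMLSink, user: dict) -> str:
    """Defective view: the bio is interpolated raw, the classic XSS bug."""
    sink.static("<h1>")
    sink.write("profile.name", h(user["name"]))
    sink.static('</h1><p class="bio">')
    sink.write("profile.bio", user["bio"])     # no h() -> counted as raw
    sink.static("</p>")
    return sink.render()


# Constructed sample user (not from the talk); the bio carries an XSS probe.
SAMPLE_USER = {"name": "Ada <Lovelace>", "bio": '<img src=x onerror="alert(1)">'}


def measure(view) -> dict:
    """Render one view and report the positive-security metric alongside the
    old-style negative check (did the probe survive into the page?)."""
    sink = HTMLSink()
    page = view(sink, SAMPLE_USER)
    return {
        "coverage": sink.coverage(),
        "raw_sites": sink.raw_sites,
        "probe_survived": SAMPLE_USER["bio"] in page,
    }


if __name__ == "__main__":
    print(measure(render_profile))        # coverage 1.0, no raw sites
    print(measure(render_profile_leaky))  # coverage 0.5, raw site profile.bio
```

The leaky view is flagged by `coverage` and `raw_sites` even when the bio is harmless text, which is the point: the measurement is of the defense, not of whether a particular probe happened to fire. A real agent does the same thing by instrumenting the framework's template engine and response writer rather than asking developers to call a custom sink.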
Slide 23. THIRD WAY – ACCELERATE THE EVOLUTION OF YOUR SECURITY STORY
• Celebrate new big risks without recrimination
• Focus on strength and simplicity
• The faster you cycle, the faster you get secure

Slide 24. THIRD WAY – PROMOTE SECURITY IN SUNSHINE
AppSec Visibility Cycle: Monitor Threat ➡️ Create Security Story ➡️ Define Security Defenses ➡️ Implement Security Defenses ➡️ Share Intelligence ➡️ Understand Laws ➡️ Verify Compliance ➡️ Understand Stakeholders
Stakeholders: Audit, Developers, Infosec, Legal, Architects, Users, Research, Business
Three cultures: We Trust / We Blame / We Hide

Slide 25. TRUST

Slide 26. BLAME
"Don't hate the playa, hate the game" -- Ice T

Slide 27. HIDE
The first rule of security is… you do not talk about security.

Slide 28. The "Three Ways" of Security* (recap of slide 11)
* Shamelessly adapted from The Phoenix Project, by Gene Kim

Slide 29. CLOSING THOUGHTS – TURNING SECURITY INTO CODE
• Don't focus on how to build software securely…
• Make software security into something you build!

Slide 30. Ask me anything.
@planetlevel
contrastsecurity.com
(Badge: LEADER, Software Development Solution)