1. Red7:|:applicationsecurity
© Copyright 2017 Robert Grupe. All rights reserved.
AGILE APPSEC DEVOPS
Secure Software Development
with Agile DevOps
Robert Grupe, CISSP, CSSLP, PE, PMP
Tags: Application, Software, Security, Development, AppSec, DevOps, DevSecOps, OWASP, Agile, Kanban, Scrum, Best Practices, Feature Driven Development, FDD, Test Driven Development, TDD
2. Presentation Summary
How Application Security (AppSec) and the Secure Software Development Life Cycle (SSDLC) are applied to Development and IT Operations (DevOps) in Agile, rapid software development and delivery.
Moving from:
1. Waterfall/Agile: AppSec
2. Feature Driven Development: AppSec with DevOps
3. Test Driven Development (TDD): DevSecOps
3. Table of Contents
1. AppSec with DevOps: Feature Driven Development
   1. Foundational Elements
2. DevSecOps: Security Driven Development
5. DevOps
Dev
• Plan: Requirements, Architecture, Schedule
• Create: Design, Coding, Build
• Verify: Test
• Package: Pre-Production Staging
Ops
• Release: Coordinating, Deploying
• Configure: Infrastructure, Applications
• Monitor: Performance, Use, Metrics
DevOps: collaboration of the software delivery teams:
• Developers;
• Operations;
• Quality Assurance: Testers;
• Management;
• etc.
Continuous Development: automates delivery and focuses on
• bringing together different processes;
• executing them more quickly and more frequently.
6. SSDLC (SDLC with AppSec)
Requirements (Scoping)
• AppSec Requirements (User Stories with Acceptance Criteria)
• Security & Regulatory Risk Assessment
Design
• Frameworks, Patterns
• Analyze Attack Surface
• Threat Modeling
Implementation (Development)
• Approved Tools
• Deprecate Unsafe Functions
• Static Analysis
• Unit Tests / User Story Acceptance
Verification (Test)
• Dynamic Analysis
• Fuzz Testing
• Attack Surface Review
• Penetration Testing
Release
• Deferred Defects Risk Acceptance
• Go/No-Go
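Two of the Implementation-phase activities above, "Deprecate Unsafe Functions" and "Static Analysis", can be wired into the build as one gate. The following is an added example, not code from the presentation: a minimal Python checker that scans C sources for calls to banned functions and fails the build when it finds one. The BANNED policy (a small subset of the kind of banned-API list Microsoft's SDL uses) and the sample C file are constructed for the example; a real project extends the list and runs this beside a full SAST tool, not instead of one.

```python
"""Added example (not from the presentation): build-time 'deprecated unsafe
function' check, a minimal static-analysis gate for C sources.

Assumptions: the BANNED policy and SAMPLE_C below are constructed for the
example; only project sources are scanned (system headers that declare these
functions are not fed to the scanner).
"""
import re
import sys
from typing import Dict, List, NamedTuple, Tuple

# Banned function -> replacement the policy recommends (example policy).
BANNED: Dict[str, str] = {
    "strcpy": "strlcpy/strcpy_s, or memcpy with an explicit length",
    "strcat": "strlcat/strcat_s",
    "sprintf": "snprintf",
    "vsprintf": "vsnprintf",
    "gets": "fgets",
}


class Finding(NamedTuple):
    path: str
    line: int
    func: str
    replacement: str


# Comments and string/char literals are blanked before matching, so a banned
# name inside a comment or a log message does not count as a call.
_NON_CODE = re.compile(
    r"""//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'""",
    re.DOTALL,
)
# A call: the bare banned name followed by '('. The \b keeps my_strcpy( from
# matching, and the required '(' keeps strcpy_s( from matching.
_CALL = re.compile(r"\b(" + "|".join(map(re.escape, BANNED)) + r")\s*\(")


def _blank_non_code(text: str) -> str:
    """Replace comments and literals with spaces, preserving newlines so the
    reported line numbers still refer to the original file."""
    return _NON_CODE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), text)


def scan_source(text: str, path: str = "<memory>") -> List[Finding]:
    """Return every banned call in one C source, in file order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(_blank_non_code(text).splitlines(), start=1):
        for m in _CALL.finditer(line):
            findings.append(Finding(path, lineno, m.group(1), BANNED[m.group(1)]))
    return findings


def build_gate(sources: Dict[str, str]) -> Tuple[bool, List[Finding]]:
    """CI gate: (passed, findings). Any banned call fails the build."""
    findings = [f for path, text in sources.items() for f in scan_source(text, path)]
    return (not findings, findings)


# Constructed sample source exercising the cases the scanner must get right.
SAMPLE_C = r'''#include <stdio.h>
#include <string.h>

/* strcpy in a comment must not count */
void copy_name(char *dst, const char *src, size_t n) {
    strncpy(dst, src, n);           /* different function: not flagged */
    puts("use strcpy?");            /* inside a string literal: ignored */
    strcpy(dst, src);               /* real call: flagged (line 8) */
    snprintf(dst, n, "%s", src);    /* safer form: allowed */
    sprintf (dst, "%s", src);       /* flagged despite the space (line 10) */
}
'''

if __name__ == "__main__":
    passed, findings = build_gate({"copy.c": SAMPLE_C})
    for f in findings:
        print(f"{f.path}:{f.line}: banned call {f.func}(); use {f.replacement}")
    sys.exit(0 if passed else 1)
```

Run as a build step, the non-zero exit status is what the pipeline keys on; the same `scan_source` can run in the IDE on the file being edited (item "SAST in IDE" later in the deck) so the developer sees the finding before the build does.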
7. Application Security Requirement Foundation
• AppSec Requirements Library
• Use Cases with Acceptance Criteria
• Compliance Traceability
• Feature Use Case Process Flow Diagrams
• Architecture, Components, Patterns
• Prototypes
• Risk Assessment / Threat Modeling Intake:
  • Context Diagram
  • Data Flow Diagram
  • Data Map & Model
  • Process Flow Diagrams
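"Use Cases with Acceptance Criteria" and "Compliance Traceability" above become concrete when each acceptance criterion of a security user story is an executable check that also records which control it satisfies. The following is an added example, not code from the presentation: one constructed story (hypothetical ID US-042) about session and password handling, a small implementation, and the criteria run as checks. The story, the criteria, the control references (OWASP ASVS chapter names) and the implementation are all assumptions made for the example.

```python
"""Added example (not from the presentation): one security user story whose
acceptance criteria are executable checks, each traced to a control reference.

Assumptions: the story ID US-042, the criteria, the control references and the
small session/password implementation are all constructed for the example.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional, Tuple

STORY = ("US-042: as a signed-in user, my session and my password must not be "
         "taken over through cookie theft or a leak of the password store")

# criterion id -> (acceptance criterion, compliance reference it traces to).
# OWASP ASVS chapter names serve as the reference; substitute your own control set.
CRITERIA: Dict[str, Tuple[str, str]] = {
    "AC-1": ("session cookie carries the Secure flag", "OWASP ASVS V3 Session Management"),
    "AC-2": ("session cookie carries HttpOnly", "OWASP ASVS V3 Session Management"),
    "AC-3": ("session cookie is SameSite=Strict or Lax", "OWASP ASVS V3 Session Management"),
    "AC-4": ("session ids have >= 128 bits of entropy and never repeat", "OWASP ASVS V3 Session Management"),
    "AC-5": ("passwords are stored salted and hashed, never recoverable", "OWASP ASVS V2 Authentication"),
    "AC-6": ("stored hash verifies the right password and rejects a wrong one", "OWASP ASVS V2 Authentication"),
}

# --- implementation under test (kept small on purpose) ----------------------

def new_session_id() -> str:
    """256 bits from the OS CSPRNG; never derived from user data or the clock."""
    return secrets.token_urlsafe(32)

def issue_session_cookie(session_id: str) -> str:
    """Set-Cookie value: not sent over plain HTTP, not readable by script,
    not attached to cross-site requests."""
    return f"sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"

def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored self-describing."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

# --- acceptance criteria as checks ------------------------------------------

def _cookie_attrs(set_cookie: str) -> Dict[str, str]:
    """'sid=x; Secure; SameSite=Strict' -> {'secure': '', 'samesite': 'strict'}."""
    attrs: Dict[str, str] = {}
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value.lower()
    return attrs

_PW = "correct horse battery staple"   # constructed test password

def acceptance_report() -> Dict[str, bool]:
    """Run every criterion once; any False keeps the story from 'done'."""
    cookie = _cookie_attrs(issue_session_cookie(new_session_id()))
    ids = {new_session_id() for _ in range(1000)}
    stored = hash_password(_PW)
    return {
        "AC-1": "secure" in cookie,
        "AC-2": "httponly" in cookie,
        "AC-3": cookie.get("samesite") in ("strict", "lax"),
        "AC-4": len(ids) == 1000 and min(map(len, ids)) >= 22,       # 22 url-safe chars = 128 bits
        "AC-5": _PW not in stored and hash_password(_PW) != stored,   # random salt: same pw, new hash
        "AC-6": verify_password(_PW, stored) and not verify_password(_PW.upper(), stored),
    }

def traceability() -> List[Tuple[str, str, str, bool]]:
    """(criterion id, criterion, control reference, passed): one compliance-trace row each."""
    results = acceptance_report()
    return [(cid, text, ref, results[cid]) for cid, (text, ref) in CRITERIA.items()]

if __name__ == "__main__":
    print(STORY)
    for cid, text, ref, ok in traceability():
        print(f"{cid} {'PASS' if ok else 'FAIL'}  {text}  [{ref}]")
```

The point of the layout is that the story, its criteria and the control references live in the same file as the checks, so the traceability report is generated from what actually ran rather than maintained by hand.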
8. Agile: Scrumban FDD*
• Kanban workflow†
• Scrum development
Workflow (figure): Ideas → Features w/ User Stories → Design → Dev → Test: Static → Test: Dynamic → Final Approval → Release, with a WIP limit on each column.
* Feature Driven Development
† Adaptive Software Development
9. Phase 1 (Foundational) AppSec DevOps: Security Feature Driven Development
• User Stories
• Assess Risks
• Frameworks/Patterns
• Attack Analysis
• Threat Modeling
• Approved Tools
• Deprecate Functions
• Static Analysis
• Unit Tests
• Dynamic Analysis
• Fuzz Testing
• Attack Review
• Penetration Testing
• Risk Acceptance
• Go/No-Go
• Logs
• Alerts
• Management
• Usage
• Changes
• Vulnerabilities
• Dashboards & Reports
11. Host Platform Prerequisites
0.01 Minimum required platform components
0.02 Fully patched and up-to-date platform
0.03 Vulnerability-free components and development framework
0.04 Host firewalling: only required ports
0.05 Anti-malware scanning
0.06 Load balancing
0.07 Resiliency – failover
0.08 Backups – encrypted
0.09 Certificate Management
0.10 Key Management
0.11 Access Management: least privilege roles for admin & maintenance
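Prerequisite 0.04 ("only required ports") is easy to state and easy to drift from. The following is an added example, not code from the presentation: a Python audit that parses `ss -H -lntu` output on Linux, compares every listening socket with a required-port policy, and also checks the bind scope so a service that should only listen on loopback is caught when it is exposed on all interfaces. The POLICY table and the sample `ss` output are constructed for the example.

```python
"""Added example (not from the presentation): audit listening sockets against
a 'required ports only' policy (prerequisite 0.04), including bind scope.

Assumptions: POLICY and SAMPLE_SS are constructed for the example; SAMPLE_SS
follows the column layout of `ss -H -lntu` (iproute2 on Linux).
"""
import subprocess
from typing import Dict, List, NamedTuple, Tuple

# (protocol, port) -> permitted bind scope. Anything not listed is a violation.
POLICY: Dict[Tuple[str, int], str] = {
    ("tcp", 22): "any",         # ssh for admin/maintenance (who, per 0.11)
    ("tcp", 443): "any",        # the application itself
    ("tcp", 5432): "loopback",  # database: reachable from the app only
    ("tcp", 6379): "loopback",  # cache: reachable from the app only
    ("udp", 53): "loopback",    # local stub resolver
}

WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int


def parse_ss(output: str) -> List[Listener]:
    """Parse `ss -H -lntu` lines: Netid State Recv-Q Send-Q Local:Port Peer:Port."""
    listeners: List[Listener] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")   # rpartition keeps IPv6 '[::]' intact
        addr = addr.split("%", 1)[0]                 # drop scope id, e.g. 127.0.0.53%lo
        listeners.append(Listener(fields[0], addr, int(port)))
    return listeners


def scope_of(addr: str) -> str:
    """Classify a bind address: 'any' (all interfaces), 'loopback', or one 'interface'."""
    if addr in WILDCARDS:
        return "any"
    if addr.startswith("127.") or addr in ("::1", "[::1]"):
        return "loopback"
    return "interface"


def audit(listeners: List[Listener], policy: Dict[Tuple[str, int], str] = POLICY) -> List[str]:
    """Return one violation string per listener that the policy does not permit."""
    violations: List[str] = []
    for l in listeners:
        allowed = policy.get((l.proto, l.port))
        if allowed is None:
            violations.append(f"{l.proto}/{l.port} on {l.addr}: not in required-port policy")
        elif allowed == "loopback" and scope_of(l.addr) != "loopback":
            violations.append(f"{l.proto}/{l.port} on {l.addr}: policy allows loopback only")
    return violations


def live_audit() -> List[str]:
    """Audit this host; raises if `ss` is not available (non-Linux or missing iproute2)."""
    out = subprocess.run(["ss", "-H", "-lntu"], check=True, capture_output=True, text=True).stdout
    return audit(parse_ss(out))


# Constructed sample in the shape of `ss -H -lntu` output.
SAMPLE_SS = """\
tcp   LISTEN 0      4096       127.0.0.1:5432      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:8080      0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      4096         0.0.0.0:6379      0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
"""

if __name__ == "__main__":
    for v in audit(parse_ss(SAMPLE_SS)):
        print("VIOLATION:", v)
```

On the sample, the stray dev port 8080, the SNMP agent on 161 and the cache exposed on all interfaces are reported; the loopback-only database and resolver pass. Running `live_audit()` from a configuration-management run (the Configure stage tools in the notes) turns the checklist item into a recurring control rather than a one-time build step.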
12. Application Defense
• Inside-Out (the network is porous)
• 1. Design Threat Analysis
• 2. SAST (Static Application Security Testing) in the IDE
• 3. SAST in builds
• 4. Secure Code Reviews (optional / out-of-band)
• 5. DAST (Dynamic Application Security Testing)
• 6. QA of requirements (white box)
• 7. Fuzzing (as required, based on risk: QA pen test)
• Outside-In
• 8. Pen Test Suite
• 9. Public Bug Bounty Program
• Responsive/Active Defense: detection & response
• 10. RASP (Runtime Application Self-Protection): logging, with automated response
• 11. SIEM (Security Information and Event Management): dashboards with automatic alerts
• 12. Training (reducing detected vulnerabilities)
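Items 10 and 11 in miniature: the following is an added example, not code from the presentation, of in-application detection of login abuse with an automated response (the source is blocked, RASP-style) that also emits alerts a SIEM dashboard can count. The JSON log format, the thresholds and the sample log lines are constructed for the example, and events are assumed to arrive in time order.

```python
"""Added example (not from the presentation): detection of login abuse from
application log events, with an automated response and a dashboard count.

Assumptions: the JSON event format, the thresholds and SAMPLE_LOG are
constructed for the example; events are assumed to arrive in time order.
"""
import json
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass
class Alert:
    rule: str        # "brute_force" or "credential_stuffing"
    src: str         # client address
    failures: int    # failures seen in the window
    users: int       # distinct usernames tried in the window
    response: str    # automated action taken


class LoginAbuseDetector:
    def __init__(self, window_s: int = 60, threshold: int = 5, stuffing_users: int = 3):
        self.window_s = window_s              # sliding window length
        self.threshold = threshold            # failures in the window that fire a rule
        self.stuffing_users = stuffing_users  # distinct users that make it stuffing, not brute force
        self._window: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
        self.blocked: Set[str] = set()
        self.alerts: List[Alert] = []

    def is_blocked(self, src: str) -> bool:
        """What the login handler consults before processing a request."""
        return src in self.blocked

    def ingest(self, line: str) -> Optional[Alert]:
        """Feed one JSON log line; return an Alert when a rule fires."""
        ev = json.loads(line)
        if ev.get("event") != "auth.failure":
            return None
        src, ts = ev["src"], datetime.fromisoformat(ev["ts"])
        if src in self.blocked:
            return None                       # already responded; nothing new to raise
        q = self._window[src]
        q.append((ts, ev["user"]))
        while q and (ts - q[0][0]).total_seconds() > self.window_s:
            q.popleft()                       # expire events outside the sliding window
        if len(q) < self.threshold:
            return None
        users = len({u for _, u in q})
        rule = "credential_stuffing" if users >= self.stuffing_users else "brute_force"
        self.blocked.add(src)                 # automated response: refuse further logins from src
        alert = Alert(rule, src, len(q), users, f"blocked {src} for {self.window_s}s")
        self.alerts.append(alert)
        return alert

    def run(self, log: str) -> List[Alert]:
        """Feed a whole log; return the alerts raised, in order."""
        fired: List[Alert] = []
        for line in log.splitlines():
            if line.strip():
                alert = self.ingest(line)
                if alert is not None:
                    fired.append(alert)
        return fired

    def dashboard(self) -> Dict[str, int]:
        """Alert count per rule, the number a SIEM panel would show."""
        return dict(Counter(a.rule for a in self.alerts))


def _ev(hhmmss_tail: str, event: str, src: str, user: str) -> str:
    """Build one constructed log line; time is 10:MM:SS on a fixed day."""
    return json.dumps({"ts": f"2017-03-13T10:{hhmmss_tail}+00:00", "event": event, "src": src, "user": user})


# Constructed sample log (documentation addresses, not real clients).
SAMPLE_LOG = "\n".join([
    _ev("00:00", "auth.failure", "203.0.113.7", "alice"),
    _ev("00:05", "auth.failure", "203.0.113.7", "alice"),
    _ev("00:10", "auth.success", "198.51.100.9", "bob"),     # success: ignored
    _ev("00:12", "auth.failure", "203.0.113.7", "alice"),
    _ev("00:20", "auth.failure", "203.0.113.7", "alice"),
    _ev("00:25", "auth.failure", "203.0.113.7", "alice"),    # 5th failure in 25 s: brute_force, block
    _ev("00:30", "auth.failure", "203.0.113.7", "alice"),    # already blocked: no second alert
    _ev("01:00", "auth.failure", "192.0.2.44", "carol"),
    _ev("01:05", "auth.failure", "192.0.2.44", "dave"),
    _ev("01:10", "auth.failure", "192.0.2.44", "erin"),
    _ev("01:15", "auth.failure", "192.0.2.44", "frank"),
    _ev("01:20", "auth.failure", "192.0.2.44", "grace"),     # 5 users from one source: credential_stuffing
    _ev("09:00", "auth.failure", "198.51.100.9", "bob"),     # one failure: nothing
])

if __name__ == "__main__":
    det = LoginAbuseDetector()
    for a in det.run(SAMPLE_LOG):
        print(a)
    print(det.dashboard())
```

The window is per source, so a single slow attacker spacing attempts beyond 60 s is not caught by this rule; that case belongs to the SIEM, which sees the same events across a longer horizon and across sources. Out-of-order delivery would need the window to be keyed on event time with a reordering buffer, which the example omits.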
13. Phase 2 DevSecOps: Security Test Driven Development
• Threat Analysis
• CI Training
• SAST in IDE
• SAST in build mgmt
• Automated Security Requirements QA
• DAST
• RASP
• SIEM
• Secure Code Review
• Fuzzing (PenT)
• Bug Bounty
Speaker notes
Bio
From Fortune 100 to start-up companies, Robert Grupe is an international professional with practitioner, leader, and consultant experience in market strategy, development, and support for global leaders in aerospace, electro-optic, information security, and health care industries.
Robert is a registered Certified Information Systems Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), and Project Management Professional (PMP).
https://en.wikipedia.org/wiki/DevOps
https://en.wikipedia.org/wiki/DevOps_toolchain
Plan tools: Atlassian (JIRA/Confluence), CA Technologies, iRise and Jama Software
Create tools: Bitbucket, GitLab, GitHub, Electric Cloud, and CFEngine
Verify tools: test automation (ThoughtWorks, IBM, HP), static analysis (Parasoft, Microsoft, SonarSource), test lab (Skytap, Microsoft, Delphix), and security (HP, IBM, Trustwave, FlawCheck)
Packaging tools: JFrog's Artifactory, Sonatype Nexus repository, and Inedo's ProGet
Release tools: Automic, Inedo, VMware, and XebiaLabs (application release automation, deployment automation, release management)
Configure tools: Ansible, Chef, Puppet, Otter, and Salt (continuous configuration automation, configuration management, and infrastructure-as-code tools)
Monitoring tools: BigPanda, Ganglia, New Relic, Wireshark
http://www.microsoft.com/en-us/sdl/default.aspx
https://en.wikipedia.org/wiki/Agile_software_development
https://en.wikipedia.org/wiki/Scrum_(software_development)
From The Daily Drucker, 3/13