Secure DevOps
Awareness & a Guide to Practical Implementation
BSides 2018
June 30, 2019
Merlin International, Inc.
Tej Luthra, VP Engineering, CyberSecurity and Security Analytics
At Merlin International, Tej Luthra is building and leading a development team responsible for the integration of existing technologies and the development of new solutions that address organizations’ most pressing cybersecurity challenges.

Devesh Arora, Dir. Engineering, Software Development & Web Services
At Merlin International, Devesh Arora is leading a team responsible for development of front-end & microservices along with the secure DevOps strategy and implementation.
Agenda
Opportunity
Secure DevOps: Continuous Information Assurance
• Cloud native and rapid adoption of cloud platforms
• Use of CI/CD (Continuous Integration / Continuous Deployment)
• Deliver secure code by integrating security practices into the pipeline
Benefits
• Protect your systems, data and business: reputation, brand, profits
• Reduce Risk
• Customer Confidence
• Reduce Costs
By 2019 only 10% of DevOps initiatives will have achieved the level of security automation required to be considered fully DevSecOps, up from less than 5% in 2017.
By 2019, more than 70% of enterprise DevSecOps initiatives will have incorporated automated security vulnerability and configuration scanning for open-source components and commercial packages, up from less than 10% in 2016.
By 2021, DevSecOps practices will be embedded in 80% of rapid development teams, up from 15% in 2017.
What is DevOps
DevOps is agile on steroids
• A methodology to build software fast
• Accelerates the velocity with which products are deployed to customers
DevOps begins with all things continuous
• Continuous Integration (CI) is the principle that code changes are checked into the source code repository in small batches
• Continuous delivery and deployment are principles for how the results of testing are reviewed, and the system automatically decides what to do with the build
• Continuous Testing, Quality, Security, Governance, and so on …
Why DevOps
Businesses need to accelerate the delivery of applications
• Focuses on quickly moving new features out to the customers
• Gives Dev teams the capability to deploy quickly and continuously … and the responsibility to support code in production
• Tears down the traditional silos of IT, namely between development and operations
Puppet Labs: 200x increase in speed from code commit to deploy; 30x more frequent deployments; 60% fewer production failures
Bank of America: 6x reduction in production defects
Ticketmaster: Reduced Mean Time to Repair by 90%
Source: https://www.slideshare.net/AndersLundsgrd/the-devops-journey-in-an-enterprise-scania-swisscom-software-day-2016
The Yin and the Yang
Challenges organizations face
• Adoption of DevOps practices introduces complications
• Auditing standardized security controls
• Constantly changing assets with CD
• Segregation of duties
• Tracking cloud assets, extreme virtualization
• DHCP logging or NAC/802.1x, especially when controlled by a 3rd party
And there are opportunities
• Focus on fast deployment, continual improvement, and automation
• Naturally forces collaboration with teams
• Avoids last-minute manual audits
• Continuous TVM
Shift Left
• Security teams engaged early
• Design, Deploy, Security Reviews
• Ability to influence future heartburns
• Deploy small changes, with reduced risk
• Enforces standardized configurations
• Logging, alerting and security metrics
The full end-to-end product lifecycle
Continuous Integration stages: Code Commit, Build & Unit Tests, Code quality Scan, Containerize, Package
Continuous Integration
• Frequent Code Check-ins
• Focus on Code Quality
• Automated Tests
• Find & Fix Bugs/Issues Soon
Continuous Delivery
Continuous Integration (from git): Code Commit, Build & Unit Tests, Code quality Scan, Container, Package → Artifact Repository
Tests: Functional | Integration | Performance | UAT | Smoke
Deployment: Test → Staging → Prod, with manual Code Promotion between environments
Release Management
Logging & Monitoring
Continuous Deployment
Continuous Integration (from git): Code Commit, Build & Unit Tests, Code quality Scan, Container, Package → Artifact Repository
Tests: Functional | Integration | Performance | UAT | Smoke
Deployment: Test → Staging → Prod, with Automated Code Promotion between environments
Release Management
Logging & Monitoring
Route to Secure DevOps
Why
• Criminals & hackers focus on weakness
• A part of your security strategy
• Constantly Evaluate Business Risks
• Federal, State, Local, Regulatory Challenges
• Believed too costly
• Split between Functionality and Speed
• Private / Behind a firewall
• Find and Fix
• Tools and Resources
Considerations
• Risk Assessments
• Policy – Procedures – Processes
• Regulatory – PCI, HIPAA, FISMA
• Physical Infrastructure
• Methodology
• Data Strategy
• Threat Modeling
• Testing
Source: https://www.cisecurity.org/webinar/foundations-of-an-application-security-program/
Security lifecycle in DevOps
Common action items include static & dynamic code analysis, vulnerability scanning, anti-virus scans, and other similar integrity functions.
The results from the security scans are provided to project management and the Chief Information Security Officer (CISO) within the organization.
NIST SP 800-115: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
Common Requirements
• Access Control
• Audit and Accountability
• Configuration Management
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical Protection
• Security Assessment
• System & Communications Protection
• System & Information Integrity
Guidance
• Refine information security objectives for adoption
• Integrate continuous security assurance seamlessly into the CI/CD toolchain
• Perfect security is impossible. Zero risk is impossible
• The entire DevOps life cycle needs to be secured
• Address Risk with continuous run time assessment, augmented with the existing cybersecurity framework
Identify known vulnerabilities
• Use of reusable libraries and frameworks
• The amount of custom code is reducing considerably
• Open-source software (OSS) presents a unique challenge
Secure Configurations for HW & SW
• Known vulnerabilities
• Use custom hardened system images
• Center for Internet Security (CIS) benchmarks
• CI/CD tools simplify the process of rolling them out
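The checklist-style assessment behind a hardened image (a profile of expected settings evaluated against the configuration actually on the host, the same shape of check the deck later attributes to OpenSCAP/XCCDF) in miniature. This is an added example, not from the deck, Merlin International, or any benchmark or OpenSCAP content: the five rules, their ids and titles are an assumed subset of common SSH hardening items, the "absent keyword" defaults follow OpenSSH's documented defaults, and the sshd_config text is constructed.

```python
"""Evaluate an sshd_config against a small checklist profile (added example).

Not OpenSCAP/XCCDF content and not a CIS benchmark: an assumed profile of
common SSH hardening rules, evaluated the way a checklist report would be.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Config = Dict[str, str]


@dataclass(frozen=True)
class Rule:
    rule_id: str                      # assumed id, not from any benchmark
    title: str
    check: Callable[[Config], bool]


def parse_sshd_config(text: str) -> Config:
    """Map lowercased keyword -> value. sshd honours the first occurrence of a
    keyword, so later duplicates are ignored here as well."""
    conf: Config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) == 2 else ""
        conf.setdefault(key, value)           # first value wins
    return conf


def _equals(key: str, default: str, wanted: str) -> Callable[[Config], bool]:
    # `default` is what sshd uses when the keyword is absent from the file
    return lambda conf: conf.get(key, default).lower() == wanted


def _int_at_most(key: str, default: int, limit: int) -> Callable[[Config], bool]:
    def check(conf: Config) -> bool:
        try:
            return int(conf.get(key, str(default))) <= limit
        except ValueError:                    # unparsable value: treat as a failure
            return False
    return check


# Assumed profile; defaults mirror OpenSSH's documented defaults so that an
# absent keyword is judged by what sshd would actually do.
SSH_PROFILE: List[Rule] = [
    Rule("ssh-01", "Root login over SSH is disabled", _equals("permitrootlogin", "prohibit-password", "no")),
    Rule("ssh-02", "Empty passwords are not permitted", _equals("permitemptypasswords", "no", "no")),
    Rule("ssh-03", "MaxAuthTries is 4 or less", _int_at_most("maxauthtries", 6, 4)),
    Rule("ssh-04", "Password authentication is disabled (key-based only)", _equals("passwordauthentication", "yes", "no")),
    Rule("ssh-05", "X11 forwarding is disabled", _equals("x11forwarding", "no", "no")),
]

# Constructed sample, not taken from a real host.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
MaxAuthTries 6
PasswordAuthentication no
X11Forwarding no
PermitRootLogin no   # ignored: the first PermitRootLogin line wins
"""


def evaluate(profile: List[Rule], conf: Config) -> Dict[str, bool]:
    """Run every rule of the profile; True means the rule passed."""
    return {rule.rule_id: rule.check(conf) for rule in profile}


def score(results: Dict[str, bool]) -> float:
    """Percentage of rules passed, the headline number of a checklist report."""
    return 100.0 * sum(results.values()) / len(results) if results else 0.0


if __name__ == "__main__":
    conf = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    results = evaluate(SSH_PROFILE, conf)
    for rule in SSH_PROFILE:
        print(f"{'PASS' if results[rule.rule_id] else 'FAIL'}  {rule.rule_id}  {rule.title}")
    print(f"score: {score(results):.0f}%")
```

Running it on the constructed file fails ssh-01 and ssh-03 (root login is explicitly enabled, and MaxAuthTries is left at the default of 6) and scores 60%; a CI job that bakes a hardened image would typically fail the build below a threshold rather than just report the number.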
Automated Deployment of Infrastructure and Software
• Use a blue-green deployment scenario
• The same principles apply to “infrastructure as code”
• Early adopter scenarios
Continuous Vulnerability Assessment and Remediation
• Keep up with new Vulnerabilities
• Reuse of the Automation Framework
• A/B Testing and Blue-Green Deployment
• Scanning during Development
Patch Set A: 37 vulnerabilities; return time 15 ms; errors/1000: 300; visits/user: 50
Patch Set B: 2 vulnerabilities; return time 25 ms; errors/1000: 100; visits/user: 150
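How the automated code promotion shown in the Continuous Deployment pipeline can consume both signals on this slide, the scanner findings for a build and the side-by-side metrics of two patch sets, as a single promotion gate. This is an added example, not from the deck or from Merlin International: the finding format, the per-severity caps and the 50 ms latency objective are assumptions chosen for illustration, while the two patch-set rows reuse the numbers on the slide.

```python
"""Promotion gate combining scanner findings with A/B patch-set metrics.

Added example. Severity caps, the latency SLO and the finding format are
assumptions; PATCH_SET_A and PATCH_SET_B carry the slide's numbers.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    tool: str        # scanner that produced it ("sast", "sca", ...); constructed
    severity: str    # one of "critical", "high", "medium", "low"
    rule: str        # scanner rule id; placeholder values below


@dataclass(frozen=True)
class PatchMetrics:
    name: str
    vulnerabilities: int       # known vulnerabilities found by scanning
    return_time_ms: float      # response time observed for this patch set
    errors_per_1000: float     # errors per 1000 requests
    visits_per_user: float     # engagement; reported, not gated on here


@dataclass
class GateResult:
    promote: bool
    reasons: List[str] = field(default_factory=list)


# Assumed policy: criticals and highs block promotion outright, mediums are
# capped; severities not listed ("low") never block.
MAX_BY_SEVERITY: Dict[str, int] = {"critical": 0, "high": 0, "medium": 5}

# Assumed service-level objective, used as an absolute latency bound.
LATENCY_SLO_MS = 50.0

# The two rows from the slide.
PATCH_SET_A = PatchMetrics("Patch Set A", 37, 15, 300, 50)
PATCH_SET_B = PatchMetrics("Patch Set B", 2, 25, 100, 150)

# Constructed scanner output for one build; rule ids are placeholders.
SAMPLE_FINDINGS = [
    Finding("sast", "medium", "constructed-rule-001"),
    Finding("sca", "high", "constructed-rule-002"),
]


def scan_gate(findings: List[Finding]) -> Tuple[bool, List[str]]:
    """Count findings per severity and compare each count against its cap."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    reasons = [
        f"{counts[sev]} {sev} finding(s) exceed the cap of {cap}"
        for sev, cap in MAX_BY_SEVERITY.items()
        if counts.get(sev, 0) > cap
    ]
    return not reasons, reasons


def compare_patch_sets(candidate: PatchMetrics, baseline: PatchMetrics,
                       latency_slo_ms: float = LATENCY_SLO_MS) -> Tuple[bool, List[str]]:
    """The candidate may not regress on vulnerabilities or error rate relative to
    the baseline, and must stay within the latency objective."""
    reasons = []
    if candidate.vulnerabilities > baseline.vulnerabilities:
        reasons.append(f"{candidate.name}: {candidate.vulnerabilities} known vulnerabilities "
                       f"vs {baseline.vulnerabilities} in {baseline.name}")
    if candidate.errors_per_1000 > baseline.errors_per_1000:
        reasons.append(f"{candidate.name}: {candidate.errors_per_1000} errors/1000 "
                       f"vs {baseline.errors_per_1000} in {baseline.name}")
    if candidate.return_time_ms > latency_slo_ms:
        reasons.append(f"{candidate.name}: {candidate.return_time_ms} ms exceeds SLO of {latency_slo_ms} ms")
    return not reasons, reasons


def promotion_decision(findings: List[Finding], candidate: PatchMetrics,
                       baseline: PatchMetrics) -> GateResult:
    """Promote only when both the scan gate and the A/B comparison pass."""
    ok_scan, scan_reasons = scan_gate(findings)
    ok_ab, ab_reasons = compare_patch_sets(candidate, baseline)
    return GateResult(promote=ok_scan and ok_ab, reasons=scan_reasons + ab_reasons)


if __name__ == "__main__":
    for findings, cand, base in [([], PATCH_SET_B, PATCH_SET_A),
                                 (SAMPLE_FINDINGS, PATCH_SET_B, PATCH_SET_A),
                                 ([], PATCH_SET_A, PATCH_SET_B)]:
        result = promotion_decision(findings, cand, base)
        print(f"promote {cand.name}: {result.promote}", *result.reasons, sep="\n  ")
```

With the slide's numbers, Patch Set B replaces A (fewer vulnerabilities, fewer errors, within the SLO) as long as the build's own scan is clean; the same build with one high-severity finding is held back with the reason recorded, and promoting A over B is refused on two counts. Keeping the reasons as data rather than only printing them is what lets the pipeline feed the decision to release management and to the logging and monitoring stage.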
Application Software Security
• Vulnerabilities found in 98% of apps (Trustwave Global Security Report)
• Security assessments
• CI/CD tool advantages
• Run additional tests in Staging in parallel
Controlled Use of Administrative Privileges
• In the DevOps model, controlling administrative credentials becomes even more important
• In an “infrastructure as code” environment, the code itself acts as a privileged user
• Other systems provide ways to manage their own secrets, but lack more advanced features
OWASP Top 10 Project Guidelines
• Threat modeling scenarios
  • SQL injection
  • Cross-site scripting
  • Cross-site request forgery
  • Broken authentication and session management
  • Insecure direct object references
  • Security misconfiguration
• Foundational security hygiene
  • Embedded keys or credentials in the application
  • System patching
  • Target high value assets
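The hygiene item "embedded keys or credentials in the application" applies with extra force to the previous slide's point that in infrastructure as code the code itself acts as a privileged user: templates, scripts and compose files are where such credentials end up. A pre-commit style check that refuses a change carrying an embedded credential, as an added example (not from the deck or from Merlin International): the three patterns and the placeholder rule are illustrative assumptions, a real scanner ships many more, and the sample files are constructed (the AWS key pair is the one used in AWS's own documentation, not a live credential).

```python
"""Refuse automation files that embed credentials (added example).

Patterns and placeholder rules are illustrative assumptions; SAMPLE_FILES is
constructed and the AWS key pair is the AWS documentation example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Each pattern captures the secret value in its last group or, when it has no
# groups, matches the whole secret-bearing token.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Values that are references or placeholders rather than secrets: ${VAR}, $VAR,
# <fill-me-in>, and a few conventional dummy words.
PLACEHOLDER = re.compile(r"^(\$\{.*\}|\$[A-Za-z_]\w*|<.*>|changeme|example|dummy|x{3,})$", re.I)


@dataclass(frozen=True)
class Hit:
    path: str
    line_no: int
    kind: str
    excerpt: str   # redacted prefix only, so CI logs never echo the secret


def redact(value: str) -> str:
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_text(path: str, text: str) -> List[Hit]:
    """Apply every pattern to every line; skip generic matches that are placeholders."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            if kind == "generic_assignment" and PLACEHOLDER.match(value):
                continue
            hits.append(Hit(path, line_no, kind, redact(value)))
    return hits


def scan_files(files: Dict[str, str]) -> List[Hit]:
    hits = []
    for path, text in files.items():
        hits.extend(scan_text(path, text))
    return hits


def check(files: Dict[str, str]) -> Tuple[bool, List[Hit]]:
    """Gate result: clean only when nothing was found."""
    hits = scan_files(files)
    return not hits, hits


# Constructed sample change set: a Terraform provider block, a compose file
# that correctly references the secret through the environment, and a
# release script with a hard-coded token.
SAMPLE_FILES = {
    "infra/main.tf": (
        'provider "aws" {\n'
        '  access_key = "AKIAIOSFODNN7EXAMPLE"\n'
        '  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        '}\n'
    ),
    "deploy/docker-compose.yml": (
        'services:\n  db:\n    environment:\n      POSTGRES_PASSWORD: "${DB_PASSWORD}"\n'
    ),
    "scripts/release.sh": (
        '#!/bin/sh\n'
        'API_TOKEN="t0k3n-constructed-value-123"\n'
        'curl -H "Authorization: Bearer $API_TOKEN" https://example.invalid/deploy\n'
    ),
}


if __name__ == "__main__":
    clean, hits = check(SAMPLE_FILES)
    for h in hits:
        print(f"{h.path}:{h.line_no}: {h.kind} ({h.excerpt})")
    raise SystemExit(0 if clean else 1)
```

On the constructed change set the check reports three hits (both halves of the AWS key pair in the Terraform file and the hard-coded token in the release script), leaves the compose file alone because `${DB_PASSWORD}` is a reference, and exits non-zero so the commit or pipeline stage is refused. Only a redacted prefix ever reaches the log, which matters because CI logs are themselves readable by far more people than the secret should be.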
Tooling that can help
Identify actual and potential coding issues, including those identified in OWASP
YASCA, HP Fortify, IBM AppScan, VisualCodeGrepper, Nessus, OpenSCAP, Black Duck, SonarQube ….
Black Duck
• scans and manages open-source software
• supports mixed LDAP/DB auth
• good UI
LAPSE
• OWASP Security Scanner
• Java EE
Nessus
• system vulnerabilities
• missing patches
• non-compliant system configurations
OpenSCAP
• utilizes XCCDF
• checks the operating system’s configuration against an established checklist profile
ClamAV
• antivirus scanner for Linux operating systems
Windows Defender
• antivirus scanner for Windows operating systems
Note: This is not an endorsement of any tools. The reader is encouraged to evaluate each tool independently.
Recommendations
• Adopt an immutable Infrastructure Mindset
• Integrate security and compliance testing seamlessly into DevSecOps
• Scan for and remove known vulnerabilities and misconfigurations
• Scale your information security team into DevOps
• Treat all automation scripts, templates, images and blueprints with the same level of assurance
• Train individuals and establish good communication
• Identify and report on Business Risks
• Create a culture of Security, incorporate Static and Dynamic Testing
Conclusion
• Security is not an afterthought
• Integrating security into DevOps requires changing mindsets
• Information security must adapt to development processes and tools
• In regulated environments, DevOps needs to evolve quickly
• A host of new security tools have been adapted for DevOps environments
• There is a need for Best Practices
Thank You
tluthra@merlin-intl.com
darora@merlin-intl.com

How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

Secure DevOPS Implementation Guidance

  • 1. Secure DevOps Awareness & a Guide to Practical Implementation BSides 2018 01 June 30, 2019 Merlin International, Inc.
  • 2. Merlin International June 30, 2019 2 Tej Luthra VP Engineering CyberSecurity and Security Analytics At Merlin International, Tej Luthra is building and leading a development team responsible for the integration of existing technologies and the development of new solutions that address organizations’ most pressing cybersecurity challenges. Devesh Arora Dir. Engineering Software Development & Web Services At Merlin International, Devesh Arora is leading a team responsible for development of front-end & microservices along with the secure DevOps strategy and implementation.
  • 3. June 30, 2019 3 Agenda
  • 4. Opportunity June 30, 2019 4 Secure DevOps Continuous Information Assurance Cloud native and rapid adoption of cloud platforms Use of CI/CD - Continuous Integration/Continuous Deployment Deliver secure code by integrating security practices into the pipeline Benefits Protect your systems, data and business Reputation, brand, profits Reduce Risk Customer Confidence Reduce Costs By 2019 only 10% of DevOps initiatives will have achieved the level of security automation required to be considered fully DevSecOps, up from less than 5% in 2017. By 2019, more than 70% of enterprise DevSecOps initiatives will have incorporated automated security vulnerability and configuration scanning for open-source components and commercial packages, up from less than 10% in 2016. By 2021, DevSecOps practices will be embedded in 80% of rapid development teams, up from 15% in 2017.
  • 5. What is DevOPS June 30, 2019 5 Secure DevOps DevOps is agile on steroids As a methodology to build software fast Accelerates the velocity with which products are deployed to customers DevOps begins with all things continuous • Continuous Integration (CI) is the principle that code changes are checked into the source code repository in small batches • Continuous delivery and deployment are principles for how the results of testing are reviewed, and the system automatically decides what to do with the build • Continuous Testing, Quality, Security, Governance, and so on …
  • 6. Why DevOPS June 30, 2019 6 Secure DevOps Businesses need to accelerate the delivery of applications Focuses on quickly moving new features out to the customers Give Dev teams capability to deploy quickly and continuously … and the responsibility to support code in production Tear down the traditional silos of IT, namely between development and operations Puppet Labs 200x increase in speed from code commit to deploy 30x more frequent deployments 60% fewer production failures Bank of America 6x reduction in production defects Ticket Master Reduced Mean Time to Repair by 90% Source: https://www.slideshare.net/AndersLundsgrd/the-devops-journey-in-an-enterprise-scania-swisscom-software-day-2016
  • 7. The Yin and the Yang June 30, 2019 7 Secure DevOps Challenges organizations face • Adoption of DevOps practices introduces complications • Auditing standardized security controls • Constantly changing assets with CD • Segregation of duties • Tracking cloud assets, extreme virtualization • DHCP logging or NAC/802.1x • Especially when controlled by 3rd party And there are opportunities • Focus on fast deployment, continual improvement, and automation • Naturally forces collaboration with teams • Avoids last-minute manual audits • Continuous TVM Shift Left • Security teams engaged early • Design, Deploy, Security Reviews • Ability to influence future heartburns • Deploy small changes • With reduced risk • Enforces standardized configurations • Logging, alerting and security metrics
  • 8. The full end-to-end product lifecycle June 30, 2019 8 Secure DevOps
  • 9. Build & Unit Tests Containerize Package Code Commit Code quality Scan Continuous Integration Frequent Code Check-ins Focus on Code Quality Automated Tests Find & Fix Bugs/Issues Soon Continuous Integration Secure DevOps June 30, 2019
  • 10. Build & Unit Tests Container Package Code Commit Code quality Scan Continuous Integration git Artifact Repository Tests Functional | Integration | Performance | UAT | Smoke Deployment Test Staging Prod Code Promotion Manual Continuous Delivery Release Management Logging & Monitoring Secure DevOps June 30, 2019
  • 11. Build & Unit Tests Container Package Code Commit Code quality Scan Continuous Integration git Artifact Repository Tests Functional | Integration | Performance | UAT | Smoke Deployment Test Staging Prod Automated Code Promotion Continuous Deployment Release Management Logging & Monitoring Secure DevOps June 30, 2019
  • 12. Route to Secure DevOPS 6/30/2019 12 Secure DevOps Why • Criminals & hackers focus on weakness • A part of your security strategy • Constantly Evaluate Business Risks • Federal, State, Local, Regulatory Challenges • Believed too costly • Split between Functionality and Speed • Private / Behind a firewall • Find and Fix • Tools and Resources Considerations • Risk Assessments • Policy – Procedures – Processes • Regulatory – PCI, HIPAA, FISMA • Physical Infrastructure • Methodology • Data Strategy • Threat Modeling • Testing Source: https://www.cisecurity.org/webinar/foundations-of-an-application-security-program/
  • 13. Security lifecycle in DevOPS June 30, 2019 14 Common action items include static & dynamic code analysis, vulnerability scanning, anti-virus scans, and other similar integrity functions The results from the security scans are provided to project management and the Chief Information Security Officer (CISO) within the organization Secure DevOps NIST 800-115: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
  • 14. Common Requirements June 30, 2019 15 Access Control Audit and Accountability Configuration Management Identification and Authentication Incident Response Maintenance Media Protection Personnel Security Physical Protection Security Assessment System & Comm. Protection System & Information Integrity Secure DevOps
  • 15. Guidance June 30, 2019 16 Secure DevOps Refine information security objectives for adoption Integrate continuous security assurance seamlessly into CI/CD toolchain Perfect security is impossible. Zero risk is impossible The entire DevOps life cycle needs to be secured Address Risk with continuous run time assessment, augment with existing cybersecurity framework
  • 16. June 30, 2019 17 Secure DevOps Identify known vulnerabilities Use of reusable libraries and frameworks The amount of custom code is reducing considerably Open-source software (OSS) presents a unique challenge
  • 17. Secure Configurations for HW & SW June 30, 2019 18 Known vulnerabilities Use custom hardened system images Center for Internet Security (CIS) CICD Tools simplify process of rolling out Secure DevOps
  • 18. Automated Deployment of Infrastructure and Software June 30, 2019 19 Use blue-green deployment scenario Same principles apply to “infrastructure as code” Early adopter scenarios Secure DevOps
  • 19. Continuous Vulnerability Assessment and Remediation June 30, 2019 20 Secure DevOps Keep up with new Vulnerabilities Reuse of Automation Framework AB Testing and Blue Green Deployment Scanning during Development Patch Set A: 37 vulnerabilities, return time 15 ms, # errors/1000: 300, visits / user 50. Patch Set B: 2 vulnerabilities, return time 25 ms, # errors/1000: 100, visits / user 150.
  • 20. Application Software Security June 30, 2019 21 Vulnerabilities found in 98% of apps Security assessments CICD Tools Advantages Run Additional Test in Staging in parallel Secure DevOps Trustwave Global Security Report
  • 21. Controlled Use of Administrative Privileges June 30, 2019 22 The DevOps model Controlling administrative credentials becomes even more important In an “infrastructure as code” environment, the code itself acts as a privileged user Other systems provide ways to manage their own secrets Lack more advanced features Secure DevOps
  • 22. OWASP Top 10 Project Guidelines June 30, 2019 23 Secure DevOps • Threat modeling scenarios SQL injection Cross-site scripting Cross-site request forgery Broken authentication and session management Insecure direct object references Security misconfiguration Foundational security hygiene Embedded keys or credentials in the application System patching Target high value assets
  • 23. Tooling that can help June 30, 2019 24 Identify actual and potential coding issues, including those identified in OWASP YASCA, HP Fortify, IBM AppScan, VisualCodeGrepper, Nessus, OpenSCAP, Black Duck, SonarQube …. Secure DevOps BlackDuck • scans and manages open-source software • supports mixed LDAP/DB auth • good UI LAPSE • OWASP Security Scanner • Java EE Nessus • system vulnerabilities • missing patches • non-compliant system configurations OpenSCAP • utilizes XCCDF • system configurations for the operating system against an established checklist profile ClamAV • antivirus scanner for Linux operating systems Windows Defender • antivirus scanner for Windows operating systems Note: This is not an endorsement of any tools. The reader is encouraged to evaluate each tool independently.
  • 24. Recommendations June 30, 2019 25 Adopt an immutable Infrastructure Mindset Integrate security and compliance testing seamlessly into DevSecOps Scan for and remove known vulnerabilities and misconfigurations Scale your information security team into DevOps Treat all automation scripts, templates, images and blueprints with the same level of assurance Train individuals and establish good communication Identify and report on Business Risks Create a culture of Security, incorporate Static and Dynamic Testing Secure DevOps
  • 25. Conclusion June 30, 2019 26 Security is not an afterthought Integrating security into DevOps requires changing mindsets Information security must adapt to development processes and tools Regulated environment, DevOPS needs to evolve quickly Host of new security tools adapted for DevOps environments There is need for Best Practices Secure DevOps

Editor's Notes

  1. Ensuring the confidentiality, integrity and availability of digital assets in the cloud
  2. DevOPS practices present a unique opportunity to deliver more secure code by integrating security practices into the pipeline. There is a wide variety of open source and commercial tools that allow the creation of Secure DevOps pipelines that assist with the security and information assurance function. By integrating the performance of security testing and scanning as part of the build and deploy process, Secure DevOps allows the ability to deliver Continuous Information Assurance. In the past 12 months at Gartner, how to securely integrate security into DevOps — delivering DevSecOps — has been one of the fastest-growing areas of interest of clients, with more than 600 inquiries across multiple Gartner analysts in that time frame. From conversations with clients and by analyzing successful DevSecOps initiatives, we have seen what works, what doesn't and which approaches have the most success.
  3. While DevOps may be overhyped, oversold, and oversubscribed right now, those who approach it as a journey, not a destination, are finding incredible business value. You’ve heard all the reasons why DevOps won’t work: issues with compliance, ITIL, security, production availability, architectural complexity, and so on. But the benefits it can deliver—faster delivery, quality, and security—are within reach. The question is, how do you start the move from silos to streamlined development pipelines? Application Packaging ensures that you have a trusted handoff between development teams and operations teams. Developers can focus on what they do best, developing and maintaining their software. Operations can focus on what they do best, enforcing security and improving application deployment and management through orchestration and automation. The Application Package ensures that you have a versionable, maintainable asset at the center of the process. Application Packaging is Application-Centric DevOps. Continuous Integration/Continuous Deployment (CI/CD) reduces the time and effort it takes to test and deploy code into production, through rapid automation enabled by cloud platforms and cloud native technologies. Don’t forget Continuous [ Testing (CT), Quality (CQ), Delivery (CDe), Security (CS)]. Secure DevOps helps address the needs of regulation and compliance through the integration of security scans and reviews as part of the CICD process.
  4. Businesses need to accelerate the delivery of applications. Focuses on quickly moving new features out to the customers. Not about specific tools, but improves adoption. Bringing teams together, agile on steroids. Organized not from a project delivery standpoint, but with a more product delivery focus. Give Dev teams capability to deploy and the responsibility to support code in production. Tear down the traditional silos of IT, namely between development and operations. Aims at removing bottlenecks, conflicts, and risk from the lifecycle between business decision and customer outcome. The 2015 Puppet Labs State of DevOps Report shows organizations achieving a 200x increase in speed from code commit to deploy, 30x more frequent deployments and 60% fewer production failures. Bank of America cites a 6x reduction in production defects. Ticketmaster reduced their Mean Time to Repair by 90%. Businesses are looking to accelerate the delivery of production quality software with fewer defects, and better security. Continuous Integration/Continuous Deployment (CI/CD), also known as DevOps, is a rapidly maturing practice for reducing the time and effort it takes to test and deploy code into production. The rapid automation of the integration and deployment activities is common, especially on cloud-based platforms. Adding security testing into the DevOps pipeline can help address the needs of regulated, compliance and public sector focused organizations. This white paper describes the use of open source technologies and commercial packages to design and deploy a Secure DevOps pipeline. Tools such as Yasca, SonarQube, and OpenSCAP, amongst others, when integrated with vulnerability scanners such as Tenable Nessus, HP Fortify and others, provide a robust SecDevOps implementation. Since the first DevOps Days conference was held in 2009, adoption of DevOps strategies has been growing rapidly, with 25% of global IT companies predicted to have moved towards DevOps by 2016 (Gartner, 2015).
The very definition of DevOps is still evolving, but most agree it encompasses a set of cultural values in addition to the tools and practices that enable continuous delivery (Loukides, 2015). Continuous delivery provides a competitive advantage to software companies (Humble, 2014) by lowering the risk and cost associated with releases. It also enables near-immediate feedback on new features; practicing continuous delivery requires collaboration and empathy amongst the teams involved in the delivery process (Fowler, 2013). Configuration management systems automate the provisioning of new systems, enforcing consistent application installation, system and application configuration across classes of servers. The configuration information lives in a source code repository, and systems such as Chef, Puppet, Salt, or Ansible allow developers to treat the configuration of the servers that will run application software as code. This “infrastructure as code” can itself be versioned and tested, providing assurances that identical configurations will be in place everywhere, and improving the odds that software that tested fine in the staging system will be fine in production as well (Riley, 2014). Finally, an automated system for reliably moving software through the build -> deploy -> test -> release process is the key component (Humble & Farley, 2010) in any DevOps system. Continuous integration tools such as Jenkins make a formerly slow and error-prone task easy and repeatable, enabling the deployment of small changes and giving fast feedback about how the code operates and what customers think about new features. DevOps is becoming the preferred approach for the rapid development and continuous delivery of these new IT-enabled capabilities. Implemented correctly, DevOps offers IT organizations improved speed of development by embracing a collaborative philosophy that tears down traditional silos of development and operations. 
However, in most cases, security and compliance have been afterthoughts to DevOps.
  5. Challenges organizations face: Adoption of DevOps practices introduces complications. Implementing and auditing standardized security controls. Presenting issues such as constantly changing assets, continuous deployment. Breakdown in traditional segregation of duties. Tracking cloud assets, extreme virtualization. DHCP logging or NAC/802.1x, especially when controlled by 3rd party. And there are opportunities: Focus on fast deployment, continual improvement, and automation. Naturally forces collaboration with security teams. Avoid last-minute manual audits and reviews. Review various threats & vulnerabilities continuously. Shift Left: security teams engaged early in the design process to ensure ability to deploy continuously and securely. Reduces risk by deploying small changes rather than large complex ones. Enforces standardized configurations for logging, alerting and security metrics.
  6. Create the supporting CI pipeline to ensure that the necessary resources are in place before development begins. Include stakeholders from all the engineering disciplines such as development, test, data management, I&O and security as you develop each CI pipeline. Build a CI pipeline by specifying the desired outcomes to be achieved and the required artifacts to be generated. Assess and document current build processes and infrastructure. Periodically revisit these two steps to ensure that the CI pipeline continues to deliver the necessary results. Establish baseline metrics — such as frequency and execution time of application builds, build and deployment failures, and repeated errors — before integrating each application. Gather and monitor these metrics to evaluate the success of each change, and adapt when changes to the process don't deliver the expected benefits. Choose an application with established (but not yet automated) build and deployment processes as your pilot. As the process matures, review the application portfolio and expand the use of CI to applications that will benefit the most.
  7. Begin each software development project by first creating the supporting CI pipeline to ensure that the necessary resources are in place before development begins. Begin the process of building your CI pipeline by specifying the desired outcomes to be achieved and the required artifacts to be generated. Next, assess and document your current build process and infrastructure. Use the first two steps to redesign your process to ensure that the CI pipeline delivers the necessary results. Establish baseline metrics — such as frequency and execution time of application builds, build and deployment failures, and repeated errors — before integrating each application, and monitor those metrics throughout the application life cycle. Use the baseline metrics to evaluate the success of each change, and adapt when changes to the process don't deliver the expected benefits. Choose an application with established (but not yet automated) build and deployment processes as your pilot. As the process matures, expand the process to other applications that are supported by your development organization.
  8. Why Criminals & hackers focus on weakness Leads to breaches A part of your security strategy Constantly Evaluate Business Risks Federal, State, Local, Regulatory Challenges Believed too costly Split between Functionality and Speed Private / Behind a firewall Find and Fix Tools and Resources Considerations Risk Assessments Policy – Procedures – Processes Regulatory – PCI, HIPAA, FISMA Physical Infrastructure Methodology Data Strategy Mapping, Collection, Storage, Cleaning Decommissioning and Retention Threat Modeling Testing
  9. Challenges: audit of a security program; relative immaturity and lack of corporate backing; tools new to the market or open-sourced; reliance on IaaS and PaaS reduces control and visibility at the hardware and network layer; the flexibility of cloud providers to quickly scale up and down makes them attractive in DevOps environments. The CI/CD or DevOps security lifecycle begins with code development and integration. As the code is committed for deployment, the CI/CD security processes are activated. Common action items include static code analysis, vulnerability scanning, anti-virus scans and other similar integrity functions. The results from the security scans are provided to project management and the Chief Information Security Officer (CISO) within the organization. In order to comply with NIST requirements for applying secure engineering principles, application developers should utilize code analysis utilities to ensure safe coding practices are followed. Project teams should leverage code analysis utilities as early as possible in the development lifecycle; the project will experience fewer delays and incidents of rework due to flaws and other security concerns. At a minimum, code analysis should be performed as code modules are completed, but it is not necessary for modules to be completely finished for code review to be useful. Commit code to CI/CD: as application code is committed to the CI/CD branch in the git repository, CI/CD performs a security review utilizing automated static code analysis tools.
  10. Compliant Architecture: Identify compliance & requirements first. Select eligible services through trusted sources and suppliers. Create cloud-native solution architecture. Continuous Monitoring and Management: Implement tools for governance, security and cloud operations. Define processes and assign roles. Define artifacts and operate against SLAs. Accreditations and Authorization: Document system security plan. Create security backlog in plan of actions and milestones. Incident response plan.
  11. Refine information security objectives for adoption. Integrate continuous security assurance seamlessly into CI/CD toolchain. Perfect security is impossible. Zero risk is impossible. Bring continuous risk- and trust-based assessment. Bring prioritization of application vulnerabilities. The entire DevOps life cycle needs to be secured, including when new services are deployed into runtime operation. Address risk with continuous run time assessment, augmented with: Network- and host-based intrusion prevention systems (IPS); Web application firewalls (WAF) for protection against known vulnerabilities; Runtime application self-protection; Application monitoring and protection; Botnet mitigation; In-depth defense at the application layer.
  12. Use of reusable libraries and frameworks leads to a shift in focus for security scanning. The majority of risk can be addressed by identifying known vulnerabilities & misconfiguration. Vulnerability assessment vendors are adapting their scanning capabilities; some toolchain element vendors like Docker are integrating this capability. The importance of this best practice cannot be overstated: the breach at Equifax may have had a root cause of a known vulnerability issue in Apache Struts, as stated by Equifax. Likewise OpenSSL's Heartbleed. Open-source software (OSS) presents a unique challenge: the developer may simply cut and paste source code.
  13. Once hardened configurations for operating systems and application components are developed, DevOps deployment tools and configuration management services like Puppet, Chef, Ansible and Salt greatly simplify the process of rolling these out to all systems and keeping the configurations in sync over time. Docker and other container technologies are increasingly popular methods for deploying applications in DevOps environments, due to advantages in portability, efficiency in resource sharing and speed of deployment. Docker also offers some security advantages, in the form of increased isolation of applications, particularly in multi-tenant environments. Docker images, however, cannot be patched and updated or have running configuration changed on the fly; updated software or secure configuration must be baked in as part of the image build and new containers deployed, leading to situations where multiple container versions of varying security may be running. https://www.cisecurity.org/benchmark/docker/
  14. Use blue-green deployment scenario Test and cutover with no downtime Subset of traffic may move to the green deployment Once traffic is fully cut over, the blue deployment gets decommissioned, or rollback Same principles apply to “infrastructure as code” Early adopter scenarios Used to turn new features on for particular sets of users Allow analysis of system or user behavior
  15. Continuous Vulnerability Assessment and Remediation. Challenge: keeping up with the relentless pace of newly-announced vulnerabilities. However, the focus on automation, testing, and continuous monitoring in DevOps environments can be advantageous; the same systems that allow automated deployments of new application code via thorough unit and functional testing provide a strong foundation for testing new patches. Deployment strategies for Blue-Green deployments and A-B testing allow gradual rollout and immediate feedback regarding issues and changes in system behavior. Security scans that happen as part of the deployment process provide verification that updates address known issues and reach all intended targets.
  16. Trustwave Global Security Report Vulnerabilities were found in 98% of the applications scanned Data leakage, cross-site scripting, SQL injection and authorization, among others Security assessments - PenTesting CICD Tools Advantages Jenkins, Hudson and similar tools provide easy support via plugins Code review and for running static analysis as part of the pipeline These acceptance tests should be designed to complete quickly and can be run before new code is even deployed to the integration/staging environment Further security testing, such as tests of security related functionality, vulnerability scanning, and application security scans can then be run in parallel to other acceptance testing within the staging environment
  17. In the DevOps model, where everyone has the potential to administer systems and debug production issues, controlling administrative credentials becomes even more important. In a continuous deployment, “infrastructure as code” environment, the code itself acts as a privileged user. These credential “secrets” must be used by the orchestration systems. Secrets Management systems aim to bring role-based access control and auditability to the DevOps system. Configuration management systems like Chef and Puppet provide their own solutions for protecting secrets stored within the infrastructure code using public key encryption, but lack more advanced features such as role-based controlled access to the secrets, or full-featured support for rotating passwords and SSH keys. Secrets management systems like Hashicorp’s Vault and Conjur’s SSH Management solution provide methods to automatically provision temporary access via one-time passwords or SSH keys and to enable SSH key rotation for service accounts.
  18. When code has been committed to the CI/CD Git repository, the associated Jenkins job builds the code base. The Jenkins build invokes a Yasca scan of the committed code, which creates a Yasca report in HTML format as well as CSV format. The Yasca results CSV file is further processed and formatted into an XML document. After the Yasca file is processed, Sonar Scanner is invoked to analyze the created XML file using custom rules to map the Yasca results into the SonarQube dashboard. The OWASP Top 10 Project and similar publicly available guidelines are a great start. The training should include: How to build and maintain simple threat modeling scenarios (thinking like a bad guy) Input whitelisting, filtering and sanitization for user input and files SQL injection Cross-site scripting Cross-site request forgery Broken authentication and session management Insecure direct object references Security misconfiguration Foundational security hygiene Why not to embed keys or credentials in the application code or scripts The importance of patching How and why hackers will target admins for credential theft and how to avoid this Plugins: Grep Plugin. Uses external GREP files to scan target files for simple patterns. PMD Plugin. Uses PMD to parse and scan Java (and JSP) source code for issues. JLint Plugin. Uses J-Lint to scan Java .class files for issues. antiC Plugin. Uses antiC to scan Java and C/C++ source code for issues. FindBugs Plugin. Uses FindBugs to scan Java class and Jar files for issues. Lint4J Plugin. Uses Lint4J to scan Java .class files for issues. Yasca plugins implement five (5) severity levels: 1 – Critical, 2 – High, 3 – Warning, 4 – Low, 5 – Informational. SonarQube implements five (5) severity levels: • Blocker • Critical • Major • Minor • Info
  19. https://www.checkmarx.com/2014/11/13/the-ultimate-list-of-open-source-static-code-analysis-security-tools/
  20. • Adapt Your Security Testing Tools and Processes to the Developers, Not the Other Way Around
      Integrate security and compliance testing seamlessly into DevSecOps so that developers never have to leave their continuous integration or continuous deployment toolchain environment.
  • Quit Trying to Eliminate All Vulnerabilities During Development
      Trying to remove all unknown vulnerabilities in custom code increases false positives.
  • Focus First on Identifying and Removing the Known Critical Vulnerabilities
  • Don't Expect to Use Traditional DAST/SAST Without Changes
  • Train All Developers on the Basics of Secure Coding, but Don't Expect Them to Become Security Experts
  • Adopt a Security Champion Model and Implement a Simple Security Requirements Gathering Tool
      Scale your information security team into DevOps by using a security champion model.
  • Eliminate the Use of Known Vulnerable Components at the Source
      Scan for known vulnerabilities and misconfigurations in all open-source and third-party components. Ideally, build out a complete bill of materials using software composition analysis.
  • Secure and Apply Operational Discipline to Automation Scripts
      Treat all automation scripts, templates, images and blueprints with the same level of assurance that you would treat any source code.
  • Implement Strong Version Control on All Code and Components
  • Adopt an Immutable Infrastructure Mindset
  21. Integrating security into DevOps to deliver "DevSecOps" requires changing mindsets, processes and technology. Security and risk management leaders must adhere to the collaborative, agile nature of DevOps to be seamless and transparent in the development process, making the Sec in DevSecOps silent. If adopting a DevOps framework, information security must adapt to development processes and tools, not the other way around. But that does not lessen the obligation: organizations producing new applications and services using DevOps have the same responsibility to produce secure and compliant code as required by any other application.
  The success of the DevOps movement means that DevOps practices are being adopted by diverse organizations, from small startups to Fortune 500 companies. As the movement matures, security is no longer an afterthought, and consensus is building about the right ways to integrate security best practices into the DevOps cultural and technical evolution. There has been an explosion in the number of tools available to help secure DevOps environments, from repository firewalls (Weeks, 2015) to new application scanners and security functional test infrastructures (DeVries, 2015), to new SSH Management solutions and the ability to scan Docker containers (Doran, 2015). Part of the DevOps philosophy and the typical microservices architecture is the freedom to choose the tools that are best for a particular culture and environment.
  In a regulated environment, DevOps teams will need to involve security early in the process to ensure a smooth deployment for new features; the opportunity for greater collaboration with security teams can only be a positive step. The glut of new security tools adapted for DevOps environments has the ability to provide new levels of visibility and automation for implementing security controls. Such new tools may not be fully mature, however, and may have flaws or lack features present in more established products.
  There is also a lack of precedent when it comes to using such tools for audit against security standards. As the shift towards DevOps continues, we can expect increased maturity for DevOps security tools and best practices that should make implementation of these important controls easier in the future. From a security perspective, the immutable infrastructure mindset can be advanced and has the potential to radically improve security by proactively "killing" workloads and replacing them with versions from a known good state.