Application Security in a DevOps World
Peter Chestna, Director of Developer Engagement, Veracode
Session DST37T (DEVSECOPS)
COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED #CAWORLD #NOBARRIERS
Terms of This Presentation
For Informational Purposes Only
© 2017 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2017 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Who am I?
• 25+ Years Software Development Experience
• 11+ Years Application Security Experience
• Certified Agile Product Owner and Scrum Master
• At Veracode since 2006
• From Waterfall to Agile to DevOps
• From Monolith to MicroService
• Consultant on DevSecOps best practices
• Fun Fact: I love whiskey!
• Tell me where to drink local whiskey
@PeteChestna
Goals
 Why is AppSec important?
 How is DevOps changing application development?
 How is AppSec traditionally done?
 What needs to change?
– What to build
– What to measure
– How to help
Applications Are as Risky as Ever
• 39% of all applications used some kind of hard-coded password
• 35% of all applications use broken or risky cryptographic algorithms
• 28% of all applications were vulnerable to open redirect attacks
• 16% of all applications mix trusted and untrusted data in the same data structure or message
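One of the four flaw classes above, open redirect, as an added example that is not from the slides: the unchecked pattern a scanner flags, beside a hardened check, in Python. The function names, the allowed-host set and the sample inputs are assumptions made for illustration.

```python
"""Open redirect: the unchecked pattern beside a hardened check (added example)."""
from urllib.parse import urlsplit

# Hosts this application may redirect to. Constructed for the example.
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}


def redirect_target_vulnerable(next_param: str, default: str = "/") -> str:
    """The pattern behind the open-redirect statistic: trust `next` as-is.

    A login link such as /login?next=//evil.example sends the user
    off-site after a successful login, with this site's name on the link.
    """
    return next_param or default


def redirect_target_safe(next_param: str, default: str = "/") -> str:
    """Return `next_param` only if it stays on an allowed host, else `default`.

    Covers the usual bypasses of a naive "starts with /" check:
      //evil.example                         protocol-relative URL
      /\\evil.example                        backslash, which browsers treat as a slash
      https:evil.example                     scheme with no slashes (netloc is empty)
      javascript:alert(1)                    non-HTTP scheme
      https://app.example.com@evil.example   userinfo trick
    """
    if not next_param:
        return default
    # Normalise backslashes to slashes so urlsplit sees the authority a
    # browser would, then refuse anything containing control characters.
    candidate = next_param.strip().replace("\\", "/")
    if any(ord(c) < 0x20 for c in candidate):
        return default
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default
    if parts.netloc:
        # Absolute or protocol-relative URL: the whole authority
        # (including any user@ prefix or port) must match an allowed host.
        return candidate if parts.netloc.lower() in ALLOWED_HOSTS else default
    # No authority: accept only a site-relative path ("/x", not "//x").
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate
    return default
```

The check compares the full authority string, so a host with an explicit port or a user@ prefix is rejected unless that exact string is in the allow list; that is deliberate, since those are the parts attackers use to smuggle a foreign host past a substring match.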
Lack of App Security is Damaging Companies
High Profile Breaches Through the App Layer
• Financial institution
  How: Vulnerability on a website built and maintained by a third-party vendor in support of a charity.
  Result: Usernames and passwords for 76 million households and 7 million businesses were stolen.
• Financial institution
  How: Hackers exploited a known vulnerability in an open source component.
  Result: Social Security Numbers and personal data for more than 143 million Americans stolen. Three executives lose their jobs.
• Healthcare provider
  How: Targeted a flaw in OpenSSL, CVE-2014-0160, better known as Heartbleed.
  Result: The theft of Social Security Numbers and other personal data belonging to 4.5 million patients.
• Retailer
  How: Sophisticated kill chain including exploitation of a vulnerable web application.
  Result: Hackers stole names, mailing addresses, phone numbers and email addresses for more than 70 million shoppers.
Business Mandate
Compressed Timelines & Smaller Teams
Waterfall: 1-4 releases per year, 50+ people
Agile:     12-24 releases per year, 6-12 people
DevOps:    100+ releases per year, 6-12 people
Technology (figure: Waterfall, Agile, DevOps)
Definition of DevOps
What’s a DevOps Team?
DevOps – Process: Where is security?
Agile – Process for DevOps
Copyright 2005, Mountain Goat Software
Is this your current AppSec program?
They/We know it’s coming…
Which outcome do you see?
Strategy
 Relationship & Accountability
 Integration & Automation
 Training & Remediation Coaching
 Security Champions
Strategy - Relationships
 Who is your peer in development/security?
 Do you meet with them?
 Do you understand each other's goals?
 Are you sympathetic to each other's struggles?
Strategy – Accountability
 Shared between development and security
 Part of annual goals for both teams
 Measured and reported regularly
Strategy – Integration & Automation
CI/CD pipeline, run per check-in (step numbers as on the slide):
1. Develop
2. Backlog
3. Build & Test (3a. Manual Testing*)
4. Check in, with static analysis per check-in
5. Build (CI/CD pipeline)
6. Static Analysis and Unit Tests
7. Pass? No: Synchronize. Yes: Deploy to QA/Stage
8. Dynamic Analysis and Regression Testing
   Pass? Yes: Stage, then Prod
Strategy – Training
 Security teams can help developers by providing training, either through eLearning or
in-person instructor-led training
 Think about targeted training based on policy violations
CA Veracode State of Software Security 2017
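The pipeline's "Pass?" gate and the idea of targeted training based on policy violations, as an added example that is not from the slides or from any Veracode product. It is a Python policy gate for the static-analysis step: it takes scanner findings, blocks the stage on High or Very High findings and on a few CWE families at any severity, lets findings already tracked in a baseline through without blocking (a common practice, assumed here rather than taken from the slides), and groups the blocking findings by CWE into training topics so the security team knows which module to assign. The findings, the severity scale, the CWE list and the training module names are constructed for the example.

```python
"""Policy gate for the security stage of a CI/CD pipeline (added example)."""
import json
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample of what a static-analysis step might hand to the gate.
# Not real scanner output; ids, CWEs, paths and severities are made up.
SAMPLE_FINDINGS_JSON = """
[
  {"id": 1, "cwe": 798, "severity": 4, "file": "auth/db.py",     "line": 12},
  {"id": 2, "cwe": 327, "severity": 3, "file": "crypto/hash.py", "line": 40},
  {"id": 3, "cwe": 601, "severity": 3, "file": "web/login.py",   "line": 88},
  {"id": 4, "cwe": 79,  "severity": 2, "file": "web/render.py",  "line": 5},
  {"id": 5, "cwe": 89,  "severity": 5, "file": "api/search.py",  "line": 23}
]
"""

# Assumed severity scale for the example: 0 informational .. 5 very high.
SEVERITY_NAMES = {0: "Informational", 1: "Very Low", 2: "Low",
                  3: "Medium", 4: "High", 5: "Very High"}

# Policy (assumed): block at High or above, and block these CWE families
# at any severity (hard-coded credentials, broken crypto, SQL injection).
FAIL_AT = 4
ALWAYS_FAIL_CWES = {798, 327, 89}

# CWE -> training module to assign when that CWE blocks a build.
# Module names are invented for the example.
TRAINING_BY_CWE = {
    798: "Secrets management",
    327: "Using approved cryptography",
    601: "Safe redirects and URL handling",
    79:  "Output encoding against XSS",
    89:  "Parameterised queries",
}


@dataclass
class GateResult:
    passed: bool
    violations: list = field(default_factory=list)  # block the stage
    deferred: list = field(default_factory=list)    # policy hits already in the baseline
    training: dict = field(default_factory=dict)    # module -> count of blocking hits


def violates(finding: dict, fail_at: int, always_fail: set) -> bool:
    """True when a finding breaks policy on severity or on CWE family."""
    return finding["severity"] >= fail_at or finding["cwe"] in always_fail


def evaluate(findings_json: str, fail_at: int = FAIL_AT,
             always_fail: set = ALWAYS_FAIL_CWES,
             baseline: set = frozenset()) -> GateResult:
    """Apply the policy; findings whose id is in `baseline` are reported
    as deferred (already tracked in the backlog) rather than blocking."""
    findings = json.loads(findings_json)
    hits = [f for f in findings if violates(f, fail_at, always_fail)]
    violations = [f for f in hits if f["id"] not in baseline]
    deferred = [f for f in hits if f["id"] in baseline]
    training = Counter(
        TRAINING_BY_CWE.get(f["cwe"], f"CWE-{f['cwe']}") for f in violations
    )
    return GateResult(passed=not violations, violations=violations,
                      deferred=deferred, training=dict(training))


def exit_code(result: GateResult) -> int:
    """Non-zero makes the pipeline take the 'Pass? No' branch."""
    return 0 if result.passed else 1


if __name__ == "__main__":
    result = evaluate(SAMPLE_FINDINGS_JSON)
    for f in result.violations:
        print(f"BLOCK CWE-{f['cwe']} {SEVERITY_NAMES[f['severity']]} "
              f"{f['file']}:{f['line']}")
    print("targeted training:", result.training)
    raise SystemExit(exit_code(result))
```

Run as a script, it prints the blocking findings and exits non-zero, which is all a CI stage needs in order to stop the deploy; the `training` map is what the security team would feed back to the development team as the targeted training the slide describes. Keeping the baseline explicit is what stops a first scan of a legacy codebase from blocking every build while still failing on anything new.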
Strategy - Training
Strategy – Remediation Coaching
Source: CA Veracode State of Software Security 2017
Strategy – Security Champions
 Eyes and ears of security
 Specialized training
– Basic security concepts
– Threat modeling
– Grooming guidelines
– Secure code review training
– Security controls
– CTF Exercises
 Escalate when necessary
Strategy - DevOps (Shift Left & Monitor)
Pipeline phases: Plan, Code, Build, Test, Stage, Deploy, Monitor
Activities placed across those phases, from earliest to latest:
• Threat Modeling
• Security Grooming
• Secure Design
• Static Application Security Testing + 3rd Party Risk Analysis
• Remediation and Mitigation Guidance
• Secure Code Reviews
• Dynamic Application Security Testing
• Manual Penetration Testing
• Red Team Activities
• Runtime Application Self Protection
• Training (eLearning, instructor led, metadata driven)
Bridge the Gap Between Development and Security
Development:
1. Scan early & often
2. Integrate & automate
3. Take training
4. Request remediation guidance
5. Be a security champion
Security:
1. Be involved in all phases
2. Define & explain policy
3. Provide targeted training
4. Provide remediation guidance
5. Recruit & train champions
Recommended Sessions
SESSION #  TITLE  DATE/TIME
DST43T  The CA Technologies Veracode Platform: 360 Degree View of Your Application’s Security  11/15/2017 at 12:45 pm
DST50T  How Components Increase Speed & Risk  11/15/2017 at 1:45 pm
DST40T  Scale Your Application Security Program Effectively with the Right Program Management Model  11/15/2017 at 3:30 pm
DST41T  DevOps: Security’s Chance to Get It Right  11/16/2017 at 12:45 pm
Must See Demos
Demo stations 301, 506P and 509P (DevOps-CD and Security areas):
• Securing Apps from Dev to Production: CA Veracode Static Analysis, CA Veracode Greenlight, CA Veracode Remediation Guidance
• Manage Your Software Risk: Open Sourced Component Scanning, Developer Training on Secure Coding, Integrations into Your Dev Tools
• Manage Your Software Risk: CA Veracode Static Analysis, CA Veracode Web Application Scanning, CA Veracode Greenlight
• CA Veracode Static Analysis, CA Veracode Greenlight, CA Veracode Remediation Guidance
Stay connected at https://community.veracode.com
Thank you.
DevSecOps
For more information on DevSecOps,
please visit: http://cainc.to/CAW17-DevSecOps