DevSecOps 101
18 likes7,984 views
The document discusses DevSecOps, an evolution of DevOps that integrates security into the software development lifecycle, emphasizing the importance of early identification of security issues. It highlights best practices that involve people, processes, and technologies to foster a culture of shared responsibility for security, thus improving agility and compliance. The conclusion underscores the benefits of adopting DevSecOps, such as reduced costs and enhanced speed in addressing security vulnerabilities.
![Automation: OWASP ZAP CLI Quick Scan
./zap.sh -cmd -quickurl
http://example.com/ -quickprogress
Spidering
Active scanning
[====================] 100%
Attack complete
<?xml version="1.0"?><OWASPZAPReport version="2.5.0"
generated="Tue, 4 Oct 2016 09:31:53">
<site name="http://example.com" ...](https://image.slidesharecdn.com/devsecops101-180427142201/85/DevSecOps-101-31-320.jpg)
![OWASP ZAP API
● RESTish – ok, only uses GET requests
http(s)://zap/<format>/<component>/<operation>/
<op name>[/?<params>]
● Maps closely to the UI / code
● Theres a basic web UI for it
● And clients in various languages:
– Java, Python, Node JS, .Net, PHP, Go …](https://image.slidesharecdn.com/devsecops101-180427142201/85/DevSecOps-101-32-320.jpg)
DevSecOps 101
- 1. DevSecOps 101 Narudom Roongsiriwong, CISSP OWASP Meeting 3/2018 April 26, 2018
- 2. WhoAmI ● Lazy Blogger – Japan, Security, FOSS, Politics, Christian – http://narudomr.blogspot.com ● Information Security since 1995 ● Web Application Development since 1998 ● Head of IT Security, Kiatnakin Bank PLC (KKP) ● Consultant for OWASP Thailand Chapter ● Committee Member of Cloud Security Alliance (CSA), Thailand Chapter ● Committee Member of Thailand Banking Sector CERT (TB-CERT) ● Technical Team Member, National Digital Identity Platform project ● Contact: narudom@owasp.org
- 3. ““Software is eating the world!!!”Software is eating the world!!!” Marc Andreessen, co-founder and general partner of the ventureMarc Andreessen, co-founder and general partner of the venture capital firm Andreessen-Horowitz, also Netscape co-coundercapital firm Andreessen-Horowitz, also Netscape co-counder Source: The Wall Street Journal, August 20, 2011Source: The Wall Street Journal, August 20, 2011 https://www.wsj.com/articles/SB10001424053111903480904576512250915629460https://www.wsj.com/articles/SB10001424053111903480904576512250915629460
- 4. SoftwareSoftware generates valuegenerates value when deployed for use and running,when deployed for use and running, notnot when we write it.when we write it.
- 5. Time Analysis Design Coding Testing 20% done (100% usable!) Agile Process Analysis Design Coding Testing Do we have half a solution yet? Traditional Process Agile = Early Value Time
- 6. What Is DevOps? Dev Integration Ops Communication Collaboration “It’s a movement of people who think it’s change in the IT Industry - time to stop wasting money, time to start delivering great software, and building systems that scale and last” Patrick DeBois, the "founder" of the DevOps movement. Plan Code Build Test Release Deploy Operate Monitor
- 7. DevOps Is ... ● An approach based on agile and lean principles in which business owners, development, operations, and quality assurance team collaborate to deliver software in a continuous stable manner ● An environment that promotes cross practicality, shared business tasks and belief ● A movement that improves IT service delivery agility ● A culture that promotes better working relationship within the company ● A set of practices that provides rapid, reliable software delivery
- 8. DevOps Continuous Delivery Continuous Integrtion AgileDevelopment Collaboration Plan Code Build Test ReleaseDeployOperate Without Automation, There Is No DevOps Plan Code Build Test Release Deploy Operate Monitor
- 9. DevOps Is Eating the World!!! ● Imagine solving the world’s problems faster by collaborating and taking responsibility. ● In connection with Cloud Computing, DevOps is the cultural enabler needed to scale creativity and innovation. ● With the goal of solving customer problems faster, no wonder DevOps is taking over. Over Past 10 Years
- 10. Cloud Is Eating the World!!! ● Public Cloud adoption is accelerating at a rapid pace… ● Software defined environments allow scale to happen and more decisions to be made daily… ● More people can experiment, learn and fail at a rapid pace to solve for customer demand…. ● Creativity is the next frontier…
- 11. Is Security Blocking the World? “This is the end of security as we know it… and isn’t it a good thing!” -Josh Corman @petecheslock
- 12. The Urgency of Dev with Integrated Security ● Development without integrated security and compliance will fail; – progressive orgs have prioritized security due to uptime and compliance concerns – accelerating the need for agility and a curated OSS-dev portfolio. ● Security-led development will be a priority for 90% of orgs by 2020. IDC FutureScape: Worldwide Developer and DevOps 2018 Predictions, November, 2, 2017
- 13. What is DevSecOps? DevSecOps is the answer to integrating these various challenges into a coherent and effective approach to software delivery. It is a new method that helps identify security issues early in the development process rather than after a product is released. IS IS NOT A Mindset and Holistic Approach A One-Size-Fits-All Approach A Collection of Processes & Tools A Single Tool or Method A Means of Security & Compliance Integrated to Software Just a means of adding Security into Continuous Delivery A Community Driven Effort Invented by Vendors A Strategy Driven by Learning and Experiments A Strategy Driven by Perfection and Compliance
- 14. Plan Code Build Test Release Deploy Operate Monitor DevSecOps: Integrate Security Into DevOps Policies Threat Model Static Analysis Code Review Penetration Testing Compliance Validation Log Audit Threat Intelligence Monitor Detect Response Recover
- 15. The Main Course ● Vulnerability (VA) Scans and Assessments ● Threat Modeling ● Secure Code Reviews (Static Code Analysis) ● Penetration Tests (PenTests) ● This applies to both Custom Apps and COTS Pushing Left, Like a Boss, Tanya Janca, DevSecCon 2018 Singapore
- 16. The Gravy ● Educating Developers on Secure Coding ● Practices with workshops, talks, lessons ● Secure Coding Standards ● Responsible/Coordinated Disclosure ● Secure code library and other reference materials, creating custom tools Pushing Left, Like a Boss, Tanya Janca, DevSecCon 2018 Singapore
- 17. The Dessert ● Bug Bounty Programs ● Capture The Flag (CTF) contests ● Red Team Exercises Pushing Left, Like a Boss, Tanya Janca, DevSecCon 2018 Singapore
- 18. Best Practices Successful security programs involve three intersecting parts: people, processes, and technologies. People People are the starting point of the DevSecOps implementation. Through ensuring proper training and restructuring of teams security will become a frame of mind rather than a hindrance. Processes DevSecOps aims to align and implement processes common to an enterprise to facilitate cooperation and achieve more secure development processes as a whole. Technology Technologies enable people to execute DevSecOps processes, which aim to reduce the enterprise attack surface and enable effective management of the technical security debt.
- 19. DevSecOps makes everyone responsible for security.
- 20. People: What Type of Skills Are Required? Dev Sec Ops Dev Sec Ops Dev Sec Ops Developer Sys Admin Security Engineer competency needed skill; functional
- 21. People: Security Champions Ensure that security is not a blocker on active development or reviews Be empowered to make decisions Work with AppSec team on mitigations strategies Help with QA and Testing Write Tests (from Unit Tests to Integration tests) Help with development of CI (Continuous Integration) environments Keep track of and stay up to date on modern security attacks and defenses Introduce body of knowledge from organizations such as OWASP (Top 10, Application Security Verification Standard, Testing Guide etc.)
- 22. Processes ● Version control, metadata, and orchestration ● Integration of processes ● Security tooling in CI/CD ● Compliance ● Security Architecture ● Incident Management ● Red Teams and Bug Bounties ● Threat Intelligence
- 23. Technologies ● Automation and Configuration Management ● Secure coding practices/Security as Code ● Host Hardening ● CI/CD for Patching ● Application-level Auditing and Scanning ● Automated Vulnerability Management Scanning ● Automated Compliance Scan ● Managing Secrets
- 24. How Hard Could It Be? Source Code CI Server Artifacts MonitoringDeployTest & Scan DevOps Code - Creating Value & Availability DevSecOps Code - Creating Trust & Confidence Credit: Shannon Leitz (@devsecops)
- 25. Automation and Configuration Management: Ansible
- 26. Application Level Auditing and Scanning: OWASP Dependency Check ● Project stated December 2011 (first published in 2012) ● Performs Software Composition Analysis – Reports known vulnerabilities for Java & .NET components – Experimental analyzers for Python, Ruby, PHP (composer), and Node.js ● Easy solution to the OWASP 2017 Top 10 – A9 Using components with known vulnerabilities ● Works as: – Command-line utility – Ant Task – Gradle Plugin – Jenkins Plugin – Maven Plugin – SonarQube Plugin
- 27. Automated Vulnerability Scanning: OpenVAS ● A framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. ● All OpenVAS products are Free Software ● Most components are licensed under the GNU General Public License (GNU GPL)
- 28. Automated Vulnerability Scanning: OpenVAS CLI
- 29. Automated Vulnerability Scanning:: OWASP ZAP https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
- 30. OWASP ZAP Functionality ● Man-in-the-middle Proxy ● Traditional and AJAX spiders ● Automated scanner ● Passive scanner ● Fuzzer ● Dynamic SSL certificates ● Support for a wide range of scripting languages ● Plug-n-Hack support ● Authentication and session support ● Powerful REST based API ● Integrated and growing marketplace of add-ons
- 31. Automation: OWASP ZAP CLI Quick Scan ./zap.sh -cmd -quickurl http://example.com/ -quickprogress Spidering Active scanning [====================] 100% Attack complete <?xml version="1.0"?><OWASPZAPReport version="2.5.0" generated="Tue, 4 Oct 2016 09:31:53"> <site name="http://example.com" ...
- 32. OWASP ZAP API ● RESTish – ok, only uses GET requests http(s)://zap/<format>/<component>/<operation>/ <op name>[/?<params>] ● Maps closely to the UI / code ● Theres a basic web UI for it ● And clients in various languages: – Java, Python, Node JS, .Net, PHP, Go …
- 33. OWASP ZAP Python API ● Install from pypi: pip install python-owasp-zap-v2.4 ● In your script: from zapv2 import ZAPv2 zap = ZAPv2() zap = ZAPv2(proxies={ 'http': 'http://localhost:8080', 'https': 'http://localhost:8080'}) zap.urlopen(target) https://pypi.python.org/pypi/python-owasp-zap-v2.4
- 34. Managing Secrets: HSM ● Cryptographic Computing Hardware Module ● Protected Key Store ● Well-Defined Interface Protocol ● Hard to Compromise Hardware Security Module
- 35. Managing Secrets: Conjur ● A foundational secrets management service for DevOps environments, a core security capability for any environment ● An authentication, authorization and audit service for people, code and machines that runs independently of other DevOps platforms and tools to provide separation of concerns and duties and fine-grained access control ● A suite of open source integrations with leading CI/CD tools (Ansible, Puppet, Cloud Foundry) based on an Experience-Driven Design (XDD) development process. ● An architecture that is optimized for containerized environments ● Flexible, programmable tool (Rest API, CLI)
- 36. Conclusion ● DevSecOps addresses the need for pro-active, customer- focused security rather than reacts to data breaches or other cyberattacks. ● The benefits are cost reduction, speed of delivery, speed of recovery, compliance at scale, and threat hunting. ● DevSecOps provides the ability to detect and fix security issues earlier in the development process thus reducing greatly the cost associated with identifying and fixing them. ● Shifting security to the left through the use of people, processes and technology will help to achieve this goal.