Embracing the Rise of SecDevOps
1 like390 views
The document outlines the rise of SecDevOps, emphasizing its role in enhancing security and operational practices in software development. It presents research findings on the benefits and performance improvements related to the adoption of SecDevOps methodologies while also highlighting barriers to success in terms of vulnerability remediation and organizational challenges. Best practices and tooling solutions are recommended to foster a proactive security culture and streamline processes.
Embracing the Rise of SecDevOps
- 1. Embracing the Rise of SecDevOps Tenable Research Engineers
- 2. Embracing the Rise of SecDevOps Thomas Cappetta Tenable Research Vulnerability Research Engineer
- 3. - Cyber Security, DevOps, Cloud Computing - CISSP - Constantly Studying DevOps & Offensive Security - Mentoring & Leadership • Active: 3yrs. Asst. Coaching Youth Sports (volunteer) • Previous: Identifying, Leading, & Mentoring Organizational Talent within SecOps & Engineering. • Previous: Eagle Scout About Cappetta 2
- 4. ● ... a set of business methodologies, operational procedures, & cultural practices proven to increase security, improve software quality, improve release frequency, & provide immediate insight into organizational exposures… SecDevOps Defined 3
- 5. “According to State of DevOps Reports by Puppet… ” High-Performing organizations which implement DevOps practices: • Deploy code 30 times more frequently • Have 50 percent fewer failures • Automated: • 33 % more of their configuration management • 27 % more of their testing • 30 % more of their deployments • 27 % more of their change approval processes Benefits 5
- 7. 7 DevOps vs. Security Researchers
- 8. Goal: § Disposable infrastructure § Automated Application Deployments § Continuous Patch Updates § Automated Release Testing § Autonomous Customer Service § Great Organizational Culture Best Practices 8
- 10. ● “a median of five days to gain access to a functioning exploit. In contrast, we learned, defenders take a median 12 days to assess for a vulnerability.” – Tenable Research ● “According to WhiteHat Security stats, the average time to fix a website vulnerability after it has been reported is 150-180 days.” – Tenable Research 2015 Barriers To Success – Tenable Research 10
- 11. ● EdgeScan- ● Layer 7 - Average time to close a discovered vulnerability is 67 Days ● Layer Network - Average time to close a discovered vulnerability is 62 Days ● Denim Group ● A 2013 industry study from White Hat Security revealed that the “Mean Time to Fix” for web application flaws categorized as “serious” averaged 193 days across all industries. ● In the same study, for one industry (Education) the figure jumped to 342 days of exposure Barriers To Success – Exposure Remediation 11
- 12. ● “The most common code vulnerability evident in static security testing during the software development process is Unpatched Libraries” - WhiteHatSec • Cyber Security is often viewed as an expense • Regular Code Deployments require Smaller Feature branches • Retrofitting Tooling into Pre-existing Monolithic Applications Barriers To Success – Generic 12
- 13. • Changes don’t meet expectations • Insecure Configurations • Unknown Assets & Exposures • Complex business workflows & Technical Debt Barriers To Success - Generic 13
- 14. • Automating the wrong things first • Continuous Delivery != Continuous Deployment • Lack of Metrics • Stale Test Automation • So Many Tools… Barriers To Success - DevOps 14
- 16. Branching - Simplified vs. Complex Features vs. Epics Barriers to Success – Git Workflow 16
- 17. • Constantly Evolving Exposures • Unknown External / Environmental Threats • Compartmentalized Organizations • Remediation Delay • Zero-Days • Constantly Evolving Tooling Barriers To Success – Threat Landscape 17
- 18. 18
- 21. - Invest in Tooling & Processes - Automate Repeatable Processes Process / Procedure Changes 21
- 22. Tooling / Processes: synopsys.com 22
- 23. • SecDevOps – Process & Tooling automation providing early detection/remediation of cyber exposure • BDD / Gherkin – Functional / Behavioral Use-Cases • Regular Code Deployments & smaller change sets • Infra/App as Code - disposable infrastructure Solution(s) 23
- 24. • Inspec – Configuration Mgmt. Verification • BDD-Security – Behavioral Security Testing • T-Pot – HoneyPot sensors to monitor threat landscape • Automation Breaks – Audit, Monitor, & fix it Solution(s) 24
- 25. • Collaboration / Prioritization – eg. JIRA / Slack / SalesForce • Invest in Research & Training by looking ahead • Inspire Innovation, accept failure w/o judgement, & celebrate success Culture 25
- 26. Technical References 26 Sans Secure DevOps Toolchain
- 28. ● Willingness to embrace failure in conquest of Excellence ● Enormous Appetites for Technical Expertise & Depth ● Willingness to empower innovation & invest in Research ● Ability to Influence the passion of employees Culture 28
- 29. 29
- 31. HoneyPot Automation – T-Pot 31
- 32. - Inspec infrastructure Inspec Your Assets 32