Leverage DevOps & Agile Development to Transform Your Application Testing Program: Client Case Study
0 likes50 views
This document discusses leveraging DevOps and Agile development practices to transform application testing programs. It provides examples of how Cisco has implemented continuous security practices. Continuous security involves integrating security practices throughout the software development lifecycle, from threat modeling during design to running automated scans on code repositories and deployments. The document outlines Cisco's approach which focuses on continuous education, automation technologies, and governance to assess security risks holistically at all stages of development and operations.
Leverage DevOps & Agile Development to Transform Your Application Testing Program: Client Case Study
- 1. © 2017 IBM Corporation Leverage DevOps & Agile Development to Transform Your Application Testing Program: Client Case Study
- 2. Speakers Shuchita Gupta Senior Software Client Architect & Leader IBM Sona Srinivasan Senior IT Architect, Global Architecture and Technology Services IT CISCO Systems, Inc. Alan Shimel Moderator, Editor-in-Chief DevOps.com 2
- 3. State of Application Security Average time to detect APT 256 days Average cost of a U.S. data breach $6.5M Percentage of breaches due to Web attacks 40% Sources: IBM X-Force Threat Intelligence 2015; 2016 Verizon Data Breach Investigations Report; 2016 Cost of Data Breach Study: Global Analysis Average size of a U.S. data breach 30K records 3
- 4. Conversations & Challenges How often should you think about security in the SDLC? Are automated DAST scans enough? Should I stop my release in a continuous delivery pipeline if my critical vulnerabilities aren't fixed? Can running SAST scans on each build reduce my need to run DAST scans? Should my user stories for security be incorporated in a sprint, or be a part of my design? Key: SAST – Static Application Security Testing DAST – Dynamic Application Security Testing 4
- 6. The Sec Ops Journey Conversations that launched with Agile The Steps to Cognitive Security Examples of Continuous Security Continuous Security at Cisco Adapting to Threats & Attacks Together 6 6
- 7. Continuous Security Example #1 Architecture & Security Requirements • Threat Modeling By Feature & Design - For every major application re-design or major feature change, Threat Models must be built based on the application’s design changes • Security assessments and User Stories Tie in, where security assessments answer the Who, Why and What of the feature and application. Documented Security Design Revisit of the data classification for data at Rest, and Transit • E.g.: Employee data on Company System becomes Customer Data on Insurance System, data changes classification from system to system, depending on the consuming application • Application Profiling at the time of Provisioning for baselining 7
- 8. Continuous Security Example #2 Running static security scans on GIT repo branches is considered continuous security with: • Code Tagging (E.g.: deployed code tags needs to have meta data about the code) with insights into code patterns (E.g.: Singleton Usages, Factory patterns etc. tied to security insights) • Developer Behaviors (E.g.: Developers who code in JAVA might need training in SQL Injections etc., novice developers might need training in XSS) • Code-branch Patterns (E.g.: Code reposes with fewer branches might have more to catch as branched code might be more modularized and secure) • Vulnerability Trends (E.g.: HR apps have SQL Injections, while Service X might have the most vulnerable code) • Types of Languages used tied to type of data classification (E.g.: Cisco is a big JAVA and PL/SQL Shop with movement towards Apex and Angular etc.…) 8
- 9. Continuous Security Example #3 Automated DAST is seen as continuous security with security benchmarking • Quality Pre-requisites for DAST – Can Deployment workflows check for Quality & Load Tests before running DAST scans? (Have QA bugs been fixed so DAST is spending more time on the security threat classes?) • Are the DAST Test environments close to Production and stable enough for graceful recovery from the DAST attacks (DMZ, Core Zone, Data Center, PaaS profile), especially in a continuous environment? Example - Network latency of the source call of the DAST scan to the Application Destination environment (Eg: India to Richardson) 9
- 10. Continuous Security Example #4 Management of Incident Response data and mapping to application attacks, environment attacks with: • Pre-Deployment Security Posture and: • SAST • DAST • Open Source Scanning • App Profiling (Cloud native, hybrid, on premise etc.) • Penetration Test Results • Post-Deployment Security Posture of: • Applications • Data • Environment 10
- 12. Development Platform as a Service Cloud Apps Apps Built Apps Bought Web Mobile Mobile Web DAST Deployment …… Repo Mgmt. Binary Executable Mgmt. Executable Mgmt. …… …… …… …… Binary Analyzer Mobile DAST Build Automation SAST Cloud Ready DAST Quality Assurance Deployment Post-Deployment Mgmt. Penetration Test Deployment Repo Mgmt. Repo Mgmt. Build Automation Build Automation Quality Assurance Quality Assurance SAST SAST Penetration Test Penetration Test Post-Deployment Mgmt. Post-Deployment Mgmt. Quality Assurance Quality Assurance DAST Binary Analyzer Mobile DAST Deployment Deployment Penetration Test Penetration Test Post-Deployment Mgmt. Post-Deployment Mgmt. APIs Repo Mgmt. Build Automation Quality Assurance SAST Deployment Cloud Ready DAST Penetration Test Post-Deployment Mgmt. 12
- 13. APP Profiling & DPAAS Choice App Stack Provisioning & App Profiling Cloud API Web App Built Cloud App Mobile App Built Web App Packaged Mobile App Packaged Incidents & Security Breaches App Profile (comp- osite) 13
- 15. Continuous Security at Cisco People & Skillset Technology & Automation Governance & Audits 1. Continuous Education on Process & Technology 2. In-Context Training as opposed to On-Demand 3. Federated Security Personnel in the functions 1. Watch the Market & Developer world 2. Our eyes are on PaaS changes and Developer Tools & Technology Changes 1. Bringing The Policy to the user 2. Moving Governance into the Life Cycle – Start Right, rather than shift left 3. Multi-Check Points 15
- 16. Journey to COGNITIVE •Good Domain Knowledge • Developer Skill-Set will range from beginner to seasoned Simplify • Process is simple and mature for automation •Intermediate Skill-Set of the Developer Automate • Go from multiple sub- systems to digital components in streams • Expert Developer Digitize • Developer is knowledgeable enough on when to apply machine learning to enable speed • Adding Specific Bots to address bottlenecks is a great way to ease the experience problem for security tools & their complexity Machine Learning • Developer is a Highly Seasoned with domain expertise and data architectures which then leverage cognitive APIs for Proactive Security Guidance Cognitive Process Complexity Developer Skillset 16
- 17. Managing Risk Holistically Comprehensive attack surface minimization through insights Bottoms up & Top down Vulnerability management Technology ecosystem – with Vendors Always remember the application is the front door - Trained Ninjas 17
- 18. Key Resources to Learn More 18 • Forrester Report “Secure Applications at the Speed of DevOps” • Gartner 2017 Magic Quadrant for Application Security Testing • Forrester Total Economic Impact (TEI) Study • E-Guide: 5 Steps to Achieve Risk-Based Application Security Management
- 19. Q & A 19
- 20. © 2017 IBM Corporation Thank You!