Module 1 - Evolution to Secure DevOps.pptx
Module Overview
Lesson: Threat Landscape
Wawa Breach May Have Compromised More Than 30 Million Payment Cards
KrebsonSecurity - January 28, 2020
Millions of Passengers Hit in Worst Ever Airline Data Hack
Cathay has lost more than $320 million in market value since news of the hack broke, as investors and customers question the company’s handling of the situation. The airline, which said it first discovered the breach in March and confirmed it in May, didn’t disclose it until Oct. 24, in a late-night statement to the Hong Kong stock exchange.
By Bruce Einhorn , Kyunghee Park , and Jinshan Hong
October 26, 2018
Exploiting known vulnerabilities…
The evolution of attacks
In the beginning: Isolated cases of nation-state espionage and young hackers exploring networks.
Computing becomes pervasive: Computers used as tools to facilitate traditional offenses; hacking cases increase with motives becoming more diverse (e.g., fraud, hacktivism).
Today: Massive data thefts across verticals; rampant economic and military espionage; advanced persistent threats; destructive attacks.
Future: Internet of Things enables new forms of large-scale attacks. Militarization of cyberspace continues.
Cost of a Data Breach
World’s Largest Data Breaches & Hacks
Credential Theft through Phishing
Credential Theft through Better Phishing
Exploiting Common and Known Vulnerabilities
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
https://www.sans.org/top25-software-errors
https://cve.mitre.org/
https://nvd.nist.gov/
https://www.kb.cert.org/vuls/
Compromising Developer Workstations
https://github.com/BloodHoundAD/BloodHound
Lesson: Privacy and Compliance
Data Classification Guidelines
Privacy Guidelines for Development
Developing Privacy-Aware Applications
Compliance Standards
Risk Management
Lesson: Microsoft’s history with Application Security
“Trustworthy Computing focuses on creating and delivering secure, private, and reliable computing experiences based on sound business practices. Our goal is a safer, more trusted internet.”
Microsoft Confidential
Trustworthy Computing (TwC) Foundations
Privacy, Reliability, Security, Business Integrity
What is SDL?
The Security Development Lifecycle (SDL) consists of a set of practices that support security assurance and compliance requirements. The SDL helps developers build more secure software by reducing the number and severity of vulnerabilities in software.
SDL Timeline
Microsoft’s secure development processes have come a long way since the SDL was first introduced – the SDL is constantly evolving.
Trusted Cloud based on four foundational principles
Microsoft is committed to providing the most trusted cloud on the planet through our principled approach to cloud security, privacy control, compliance, transparency and reliability.
Security Privacy Compliance Transparency
SDL Practices
Lesson: Software Development Evolution
Waterfall Development Model
Waterfall Development Overview
From Waterfall To Iterative
Agile Software Development
DevOps is the union of people, process, and products to enable continuous delivery of value to your end users
Shorten cycle times and deliver value faster
Quality improvement thru continuous feedback
Optimize resources and eliminate waste
Continuous innovation thru experimentation
Plan + Track, Develop + Test, Release, Monitor + Operate
Continuous Delivery
Why DevOps?
Why CI/CD?
https://cloudplatformonline.com/rs/248-TPC-286/images/DORA-State%20of%20DevOps.pdf
Security Challenges with DevOps Practices
Quick Poll
Lesson: Secure DevOps Culture and Mindset
Shift
Security and Delivery at DevOps Speed
Mindset Shift: Assume Breach
“Fundamentally, if somebody wants to get in, they're getting in… Accept that. What we tell clients is: number one, you're in the fight, whether you thought you were or not. Number two, you almost certainly are penetrated.”
Michael Hayden, Former Director of NSA & CIA
What is Secure DevOps?
Usability problems kill Secure DevOps tooling initiatives
Tools must be integrated into the pipeline
Tools must not require security expertise
Tool results must be accurate and important
Engineers must have high confidence that fixing issues won’t break other things
Demo: Security Engineering Site
Lab: Azure DevOps Pipeline
Knowledge Check
Module Summary
Editor's Notes

  • #7: Bezos’ iPhone hack - https://www.ibtimes.com/facebook-blames-apple-jeff-bezos-iphone-hack-whatsapp-2911805 Amazon CEO Jeff Bezos's iPhone was hacked after receiving a message via WhatsApp. Facebook's vice president said the issue reveals potential security vulnerabilities in smartphones' operating systems. The hack caused massive amounts of data to be extracted from Bezos's iPhone.
WordPress vuln - https://www.bleepingcomputer.com/news/security/200k-wordpress-sites-exposed-to-takeover-attacks-by-plugin-bug/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8417
Wawa breach - https://krebsonsecurity.com/2020/01/wawa-breach-may-have-compromised-more-than-30-million-payment-cards/ Data is currently being sold on Joker’s Stash on the dark web.
Airport hacks - https://www.techrepublic.com/article/97-of-the-worlds-100-largest-airports-have-massive-cybersecurity-risks/
  • #8: How do these vulns happen? The vulnerability has been assigned CVE-2017-9805 and is rated Critical. It is the result of unsafe deserialization in the Java Struts REST plugin with the XStream handler when handling XML payloads received with a “Content-Type” set to “application/xml”. This is covered in A8 - Insecure Deserialization.
  • #9: Don’t speak to this entire slide – instead drive home the point that the security maturity of Microsoft’s product has to continuously evolve in the face of constantly-evolving attacks, from script kiddies to nation-states. You can also mention in the future section that Microsoft has security efforts underway in AI & Machine Learning
  • #10: https://www.ibm.com/security/data-breach
  • #11: World's Biggest Data Breaches & Hacks - select losses greater than 30,000 records. Last updated: 18 Dec 2019. The companies listed here have security processes in place, yet they have also been penetrated. https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
  • #12: Ransomware still makes headlines, however, we encounter it at much lower volumes compared to other malware, and tactics such as cryptocurrency mining. Ransomware attacks happen when bad actors encrypt and threaten to delete a user’s or organization’s valuable information unless they pay a ransom. Ransomware has been on the decline in recent times since victims have not been paying the ransoms and companies have been able to retrieve locked up files from their backups. Still, it continues to be a threat in some regions, primarily due to a lack of security hygiene, with occasional spikes in encounter rates. The graph and map on the right show the monthly average percentage of machines that encountered ransomware for the timeframe and country/countries selected. Toggle between Worldwide and Country Comparison for a detailed view of the countries you’ve selected. Source: https://www.microsoft.com/securityinsights/Ransomware
  • #13: Cybercriminals are often motivated by money. With the rise in values of cryptocurrency, such as Bitcoin, attackers have increasingly been turning their attention to cryptocurrency mining. We’ve noticed that as the value of cryptocurrency rises and falls, so does the mining encounter rate. Attackers inject mining software into an unsuspecting user’s or organization’s machine(s) and then use the machine’s compute power to mine for the cryptocurrency. This can cause decreases in system performance. More importantly, the key threat is that now an attacker has a foot in the door. And while they might be using a few extra CPU cycles for mining, they can easily turn that mining software into something with more malicious intentions if needed. Source: https://www.microsoft.com/securityinsights/Crypto
  • #14: Test done by our internal security teams.
  • #16: Discuss the following: Open Web Application Security Project - worldwide not-for-profit charitable organization focused on improving the security of software. SANS Institute - CWE (Common Weakness Enumeration)/SANS Top 25 Most Dangerous Software Errors. Common Vulnerabilities and Exposures - CVE® is a list of entries, each containing an identification number, a description, and at least one public reference, for publicly known cybersecurity vulnerabilities. National Vulnerability Database - The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). They now have a JSON feed! The CERT/CC Vulnerability Notes Database is run by the CERT Division, which is part of the Software Engineering Institute - not as up to date, but it is included in this slide to show how SEI sees software security as a priority.
  • #17: Debating if we should include the link to this security tool. If you are nervous about discussing BloodHound, please omit the URL.
  • #19: If the customer works in healthcare, discuss HIPAA; if they handle credit cards, discuss PCI. ISRM - Information Security Risk Management (ISRM) is the ongoing process of discovering, correcting, and preventing security problems.
  • #20: Anonymous Data: Anonymous Data is non-personal data which, by itself, has no intrinsic link to an individual customer. For example, hair color or height (in the absence of other correlating information) does not identify a customer. Similarly, system information such as hardware configuration (e.g., CPU and memory size) is anonymous when it is not tied to an individual. If a unique identifier is introduced that ties the data to an individual, the data is no longer anonymous. Data can also lose its anonymity as the volume of data collected increases. The more information that is known, the greater the chance a link to an individual can be made, especially in situations where there is a small population of possible candidates. For example, a report that listed average salary by group could expose an individual’s salary if they were the only person in that group.
Pseudonymous Data: Pseudonymous Data is unique information that by itself does not identify a specific person (e.g., unique identifiers, biometric information, and usage profiles that are not tied to an individual), but could be associated with an individual. Once this data is associated with an individual it must be treated as personal information. Until that time, it may be treated as anonymous.
Personally Identifiable Information (PII): any information that identifies or can be used to identify, contact, or locate the person to whom such information pertains, or from which identification or contact information of an individual person can be derived. PII includes, but is not limited to: name, address, phone number, fax number, e-mail address, financial profiles, medical profile, social security number, and credit card information.
Sensitive Personally Identifiable Information (Sensitive PII): a subset of PII considered to be so important to the individual that it must be specially protected. For example, credit card numbers and bank account information are categorized as Sensitive PII because they could be misused, resulting in significant financial harm. The same can be true of government-issued identifiers such as Social Security Numbers and drivers’ license numbers.
  • #21: When developing privacy-aware applications, three primary objectives must be satisfied: fulfilling legal obligations; increasing customer trust; and preventing blocked deployments.
Fulfilling Legal Obligations: Depending on how an application behaves, certain controls and documentation must be established in order to fulfill legal obligations. For instance, if an application involves users that are children, then it must be compliant with the Children’s Online Privacy Protection Act (COPPA). Or if an application transfers any personally identifiable information (PII), regardless of whether it is sensitive or non-sensitive, then certain legal obligations arise. Several prevalent regulations involving PII include:
COPPA - Children's Online Privacy Protection Act - Protects the privacy of children under 13 years of age, including PII and images with identifiable locations, etc.
GLBA - Gramm-Leach-Bliley Act - Mandatory compliance for financial institutions to provide Privacy Notices to consumers regardless of whether the PII will be disclosed to external parties.
HIPAA - Health Insurance Portability and Accountability Act - Privacy Rule regulates use and disclosure of Protected Health Information that can be linked to an individual.
CFAA - Computer Fraud and Abuse Act - Outlines criminal offenses for accessing and modifying computer systems without authorization.
FTC - Federal Trade Commission - Bureau of Consumer Protection investigates and enforces laws with respect to fraud, privacy, and identity protection, among others.
EU - European Union - Includes international law that supersedes member state law when privacy conflicts involving PII arise.
Increasing Customer Trust: Building great software is not enough; you need to earn and increase your customers’ trust in your software. By focusing on privacy considerations, you can earn the required trust by designing more trusted applications that increase transparency in the user experience and empower the user to control their personal data through guidance that is easy to understand and actionable.
Preventing Blocked Deployments: The final privacy objective is to prevent blocked deployments. Blocked deployments are any instances where applications cannot be deployed into production environments due to some adverse behavior of the application or lack of documentation regarding an undesirable behavior. To prevent blocked deployments, designers and developers need to focus on features that have considerable privacy implications, such as continuous monitoring or discrete anonymous transfer, and ensure that appropriate and sufficient controls and disclosures have been applied accordingly.
  • #22: Discuss a little about each. We will cover this area in depth in Module 7 (Policies and Standards).
GDPR - The General Data Protection Regulation (GDPR) is a Regulation in the making by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU.
HIPAA - The Health Insurance Portability and Accountability Act of 1996. It was created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage.
HITRUST - The Health Information Trust Alliance, or HITRUST, is a privately held company located in the United States that, in collaboration with healthcare, technology and information security leaders, has established a Common Security Framework that can be used by all organizations that create, access, store or exchange sensitive and/or regulated data.
FedRAMP - The Federal Risk and Authorization Management Program is an assessment and authorization process which U.S. federal agencies have been directed by the Office of Management and Budget to use to ensure security is in place when accessing cloud computing products and services.
PCI DSS - 12 requirements, for example: Install and maintain a firewall configuration to protect cardholder data. Do not use vendor-supplied defaults for system passwords and other security parameters. Protect stored cardholder data. Encrypt transmission of cardholder data across open, public networks.
ISO 27001 - ISO/IEC 27001:2005 is an information security standard that focuses on information classification.
FIPS - Federal Information Processing Standards (FIPS) are publicly announced standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors.
User-based collaboration and information sharing covers privileged information.
  • #23: The organizational risk management strategy is a key factor in the development of access control policies. Risk management is the identification, evaluation, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities. Source: https://en.wikipedia.org/wiki/Risk_management
  • #25: Definition of Microsoft Trustworthy Computing. More details can be found at the following link: https://www.microsoft.com/en-us/twc/security.aspx The statement is pretty self-explanatory. This will be the guiding principle and philosophy when designing and developing products, services and platforms (mobile and cloud) for our customers as well as for Microsoft.
  • #26: In January 2002 Bill Gates wrote a memo talking about Trustworthy Computing. The Microsoft Trustworthy Computing framework was defined in four areas: Security, Privacy, Reliability and Business Integrity. https://www.microsoft.com/en-us/twc/default.aspx
Security: The security of our customers' computers and networks is a top priority. We are committed to building software and services that help protect our customers and the industry. Our approach to security includes both technological and social aspects, and we strive to ensure that information and data are safe and confidential. Drawing on industry best practices, we make investments to increase the security of our technologies and to provide guidance and training to help minimize the impact of malicious software. Three core elements guide the work and focus of security: Fundamentals, Threat and Vulnerability Mitigation, and Identity and Access Control.
Privacy: Microsoft has a longstanding commitment to privacy, which is an integral part of our product and service lifecycle. We work to be transparent in our privacy practices, offer customers meaningful privacy choices, and responsibly manage the data we store. The Microsoft Privacy Principles, our specific privacy statements, and our internal privacy standards guide how we collect, use, and protect customer and partner data.
Reliability: Reliability means more to Microsoft than simply making dependable software and services. It also means investments in processes and technology to improve reliability, a continuing focus on every customer’s experience, and active partnerships with a wide variety of software and hardware companies.
Business Integrity: Microsoft is committed to deepening the trust of customers, partners, governments, and communities. We strive to meet or exceed legal, regulatory, and ethical responsibilities worldwide and to hire and reward employees who share our values, work with integrity, and adhere to our Standards of Business Conduct.
  • #27: This is the email that Bill Gates sent to Microsoft full-time employees back in January 2002. Go over some highlights:
- A letter from a CEO indicates how important security is and shows leadership support. This is critical to any security initiative.
- “If we don’t do this, people simply won’t be willing – or able – to take advantage of all…” Ask the audience: if the applications they develop or use have security and privacy issues, will they use them? Or do they expect their customers to use them?
- “Trustworthy Computing is the highest priority…” Ten years ago, Bill Gates sent a company-wide memo stating that Microsoft must make trustworthy computing the highest priority for the company and for the industry over the next decade. He predicted that computing would become an integral and indispensable part of almost everything that people do. Bill recognized that Microsoft and the technology industry needed to prioritize security, privacy, and availability to instill trust in computing.
  • #29: Microsoft has been using the SDL or its precursors for over a decade to inject proven security practices into the development of our software. Although it might be tempting to consider the SDL and security development methodologies “completed,” the reality is that threats to software are not, and will never be, static. As a result, we will continue to monitor the threat environment, make the investments necessary in people and technology to refine and improve the Microsoft SDL, and aggressively share best practices with third-party software developers to help create a safer computing experience for everyone.
SDL timeline:
2004 => SDL 2.0: SDL released a codified list of refinements to techniques and processes that had been used previously during the .NET and Windows security pushes. Threat modeling, static analysis and Final Security Review mandated for all MS software.
2005 => SDL 2.1 & 2.2: SDL bug bar implemented. Introduction of fuzzing. Cryptographic standards included. Introduction of runtime verification testing using AppVerifier and other tools.
2006 => SDL 3.0 & 3.1: Fuzz testing extended to ActiveX controls. Introduction of Banned.h, deprecating a subset of the C runtime library to remove functions that were known to present security threats, with special focus on buffer overruns. Privacy standards for development introduced. Online services requirements introduced to unify efforts with the existing client/server-focused SDL.
2007 => SDL 3.2: Cross-site scripting defenses mandated, i.e. the use of input validation, output encoding and black-box vulnerability scanning. Requirement to use the Anti-XSS library for output encoding, which uses whitelists (principle of inclusion).
2008 => SDL 4.0 & 4.1: Introduction of ASLR (Address Space Layout Randomization). CAT.NET introduced for managed code / online services. CSRF defenses mandated using the ViewStateUserKey.
2009 => SDL 5.0: Enhanced fuzzing requirements for all network interfaces and parsers. Increased acceptability thresholds for fuzz tests (100,000 successful iterations). Operational security reviews for all applications intended to run in Microsoft datacenters (while already present, added to the SDL to provide online service applications with a consistent view). Third-party licensing security requirements added for all 3rd-party code licensed for use in Microsoft products and services. External tool releases: Threat Modeling Tool, Template for Visual Studio Team System, SDL BinScope Binary Analyzer, MiniFuzz File Fuzzer.
2010 => SDL 5.1: Sample code compliance with SDL. Release of the Simplified Implementation of the Microsoft SDL. External tool releases: SDL MSF+Agile Template for Visual Studio Team System, Regex Fuzzer.
SDL today (as of 1/15/2018): Continues to evolve within Microsoft. Our internal development teams (non-customer facing, e.g. CSE, formerly MSIT) undergo SDL review. This example aligns well with what some of our customers are doing. Some customers develop in-house applications just like CSE. Internal applications should still utilize the SDL process.
  • #30: TwC principles were established in 2002 and similar principles drive Azure today.
Security - We build our services from the ground up to help safeguard your data.
Privacy - Our policies and processes help keep your data private and in your control.
Compliance - We provide industry-verified conformity with global standards.
Transparency - We make our policies and practices clear and accessible to everyone.
Microsoft is committed to providing the most trusted cloud on the planet. Our foundational principles of security, privacy & control, compliance, transparency and reliability underpin our differentiated approach to cloud. Microsoft leads the industry through compliance leadership, a holistic approach to security and privacy, and advocacy for our customers. Our enduring approach builds trust and assurance in the cloud ecosystem and ultimately helps our customers realize the promise of digital transformation.
  • #31: SDL has been a journey for Microsoft and most of what we started early in the 21st century has now evolved to Secure DevOps. It is still important to discuss these terms as we will refer to them later in the class.
  • #34: Pros:
- Clear and defined set of steps
- Committed to an end goal (instead of smaller sprints as with Scrum)
- Methodical and transfers information well between steps
- Once the project is complete, there is a good source of documentation
Cons:
- Always moving forward, so leaves almost no room for unexpected changes or revisions
- Excludes the end user or the customer during the development of the project
- Testing does not occur until after completion of the project
- More expensive to maintain due to large influx of changes between releases
- Difficult to customize
- The longer the project’s duration, the more requirements change and results vary, which drives inconsistent delivery.
  • #35: This is a hybrid approach to Waterfall
  • #36: Talking points: A Product Owner compiles all the changes planned for the product and prioritises the possible functionalities. The result of the Product Owner’s work is a Product Backlog – a to-do list that is constantly reprioritised. Before each Sprint, the highest prioritised goals are transferred to a Sprint Backlog.
Together with a user, the project members form a Scrum Team consisting of 5–9 people. During discussions with the Product Owner, the goal of the Sprint is determined and the prioritised functionality is broken down into detailed tasks. The team is self-organized and the members have a joint responsibility for the results.
The Scrum Master coaches the development team, removes any possible impediments and constantly works to ensure that the team has the best possible circumstances for realising the goals fixed for the Sprint.
Each Sprint enhances the product’s market value and adds new functions and improvements that can be delivered to the customer. The outputs from each Sprint should be potentially shippable.
The 3 daily scrum questions: What did you do yesterday? What will you do today? What is blocking progress / what are your impediments?
  • #37: Achieved through the following practices: Continuous Development, Continuous Integration, Continuous Testing, Continuous Deployment, Continuous Monitoring, Virtualization and Containerization.
DevOps transformation must start at the leadership level. “Leaders must give teams autonomy in their work which leads to feelings of trust and voice.” – DORA State of DevOps Report.
This is only a subset of practices for DevOps. In order to fully adopt DevOps, there needs to be a shift in the culture of all teams involved. No longer can you take the approach of “throwing your software over the wall” and letting the other teams handle the product during the deployment phase. When teams have a good dynamic, their work benefits at the technology and organizational level. Research by DORA has confirmed this for several years and they caution organizations not to ignore the importance of their people and their culture in technology transformations.
  • #38: Discuss the grid. DORA has published research on DevOps and how it helps with software quality for almost 5 years (the first public report was in 2014). Computers perform repetitive tasks; people solve problems. In order to reduce the costs of software deployments, take repetitive tasks such as regression testing and deployments and automate them. This frees up people for the higher-value problem-solving work. The next slide summarizes why CI/CD.
  • #39: More than just going faster, CI/CD helps to address other common requests from compliance and government regulations. Example: NIST SP 800-53 R3 SA-11 - Information Lifecycle Management (https://nvd.nist.gov/800-53/Rev4/control/SA-11)
  • #40: These are just some of the points. We will discuss much more in Module 2. For now, expand on what you feel DevOps lacks when it comes to Application Security.
  • #41: Make a mental note of what they are doing for software development. This will help assess what practices can be adopted to aid the customer on their DevOps/Secure DevOps journey
  • #43: In racing, the fastest lap wins the race. In DevOps, Software Delivery Performance wins time to market: reduced lead times, increased deployment frequencies, mean time to restore, change fail percentage. These help support a well-oiled DevOps machine. DevOps teams typically do not have security as part of standard operating procedure.
  • #45: Assisted through automation and tooling
  • #46: Talking with analysts and industry peers, four common themes emerge around Secure DevOps failures Most of the tools customers use today fail one or more of these criteria We will talk more about tooling in Module 4
  • #47: https://www.microsoft.com/en-us/securityengineering/sdl/practices https://www.microsoft.com/en-us/securityengineering/DevSecOps
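Added example for note #8, not code from the course deck or from Apache Struts/XStream: the note attributes CVE-2017-9805 to unsafe deserialization of XML payloads in the Struts REST plugin's XStream handler. The defensive principle is the same in any runtime: a deserializer should reconstruct only types that were explicitly allowed (the principle of inclusion the deck also names under SDL 3.2), and a handler should only be dispatched for media types the endpoint intends to serve. Python's pickle stands in for XStream here because its `find_class` hook exposes the allowlist decision directly; the `ALLOWED_GLOBALS` set, the `media_type_allowed` gate and both sample payloads are constructed for this example.

```python
"""Added example, not from the course deck or from Apache Struts/XStream:
allowlisted deserialization (principle of inclusion) and a media-type gate,
shown with Python's pickle as a stand-in for the XML deserializer in the
Struts case. Allowlist contents and payloads are constructed for the example."""
import io
import pickle
from fractions import Fraction

# Principle of inclusion: the only (module, name) pairs the loader may resolve.
# Anything else, however benign it looks, is refused.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
    ("builtins", "str"),
    ("builtins", "int"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose class lookups are limited to ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing disallowed global {module}.{name}")


def restricted_loads(data: bytes):
    """Deserialize untrusted bytes, reconstructing only allowlisted types."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unrestricted_loads(data: bytes):
    """The weak pattern: plain pickle.loads resolves whatever importable class
    the payload names, which is what makes untrusted deserialization risky."""
    return pickle.loads(data)


def media_type_allowed(content_type_header: str,
                       allowed=frozenset({"application/json"})) -> bool:
    """Second layer: dispatch a handler only for media types the endpoint is
    meant to serve. Parameters such as '; charset=utf-8' are ignored and the
    comparison is case-insensitive."""
    media_type = content_type_header.split(";", 1)[0].strip().lower()
    return media_type in allowed


# Constructed payloads: a plain data structure, and an object of a type that
# is not on the allowlist (a harmless Fraction stands in for any unexpected
# class a deserializer should not be instantiating on the caller's behalf).
SAFE_PAYLOAD = pickle.dumps({"order_id": 42, "items": ["a", "b"]})
UNEXPECTED_TYPE_PAYLOAD = pickle.dumps(Fraction(1, 3))


def demo():
    """Run the three checks and report the outcomes as a dict."""
    result = {"safe": restricted_loads(SAFE_PAYLOAD)}
    try:
        restricted_loads(UNEXPECTED_TYPE_PAYLOAD)
        result["unexpected_rejected"] = False
    except pickle.UnpicklingError:
        result["unexpected_rejected"] = True
    # The unrestricted loader reconstructs the Fraction without complaint.
    result["unrestricted_loaded"] = isinstance(
        unrestricted_loads(UNEXPECTED_TYPE_PAYLOAD), Fraction)
    # An endpoint meant to serve JSON should not dispatch an XML handler at all.
    result["xml_allowed"] = media_type_allowed("application/xml; charset=utf-8")
    return result


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the restricted loader accepting the plain data structure, refusing the object whose type is outside the allowlist, and the unrestricted loader reconstructing that same object; the content-type gate rejects `application/xml` for an endpoint that only intends to serve JSON. The allowlist is deliberately a set of exact (module, name) pairs rather than a denylist of known-bad classes, because the set of dangerous gadgets in any class library grows over time while the set of types a given endpoint legitimately needs does not.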
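Added example for note #20, not from the course deck: the note warns that a report listing average salary by group exposes an individual's salary when that person is the only member of the group. The code below builds the naive aggregate, the same aggregate with a minimum group size (small-cell suppression), and a check that lists whose record a given report gives away. The employee records, department names and the threshold of 3 are constructed for this example.

```python
"""Added example, not from the course deck: how a group aggregate leaks an
individual's record when the group is too small, and small-cell suppression
as the control. All records below are constructed sample data."""
from collections import defaultdict
from statistics import mean

# Constructed sample data: (employee_id, department, salary)
SAMPLE_RECORDS = [
    ("e001", "engineering", 120_000),
    ("e002", "engineering", 110_000),
    ("e003", "engineering", 130_000),
    ("e004", "finance", 95_000),
    ("e005", "finance", 105_000),
    ("e006", "finance", 100_000),
    ("e007", "legal", 150_000),  # sole member of its group
]

# Assumed policy threshold: a published cell must aggregate at least this many people.
MIN_GROUP_SIZE = 3


def group_salaries(records):
    """Bucket salaries by department."""
    groups = defaultdict(list)
    for _, dept, salary in records:
        groups[dept].append(salary)
    return groups


def average_salary_by_group(records):
    """Naive report: average per department with no size check.
    A department of one reports that person's exact salary."""
    return {dept: mean(vals) for dept, vals in group_salaries(records).items()}


def average_salary_by_group_suppressed(records, min_group_size=MIN_GROUP_SIZE):
    """Same report with small-cell suppression: departments with fewer than
    min_group_size members are reported as None instead of a value."""
    report = {}
    for dept, vals in group_salaries(records).items():
        report[dept] = mean(vals) if len(vals) >= min_group_size else None
    return report


def exposed_individuals(records, report):
    """Employee ids whose exact salary can be read off the report: the
    department's value is published and that person is its only member."""
    sizes = {dept: len(vals) for dept, vals in group_salaries(records).items()}
    return [eid for eid, dept, _ in records
            if report.get(dept) is not None and sizes[dept] == 1]


if __name__ == "__main__":
    naive = average_salary_by_group(SAMPLE_RECORDS)
    safe = average_salary_by_group_suppressed(SAMPLE_RECORDS)
    print("naive report:", naive, "exposes", exposed_individuals(SAMPLE_RECORDS, naive))
    print("suppressed report:", safe, "exposes", exposed_individuals(SAMPLE_RECORDS, safe))
```

Suppression by cell count is the simplest control and matches the note's example exactly; it does not by itself defeat differencing between overlapping reports (a published overall total minus the published large groups still yields the suppressed one), which is why aggregates are reviewed as a set rather than one table at a time.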