Nsc42 the security phoenix

Editor's Notes

• #2: Intro Thank you for being here and a thanks to Whitehall media for organizing this event What are we going to talk about? <pause?> … oh yes phenix and the death of infosec <pause?> …oh sorry you thought you would have a future as security people? Well yes and no… <smile & pause> Who has read harry potter here? Who knows here what is a phenix? And how does a phenix relate to infosec?? Today we are going to talk about how the infosec program is reborn under a rain of fire inside the dev-ops world
• #3: Agenda for today Agenda for today - Author - Quick background - Evolution of DEVOPS in Security Phoenix - Security Phoenix – Visualization & Security Phoenix Tech - Security Phoenix – Security Ops - Security Phoenix – Governance & Education - Trust & Verify / License to operate Conclusions Q&A
• #4: Quick background about Francesco…me…as you might have noticed my favorite colors are black and red. I’m a Cybersecurity Cloud Expert and CISO/Advisor. I’m an active Public Speaker, as you can see, researcher and Director of Events of Cloud security Alliance UK, Researcher and associate to ISC2.   I’ve been helping organizations define and implement cybersecurity strategies and protect their organizations against cybersecurity attacks I help international organization of different industries and sizes financial services, banking, Telco and thig gives me different prospective on the security problem   One important theme that I put in all the presentation is that that Security is everybody job and we will see why Also The key to success in security is to make it frictionless
• #5: So what is DEV-OPS? Opening: So, what are we talking about? DEVOPS and Security. What the hek is devops? DEVOPS is a mythological beast… where you merge the development community with the operational community to have a single animal that is responsible of the lifecycle of their own application  Is continuous integration between DEVelopment and OPerationS (continuous integration) Why is so actual today? Because of the speed of delivery So how do we add another element in this picture (Sec) … Security Phoenix is where DEV-OPS reborn as a mythological animal with security at heart
• #6: So what are the different part of a phoenix? With at their head people and education (head) Design (wing) Build & Test (wing) Operate is at the heart (heart) Guided by governance and risk management (tail) Can a bird fly without wings or with just one wing? Maybe but really badly Can a bird fly without a head? Don’t think so Can a bird have direction without a tail But ultimately security is about our people as they are our herald! Security is everybody’s job Let’s see why
• #7: Why Is security Important Major breaches over the years…let’s think about the dark knights We can’t scale! We need more security people ! I’ll let this image sink in for a second. Those are just the major breaches over the years. Most of them were due to mistakes like unpatched systems, exposed databases, password guessing, brute force. What all those breaches have in common? Complex Nation state act – no Complex and intricated cyber attacks – Sometimes Missing the basics (e.g. patching ) and human error is the answer you are really searching for. By doing the basic right you will be better off than 80% of other organizations This explains why security is everyone's responsibility? Because we all get affected by it! https://blog.storagecraft.com/7-infamous-cloud-security-breaches/ https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ A lot of the breaches have similarities: Basic patching Server exposed without credentials
• #8: Setting the context Just to let you know what the malicious actors have been up to: Just to give some prospective: Size of the breaches (orange interesting stories) https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
• #9: So how does security fit in DEV-OPS? Done badly the existing governance and controls get forced onto the new world Done correctly security becomes almost transparent So how do we do it correctly? With Security Phoenix! Security Function is reborn! Let’s analyze the phoenix
• #10: What would you get out of the pillar? Trust of the developers – Embedding security in the DEV-OPS pods. Key enabler for doing this at scale? Trust & Verify and License to operate How to fix vulnerability at scale? The concept of Triage and Visualization Upskill and fill the gap in security: Keep people accountable: Security Governance Shift Left & Design – not talking much here
• #11: So let’s see the people aspect: Trust & Verify and license to operate
• #12: Problem that we are trying to solve>How to fix the problem at scale and at pace DEV-SEC-OPS Ultimately is all about our people & Education People are the first line of defiance for your business What are the key concept of Security Phoenix? Trust the team but verify (dashboards, build vs fix) License to operate: if you deploy quality code you have the license Fixing vulnerabilities as everyday life (sprint) Set thresholds (reduction of vulnerabilities and build vs fix)
• #13: This new mode of operation shall rely on the ability of the team to demonstrate they can operate securely and at pace Transformation – License to Operate -> Trust your DEV-OPS but verify As long as the DEV-OPS team operate under the license Apply governance (light and heavy weight) Make security everybody’s responsibility but provide resource to guide (during transformation)
• #14: The Whole concept relies on license to operate: if you promote good code, you good to go How to verify: Thresholds for reduction of vulnerabilities (Dashboards) Thresholds for Build VS fix Security Learning Code Scanners -> Output in Phoenix DB -> Thresholds Code Scanners -> Output in Jira ticket -> Threshold in Phoenix DB -> Build vs FIX tickets Learning platform -> Output in Phoenix DB -> team doing training? Teams triage and remediated locally to the pod People aspect: Risk management & BUZ – not yet automated If something can’t be updated/remediated than risk assessment (not covered here) Application/Product owner (empowered by Pods and Security Champions) decide how many vulnerabilities to fix at every sprint
• #15: The Pod Structure Dev + Engineers – DEV + OPS Sec Champions to show what good looks like App Owner to guide the business for new feature Sec Arch – To oversee the Design Part of application and review changes Monitoring – Appsec (day in day out Vuln Fixes Dashboard and trending – what vulnerability to fix first Build vs FIX - ensure the thresholds are healthy
• #16: Trust your developers and apply a ‘license to operate’ -> this can be removed Apply governance (light and heavy weight) – faster for team that are compliant with security more scrutiny for team that are not Visualize and keep everyone accountable – give the product owner the ability to see if new vulnerabilities are getting introduced Make security resource available to the developers and document the fixes – produce internal reference for what security looks like for your org
• #17: The Whole concept relies on license to operate: if you promote good code, you good to go How to verify: Thresholds for reduction of vulnerabilities (Dashbaords) Thresholds for Build VS fix Scanners output in jira Teams triage and remediated locally to the pod If something can’t be updated/remediated than risk assessment (not covered here) Application/Product owner (empowered by Pods and Security Champions) decide how many vulnerabilities to fix at every sprint
• #18: Let’s see the visualization aspect behind the element discussed
• #19: Thresholds example (DEV)
• #20: Theme: Visualization helps both the teams working on the code and the application owner providing governance The tools ultimately are not as intelligent as a developer but only provide suggestion on how to prioritize vulnerabilities Scanners architecture Different Scan at different stages Divide DEV/Prod Scanners individual dashboards for false positives Aggregate the vulnerabilities in aggregators (e.g. Kennar) Scanners dashboards to mark false positives or risk accept but make sure there is a process behind it Triage of the vulnerabilities inside the scanners or feed into auto generation of thickets
• #21: For operation – Scan/Monitor & Bugfix (nothing else than a change) Key thing here: Prioritize what to fix! Fixes will be in competition with feature! Is not all about security  OS & App – Scan and monitor – Rebuild frequently so you don’t have to worry Framework – Scan & Patch – Rebuild App with latest (release cadence) FOSS – open source components! Watch for Contributor account take over (refer to Netflix) Libraries & Open source components – Scan & rebuild with new libraries - Rebuild App with latest (release cadence) – RISK management if you can’t update or no update is available Code – From your DEV Pipeline – Those are your security code defect (internal or external bug bounty to detect which one is more dangerous
• #22: For open source vulnerabilities it takes a long time to fix Why is that? Because rebuilding is not always immediate You say 0 days? I say normally a patch is between 16 and 94 days to be fixed… That leaves a lot of exposure to yourself
• #23: So Let’s see the last aspect: Design and Education
• #24: Security governance in dev-sec-ops – Challenging Definition of change: Small Changes vs security impacting changes Change control & Security education – security review closer to the Application PODs Initial design assessment Improvements: Pre approved services Patterns Standards into automation
• #25: Educate the Users -> Report vulnerability Educate the Users -> Aware of social engineering Hands on and hands-off training (OWASP great resource)
• #26: Security is hard and roles of the architect is changing No 1 solution fits all, tailor this model to your organization! Key concepts: Trust And Verify Vulnerability Management every day life Automation vs people aspect – is a transformation Data Driven Education Governance at scale Closing: Ultimately there is no 1 solution that fits all and look at the security transformation as a people transformation. You can’t automate people but you can make people’s life easier using tool. Don’t let the tool use you but use the tool to prioritize the work
• #30: Q&A