© COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. @ThomasStiehm #AllDayDevOps
Agility. Security. Delivered.
Shifting Security Left
The Innovation of DevSecOps
Tom Stiehm
@ThomasStiehm
About Coveros
• Services
  • Agile Transformations & Coaching
  • Agile Software Development
  • Agile Testing & Automation
  • DevOps Implementations
  • DevSecOps Integrations
  • Agile, DevOps, DevSecOps, Security, and Testing Training
• Open Source Products
  • SecureCI – DevSecOps toolchain
  • Selenified – Agile test framework
Coveros helps organizations accelerate software delivery using agile and DevOps methods
How DevSecOps builds on DevOps
DevSecOps is a practice that rose from DevOps that includes information technology security as a fundamental aspect in all the stages of software development. -- Wikipedia
DevSecOps builds on DevOps by leveraging collaboration and feedback to address security concerns throughout the software development life cycle.
Shifting Security Left
•Shifting Left is taking a practice or process normally done late in development and doing it earlier.
•Shifting Security Left is doing security testing, analysis, and remediation during development, iteratively, usually with automated data collection to make it faster and cheaper.
•The net result is that security practices become part of the daily workflow of the development team.
Why Shift Security Left?
Application Security is hard, error prone, and expensive. It is often made harder by trying to shoehorn it into the end of a release.
Shifting Left lets teams deal with security issues early and often, which:
•Reduces risk
•Reduces cost
•Leads to fewer errors
•Results in fewer security compromises
Security before the code is written
Be proactive:
•Architect and design security in from the start, based on threat analysis.
•Include security in your pipeline from the start.
•Take time to analyze and remediate AppSec findings.
Why?
•Your software has security defects in it.
•Testing security into software at the end doesn’t work.
•Relying on network and OS security to protect applications doesn’t work.
•Ignoring security concerns doesn’t work.
Legacy Security Practices
The Focus is on testing at the end.
Security Practices in DevSecOps
Shifting Left includes reacting to the feedback on a regular basis.
Where to Start
•SCA: install Software Composition Analysis
  •Expand existing CI/CD processes to scan your application dependencies
•SAST: start with Static Application Security Testing
  •Quick to integrate into a build pipeline
  •Leverages existing CI/CD assets
•DAST: next, integrate Dynamic Application Security Testing
  •Could be as simple as adding a DAST proxy to your existing automated or manual testing environment
  •Expand into using the automated aspects of DAST tools
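The SCA, SAST and DAST tools named above produce findings; what the team still has to write is the pipeline step that decides whether a build proceeds, and that step is where "start with SAST on a brownfield code base" and "iteratively add more security to your build pipeline" meet. The following is an added example, not code from the talk and not part of Coveros' SecureCI. It is a Python gate over SARIF output, the interchange format most SAST and SCA scanners can emit. It fingerprints findings without their line numbers, lets a team baseline the findings that already exist so only newly introduced ones fail the build, and tightens the blocking severity as the build moves from commit to merge to release. The stage policy, the rule ids, file names, severities and scanner output are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass

# Severities blocked at each pipeline stage. The set grows as the build moves
# toward release, so confidence rises stage by stage. This policy is an
# assumption made for the example, not a recommendation from the talk.
STAGE_BLOCKS = {"commit": {"critical"}, "merge": {"critical", "high"},
                "release": {"critical", "high", "medium"}}
_LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "low"}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    file: str
    line: int
    message: str
    severity: str  # critical | high | medium | low

    @property
    def fingerprint(self) -> str:
        # Line numbers are left out on purpose: an edit above the finding moves
        # it, but that must not turn an accepted legacy issue into a "new" one.
        raw = f"{self.rule_id}|{self.file}|{self.message}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


def _severity(result: dict, rules: dict) -> str:
    # Prefer the CVSS-style 'security-severity' that tools such as CodeQL and
    # Semgrep attach to the rule; fall back to the generic SARIF level.
    score = rules.get(result.get("ruleId"), {}).get("properties", {}).get("security-severity")
    if score is None:
        return _LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "medium")
    score = float(score)
    return "critical" if score >= 9.0 else "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"


def parse_sarif(text: str) -> list[Finding]:
    """Flatten a SARIF 2.1.0 log into Findings (one per result, first location)."""
    findings = []
    for run in json.loads(text).get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append(Finding(
                rule_id=res.get("ruleId", "unknown"),
                file=loc.get("artifactLocation", {}).get("uri", "?"),
                line=loc.get("region", {}).get("startLine", 0),
                message=res.get("message", {}).get("text", ""),
                severity=_severity(res, rules)))
    return findings


def accept_as_baseline(findings: list[Finding]) -> set[str]:
    """One-off for a brownfield code base: record what already exists so the gate
    only fails on findings introduced later. Check it in and review it; it is
    tracked debt, not a pass."""
    return {f.fingerprint for f in findings}


def gate(findings: list[Finding], baseline: set[str], stage: str):
    """Return (passed, blocking new findings, legacy findings already baselined)."""
    new = [f for f in findings if f.fingerprint not in baseline]
    legacy = [f for f in findings if f.fingerprint in baseline]
    blocking = [f for f in new if f.severity in STAGE_BLOCKS[stage]]
    return len(blocking) == 0, blocking, legacy


# --- Constructed scanner output for the example (hypothetical rule ids) -----
def _result(rule: str, uri: str, line: int, text: str, level: str | None = None) -> dict:
    res = {"ruleId": rule, "message": {"text": text}, "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}
    return {**res, "level": level} if level else res


def _sarif(results: list[dict]) -> str:
    rules = [{"id": "py.sqli", "properties": {"security-severity": "8.5"}},
             {"id": "py.shell-true", "properties": {"security-severity": "9.1"}},
             {"id": "py.open-no-with"}]
    return json.dumps({"version": "2.1.0", "runs": [
        {"tool": {"driver": {"name": "example-sast", "rules": rules}}, "results": results}]})


# Brownfield starting point: two pre-existing findings.
SARIF_BEFORE = _sarif([
    _result("py.sqli", "app/db.py", 42, "SQL query built with string formatting"),
    _result("py.open-no-with", "app/io.py", 7, "file opened without 'with'", "warning")])
# Next commit: the SQLi moved down three lines and a shell=True call was added.
SARIF_AFTER = _sarif([
    _result("py.sqli", "app/db.py", 45, "SQL query built with string formatting"),
    _result("py.open-no-with", "app/io.py", 7, "file opened without 'with'", "warning"),
    _result("py.shell-true", "app/run.py", 3, "subprocess called with shell=True")])


def demo(stage: str = "commit") -> tuple[bool, list[str], int]:
    baseline = accept_as_baseline(parse_sarif(SARIF_BEFORE))
    ok, blocking, legacy = gate(parse_sarif(SARIF_AFTER), baseline, stage)
    return ok, [f.rule_id for f in blocking], len(legacy)


if __name__ == "__main__":
    ok, blocking, legacy = demo()
    print("gate:", "PASS" if ok else "FAIL", "new blocking:", blocking, "legacy:", legacy)
```

In a real pipeline the constructed strings are replaced by the scanner's SARIF file (Semgrep, CodeQL, Trivy and Grype can all write one), the baseline lives in the repository next to the code, and the stage name comes from the CI job. Two caveats a practitioner hits immediately: the fingerprint deliberately ignores line numbers, so a message that embeds the line or a code snippet will churn and needs normalising first; and a baseline only stops the bleeding while legacy findings are triaged, so its size should be reported on every run and trend toward zero.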
Secure practices in a pipeline
Culture Shift
Goal Mindset: “Everyone is responsible for security.”
Three things to try when changing culture:
1. Build a Knowledge base
2. Promote Openness
3. Create Cybersecurity Champions
Need to experiment to find what works for your specific organization.
Wrap Up
#Coveros5
•Starting to Shift Left is more important than which practices you start with
•Greenfield: start with Threat Analysis and build security in
•Legacy or brownfield: start with SAST (or SCA or DAST)
•Iteratively add more security practices into your process
•Iteratively add more security to your build pipeline
Questions?
@thomasstiehm
• Join me on Slack
• https://alldaydevops.slack.com/
• #2019addo-devsecops

Editor's Notes

  • #3 (slide 2, About Coveros): Coveros is a consulting company that helps organizations build better software. We provide software development, application security, QA/testing, and software process improvement services. Coveros focuses on organizations that must build and deploy software within the constraints of significant regulatory or compliance requirements. The primary markets we serve include DoD, Homeland Security and associated critical infrastructure companies, healthcare providers, and financial services institutions.
  • #4 (slide 3, How DevSecOps builds on DevOps): Making application security a first-class citizen in the software development process, versus an afterthought that gets interpreted as a hurdle.
  • #5 (slide 4, Shifting Security Left): Make security a first-class citizen in your software development process: part of the daily workflow instead of something done late in the process. By late I mean too late to change much. Shifting Left is the practice of taking something you did later in a process and doing it earlier. Shifting Security Left is the practice of doing security testing and analysis during development, usually automating data collection to make it faster and cheaper. DevSecOps leverages the collaboration and automation of DevOps to Shift Security Left.
  • #6 (slide 5, Why Shift Security Left?): Fewer security compromises in production, making it less likely that something will happen to exploit the software. By shifting security left, teams are usually given the opportunity to deal with security issues as they happen, so there are fewer last-minute mistakes, compromises, and untested code going into production.
  • #8 (slide 7, Legacy Security Practices): This is where compromises come into play; the usual ones are:
    • We don’t have time to triage (analyze) all of the findings.
    • We don’t have time to fix all of the issues.
    • We don’t want to fix issues that already exist in the code base.
    • We don’t have time to find alternatives.
    • The functionality can’t wait.
    • What is the likelihood of something happening anyway?
  • #9 (slide 8, Security Practices in DevSecOps):
    • Threat Analysis: figuring out who wants to attack you, why, and how they would do it.
    • Secure Code Review: human beings reviewing code for security flaws (at check-in).
    • Static Analysis: using fast-running static analysis to find a number of issues, including vulnerabilities and insecure code.
    • SAST (Static Application Security Testing): using static analysis to specifically find security issues.
    • SCA (Software Composition Analysis): checking your software and its dependencies for security issues and license compliance.
    • Security Testing: using test automation tools to verify the security features of an application (functional and nonfunctional).
    • DAST (Dynamic Application Security Testing): using tools to interact with your software like a user, and in different ways, to find issues (crawling your site, fuzz testing, injecting JavaScript, etc.).
    • IAST (Interactive Application Security Testing): using software agents that monitor the internal state of your running application to find issues.
    • Pen Testing (Penetration Testing): a human being trying to find vulnerabilities in your software, usually aided by tools like proxies, and possibly informed by the results of the other tools.
    • Infrastructure Analysis Testing: using tools to check the host and software configuration to determine if known vulnerabilities are present.
    • Encrypted Data Channels: all network traffic encrypted, including traffic within a data center.
    • Data Encrypted at Rest: all Personally Identifiable Information (PII), if not all data, needs to be encrypted in the database or files of a system, including backups.
    • RASP (Runtime Application Self-Protection): using software tools or agents to monitor the internal state of an application and determine if an exploit is currently happening.
    • SIEM (Security Information and Event Management): software that monitors a running system, including its logs, determines if security events are happening or have happened, and manages the process of recovering from the event.
  • #10 (slide 9, Where to Start): Your implementation order may vary because:
    • You already have something in place.
    • Your risk may drive a different order.
    • Your tech stack may make something easier to put in place quickly.
  • #11 (slide 10, Secure practices in a pipeline): A build pipeline is the automated embodiment of a DevSecOps value stream. As your build moves down the pipeline to become a release candidate, you want more and more confidence that the software and platform are secure and resilient to attack and exploit.
  • #12 (slide 11, Culture Shift): DevSecOps is as much about how security is perceived as it is about the technical practices and their implementation. You want to move the perception of security from a hurdle to an enabler of higher quality software that better supports the business or mission.