© COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. @ThomasStiehm #valleytechcon
Agility. Security. Delivered.
Shifting Security Left
The Innovation of DevSecOps
Tom Stiehm
@ThomasStiehm
About Coveros
• Services
  • Agile Transformations & Coaching
  • Agile Software Development
  • Agile Testing & Automation
  • DevOps Implementations
  • DevSecOps Integrations
  • Agile, DevOps, DevSecOps Security, Testing Training
• Open Source Products
  • SecureCI – DevSecOps toolchain
  • Selenified – Agile test framework
Coveros helps organizations accelerate software delivery using agile and DevOps methods.
Shifting Security Left
• Shifting Left is taking a practice or process done late in development and doing it earlier.
• Shifting Security Left is doing security testing, analysis, and remediation during development, iteratively, usually automating data collection to make it faster and cheaper.
• The net result is making security practices part of the daily workflow of the development team.
Why Shift Security Left?
Application security is hard, error prone, and expensive. It is often made harder by trying to shoehorn it into the end of a release.
Shifting Left allows teams to deal with security issues early and often, which:
• Reduces risk
• Reduces cost
• Leads to fewer errors
• Results in fewer security compromises
How DevSecOps builds on DevOps
“DevSecOps is a practice that rose from DevOps that includes information technology security as a fundamental aspect in all the stages of software development.” -- Wikipedia
DevSecOps builds on DevOps by leveraging collaboration and feedback to address security concerns throughout the software development life cycle.
Why should you care about security?
To reduce the likelihood of becoming the next:
Security before the code is written
Be proactive:
• Architect and design security in from the start based on threat analysis.
• Include security in your pipeline from the start.
• Take time to analyze and remediate AppSec findings.
Why?
• Your software has security defects in it.
• Testing security into software at the end doesn’t work.
• Relying on network and OS security to protect applications doesn’t work.
• Ignoring security concerns doesn’t work.
Legacy Security Practices
The focus is on testing at the end.
Security Practices in DevSecOps
Shifting Left includes reacting to the feedback on a regular basis.
Where to Start
• SAST – Start with Static Application Security Testing
  • Quick to integrate into a build pipeline
  • Leverages existing CI/CD assets
• SCA – Install Software Composition Analysis
  • Expand existing CI/CD processes to scan your application dependencies
• DAST – Next, integrate Dynamic Application Security Testing
  • Could be as simple as adding a DAST proxy to your existing automated or manual testing environment
  • Expand into using the automated aspects of DAST tools
What to do next
• Security Testing – Testing the security features of your software
• Security Test Automation – Using test automation tools like Selenium or Cucumber
• Penetration Testing – Human beings evaluating the security of your software with the aid of tools
• Threat Analysis – Understand who will attack you, why, and how
• Infrastructure Analysis Scanning & Testing – Securing your OS and server software
Advanced DevSecOps Techniques
• IAST – Interactive Application Security Testing is a technique for detecting security vulnerabilities in a running application
• RASP – Runtime Application Self-Protection builds on the same technology base as IAST, adding a facility to react to a detected vulnerability as it is exploited, e.g. terminating the session
• HAST – Hybrid Application Security Testing uses DAST together with IAST to find vulnerabilities
Operational Security
• Security Information and Event Management (SIEM)
• Infrastructure Analysis Scanning & Testing
• Encrypting Data at Rest
• Encrypting Data in all Network Channels
Secure practices in a pipeline
Culture Shift
Goal mindset: “Everyone is responsible for security.”
Three things to try when changing culture:
1. Build a knowledge base
2. Promote openness
3. Create cybersecurity champions
You need to experiment to find what works for your specific organization.
DevSecOps Benefits
• Faster vulnerability detection and mitigation
• Always-known security posture
• Less security-based risk
• Smaller chance of getting exploited
• Reduced cost of fixing AppSec bugs
• Avoidance of publicity for getting pwned
• Able to recover from security incidents faster
Wrap Up
#Coveros5
• Starting to Shift Left is more important than what practices you start with
• Greenfield: start with Threat Analysis and build security in
• Legacy or brownfield: start with SAST (or SCA or DAST)
• Iteratively add more security practices into your process
• Iteratively add more security to your build pipeline
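The "Where to Start" slides (SAST, SCA, DAST in the build pipeline) and this wrap-up both come down to one pipeline step: a gate that merges scanner findings and decides whether the build proceeds. The Python below is an added example, not code from the talk or from Coveros' SecureCI, showing such a gate with the brownfield ratchet (baseline existing findings, then shrink the baseline as you remediate) and time-boxed risk acceptances so findings are analyzed rather than silently ignored. The normalized report format, rule ids, package names and URLs are constructed assumptions, and the CVE ids are placeholders.

```python
"""Added example (not from the talk): a CI security gate over merged SAST/SCA/DAST
findings. Report format, rule ids, package names and URLs are constructed."""
import json
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    tool: str       # "sast", "sca" or "dast"
    rule: str       # scanner rule id
    location: str   # file:line, package@version or URL, depending on the tool
    severity: str   # one of the SEVERITY_RANK keys

    @property
    def fingerprint(self) -> str:
        """Stable identity used for baselines and risk acceptances."""
        return f"{self.tool}:{self.rule}:{self.location}"


def parse_report(report_json: str) -> list:
    """Parse the normalized JSON shape assumed here (constructed format)."""
    rows = json.loads(report_json)["findings"]
    return [Finding(r["tool"], r["rule"], r["location"], r["severity"].lower()) for r in rows]


def evaluate_gate(findings, fail_at="high", baseline=frozenset(), accepted=None, today=None):
    """Classify every finding and decide whether the build may proceed.

    fail_at  - lowest severity that blocks the build.
    baseline - fingerprints already present when the gate was switched on; a brownfield
               team starts by blocking only new findings, then shrinks the baseline as
               it remediates (the "iteratively add more security" ratchet).
    accepted - fingerprint -> expiry date of a documented risk acceptance; an expired
               acceptance blocks again so the finding gets re-reviewed, not forgotten.
    """
    accepted = accepted or {}
    today = today or date.today()
    threshold = SEVERITY_RANK[fail_at]
    result = {k: [] for k in ("blocking", "baselined", "accepted", "expired", "below_threshold")}
    for f in findings:
        fp = f.fingerprint
        # An unknown severity string fails closed: treat it as "high".
        if SEVERITY_RANK.get(f.severity, SEVERITY_RANK["high"]) < threshold:
            result["below_threshold"].append(fp)
        elif fp in baseline:
            result["baselined"].append(fp)
        elif fp in accepted and accepted[fp] >= today:
            result["accepted"].append(fp)
        else:
            if fp in accepted:  # acceptance has lapsed
                result["expired"].append(fp)
            result["blocking"].append(fp)
    result["passed"] = not result["blocking"]
    return result


# Constructed sample report: one finding per tool type plus two findings that carry
# prior risk decisions, so every branch of the policy is exercised.
SAMPLE_REPORT = json.dumps({"findings": [
    {"tool": "sast", "rule": "sql-injection", "location": "app/db.py:42", "severity": "high"},
    {"tool": "sca", "rule": "CVE-PLACEHOLDER-1", "location": "libfoo@1.2.3", "severity": "critical"},
    {"tool": "dast", "rule": "missing-hsts", "location": "https://app.example/", "severity": "medium"},
    {"tool": "sast", "rule": "weak-hash", "location": "app/auth.py:17", "severity": "high"},
    {"tool": "sca", "rule": "CVE-PLACEHOLDER-2", "location": "libbar@0.9.0", "severity": "high"},
]})
BASELINE = frozenset({"sca:CVE-PLACEHOLDER-1:libfoo@1.2.3"})  # known before the gate was enabled
ACCEPTED = {
    "sast:weak-hash:app/auth.py:17": date(2030, 1, 1),        # documented, still valid
    "sca:CVE-PLACEHOLDER-2:libbar@0.9.0": date(2019, 6, 30),  # acceptance has lapsed
}


def run_sample(today_iso="2019-10-01", fail_at="high", extra_baseline=()):
    """Run the gate on the sample report; extra_baseline simulates a wider baseline."""
    return evaluate_gate(parse_report(SAMPLE_REPORT), fail_at=fail_at,
                         baseline=BASELINE | frozenset(extra_baseline),
                         accepted=ACCEPTED, today=date.fromisoformat(today_iso))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

A real pipeline would feed each scanner's converted output into `parse_report` and store the baseline and acceptance list in the repository, so that every change to them goes through code review.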
Periodic Table of DevOps Tools
[Figure: XebiaLabs “Periodic Table of DevOps Tools (V3)”, a grid of tools grouped by category: Deployment, AIOps, Cloud, Release Orchestration, Containers, Configuration, Testing, Continuous Integration, Database Automation, Source Control Mgmt., Collaboration, Security, Monitoring, Analytics. Legend: Os = Open Source, Fr = Free, Fm = Freemium, Pd = Paid, En = Enterprise.]
Source: https://xebialabs.com/periodic-table-of-devops-tools/
Questions?
@thomasstiehm
• Join me on the TechWell Hub
• https://hub.techwell.com/
• #devops