The left is not wrong, just not right; It's time to shift right!
0 likes305 views
The document discusses the need to shift security practices from a 'left' approach, which integrates security early in the software development life cycle, to a 'right' approach that focuses on visibility and insights from production environments. It emphasizes that this shift is necessary due to faster app deployments and the evolving nature of threats, advocating for real-time security monitoring and feedback to developers. The author suggests that starting with a right focus can enhance existing application security programs and drive better prioritization of resources.
The left is not wrong, just not right; It's time to shift right!
- 1. The left is not wrong, just not right; It’s time to shift RIGHT!
- 2. Phillip Maddux Principle AppSec Researcher & Advisor 12 yrs AppSec in Financials IT & IT Audit prior @foospidy github.com/foospidy linkedin.pxmx.io pxmx.io
- 3. Just in case, this is an AppSec talk, not a political talk...
- 5. The Call To Shift Left
- 6. The DevSecOps paradigm that we are all preaching is "Shift Security Left" e.g. design and develop your application with security in mind as early as possible and integrate security into CI/CD pipeline. - Anonymous (Anonymous as in an AppSec person in an AppSec Slack channel, not _ )
- 7. What is this shifting left? An approach to software testing and system testing in which testing is performed earlier in the life cycle (i.e. moved left on the project timeline). It is the first half of the maxim "Test early and often." - Wikipedia In the parlance of DevOps and security, a shift left simply means that security is built into the process and designed into the application at an earlier stage of the development cycle. - SecurityRoundtable
- 8. Shiftin’ Left Requirements, Design, Development, Build, Testing & Deployment TestingintheSDLC
- 9. Shiftin’ Lefter Developer Training Security Champions Relationships w/Devs Achievement coins Gamification Security engineering
- 10. Requirements, Design, Development, Build TestingintheSDLC Shiftin’ Lefter Developer Training Security Champions Relationships w/Devs Achievement coins Gamification Security engineering
- 11. That is all good Photo by Jonathan Daniels on Unsplash
- 12. So what is the issue?
- 13. We’ve been doing this for years!
- 14. SDLC Evolution to the Left Requirements, Design, Development, Build, Testing & Deployment TestingintheSDLC Pen Testing Arch Review Code Scanning Manual Code Review Dependency Checks Arch ReviewsControl Standards Security Unit Tests IAST Developer Training Security Champions
- 15. We need to shift right It’s time to consider a different perspective
- 16. It’s time to shift right
- 19. Instrumentation & Visibility To really understand what is going on in production
- 20. TestingintheSDLC Instrumentation and visibility production Requirements, Design, Development, Build, Testing, Deployment & Production Instrumentation provides visibility and defense capabilities, which provides the ability to make smart blocking decisions.
- 21. Why is this important? ● Moving to the cloud. ● Business drivers moving faster resulting in app deployments moving faster. ● Abstraction of infrastructure and operations, e.g. PaaS & serverless, is enabling faster app deployments. Security needs to move fast too, it can only move faster by shifting right.
- 22. Benefits Visibility to understand the threats you’re apps are actually facing, this becomes a critical feedback loop to drive prioritization of resources on the left. Gives you an edge even with little resources - delegate security monitoring and defend in real time. Visibility sharing helps build relationships with developers. Threat hunting.
- 23. One of the best approaches is to provide rapid feedback to developers. In the land of application performance, we found that running APM tools in production was a way to help developers find places to optimize their code. This created a feedback loop from production (the right) to development (the left). James Wickett ( @wickett) https://labs.signalsciences.com/devsecops-security-shift-right
- 24. Attacks & Attack Locations Incredible feedback for developer awareness and prioritization.
- 25. Anomalous Traffic
- 26. Sensitive or High Risk Transactions
- 27. Correlations ● Attacks + anomalous responses ● Attacks + sensitive transactions ● Logins + anomalous sources ● Sensitive transactions + anomalous sources ● Automation (Bots) + user actions ● Automation (Bots) + high risk transactions ● Distinct changes in traffic patterns By Tony Hisgett from Birmingham, UK - Dalek 1, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=18985947
- 28. Principle of Known Good ● HTTP structure / attributes ● App specific parameters ○ Headers ○ GET & POST ● Device specific parameters ○ Device IDs ○ User-Agent strings ○ Client software versions Periodically change known good
- 29. Honeypots & Deception app honeypot Feeds blocking decisions
- 30. Final Thoughts You don’t have to shift left before shifting right. In fact, if you have limited resources or are building a new AppSec program, I recommend starting on the right first. Let the right inform the left as you build out your AppSec program. Absolutely necessary for existing AppSec programs to move faster.
- 31. Thank you - Questions?