Continuous (Application) Security at DevOps Velocity

The security industry initially reacted to the “DevOps” movement with dismay: developers deploying code themselves? Hundreds of deploys per day? How could security teams possibly keep up with that rate of change? As the DevOps approach has become a mainstream development method, security teams have begun to embrace DevOps and discover the security benefits enabled by the DevOps methodology. Adapting to a DevOps world requires not just the security team to change how they operate, but a realignment of how security permeates the entire organization.

Justin Collins

May 16, 2019

Transcript

  1. © 2019 Synopsys, Inc. | Justin Collins @presidentbeef | ISSA LA Summit 2019: Continuous Security for DevOps Velocity
  2. Continuous Application Security for DevOps Velocity
  3. Justin Collins – Background: AT&T Interactive (YP.com), Twitter, SurveyMonkey, Brakeman, Brakeman Pro, Synopsys. Web Application Security; Static Analysis (Security)
  4. DevOps Principles (Gene Kim)
     - Flow: ease development to deployment
     - Feedback: fast, meaningful tests; visibility and monitoring
     - Continual Experimentation and Learning: resilient infrastructure
  5. DevOps Practices: Automated Testing, Continuous Integration, Continuous Deployment, Infrastructure as Code, Proactive Monitoring
  6. Speed is Good for Security
     - “High performers, because they are integrating information security objectives into everyone’s daily work, are spending half as much time remediating security issues.” – Gene Kim at LocoMocoSec 2018
     - “…organizations that successfully embed security into DevOps experience a 50% drop in their production vulnerabilities and their time to fix improves by 25%.” – WhiteHat Security 2018 Application Security Statistics Report
  7. Speed is Good for Security – Why? How quickly can a system be patched/upgraded, safely?
  8. Speed is Good for Security – Why? How quickly can an application vulnerability be fixed, safely?
  9. Common Team Size Ratio: 100 : 10 : 1 (Developers : Operations : Security). Credit: Shannon Lietz
  10. Common Team Size Ratio: 100 developers – experts on their slice of the code; 1 security person – responsible for ALL code + systems
  11. DevOps: developers are as responsible for stable code as the ops team is. DevSecOps: developers are as responsible for secure code as the security team is.
  12. Secure Path is Easy Path
      - Secure-by-default APIs: never require a “secure” flag or extra arguments; security should be simple (e.g. bcrypt); remove insecure APIs if possible
      - Out-of-the-Box Functionality: self-service server deployment, CDN, secrets management, user sessions, logs / monitoring. Also, security!
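The “never require a secure flag” point from slide 12, shown as code. This is an added example written for this page, not code from the talk or from Brakeman: the same HTML list-item helper is written once with opt-in escaping and once secure by default, where opting out requires an explicit wrapper type. The names `render_insecure`, `render_secure` and `SafeHtml` are hypothetical; the attacker-controlled sample input is constructed.

```ruby
require 'erb'

# Added example, not code from the talk: one HTML list-item helper written
# two ways, to show what "never require a 'secure' flag" means in practice.
# render_insecure, render_secure and SafeHtml are hypothetical names.

# Insecure by default: escaping is opt-in. Every call site that forgets
# `escape: true` emits untrusted text straight into the page.
def render_insecure(label, value, escape: false)
  value = ERB::Util.html_escape(value) if escape
  "<li>#{label}: #{value}</li>"
end

# Wrapper for markup a developer has deliberately vetted. Opting *out* of
# escaping means constructing one of these, which is visible in code review.
class SafeHtml
  def initialize(markup)
    @markup = markup.to_s
  end

  def to_s
    @markup
  end
end

# Secure by default: there is no flag to forget. Everything is escaped unless
# it was wrapped in SafeHtml on purpose, and the label is escaped as well.
def render_secure(label, value)
  body = value.is_a?(SafeHtml) ? value.to_s : ERB::Util.html_escape(value.to_s)
  "<li>#{ERB::Util.html_escape(label.to_s)}: #{body}</li>"
end

# Constructed sample input standing in for attacker-controlled profile text.
SAMPLE_VALUE = '<script>alert(1)</script>'

# Returns the three renderings side by side so the difference is testable.
def demo
  {
    insecure_default: render_insecure('name', SAMPLE_VALUE),
    secure_default:   render_secure('name', SAMPLE_VALUE),
    explicit_markup:  render_secure('name', SafeHtml.new('<b>bold</b>'))
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |kind, html| puts "#{kind}: #{html}" }
end
```

The design choice is the asymmetry: the safe behaviour costs the caller nothing, while the unsafe behaviour costs an explicit `SafeHtml.new(...)` that a reviewer or a static analyser can look for. Once every call site uses `render_secure`, the slide’s last bullet applies and `render_insecure` can be deleted.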
  13. Fast, Empathetic Feedback Loops (photo credit: wocintechchat.com): Automated Tools, Code, Actionable Feedback
  14. Fast, Empathetic Feedback Loops: Automated Tools, Code
  15. Fast, Empathetic Feedback Loops: Automated Tools, Code
  16. Guidance: friendly, accessible security team; encourage discussion; default to “yes”; document preferred solutions; relevant training
  17. Guardrails: single path to production; hardened default configurations/environment; secure-by-default libraries/frameworks; standardized secret management; centralized, self-service deployment
  18. Tools (Security Automation) – photo: https://flic.kr/p/dGYq6v
      1. Identify a real security issue
      2. Determine solution
      3. Automate detection
      4. Automate enforcement
  19. Principles Summary
      - Continuous Security Principles: The Secure Path is the Easy Path; Fast, Empathetic Feedback Loops; Security as an Ally
      - Security Approach: Listen First; Tailor Your Strategy; Detect and Prevent; Small Steps
  20. Security Team Evolution: zero; maybe one “security-minded” developer; first security hire! (responsible for everything); hire specialists (Network, Application, Cloud, Corporate, …); split into teams (Network, Application, Cloud, Corporate, …)
  21. End of the AppSec Team: Secure coding? Code review? Threat modeling? Bug bounty reports? Training? Developer tooling? Secure libraries? Incident management? …?
  22. Summary: DevOps’ fast pace can be beneficial to security. Security’s role must shift away from gates, towards guardrails. The future is diffusion of security responsibility across the organization.
  23. Further Resources: “Top Infosec Lessons Learned Researching And Co-Authoring The DevOps Handbook”; “We Come Bearing Gifts: Enabling Product Security with Culture and Cloud”; “Rise of the Machines: Security Automation at Twitter”