appsec in a devops world - owasp · 20/04/2017 · static application security testing + 3rd party...
© 2016 VERACODE INC.
AppSec in a DevOps World
Peter Chestna, Director of Developer Engagement
Who am I?
• 25 Years Software Development Experience
• 10+ Years Application Security Experience
• Certified Agile Product Owner and Scrum Master
• At Veracode since 2006
• From Waterfall to Agile to DevOps
• From Monolith to MicroService
• Consultant on DevSecOps best practices
• Fun Fact: I love whiskey!
@PeteChestna
Goals
• Why is AppSec important?
• How is DevOps changing application development?
• How is AppSec traditionally done?
• What needs to change?
– What to build
– What to measure
– How to help
Applications are as risky as ever
(Each item on the slide is preceded by a percentage that the transcript does not preserve.)
• of all applications used some kind of hard-coded password
• of all applications use broken or risky cryptographic algorithms
• of all applications were vulnerable to open redirect attacks
• of all applications mix trusted and untrusted data in the same data structure or message
Majority of internally developed applications fail OWASP
Lack of App Security is Damaging Companies
High Profile Breaches
All attacked through the app layer
Business Mandate
Compressed Timelines
Waterfall: 1-4 Releases Per Year
Agile: 12-24 Releases Per Year
DevOps: 100+ Releases Per Year
Definition of DevOps
Basic development cycle
Basic development cycle
(Figure: the phases Requirements, Analysis, Design, Coding, Testing and Acceptance plotted against Time for Waterfall, Agile, DevOps and At Scale.)
Not so different after all
DevOps
(Figure: the stages Plan, Dev, QA and Ops, with Business Intent, App Knowledge and Ops Knowledge carried across them. Legend: ! = Handoff. The Waterfall row shows a handoff at each of the three stage boundaries, the Agile row shows one handoff, and the DevOps row shows Continuity.)
Agile - Process
Copyright 2005, Mountain Goat Software
Transformation - Technology
Waterfall, Agile, DevOps
Is this your current AppSec program?
They/We know it’s coming…
Which outcome do you see?
DevOps – Process: Where is security?
(Figure: DevOps process diagram; the only label preserved by the transcript is "Security".)
Strategy
• Integration & Automation
• 3-legged barstool:
– Training
– Remediation Coaching
– Scan early & often
Strategy – Integration & Automation
(Figure: CI/CD Pipeline, with the parts labelled CI and CD and the build marked Per Check-in. The numbered steps, reconstructed from the slide labels: 1 Backlog; 2 Develop; 3 Build & Test, with Static Analysis; 4 Check in; 5 Build; 6 Static Analysis and Unit Tests; 7 Pass? No: Synchronize, Yes: Deploy to QA/Stage; 8 Dynamic Analysis and Regression Testing; Pass? Yes: Stage then Prod.)
Strategy - Training
• Security teams can help developers by providing training, either through eLearning or in-person Instructor Led Training
• Think about targeted training based on policy violations
Get smart on DevOps
Train beyond your walls
Strategy - Remediation Coaching
For applications that used remediation coaching, development teams fixed more than 2.5x the average number of flaws per megabyte.
Strategy – Measurement (Scan early, scan often)
Applications that used sandbox had an average fix rate of 59%, or a 2x improvement in fix rate.
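As an added example, not part of the deck or of any vendor's tooling, the following Python sketches the "Pass?" gate from the Integration & Automation pipeline, the targeted-training idea from the Training slide, and the fix-rate measurement from this slide in one place. The findings tuples, the severity policy and the training catalogue are constructed assumptions.

```python
"""Policy gate for the 'Pass?' step of the CI/CD pipeline the deck describes.
Constructed example: findings format, policy threshold and training catalogue
are assumptions, not any vendor's real report schema."""
from collections import Counter

# Constructed SAST findings for two consecutive scans of one application:
# (category, severity, location). Categories mirror the weaknesses named on
# the "Applications are as risky as ever" slide.
PREVIOUS_SCAN = [
    ("hard-coded-password", "high", "auth/db.py:12"),
    ("broken-crypto", "high", "util/crypto.py:40"),
    ("open-redirect", "medium", "web/login.py:88"),
    ("mixed-trust-data", "medium", "api/messages.py:17"),
]
CURRENT_SCAN = [
    ("broken-crypto", "high", "util/crypto.py:40"),   # still open
    ("open-redirect", "medium", "web/login.py:88"),   # still open
    ("open-redirect", "medium", "web/logout.py:21"),  # new since last scan
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
POLICY_MIN_FAIL_SEVERITY = "high"  # assumed policy: high or worse fails the gate

# Assumed mapping from a violated category to a targeted training module.
TRAINING = {
    "hard-coded-password": "Secrets management",
    "broken-crypto": "Using vetted cryptographic libraries",
    "open-redirect": "Validating redirect targets",
    "mixed-trust-data": "Separating trusted and untrusted data",
}

def evaluate_gate(findings, min_fail=POLICY_MIN_FAIL_SEVERITY):
    """Return (passed, violations); 'No' sends the change back to Synchronize."""
    threshold = SEVERITY_RANK[min_fail]
    violations = [f for f in findings if SEVERITY_RANK[f[1]] >= threshold]
    return (not violations, violations)

def targeted_training(findings, min_fail=POLICY_MIN_FAIL_SEVERITY):
    """Training topics for the categories behind violations, most frequent first."""
    counts = Counter(f[0] for f in evaluate_gate(findings, min_fail)[1])
    return [TRAINING[cat] for cat, _ in counts.most_common()]

def fix_rate(previous, current):
    """Share of previously reported findings no longer present in the current scan."""
    before = {(f[0], f[2]) for f in previous}
    still_open = before & {(f[0], f[2]) for f in current}
    return (len(before) - len(still_open)) / len(before) if before else 1.0
```

Lowering the policy threshold to "medium" turns the two open-redirect findings into violations as well, which is how the gate and the training list tighten together as a team matures.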
DevOps – Pervasive Security
(Figure: security activities laid across the pipeline phases Plan, Code, Build, Test, Stage, Deploy and Monitor.)
• Threat Modeling
• Security Grooming
• Secure Design
• Training (eLearning, instructor led, metadata driven)
• Static Application Security Testing + 3rd Party Risk Analysis
• Remediation and Mitigation Guidance
• Secure Code Reviews
• Manual Penetration Testing
• Red Team Activities
• Runtime Application Self Protection
• Dynamic Application Security Testing
Thank You!