
Page 1

© 2017 Denim Group – All Rights Reserved

Building a world where technology is trusted.

The DevOps Opportunity: How to Capitalize to Radically Improve Security

John B. Dickson, CISSP
@johnbdickson
Cornerstones of Trust 2017

Page 2

Overview

• DevOps Defined
  o What’s Driving DevOps?
• The State of Application Security
• How Security Remains Relevant in a DevOps World

Page 3

John’s Background

• Application Security Enthusiast
• Helps CSOs and CISOs with Application Security Programs
• ISSA Distinguished Fellow
• Security Author and Speaker
• 20 Years’ Experience Across Multinational Corporations

Page 4

Denim Group Overview

Providing vastly improved application security for mission-critical enterprise applications

Overview

§ Denim Group provides an integrated solution into development environments, integrating bug fixes into the DevOps cycle
§ Application testing is an invaluable mechanism for the defense of critical software
§ ThreadFix is a direct feed into the development environment, enabling real, runtime security fixes
§ Managed services help cover any gaps in terms of security experts within the organization

Diagram labels: The Delivery Platform – ThreadFix (Central Resolution Hub, Accelerate Remediation); Advisory Services; Managed Services; Application Testing Quantifies Risk Across the Application Portfolio; DevOps & AppSec Transformation Consulting

Page 5

DevOps Defined

• DevOps is a practice that:
  • Emphasizes the tight collaboration and communication of both software developers and IT operations staff
  • Focuses on automating the process of software delivery and infrastructure changes
  • Aims at establishing a culture and environment where building, testing, and releasing software can happen rapidly, frequently, and more reliably

Page 6

Aspects of DevOps

• Focuses on time to market over virtually every other requirement
• Focuses on continuous improvement
• Software quality and auditability valued – but as a by-product of speed

Page 7

Potential Components of a Secure CI/CD

• Code repository (Git, Subversion)
• CI/CD server (Jenkins, Bamboo)
• Build server(s)
• Unit test suite (JUnit)
• Functional test suite (Selenium)
• Defect tracker
• Application Vulnerability Management Platform

Page 8

What is Driving DevOps?

• Time-to-Market advantages
• Demand for higher quality software products
• Cost concerns
• Key thought: Like cloud, DevOps will come from business units responding to competitive pressures, not IT or outside pressure

Page 9

How Did We Get to DevOps?

Figure: progression Waterfall, Agile, DevOps, Secure DevOps; functions shown: Business, Development, Operations, Security

Page 10

The State of Application Security

• Organizations have become better at identifying web application vulnerabilities via automated scanning
• Automation still only catches 30-50% of application vulnerabilities
• Organizations have become better at identifying application vulnerabilities than fixing them
• Much of the effort involves testing and SDLC improvement
• Chasm still exists between security and development teams
• AppSec is by no means “solved” but….

Page 11

DevOps Is Coming!

Page 12

Move Security to the Left and Get Buy-In

Page 13

Better Security Insight, More Often

Page 14

So What Does Application Security Want?

• Reduce Risk Exposure
• Introduce Fewer Vulnerabilities
• Find Vulnerabilities Early
• Fix Vulnerabilities Quickly

Page 15

And What Do DevOps Teams Want?

Page 16

How Do We Make This a Reality?

Page 17

Application Security Testing in CI/CD Pipelines

Page 18

AppSec Testing Policies for DevOps

Page 19

Developer Communications

Hint: Not With These…

Page 20

How Application Security Remains Relevant in a DevOps World

• Pulling a Tiger by the Tail?

Page 21

How Application Security Remains Relevant in a DevOps World

• Understand that you will miss things
• Software will be deployed without your knowledge and not security tested (always)
• You will have functionality in your production environment you don’t understand
• Understand your job just got harder
• And you can’t say “no!”

Page 22

Where do You Go from Here?

Page 23

DevOps Concepts if You Take the Adaptation Approach

• Automate every security process possible
• Squeeze application testing cycles and automate the entire process
• Fully automate the application vulnerability resolution process
• Consider new technologies such as IAST/RASP
• Incrementally increase application monitoring in production environments – standardize & automate
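One way to turn the "automate every security process possible" idea and the earlier "AppSec Testing Policies for DevOps" and "Potential Components of a Secure CI/CD" slides into a concrete pipeline step is a policy gate that reads scanner findings and fails the build when policy is violated. This is an added example, not code from the deck, Denim Group or ThreadFix; the finding format, policy values and the risk-acceptance-with-expiry mechanism are assumptions.

```python
from datetime import date

# Constructed sample: the kind of record a SAST/DAST stage might export for
# the gate to read (format is an assumption, not a real scanner's output).
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "critical", "cwe": 89, "path": "app/db.py"},
    {"id": "F-2", "severity": "high", "cwe": 79, "path": "app/views.py"},
    {"id": "F-3", "severity": "low", "cwe": 200, "path": "app/util.py"},
]

# Constructed policy: block at or above "high" unless a tracked, unexpired
# risk acceptance exists for that finding id; cap total open findings.
POLICY = {
    "fail_at_or_above": "high",
    "max_total_findings": 20,
    "accepted_risks": {           # finding id -> acceptance expiry date
        "F-1": date(2000, 1, 1),  # expired: must not silence F-1
        "F-2": date(2099, 1, 1),  # still valid: F-2 is allowed through
    },
}

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def blocking_findings(findings, policy, today=None):
    """Return the findings that violate the policy (empty list == gate passes)."""
    today = today or date.today()
    threshold = SEVERITY_RANK[policy["fail_at_or_above"]]
    blocking = []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"].lower(), 0) < threshold:
            continue
        expiry = policy["accepted_risks"].get(f["id"])
        if expiry is not None and expiry >= today:
            continue  # accepted risk still within its expiry window
        blocking.append(f)
    return blocking


def evaluate_gate(findings, policy, today=None):
    """Return (passed, reasons) so the CI stage can fail with actionable context."""
    reasons = [f"{f['id']}: {f['severity']} CWE-{f['cwe']} in {f['path']}"
               for f in blocking_findings(findings, policy, today)]
    if len(findings) > policy["max_total_findings"]:
        reasons.append(f"{len(findings)} open findings exceed the budget")
    return (not reasons, reasons)


if __name__ == "__main__":
    passed, reasons = evaluate_gate(SAMPLE_FINDINGS, POLICY)
    print("PASS" if passed else "FAIL", *reasons, sep="\n")
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the pipeline stage
```

The expiry on each accepted risk is what keeps the gate from becoming a permanent allow-list: once the date passes, the finding blocks the build again and someone has to re-justify or fix it.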

Page 24

DevOps Concepts if You Are Forced to Improvise

• Focus on testing in production environments
• Create processes and scanning systems to tear down vulnerable functionality
• Recognize that production is where you might first learn of new features!
• Recognize application attack patterns in production environments via big data
• Fix vulnerabilities!

Page 25

Building a world where technology is trusted.

@denimgroup
www.denimgroup.com
[email protected]