© 2017 Denim Group – All Rights Reserved
Building a world where technology is trusted.
The DevOps Opportunity: How to Capitalize to Radically Improve Security
John B. Dickson, CISSP, @johnbdickson
Cornerstones of Trust 2017
Overview
• DevOps Defined
  o What’s Driving DevOps?
• The State of Application Security
• How Security Remains Relevant in a DevOps World
John’s Background
• Application Security Enthusiast
• Helps CSOs and CISOs with Application Security Programs
• ISSA Distinguished Fellow
• Security Author and Speaker
• 20 Years’ Experience Across Multinational Corporations
Denim Group Overview
Providing vastly improved application security for mission-critical enterprise applications

The Delivery Platform: ThreadFix – Central Resolution Hub, Accelerate Remediation

Overview
§ Denim Group provides an integrated solution into development environments, integrating bug fixes into the DevOps cycle
§ Application testing is an invaluable mechanism for the defense of critical software
§ ThreadFix is a direct feed into the development environment, enabling real, runtime security fixes
§ Managed services help cover any gaps in terms of security experts within the organization

Advisory Services
Managed Services
Application Testing: Quantifies Risk Across the Application Portfolio
DevOps & AppSec Transformation Consulting
DevOps Defined
• DevOps is a practice that:
  • Emphasizes the tight collaboration and communication of both software developers and IT operations staff
  • Focuses on automating the process of software delivery and infrastructure changes
  • Aims at establishing a culture and environment where building, testing, and releasing software can happen rapidly, frequently, and more reliably
Aspects of DevOps
• Focuses on time to market over virtually every other requirement
• Focuses on continuous improvement
• Software quality and auditability valued – but as a by-product of speed
Potential Components of a Secure CI/CD
• Code repository (Git, Subversion)
• CI/CD server (Jenkins, Bamboo)
• Build server(s)
• Unit test suite (JUnit)
• Functional test suite (Selenium)
• Defect tracker
• Application Vulnerability Management Platform
What is Driving DevOps?
• Time-to-Market advantages
• Demand for higher quality software products
• Cost concerns
• Key thought: Like cloud, DevOps will come from business units responding to competitive pressures, not IT or outside pressure
How Did We Get to DevOps?
[Figure: the progression Waterfall → Agile → DevOps → Secure DevOps, shown across the Business, Development, Operations and Security functions]
The State of Application Security
• Organizations have become better at identifying web application vulnerabilities via automated scanning
• Automation still only catches 30-50% of application vulnerabilities
• Organizations have become better at identifying application vulnerabilities than fixing them
• Much of the effort involves testing and SDLC improvement
• A chasm still exists between security and development teams
• AppSec is by no means “solved” but…
DevOps Is Coming!
Move Security to the Left and Get Buy-In
Better Security Insight, More Often
So What Does Application Security Want?
• Reduce Risk Exposure
• Introduce Fewer Vulnerabilities
• Find Vulnerabilities Early
• Fix Vulnerabilities Quickly
And What Do DevOps Teams Want?
How Do We Make This a Reality?
Application Security Testing in CI/CD Pipelines
AppSec Testing Policies for DevOps
Developer Communications
Hint: Not With These…
How Application Security Remains Relevant in a DevOps World
• Pulling a Tiger by the Tail?
How Application Security Remains Relevant in a DevOps World
• Understand that you will miss things
• Software will be deployed without your knowledge and not security tested (always)
• You will have functionality in your production environment you don’t understand
• Understand your job just got harder
• And you can’t say “no!”
Where do You Go from Here?
DevOps Concepts if You Take the Adaptation Approach
• Automate every security process possible
• Squeeze application testing cycles and automate the entire process
• Fully automate the application vulnerability resolution process
• Consider new technologies such as IAST/RASP
• Incrementally increase application monitoring in production environments – standardize & automate
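What "automate every security process possible" and an AppSec testing policy look like at the point where the CI/CD server, the scanners (SAST/DAST/IAST) and the vulnerability management platform from the earlier component list meet, is a policy gate: merge the scanners' findings, apply risk acceptances, and decide whether the build may proceed. The example below is added here and is not Denim Group's or ThreadFix's code; the tool names, CWE numbers, locations, dates and thresholds are all constructed for illustration, and the finding format is a made-up one rather than any real scanner's export.

```python
"""Added example (not Denim Group / ThreadFix code): a minimal AppSec policy gate
for a CI/CD pipeline. Findings from several scanners are merged, risk acceptances
with an expiry date are honoured, and a build is failed on new or overdue
findings at or above the blocking severity. All sample data is constructed."""
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    tool: str          # constructed scanner name (sast / dast / iast)
    severity: str      # one of SEVERITY_RANK
    cwe: int           # CWE id reported by the scanner
    location: str      # file:line (SAST/IAST) or URL+param (DAST)
    first_seen: date   # when the vulnerability management platform first recorded it


@dataclass
class Policy:
    block_at: str = "high"      # fail the build at this severity or above
    warn_at: str = "medium"     # report at this severity or above, but do not fail
    grace_days: int = 14        # pre-existing blocking findings get this long before failing builds
    accepted_until: dict = field(default_factory=dict)  # (cwe, location) -> expiry of risk acceptance


def dedupe(findings):
    """Two scanners reporting the same CWE at the same location count once;
    the merged record keeps the highest severity either tool assigned."""
    merged = {}
    for f in findings:
        key = (f.cwe, f.location)
        current = merged.get(key)
        if current is None or SEVERITY_RANK[f.severity] > SEVERITY_RANK[current.severity]:
            merged[key] = f
    return list(merged.values())


def evaluate(findings, policy, build_date):
    """Return (decision, blocking, warnings); decision is "pass" or "fail"."""
    blocking, warnings = [], []
    for f in dedupe(findings):
        rank = SEVERITY_RANK[f.severity]
        expiry = policy.accepted_until.get((f.cwe, f.location))
        if expiry is not None and build_date <= expiry:
            continue  # risk accepted and the acceptance has not expired
        if rank >= SEVERITY_RANK[policy.block_at]:
            age_days = (build_date - f.first_seen).days
            if age_days == 0 or age_days > policy.grace_days:
                blocking.append(f)   # introduced in this build, or overdue for remediation
            else:
                warnings.append(f)   # known, still inside the remediation window
        elif rank >= SEVERITY_RANK[policy.warn_at]:
            warnings.append(f)
    return ("fail" if blocking else "pass", blocking, warnings)


# Constructed sample findings for one build; comments state the expected handling.
BUILD_DATE = date(2017, 6, 1)
SAMPLE_FINDINGS = [
    Finding("sast", "high", 89, "src/OrderDao.java:142", BUILD_DATE),        # new SQL injection: blocks
    Finding("iast", "critical", 89, "src/OrderDao.java:142", BUILD_DATE),    # same issue from IAST: merged, severity raised
    Finding("dast", "high", 79, "/search?q=", date(2017, 5, 10)),            # known XSS, 22 days open: overdue, blocks
    Finding("sast", "high", 798, "src/Config.java:12", date(2017, 5, 25)),   # known hard-coded credential, 7 days: warning
    Finding("dast", "medium", 1004, "/login", date(2017, 5, 1)),             # cookie flag issue: warning only
    Finding("sast", "low", 209, "src/ErrorPage.java:30", date(2017, 5, 1)),  # below warn threshold: ignored
    Finding("dast", "high", 352, "/account/update", date(2017, 4, 1)),       # risk-accepted until 2017-07-01: skipped
]
POLICY = Policy(accepted_until={(352, "/account/update"): date(2017, 7, 1)})


def run_gate(findings=SAMPLE_FINDINGS, policy=POLICY, build_date=BUILD_DATE):
    """Gate result as (decision, blocking CWE ids, warning CWE ids) for a pipeline step to act on."""
    decision, blocking, warnings = evaluate(findings, policy, build_date)
    return decision, [f.cwe for f in blocking], [f.cwe for f in warnings]


if __name__ == "__main__":
    decision, blocking, warnings = evaluate(SAMPLE_FINDINGS, POLICY, BUILD_DATE)
    print(f"gate decision: {decision}")
    for f in blocking:
        print(f"  BLOCK  CWE-{f.cwe} {f.severity:<8} {f.location} ({f.tool})")
    for f in warnings:
        print(f"  WARN   CWE-{f.cwe} {f.severity:<8} {f.location} ({f.tool})")
```

The grace window is the part worth arguing over with the development team: failing every build on legacy debt the day the gate is switched on is how security gets routed around, whereas failing immediately on findings introduced by the change under test, and only later on old ones, keeps the "fix vulnerabilities quickly" goal without blocking delivery on day one. Risk acceptances carry an expiry so that an accepted finding resurfaces instead of being forgotten.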
DevOps Concepts if You Are Forced to Improvise
• Focus on testing in production environments
• Create processes and scanning systems to tear down vulnerable functionality
• Recognize that production is where you might first learn of new features!
• Recognize application attack patterns in production environments via big data
• Fix vulnerabilities!
Building a world where technology is trusted.
@denimgroup
www.denimgroup.com