Continuous security
Kim van Wilgen | Schuberg Philis
nl.linkedin.com/kimvanwilgen
www.kimvanwilgen.com
@kimvanwilgen
2018: Customer director, Schuberg Philis
2017: Head of software development, ANVA
2014: Head of IT, Klaverblad Verzekeringen
1980: Hello world
Schuberg Philis
Mission critical digital transformations
Financially independent
Started in 2001
300 team members (Dec 2018)
EUR 60m revenue
Market quality leader in Business Critical IT Outsourcing
Single KPI: 100% customer satisfaction
Our customers
Why focus on security?
Agile
Continuous delivery
Containers
Immutable infrastructures
Pipelines
Test automation
T shaped people
You build it, you run it
DevOps
Microservices and serverless architectures
Self-organization
War for talent
Exploration and rapid prototyping
Emerging architectures
Focus shifted to speed…and nothing else
Shifting panels
Autonomy, self-organization and key-shaped people
Source: State of the cybersecurity report 2017
Security roleplay
Security all-in
Security should support delivery of value
“I never once spoke with the security team at Google. Not because they weren’t doing their job, but exactly because they were doing their job. They encoded their expertise into self-service tools and libraries, and we just used them ourselves.”
Randy Shoup, WeWork
Continuous Delivery (CD) is a set of practices and principles in software engineering aimed at building, testing and releasing software faster and more frequently. They help reduce the cost, time and risk of delivering changes, and ultimately value, to customers by allowing for more incremental changes to applications in production.
Wikipedia, 2017
Continuous Security (CS) is a set of practices and principles in software engineering aimed at designing, developing, testing and running software more securely. They help reduce the cost, time and risk of delivering integrity, availability and confidentiality to applications in production. Continuous security is essential for delivering Continuous Delivery.
Let’s play!
Gartner DevSecOps Top 10
• Have security champions
• Don’t eliminate all risk
• Driven by DevOps teams
• Identify and remove first
• Context adaption
• Eliminate known vulnerabilities
• Immutable infrastructure
• Detection of changes
• Security tests are source code
• Train for the basics
#1: Have security champions
SecLeads and SecBuddies
Source: Rooske Eerden (de Tekenaar)
Security satellite team: 5 dev (1 architect, 2 devs, 2 testers) and 3 ops
#2: Don’t eliminate all risk
Risk and cost based security
Security is Confidentiality, Integrity and Availability
Alignment of security and business value
#3: DevOps driven
Integration in the pipeline
Shift left on security
DevSecOps, SecDevOps, DevOpS
Automate first
• SAST
• DAST
• Proxy tools
• Dependency checks
• Custom scripts
Integration in the pipelines
SAST: Static Application Security Testing
SAST: source code testing for security vulnerabilities
Leaders: Checkmarx, Veracode, AppScan, Fortify, PT Application Inspector, Coverity
We use SonarQube and JFrog Xray
+ Find problems early in the lifecycle, detailed feedback, scalable
- Limited scope, configuration out of scope, false positives & negatives
DAST: Dynamic Application Security Testing
DAST: running-state security testing; simulates attacks against an application or system (typically web-enabled applications and services), analyses the results and thus determines whether it is vulnerable.
Leaders: Fortify, AppScan, ZAP, Qualys, Rapid7
We use ZAP
+ Tests the application at runtime, realistic view
- More complex, harder to track, needs a running instance (late feedback, limited scalability, slow)
Security by design
#4: Identify and remove: start small
I’ve added over 100 security rules in SonarQube and sent the top X screwups to the team. They are more aware and will solve their own issues.
Dominik, member of the ANVA security satellite team
I enabled the dependency check. We had hundreds of vulnerabilities. We solved them within a day with critical upgrades and the removal of obsolete dependencies.
Dominik, member of the ANVA security satellite team
I ran Docker Bench. We found privileges were too high and corrected them.
Dominik, member of the ANVA security satellite team
I’ve set up our internal learning platform with WebGoat. We can now practice attacks and grow awareness and knowledge of defences.
Michiel, member of the ANVA security satellite team
#5: Context adaption
Learn and adapt first before you break the build
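The "automate first" slides (SAST, DAST, dependency checks and custom scripts wired into the pipeline), "don't eliminate all risk" and "learn and adapt first before you break the build" together describe one pipeline component: a gate that collects scanner findings and decides whether the build continues. The following is an added example of such a gate, not code from the talk or from any of the tools it names. It assumes findings have already been normalised to a tool label, a rule id, a severity and a location; all findings, tool names and rule ids below are constructed for illustration.

```python
"""Pipeline security gate: an added example, not code from the talk or from the
tools it names. It takes findings already normalised from scanners (SAST, DAST,
dependency checks, custom scripts) and decides whether the build may continue.

The policy has a "learn" mode that only reports, so a team can adapt before it
breaks the build, and an "enforce" mode with a severity threshold plus a set of
rule ids with an accepted risk, so not every finding has to be eliminated.
All findings below are constructed; the tool names and rule ids are labels,
not identifiers from a real scanner.
"""
from __future__ import annotations
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    tool: str       # which pipeline stage produced it (constructed label)
    rule: str       # scanner rule or advisory id (constructed label)
    severity: str   # key of SEVERITY_RANK
    location: str   # file, endpoint or package (constructed)


@dataclass
class GatePolicy:
    mode: str = "learn"      # "learn": never fail, only report; "enforce": fail at threshold
    fail_at: str = "high"    # lowest severity that fails the build in enforce mode
    accepted: frozenset[str] = frozenset()  # rule ids with a documented risk acceptance


@dataclass
class GateResult:
    passed: bool
    blocking: list[Finding]   # findings that failed the build
    reported: list[Finding]   # everything else, still surfaced to the team

    def summary(self) -> str:
        status = "PASS" if self.passed else "FAIL"
        return f"{status}: {len(self.blocking)} blocking, {len(self.reported)} reported"


def evaluate(findings: list[Finding], policy: GatePolicy) -> GateResult:
    """Apply the gate policy to scanner findings."""
    if policy.mode not in ("learn", "enforce"):
        raise ValueError(f"unknown gate mode {policy.mode!r}")
    if policy.fail_at not in SEVERITY_RANK:
        raise ValueError(f"unknown threshold {policy.fail_at!r}")
    threshold = SEVERITY_RANK[policy.fail_at]
    blocking: list[Finding] = []
    reported: list[Finding] = []
    for f in findings:
        if f.severity not in SEVERITY_RANK:
            # A scanner emitting an unknown level is a pipeline bug; fail loudly
            # rather than silently letting the finding through.
            raise ValueError(f"unknown severity {f.severity!r} from {f.tool}")
        accepted = f.rule in policy.accepted
        blocks = (policy.mode == "enforce"
                  and not accepted
                  and SEVERITY_RANK[f.severity] >= threshold)
        (blocking if blocks else reported).append(f)
    return GateResult(passed=not blocking, blocking=blocking, reported=reported)


# Constructed findings, as a pipeline stage might collect them from its scanners.
SAMPLE_FINDINGS = [
    Finding("dependency-check", "DEP-0001", "critical", "libexample-1.0.jar"),
    Finding("sast", "SAST-0042", "high", "src/login/Session.java"),
    Finding("dast", "DAST-0007", "medium", "GET /api/health"),
    Finding("sast", "SAST-0100", "low", "src/util/Strings.java"),
]

if __name__ == "__main__":
    for policy in (GatePolicy(mode="learn"),
                   GatePolicy(mode="enforce", fail_at="high"),
                   GatePolicy(mode="enforce", fail_at="high",
                              accepted=frozenset({"SAST-0042"}))):
        result = evaluate(SAMPLE_FINDINGS, policy)
        print(policy.mode, policy.fail_at, "->", result.summary())
        for f in result.blocking:
            print(f"  BLOCK [{f.severity}] {f.tool} {f.rule} at {f.location}")
```

Running the gate in learn mode for a while first shows the team the volume and kind of findings it will face; switching the same policy to enforce mode at a threshold, with explicitly accepted rule ids, is how the build starts breaking on what matters without demanding zero findings.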
Application Security Verification Standard
Irrelevant / SAST / DAST / RAST / other
Train for risks we can’t automate
Evil user stories
As a Malicious Hacker, I want to gain access to this web application’s Cloud Hosting account so that I can lock out the legitimate owners and delete the servers and their backups, to destroy their entire business.
#6: Fix your vulnerabilities
Eliminate known vulnerabilities: OWASP Dependency-Check
62
550 vulnerabilities
#7: Immutable infrastructure
One of the benefits of using containers, especially in microservices-based applications, is they make it easier to secure applications via runtime immutability—or never-changing—and applying least-privilege principles that limit what a container can do.
Tsvi Korren - Chief Solutions Architect at Aqua Security
Immutable infrastructure mindset
• Patches are code changes and follow the pipeline
• Use systematic workload re-provisioning – difficult to persist across rebuilds
• Scan infrastructure security scripts against the security policy
• Apply pervasive visibility
Source: Gartner report on cloud security
#8: Detection of changes
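If infrastructure is immutable and every change goes through the pipeline, detecting changes becomes a comparison: what was provisioned against what is running now. The following is an added example of that comparison, not code from the talk or from Schuberg Philis. It assumes a manifest of SHA-256 digests is recorded at build time; both file trees below are constructed in memory so the example runs offline.

```python
"""Drift detection for immutable infrastructure: an added example, not from the
talk or from Schuberg Philis. If workloads are only changed by rebuilding them
through the pipeline, the files on a running instance should match the manifest
recorded at provisioning time. This compares SHA-256 digests recorded in a
baseline manifest with the current state and classifies each path as modified,
added or removed. Both file trees are constructed in memory, so it runs offline.
"""
from __future__ import annotations
import hashlib


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def build_manifest(tree: dict[str, bytes]) -> dict[str, str]:
    """Record a digest per path; in practice this runs at image build time."""
    return {path: digest(content) for path, content in tree.items()}


def detect_drift(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Return sorted path lists under 'modified', 'added' and 'removed'."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def drift_report(drift: dict[str, list[str]], ignore_prefixes: tuple[str, ...] = ()) -> list[str]:
    """Flatten drift into report lines, dropping paths that are expected to change
    at runtime (for example log directories) so they do not drown real drift."""
    lines = []
    for kind in ("modified", "added", "removed"):
        for path in drift[kind]:
            if path.startswith(ignore_prefixes):
                continue
            lines.append(f"{kind.upper():8} {path}")
    return lines


# Constructed: what was provisioned from the image ...
BASELINE_TREE = {
    "/etc/app/config.yaml": b"log_level: info\nlisten: 127.0.0.1:8080\n",
    "/etc/app/feature-flags.json": b'{"beta": false}\n',
    "/usr/local/bin/app": b"\x7fELF-constructed-binary-v1",
    "/var/log/app.log": b"",
}
# ... and what is found on the running instance later.
CURRENT_TREE = {
    "/etc/app/config.yaml": b"log_level: debug\nlisten: 0.0.0.0:8080\n",  # edited by hand
    "/usr/local/bin/app": b"\x7fELF-constructed-binary-v1",              # unchanged
    "/opt/app/hotfix.sh": b"#!/bin/sh\nsed -i s/info/debug/ /etc/app/config.yaml\n",  # bypassed the pipeline
    "/var/log/app.log": b"2019-01-01T00:00:00Z started\n",                # expected to change
}

BASELINE = build_manifest(BASELINE_TREE)
CURRENT = build_manifest(CURRENT_TREE)

if __name__ == "__main__":
    for line in drift_report(detect_drift(BASELINE, CURRENT), ignore_prefixes=("/var/log/",)):
        print(line)
```

The report surfaces three kinds of change the pipeline did not make: a hand-edited configuration, a script dropped in outside the build, and a file that disappeared. With immutable infrastructure the response to any of them is the same: re-provision from the pipeline rather than repair in place.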
#9: Treat security tests as source code
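A security test that lives in the repository runs on every change like any other test. The following is an added example of such a test, not the talk's or ANVA's own test: it checks a Dockerfile against a small policy covering two points from the talk, a pinned base image (so a rebuild produces the same thing) and a non-root final stage (the kind of over-privileged container a Docker Bench run flags), plus a check on remote ADD. The rule ids DF001 to DF003 and both Dockerfiles are constructed for this example.

```python
"""Security test as source code: an added example, not the talk's or ANVA's
own test. It checks a Dockerfile against a small policy that encodes two
points from the talk: the base image must be pinned (immutable, rebuildable
infrastructure) and the final stage must not run as root (the kind of
over-privileged container a Docker Bench run flags). Rule ids DF001-DF003 and
both Dockerfiles are constructed for this example.
"""
from __future__ import annotations


def parse_dockerfile(text: str) -> list[tuple[str, str]]:
    """Return (INSTRUCTION, arguments) pairs, joining backslash continuations
    and skipping comments and blank lines."""
    instructions: list[tuple[str, str]] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        buf += line
        inst, _, args = buf.partition(" ")
        instructions.append((inst.upper(), args.strip()))
        buf = ""
    return instructions


def image_tag(image: str) -> str:
    """Tag of an image reference, '' if untagged. A ':' before the last '/'
    belongs to a registry port, not a tag (registry:5000/app)."""
    colon, slash = image.rfind(":"), image.rfind("/")
    return image[colon + 1:] if colon > slash else ""


def check_dockerfile(text: str) -> list[str]:
    """Return policy findings; an empty list means the Dockerfile passes."""
    findings: list[str] = []
    aliases: set[str] = set()   # names of earlier build stages
    last_user: str | None = None
    for inst, args in parse_dockerfile(text):
        if inst == "FROM":
            parts = args.split()
            image = parts[0]
            if len(parts) >= 3 and parts[1].upper() == "AS":
                aliases.add(parts[2])
            last_user = None   # every stage starts as root again
            if image in aliases or image == "scratch" or "@sha256:" in image:
                continue
            if image_tag(image) in ("", "latest"):
                findings.append(f"DF001 base image not pinned: FROM {image}")
        elif inst == "USER":
            last_user = args.split(":")[0]   # drop an optional :group
        elif inst == "ADD" and args.lower().startswith(("http://", "https://")):
            findings.append(f"DF003 ADD fetches a remote file: {args}")
    if last_user in (None, "root", "0"):
        findings.append("DF002 final stage runs as root: add a non-root USER")
    return findings


# Constructed "before": unpinned base image and no USER, so the process runs as root.
BAD_DOCKERFILE = """\
FROM python:latest
COPY . /app
RUN pip install -r /app/requirements.txt
CMD ["python", "/app/main.py"]
"""

# Constructed "after": pinned base images and a non-root user in the final stage.
GOOD_DOCKERFILE = """\
FROM python:3.11-slim AS build
COPY requirements.txt /tmp/
RUN pip install --prefix /install \\
    -r /tmp/requirements.txt

FROM python:3.11-slim
COPY --from=build /install /usr/local
COPY . /app
RUN useradd --create-home app
USER app:app
CMD ["python", "/app/main.py"]
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(name, "->", check_dockerfile(text) or "no findings")
```

Because the check is a plain function over text, it runs in the same test stage as unit tests, is versioned with the code it protects, and is reviewed like any other change; tightening the policy is a pull request rather than a ticket to a separate team.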
#10: Train for the basics
Automate security features and scan against bugs and vulnerabilities
Check for logical flaws manually, educate and raise context awareness
Infrastructure alone won’t keep you safe
10.6% of passwords are a top-20 password
Security bootcamps
Context awareness
Hack yourself first too
Chaos Engineering: make rare events regular
“Think as an offender will show the real threats of your application and grow awareness from finding out how easy it is.”
Troy Hunt, MVP for developer security and creator of ‘Have I Been Pwned’
Red teaming
“Did you check the cake for hard and sharp objects before bringing this inside?”
Recap: Gartner DevSecOps Top 10 (see the list above)
References and questions
www.kimvanwilgen.com
@kimvanwilgen
Sources
https://sdtimes.com/developers/gartners-guide-to-successful-devsecops/
https://cybersecurity.isaca.org/static-assets/documents/State-of-Cybersecurity-part-2-infographic_res_eng_0517.pdf
https://www.sans.org/reading-room/whitepapers/critical/continuous-security-implementing-critical-controls-devops-environment-36552
10 Things to Get Right for Successful DevSecOps, Gartner, 2017, IDG00341371
https://www.gartner.com/doc/reprints?id=1-4TI72Y2&ct=180320&st=sb
https://www.thoughtworks.com/radar/techniques
https://www.mmc.com/content/dam/mmc-web/Global-Risk-Center/Files/MMC-Cyber-Handbook_2016-web-final.pdf
Reimagining Security and IT Resilience for a Cloud-Native DevSecOps World, Gartner, 2018