DevSecOps – Shift Left Security
Prioritizing Incident Response using Security Posture
Assessment and Attack Surface Analysis
Themes
Vulnerabilities are Low Hanging Fruit
Why are there so many breaches that Anti-Virus missed?
2015 largest disclosed breaches
Known Critical Vulnerabilities are Increasing
[Chart: Known critical vulnerabilities per year, 2011 to 2016; y-axis 0 to 9,000 vulnerabilities; series: Total, High (CVSS 7-10)]
WannaCry
Retrospective
WannaCry Timeline and Remediation
[Chart: WannaCry timeline, y-axis 0 to 700 thousands; events marked: EternalBlue Exploit, WannaCry, MS17-010 Patch Release; detection series: Authenticated / Agent Detection, Continued + Unauthenticated Detection]
Endpoint Breach Prevention by Reducing Attack Surfaces
1. Discover and Know your Assets
2. Detect and Measure Vulnerabilities
3. Prioritize Remediation
4. Identify and Deploy Patches
Exercise: “I already know all my assets…”
Auto-Deploy Qualys Cloud Agent (Vuln)
Vulnerability Results
Exploitability Posture
Get Proactive – Reduce the Attack Surface!
Get Visibility into your Public Clouds
Common AWS Misconfigurations
Continuous Security Monitoring
Actionable Responses – Reduce Attack Surface
Can Security Teams do better?
Digital Transformation – Priorities
Source: https://news.microsoft.com/apac/2017/02/20/80-of-business-leaders-believe-they-need-to-be-a-digital-business-to-succeed-microsoft-study/microsoft-digital-transformation-infographic-asia
Digital Transformation – Barriers
Source: https://news.microsoft.com/apac/2017/02/20/80-of-business-leaders-believe-they-need-to-be-a-digital-business-to-succeed-microsoft-study/microsoft-digital-transformation-infographic-asia
DevSecOps ≠ DevOps + Security
False Approach ~ False Start ~ Failure
[Diagram: Dev/Ops pipeline stages Plan, Code, Test, Package, Release, Deploy, Monitor, Operate, with a separate Security stop ("wait!") inserted between the stages]
Security + DevOps = a Revolt or Left Out?
Source: https://theclumpany.wordpress.com/2015/08/09/pitchforks-and-flaming-torches/
Food Safety is a Security Problem
Source: http://www.foodengineeringmag.com/articles/88990-tech-update-metal-detection-xray-inspection-
DevSecOps – Shift in Thinking
Shift Time
Case Study: Financial Services Mobile Wallet
Before: Lack of Security Automation Delays Release
[Diagram: Machine Builders hand builds to the Vulnerability Management Teams (Security) for a VM Scan/Report, 48 Hours per cycle, two cycles shown; at least two weeks until the AMI is certified for production]
1. DevOps: Born in the Cloud, new builds in AWS every 60 days. Security: Commercial/Open Source vulnerabilities are detected & fixed on the same release cadence.
2. DevOps: Automated Regression & Test-Driven Development. Security: Automated regression finds patch issues faster.
3. DevOps: Docker containers abstract applications from the OS. Security: OS vulnerabilities are patched separately from Applications.
After: Security at the Source in DevOps Pipeline
[Diagram, stages as labeled: Amazon Machine Image (AMI) with Qualys Agent on the OS -> Automatically add Qualys Cloud Agent -> Qualys assess on dev instances (Qualys Scanner and Qualys Agent on the OS) -> Approve and Publish]
Vulnerability Metric Benefits
Shift Techniques
Case Study: One of the Largest Ecommerce Companies
1. Shift Technique: Tag Vulnerable Libraries in Source Control. Apply Technique: Prevent Software Check-Ins that use Vulnerable Libraries.
2. Shift Technique: Vulnerabilities in Production are Treated as Defects. Apply Technique: Automatically open tickets for Developers on security issues.
3. Shift Technique: Open Vulnerabilities Reported to Business Unit VPs. Apply Technique: Excessive Remediation Times are escalated to the CEO.
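The first technique above (tag vulnerable libraries in source control, then block check-ins that use them) as an added example; it is not code from the slides or from any vendor tool. It assumes a requirements.txt-style manifest with pinned versions, a constructed tag list kept beside the code, and placeholder tag identifiers:

```python
"""Check-in gate: reject a dependency manifest that pins a library version
tagged as vulnerable. The tag list and manifest below are constructed sample data."""
import re

# Constructed tag list, as a security team might keep it in source control:
# library -> list of (first vulnerable version, first fixed version, tag note)
VULNERABLE_TAGS = {
    "examplelib": [((1, 0, 0), (1, 4, 2), "EXAMPLE-TAG-001 (placeholder)")],
    "otherlib":   [((2, 0, 0), (2, 1, 0), "EXAMPLE-TAG-002 (placeholder)"),
                   ((3, 0, 0), (3, 0, 5), "EXAMPLE-TAG-003 (placeholder)")],
}

def parse_version(text):
    """Turn '1.4.2' into a comparable tuple (1, 4, 2); pads short versions with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_manifest(manifest):
    """Parse 'name==version' lines (requirements.txt style); skips comments and blanks.
    An unpinned requirement is rejected: the gate cannot judge a range it cannot resolve."""
    pins = {}
    for line in manifest.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)$", line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pins[m.group(1).lower()] = parse_version(m.group(2))
    return pins

def find_violations(manifest, tags=VULNERABLE_TAGS):
    """Return [(library, version, note)] for every pin inside a tagged range [lo, hi)."""
    violations = []
    for name, ver in parse_manifest(manifest).items():
        for lo, hi, note in tags.get(name, []):
            if lo <= ver < hi:
                violations.append((name, ".".join(map(str, ver)), note))
    return violations

def gate(manifest):
    """True when the check-in may proceed, i.e. no tagged library version is used."""
    return not find_violations(manifest)

SAMPLE_MANIFEST = """\
# constructed manifest for the example
examplelib==1.2.0   # inside tagged range -> blocked
otherlib==2.1.0     # first fixed release -> allowed
untaggedlib==0.9.0  # not tagged -> allowed
"""
```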
Shift Tools
Find/Implement the right tools for the DevOps Processes…
... But: You may not need to procure new tools
APIs, Integrations, Self-Service UIs
Collaborate with current vendors on your DevOps plans
Case Study: Financial Investment Services
Challenge:
- 400+ Web Apps in production
- Web Security Assessment found they had a lot of “easily” mitigated app vulnerabilities
- Hard for developers to fix security issues in production
Solution:
1. Integrated the production Web Security Assessment tool into DevOps processes via API
2. Automatically create Jira bugs for App Development to fix XSS and SQL Injection issues
3. Continuously assess Web Apps in the dev process so issues are not re-introduced
Integrate Production Security Tools into DevOps
[Diagram: Selenium -> Qualys WAS -> Jira Issues]
DevSecOps: Practical Steps to Get Started
Open Q&A