Rajiv Kadayam
© 2016 eGlobalTech. All rights reserved.
Succeeding in the Marriage of Cybersecurity and DevOps
About Rajiv & eGT
Executive Technologist
Product Owner
Agile Manager/Coach
Solutions Architect
Sr. Director, Technology Strategy
Dad / Hubby
• Established in 2004
• Agile Development & DevOps
• Cloud Migration & Enablement
• Cybersecurity & Information Assurance
• eGT Labs – skunk works!
• 30+ federal agencies
Best of times… and worst of times…
Businesses need to deliver faster and be more responsive
Align organizational units to rally behind one common goal
Continuously assess, monitor, prevent, and counter security risks and issues
Leverage technology, automation and agile practices to achieve all of the above
• E-Commerce transactions to pass $1.5 Trillion/year
• Era of Digital & Connected Lives – mobile, cloud, wearables, social
• B2B ecommerce predicted to hit $6.7T/year by 2020
• 47% of American adults had their personal information stolen by hackers
• Cyber crime costs businesses $400+ Billion/year – McAfee, 2014
Stone Age IT
Development | Operations | Cybersecurity | QA and Testing | Enterprise Architecture
Messages lost in translation
Slow & unwieldy
Too much finger pointing
Ultimately business suffers, and people too…
Initiation & Planning → Requirements Definition → Design → Development → Testing → Implementation → Operations & Maintenance
Enter Agile Development Methodology
Automated Deployment
Continuous Integration
Automated Code Review
Product / Release Backlog
Sprint Backlog
System Releases
Continuous feedback loop
Production
Development
Testing/Demo
Test Driven Development
Iterative Development & Testing
Scrum Kanban Lean SAFe
Initiation & Planning → Requirements Definition → Design → Development → Testing → Implementation → Operations & Maintenance
Agile as a means to develop solutions faster, release frequently and incorporate feedback continuously
Gradual Agile Transformation
Development
Operations
Cybersecurity
QA and Testing
Enterprise Architecture
Other Stakeholders
More and more federal agencies are adopting agile
Some agencies have adopted DevOps
Very few agencies are truly performing blue-green deployments
Need to break walls and build a tighter trust circle
Agile Software Development & DevOps
Agencies are plagued with security concerns – preventing DevOps transformation
DevOps + Cybersecurity → DevOpsSec
Yes, but what about Testing, Users, Requirements, EA?
ReqEADevTestingSecOps ?
DevOps => More than just “Development” and “Operations”
Philosophy, Culture, Process, Automation, Tools & Continuous Learning
By Practitioners - For Practitioners
DevOps & Cybersecurity – Flipping Resistance Results
Challenges
• Organizational hierarchies
• Lack of domain understanding
  • RMF, NIST Controls
  • Emerging / Open Source Tech
• Different tools and processes
• Different objectives – DevOps: Deliver Faster vs. Security: Protect Information
Opportunities
Secure Designs, Robust Solutions, Reduced $Costs$
Integrate and automate delivery pipeline – Accelerate time to Market
Respond faster to business
Enhanced Transparency, Visibility and Accountability
Keys to a Successful Marriage of DevOps & Cybersecurity
#1 – Come together - Establish Common Process Framework
• Integrate and Align SDLC and RMF
• Concurrently execute lifecycle phases
• Peer review and validate work products
• Reinforce security mindset in every step of the process
• Universal visibility, transparency, and accountability
NIST Risk Management Framework + Software Development Lifecycle
RMF steps: Categorize Information System → Select Security Controls → Implement Security Controls → Assess Security Controls → Authorize Information System → Monitor Security Controls
SDLC phases: Initiation & Planning → Requirements → Design → Development → Testing → Implementation → Operations & Maintenance
DevOps Factory
Machine-enforced governance and compliance established by a fully automated CI/CD process expressed in code
#2 – Be kind to your partner - Commit to Collaborate
DevOps ↔ Cybersecurity
“Target solution must properly address all required NIST security controls!”
“Here is how and what needs to be done to certify new technologies for secure acceptable use.”
“I want to adopt the latest and greatest open source technology.”
“Is this implementation approach secure and compliant?”
• Truly bring disparate teams together to work towards common goals and objectives
• Learn, understand and appreciate each other’s concerns
• Instead of “No, not possible” – explore and provide alternate approaches
• Leverage effective collaboration tools
Common Goals · Invested in Shared Success · Continuous Communication
#3 – Build Trust Early - Design for Security From Inception
• Detect basic security issues early and prevent downstream friction
• Include security issues (POA&Ms, etc.) as part of the product backlog and prioritize collectively
• Keep pace with new technology insertion and refreshes
• Address security controls early in the architecture and design phase
Develop System & Software Architecture and Design → Test for compliance with required NIST controls
#4 – Simplify Life - Strive to Automate
Security Docs · Security Testing, Monitoring & Compliance · Automation & Orchestration · SaaS / PaaS / IaaS · SDLC Activities
• Aggressively exploit opportunities to automate security processes
• Automate:
  • FISMA / FedRAMP documentation
  • Security Penetration/Vulnerability Testing
  • Security Compliance and Monitoring
  • Intrusion Detection & Data Breaches
  • Threat Management
Security Policy and Compliance “as code”
• Replace opinionated human compliance checkers with machines – Compliant or Non-Compliant

    # port 80 (plain HTTP) must not be listening
    describe port(80) do
      it { should_not be_listening }
    end

    # port 443 must be listening, over tcp
    describe port(443) do
      it { should be_listening }
      its('protocol') { should eq 'tcp' }
    end

• BDD-Security, Gauntlt – security test code expressed in plain English
• Treat like any other code – source control, versions, peer review
• Provides a time-machine view into security evolution
• Produces valuable raw data for historical and trend analytics
Short detour for a specific use case / demo…
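As an added example (not the slide's describe-block snippet and not eGT's code), the same two port rules written as a small "compliance as code" checker in plain Ruby: it evaluates a policy against a constructed socket listing and emits a timestamped compliant/non-compliant record that can be committed and trended. The `ss`-style listing, the rule ids and the report layout are assumptions.

```ruby
# Added example: the slide's two port rules as a plain-Ruby compliance checker
# (not InSpec, not eGT's code). Verdicts are binary and timestamped per run.
require 'json'
require 'time'

# Constructed sample of an `ss -tln`-style listing (hypothetical host, embedded so the
# example runs offline). Port 80 is listening here, which the policy forbids.
SAMPLE_SOCKETS = <<~SOCKETS
  Netid State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
  tcp   LISTEN  0      128    0.0.0.0:22          0.0.0.0:*
  tcp   LISTEN  0      128    0.0.0.0:80          0.0.0.0:*
  tcp   LISTEN  0      128    *:443               *:*
SOCKETS

# Policy as data: the same intent as the slide's describe blocks.
POLICY = [
  { id: 'no-plain-http', port: 80,  listening: false },
  { id: 'tls-endpoint',  port: 443, listening: true, proto: 'tcp' }
].freeze

# Turn the listing into [{ proto:, port: }] records; the header line is skipped.
def parse_listeners(text)
  text.lines.map do |line|
    fields = line.split
    next unless fields.length >= 5 && fields[1] == 'LISTEN'
    { proto: fields[0], port: fields[4].split(':').last.to_i }
  end.compact
end

# Evaluate one rule against the observed listeners: no opinions, only true or false.
def rule_satisfied?(rule, listeners)
  match = listeners.find { |l| l[:port] == rule[:port] }
  return match.nil? unless rule[:listening]
  !match.nil? && (rule[:proto].nil? || match[:proto] == rule[:proto])
end

# Build a record suitable for source control and trend analytics.
def compliance_report(text, now = Time.now.utc)
  listeners = parse_listeners(text)
  results = POLICY.map do |rule|
    { id: rule[:id], port: rule[:port],
      status: rule_satisfied?(rule, listeners) ? 'compliant' : 'non-compliant' }
  end
  { checked_at: now.iso8601, results: results,
    compliant: results.all? { |r| r[:status] == 'compliant' } }
end

puts JSON.pretty_generate(compliance_report(SAMPLE_SOCKETS))
```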
Web Application Security Vulnerabilities Survey Results
86% of websites and web-apps contain at least one serious vulnerability
Make vulnerability remediation process faster and easier
Visibility, Accountability and Empowerment
More secure software, NOT more security software
What is OWASP?
Make software security visible, so that individuals and organizations are able to make informed decisions
100s of projects…
OWASP Top 10 security flaws
Agile Development & OWASP Testing is Disconnected
Iterative / Agile Development: Backlog → Source Control → Build → Testing (Unit, Functional, Static Code Scan, Performance, etc.) → Release Candidate → Staging / Production → Security Penetration Testing
Multiple daily/weekly iterations
Push security testing left of the process
Web App Penetration testing conducted very late in the process
Developers have limited visibility and less time to remediate issues
Security vulnerabilities leak through into production
Espial – Automate & Integrate Penetration Testing
Jenkins orchestrates: Source Control → Automated Build → Automated Testing (Unit, Functional, etc., Espial Plugin) → Automated Deployment
deploy → Dev/Test Env (Apps), Prod Env (Apps), via Vagrant / Docker image
execute tests & collect results → output: Build Quality Report – Code Quality, Test Execution Results, Espial Security Vulnerabilities, Metrics
A mechanism that automates and integrates security vulnerability tests as part of your existing Jenkins-based CI/CD process
Continuous Detection, Faster Remediation
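As an added example (not Espial's or Jenkins' code), a plain-Ruby quality gate that rolls constructed scanner findings into the security section of a build quality report and returns a pass/fail the pipeline can act on. The findings format, severity names and failure threshold are assumptions.

```ruby
# Added example (not Espial's or Jenkins' code): a CI quality gate in plain Ruby. It rolls
# scanner findings into the "security vulnerabilities" part of a build quality report and
# returns pass/fail so the build step can be marked failed instead of leaking issues onward.
require 'json'

# Constructed findings for one build; the JSON shape is hypothetical, not a real plugin's.
SAMPLE_FINDINGS_JSON = <<~JSON
  [
    {"url": "/login",  "issue": "SQL Injection",           "severity": "high"},
    {"url": "/search", "issue": "Reflected XSS",           "severity": "medium"},
    {"url": "/about",  "issue": "Missing X-Frame-Options", "severity": "low"},
    {"url": "/search", "issue": "Missing X-Frame-Options", "severity": "low"}
  ]
JSON

SEVERITY_RANK = { 'low' => 1, 'medium' => 2, 'high' => 3 }.freeze

# Count findings per severity; written out per build, these are the trend metrics.
def summarize(findings)
  findings.each_with_object(Hash.new(0)) { |f, acc| acc[f['severity']] += 1 }
end

# Gate: the build fails when any finding is at or above the threshold severity.
# Unknown severities rank 0, so they are reported but never silently block a build.
def security_gate(findings_json, fail_at: 'high')
  findings = JSON.parse(findings_json)
  threshold = SEVERITY_RANK.fetch(fail_at)
  blocking = findings.select { |f| SEVERITY_RANK.fetch(f['severity'], 0) >= threshold }
  {
    total: findings.length,
    by_severity: summarize(findings),
    endpoints_affected: findings.map { |f| f['url'] }.uniq.sort,
    blocking: blocking,
    pass: blocking.empty?
  }
end

# In a Jenkins job this output would be archived as the report and a failed gate would
# end the step with a non-zero exit status; here it is only printed.
report = security_gate(SAMPLE_FINDINGS_JSON)
puts JSON.pretty_generate(report)
```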
Espial – Key Benefits
• Platform and programming language agnostic – any web-app
• Out of the box integration with Jenkins
• Developers have clear visibility of security vulnerabilities
• Comprehensive – crawls all end-points automatically
• Eliminates risk of vulnerabilities creeping in
#5 – Keep the spark alive - Continuously Learn & Innovate
• Evaluate emerging tools & technologies for adoption
• Identify opportunities to innovate and evolve
  • Threat Management
  • Security Data Analytics
  • Interactive Application Security Testing
• Promote industry and community relationships
• Cultivate Labs – Ideas to Reality
  • Promote innovation
  • Experiment and Prototype
  • Productize
  • Rinse and Repeat
Questions?
Rajiv Kadayam
Senior Director, Technology Strategy
[email protected]
http://www.linkedin.com/in/rajivkadayam
http://www.eglobaltech.com
http://www.cloudamatic.com
Thank You!
Keep Innovating…