![Page 1: YOUR CHANCE TO GET IT RIGHT: KEYS TO BUILDING APPSEC … · 2019. 2. 11. · Security Numbers and other PII of 4.5 million patients Financial Institution How: Hackers exploited a](https://reader034.vdocument.in/reader034/viewer/2022052018/6032145d76240d27ae72f0de/html5/thumbnails/1.jpg)
© 2017 VERACODE INC.
YOUR CHANCE TO GET IT RIGHT: KEYS TO BUILDING APPSEC INTO DEVOPS
Chris Wysopal, CTO & Co-founder, Veracode

High Profile Breaches through the app layer

Retailer
How: Sophisticated kill chain including exploitation of a vulnerable web application
Result: Hackers stole PII for more than 70 million shoppers

Financial Institution
How: Vulnerability on a website built and maintained by a third-party vendor in support of a charity
Result: Usernames and passwords for 76 million households and 7 million businesses were stolen

Healthcare Provider
How: Targeted a flaw in OpenSSL, CVE-2014-0160, better known as Heartbleed
Result: Theft of Social Security Numbers and other PII of 4.5 million patients

Financial Institution
How: Hackers exploited a known vulnerability in an open source component
Result: Social Security Numbers and PII for more than 143 million Americans stolen; three executives lost their jobs
Is this your current AppSec program?
Which outcome do you see?

Release Timelines & Team Sizes

Model      Releases per year   Team size
Waterfall  1-4                 50+ people
Agile      12-24               6-12 people
DevOps     100+                6-12 people

Handoffs across the pipeline (figure: phases Plan, Dev, QA, Ops, with Sec alongside; "!" marks a handoff, where business intent, app knowledge, ops knowledge and continuity can be lost)

Waterfall: a handoff at every phase boundary (Plan to Dev, Dev to QA, QA to Ops) and another into Security
Agile: fewer handoffs, but two remain
DevOps: no handoffs; one team carries business intent, app knowledge and ops knowledge through the whole pipeline

Technology: Waterfall, Agile, DevOps
Agile - Process
What is DevOps?
“DevOps is a cultural and professional movement, focused on how we build and operate high velocity organizations, born from the experiences of its practitioners.”
- Nathen Harvey (Chef)
DevOps Team
What’s a DevOps team?
Security
What is DevSecOps?

How can you implement DevSecOps?
• Relationship & Accountability
• Security Champions
• Training & Remediation Coaching
• Right-Sized Testing

Strategy - Relationships
• Who is your peer in development?
• Do you understand what goals they are measured against?
• What are their struggles?
• How often do you meet with them?
• Are they sympathetic to your goals and struggles?

Strategy - Accountability
• Shared between development and security
• Part of annual goals for both teams
• Measured and reported regularly

Strategy – Security Champions
• Eyes and ears of security
• Specialized training
  • Basic security concepts
  • Threat modeling
  • Grooming guidelines
  • Secure code review training
  • Security controls
  • CTF exercises
• Escalate when necessary

Strategy - Training
• Security teams can help developers by providing training, either through eLearning or in-person instructor-led training
• Think about targeted training based on policy violations
Source: CA Veracode State of Software Security 2017
Strategy - Training

Strategy - Remediation Coaching
Source: CA Veracode State of Software Security 2017
@PeteChestna

Strategy – Right-sized Security

Pipeline phases: Plan, Code, Build, Test, Stage, Deploy, Monitor

Plan: Threat modeling; security grooming; secure design
Code: Training (eLearning, instructor led, metadata driven); secure code reviews
Build: Static Application Security Testing + 3rd party risk analysis
Test / Stage: Dynamic Application Security Testing; manual penetration testing; red team activities
Deploy / Monitor: Runtime Application Self Protection
Throughout: Remediation and mitigation guidance
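A right-sized gate of the kind this slide describes, as an added example that is not code from the talk or from any Veracode product: it reads constructed scanner output for the Build stage, fails the pipeline only on high-severity static findings and on known-vulnerable third-party components above a CVSS threshold, records everything else as warnings for the backlog, and derives targeted training topics from the CWEs that violated policy (the "metadata driven" training idea from the Training strategy). The finding JSON shape, the thresholds, the advisory ids and the training module names are all assumptions made for the example.

```python
"""Right-sized CI security gate (added example, not from the talk).

Assumptions, all hypothetical: the finding JSON shape, the policy
thresholds, the advisory ids and the training module names.
"""
import json
from dataclasses import dataclass, field

# Policy thresholds. A team shipping at DevOps speed blocks only on what it
# would actually stop a release for and pushes the rest to the backlog.
BLOCKING_SAST_SEVERITIES = {"very high", "high"}
BLOCKING_SCA_CVSS = 7.0

# Targeted training: CWE id -> training module (module names are made up).
TRAINING_BY_CWE = {
    89: "Preventing SQL Injection",
    79: "Preventing Cross-Site Scripting",
    22: "Safe File Path Handling",
}

# Constructed scanner output: two static findings and two third-party
# component findings. Advisory ids are placeholders, not real advisories.
SAMPLE_SCAN_JSON = """
[
  {"type": "sast", "cwe": 89, "severity": "High", "file": "app/orders.py", "line": 42},
  {"type": "sast", "cwe": 79, "severity": "Medium", "file": "app/views.py", "line": 17},
  {"type": "sca", "component": "example-lib", "version": "1.2.3", "cvss": 9.8,
   "advisory": "EXAMPLE-ADV-1", "fix_version": "1.2.4"},
  {"type": "sca", "component": "other-lib", "version": "0.9.0", "cvss": 4.3,
   "advisory": "EXAMPLE-ADV-2", "fix_version": null}
]
"""


@dataclass
class GateResult:
    blocking: list = field(default_factory=list)   # findings that fail the build
    warnings: list = field(default_factory=list)   # findings sent to the backlog
    training: set = field(default_factory=set)     # modules to assign to the team

    @property
    def passed(self) -> bool:
        return not self.blocking


def evaluate(findings) -> GateResult:
    """Apply the policy to a list of finding dicts and bucket the results."""
    result = GateResult()
    for f in findings:
        kind = f.get("type")
        if kind == "sast":
            msg = f"CWE-{f['cwe']} {f['severity']} at {f['file']}:{f['line']}"
            blocks = f["severity"].lower() in BLOCKING_SAST_SEVERITIES
            (result.blocking if blocks else result.warnings).append(msg)
            # Any policy violation drives a training assignment, whatever its severity.
            topic = TRAINING_BY_CWE.get(f["cwe"])
            if topic:
                result.training.add(topic)
        elif kind == "sca":
            fix = f.get("fix_version") or "no fix published"
            msg = f"{f['component']} {f['version']} CVSS {f['cvss']} ({f['advisory']}), fix: {fix}"
            # A known vulnerable component blocks above the CVSS threshold whether
            # or not a fix exists; with no fix the team must mitigate before release.
            blocks = f["cvss"] >= BLOCKING_SCA_CVSS
            (result.blocking if blocks else result.warnings).append(msg)
        else:
            # Unknown finding types are surfaced rather than silently dropped.
            result.warnings.append(f"unrecognised finding type {kind!r}")
    return result


def gate_from_json(text: str) -> GateResult:
    """Parse raw scanner JSON and evaluate it."""
    return evaluate(json.loads(text))


if __name__ == "__main__":
    r = gate_from_json(SAMPLE_SCAN_JSON)
    for m in r.blocking:
        print("BLOCK ", m)
    for m in r.warnings:
        print("WARN  ", m)
    for t in sorted(r.training):
        print("TRAIN ", t)
    # Non-zero exit fails the CI job; warnings alone let the release proceed.
    raise SystemExit(0 if r.passed else 1)
```

Run it as a CI step after the scanners have written their output; the exit code is the gate, and the warning and training lists are what a security champion would carry into grooming and the next training assignment.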

Conclusions
• DevOps is inevitable: learn it
• Relationships and shared accountability are key to securing applications
• Train developers and help them fix what they find
• Adjust to the speed of DevOps and right-size your security requirements