[Slide 1]
SDL Unicorns or Thoroughbreds: Application Security in DevOps
Hemanth Srinivasan, Autodesk
[Slide 2]
Agenda
• Unicorns, Horses & Thoroughbreds
• SDL
• What is it?
• How has it evolved?
• Adapting to DevOps
• Customizing SDL activities
• SDL Flow
• Benefits & Challenges
• Takeaways
• Q&A
[Slide 3]
Unicorns, Horses, Thoroughbreds
• Unicorns
  • Innovators
  • Mythical creatures
• Horses
  • Slow movers
  • Saddled with legacy
• Thoroughbreds
  • Agile and bold
  • Run away from the pack
[Slide 4]
SDL - Beginnings
• Microsoft SDL
• Security is “built-in”
• Security activities embedded into every SDLC phase
[Slide 5]
SDL - Agile
• Incremental & iterative
• Align security activities
• Prioritize & break-up
• Every sprint requirements
• Bucket requirements
• One-time requirements
[Diagram: SDL activities – Security Requirements, Threat Modeling, Static Analysis, Penetration Testing, Dynamic Analysis, 3rd Party Analysis]
[Slide 6]
And then
SDL
[Slide 7]
The “Three Ways” of DevOps
• Flow
  • Automate & Code
  • Pipeline
• Feedback
  • Reviews & Testing
  • Telemetry
• Learning
  • Experiment & Refine
  • Share
[Slide 8]
SDL - Adaptations
• Training
  • Just in time
• Security requirements
  • Unified
  • Integrated
  • Move to the left
• Threat modeling
  • Rapid
  • As Code?
• Static & Dynamic analysis
  • Automate
  • Customize
• Pentests
  • Targeted & Time-bound
  • Bug-bounty
• Infrastructure
  • Automate & Code
  • Blue-Green deployments
[Slide 9]
Threat modeling as Code
[Slide 10]
SDL Flow
[Diagram: SDL flow – ALM, Automation, Metrics; SDL activities: Training, Requirements, Threat Modeling, Scanning, Testing, Secure Configs]
[Slide 11]
Benefits & Challenges
• Benefits
  • No disruption in Flow
  • End-to-End security
  • Symbiosis
• Challenges
  • Technology
  • Adoption
  • Culture change
  • Security champions
Symbiosis: “Interaction between two different organisms living in close physical association, typically to the advantage of both.” – Wikipedia
[Slide 12]
Takeaways – Move to the left
End-to-end SDL Activities
Non-functional requirements (NFR):
• Security, Privacy and Compliance Requirements
• Availability Requirements
• Operational Support Requirements
• Scalability Requirements
• Monitoring Requirements
Agile - CI/CD Pipeline stages: DEVELOP, BUILD, DEPLOY, TEST, STAGE, PRODUCTION
SDL activities along the pipeline, from left to right:
• SDL Training, Non-functional Requirements, Threat Modeling, 3rd Party Reviews
• Static Code Analysis, Dependency Checks
• Hardening, Dynamic Analysis, Vulnerability scanning
• Pentests, Bug Bounties, Hardening
• Pentests, Bug Bounties, Vulnerability scanning, Monitoring, Incident Response
[Slide 13]
Takeaways – Adapt to the Flow
• Trim & Streamline
• Automate
• Integrate
• Measure & Refine
[Slide 14]
Takeaways – Culture Change
[Diagram: Dev, Ops and Sec as interlocking halves – DEV / OPS, SEC / OPS]
“How seemingly opposite or contrary forces may actually be complementary, interconnected, and interdependent in the natural world, and how they may give rise to each other as they interrelate to one another.” – Wikipedia
[Slide 15]
Takeaways – Lastly
• Don’t pretend to be a Unicorn
• Try to be a Thoroughbred instead
• Focus on Culture & Adoption
• Right Tools & Technologies
• Start small then scale
[Slide 16]
Questions
[Slide 17]
[Slide 18]
Reference
• https://www.microsoft.com/en-us/SDL/
• The DevOps Handbook
• http://plantuml.com/
• https://www.wikipedia.org/
• The web, for some images