AW22 DevOps Automation
Wednesday, November 6th, 2019 3:00 PM

Shifting Security Left: The Innovation of DevSecOps

Presented by: Tom Stiehm, Coveros, Inc.

Brought to you by: 888-268-8770 · 904-278-0524 · [email protected] · https://agiledevopseast.techwell.com/


Tom Stiehm

Tom Stiehm has been developing applications and managing software development teams for over twenty years. As CTO of Coveros, he is responsible for the oversight of all technical projects and for integrating new technologies and testing practices into software development projects. Recently he has been focusing on how to incorporate DevSecOps and agile best practices into projects and how to achieve a balance between team productivity and cost while mitigating project risks. One of the best risk mitigation techniques Tom has found is leveraging DevSecOps and agile testing practices in all aspects of projects. Previously, as a managing architect at Digital Focus, Tom was involved in agile development and found that agile is the only methodology that makes the business reality of constant change central to the process.

10/29/19  


© COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. @ThomasStiehm #AgileDevOpsCon

Agility. Security. Delivered.

Shifting Security Left: The Innovation of DevSecOps

Tom Stiehm @ThomasStiehm


About Coveros


• Coveros helps organizations accelerate software delivery using agile and DevOps methods
• Services
  • Agile Transformations & Coaching
  • Agile Software Development
  • Agile Testing & Automation
  • DevOps Implementations
  • DevSecOps Integrations
  • Agile, DevOps, DevSecOps, Security, Testing Training
• Open Source Products
  • SecureCI – DevSecOps toolchain
  • Selenified – Agile test framework


Selected Clients


Shifting Security Left

• Shifting Left is taking a practice or process done late in development and doing it earlier.
• Shifting Security Left is doing security testing, analysis, and remediation during development, iteratively. Usually automating data collection to make it faster and cheaper.
• The net result is making security practices part of the daily workflow of the development team.


Why Shift Security Left?

Application Security is hard, error prone, and expensive. It is often made harder by trying to shoehorn it into the end of a release. Shifting Left allows the teams to deal with security issues early and often:
• Reducing Risk
• Reducing Cost
• Leads to fewer errors
• Results in fewer security compromises


State of Application Security

"Good practices might protect me from a theoretical attack at some time in the future, but they're a lot of bother right now and I have more fun things to think about … Security is never salient" – Bruce Schneier


How DevSecOps builds on DevOps

"DevSecOps is a practice that rose from DevOps that includes information technology security as a fundamental aspect in all the stages of software development." -- Wikipedia

DevSecOps builds on DevOps by leveraging collaboration and feedback to address security concerns throughout the software development life cycle.


Why should you care about security?

To reduce the likelihood of becoming the next:


Security before the code is written

Be proactive:
• Architect and design security in from the start based on threat analysis.
• Include security in your pipeline from the start.
• Take time to analyze and remediate AppSec findings.

Why?
• Your software has security defects in it.
• Testing security into software at the end doesn't work.
• Relying on network and OS security to protect applications doesn't work.
• Ignoring security concerns doesn't work.


Legacy Security Practices

The focus is on testing at the end.


Security Practices in DevSecOps

Shifting Left includes reacting to the feedback on a regular basis.


DevSecOps Build Pipeline


Where to Start

• SAST - Start with Static Application Security Testing
  • Quick to integrate into a build pipeline
  • Leverages existing CI/CD assets
• SCA - Install Software Composition Analysis
  • Expand existing CI/CD processes to scan your application dependencies
• DAST - Next integrate Dynamic Application Security Testing
  • Could be as simple as adding a DAST proxy to your existing automated or manual testing environment
  • Expand into using the automated aspects of DAST tools
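As an added example (not code from the talk, and not Coveros' SecureCI toolchain), here is what the three starting points look like once they meet in a build pipeline: a gate script that normalises SAST, SCA and DAST output into one finding shape, compares it against a baseline of accepted legacy findings, and fails the build only on new findings at or above a severity threshold. That baseline is what lets a brownfield team start with SAST today without breaking every build on pre-existing debt, and then ratchet the threshold down iteratively. The SARIF 2.1.0 input shape is the real OASIS format for static-analysis results; the SCA and DAST shapes, the severity mapping, tool names, file paths and vulnerability ids are all constructed for this example.

```python
"""Added example: a DevSecOps pipeline gate over SAST, SCA and DAST findings.
Not from the talk or from SecureCI.  SARIF 2.1.0 is a real format; the SCA
and DAST shapes and every sample value below are constructed."""
import hashlib

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
SARIF_LEVEL = {"note": "low", "warning": "medium", "error": "high"}  # assumed mapping

# --- constructed scanner output --------------------------------------------
SARIF_SAMPLE = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}},
    "results": [
        {"ruleId": "sql-injection", "level": "error",
         "message": {"text": "request parameter reaches SQL sink"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/orders.py"},
             "region": {"startLine": 42}}}]},
        {"ruleId": "weak-hash", "level": "warning",
         "message": {"text": "MD5 used for password storage"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/legacy/auth.py"},
             "region": {"startLine": 7}}}]},
    ]}]}
SCA_SAMPLE = {"tool": "example-sca", "vulnerabilities": [
    {"id": "EXAMPLE-VULN-0001", "package": "libfoo", "version": "1.2.3",
     "severity": "High"}]}
DAST_SAMPLE = {"tool": "example-dast", "alerts": [
    {"name": "missing-csp-header", "risk": "Low",
     "url": "https://staging.example/login"}]}

# --- normalisers: every scanner becomes the same finding shape ---------------
def normalize_sast(sarif):
    out = []
    for run in sarif.get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for r in run.get("results", []):
            loc = r["locations"][0]["physicalLocation"]
            out.append({"source": "sast", "tool": tool, "rule": r["ruleId"],
                        "severity": SARIF_LEVEL.get(r.get("level"), "medium"),
                        "where": f'{loc["artifactLocation"]["uri"]}:'
                                 f'{loc["region"]["startLine"]}'})
    return out

def normalize_sca(report):
    return [{"source": "sca", "tool": report["tool"], "rule": v["id"],
             "severity": v["severity"].lower(),
             "where": f'{v["package"]}@{v["version"]}'}
            for v in report["vulnerabilities"]]

def normalize_dast(report):
    return [{"source": "dast", "tool": report["tool"], "rule": a["name"],
             "severity": a["risk"].lower(), "where": a["url"]}
            for a in report["alerts"]]

def fingerprint(f):
    """Stable id for baselining.  The location is part of it, so a finding that
    moves re-surfaces as new (a deliberate, conservative choice)."""
    key = f'{f["source"]}|{f["rule"]}|{f["where"]}'
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def collect_findings():
    return (normalize_sast(SARIF_SAMPLE) + normalize_sca(SCA_SAMPLE)
            + normalize_dast(DAST_SAMPLE))

def legacy_baseline():
    """Constructed baseline: the known weak-hash finding in legacy code is
    accepted (with a remediation ticket) so the first run does not block."""
    return {fingerprint(f) for f in normalize_sast(SARIF_SAMPLE)
            if f["rule"] == "weak-hash"}

def gate(findings, baseline, fail_on="high"):
    """Return (passed, new_findings, suppressed_count).  Baselined findings
    are counted but do not break the build; new ones at or above fail_on do."""
    new = [f for f in findings if fingerprint(f) not in baseline]
    suppressed = len(findings) - len(new)
    blocking = [f for f in new
                if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[fail_on]]
    return (not blocking, new, suppressed)

def run_gate(fail_on="high"):
    return gate(collect_findings(), legacy_baseline(), fail_on)

if __name__ == "__main__":
    passed, new, suppressed = run_gate()
    for f in new:
        print(f'[{f["source"]}] {f["severity"]:<8} {f["rule"]} at {f["where"]}')
    print(f"suppressed by baseline: {suppressed}; build "
          f"{'PASSED' if passed else 'FAILED'}")
    raise SystemExit(0 if passed else 1)
```

Run as a pipeline step, the non-zero exit status is what fails the build. The baseline file would normally be committed next to the code and reviewed like any other change, so that accepting a finding is a visible, reversible decision rather than a silent suppression inside a scanner.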


What to do next

• Security Testing – Testing the security features of your software
• Security Test Automation - Using test automation tools like Selenium or Cucumber
• Penetration Testing – Human beings evaluating the security of your software with the aid of tools
• Threat Analysis – Understand who will attack you, why, and how
• Infrastructure Analysis Scanning & Testing – Securing your OS and Server Software


Advanced DevSecOps Techniques

• IAST - Interactive Application Security Testing is a technique for detecting security vulnerabilities in a running application
• RASP - Runtime Application Self-Protection builds on the same technology base as IAST by providing a facility to react to a detected vulnerability as it is exploited, e.g. terminating the session
• HAST - Hybrid Application Security Testing uses DAST with IAST to find vulnerabilities

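To make the "same technology base" point concrete, here is an added toy (not from the talk, and far simpler than a commercial IAST or RASP agent) of the mechanism the two share: request input is marked as tainted, the SQL sink is instrumented, and one detection feeds two responses. In iast mode the agent records the vulnerable sink and lets the request continue, which is why IAST can find the bug from ordinary functional-test traffic carrying a benign value; in rasp mode the same detection terminates the request. The Tainted wrapper, the Sink class, the two handlers and the in-memory SQLite table are all assumptions of this example.

```python
"""Added example: the shared IAST/RASP mechanism as a toy taint tracker.
Not from the talk; every class, handler and table here is constructed."""
import sqlite3
import sys

class Tainted(str):
    """String that remembers it came from the request; concatenation keeps the mark."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))
    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

class RequestBlocked(Exception):
    """Raised by the rasp mode to terminate the offending request."""

class Sink:
    """Instrumented SQL sink: the agent hook a real IAST/RASP agent would
    install around the database driver."""
    def __init__(self, conn, mode="iast"):
        self.conn, self.mode, self.reports = conn, mode, []

    def execute(self, sql, params=()):
        # Bound parameters are safe by construction; tainted SQL *text* is not.
        if isinstance(sql, Tainted):
            report = {"sink": "sqlite3.execute", "sql": str(sql),
                      "where": sys._getframe(1).f_code.co_name}
            self.reports.append(report)          # IAST: record the finding
            if self.mode == "rasp":
                raise RequestBlocked(report)      # RASP: stop the request
        return self.conn.execute(sql, params).fetchall()

def vulnerable_lookup(sink, username):
    """Handler with the classic bug: request input concatenated into SQL."""
    return sink.execute("SELECT name, role FROM users WHERE name = '" + username + "'")

def safe_lookup(sink, username):
    """Same query with a bound parameter: the SQL text is constant, so the sink stays quiet."""
    return sink.execute("SELECT name, role FROM users WHERE name = ?", (username,))

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn

def demo(mode):
    """Run both handlers with a benign request value; return what the agent saw."""
    sink = Sink(make_db(), mode)
    request_param = Tainted("alice")   # value as it arrived in the request (constructed)
    outcome = {"safe": safe_lookup(sink, request_param)}
    try:
        outcome["vulnerable"] = vulnerable_lookup(sink, request_param)
    except RequestBlocked:
        outcome["vulnerable"] = "blocked"
    outcome["reports"] = sink.reports
    return outcome

if __name__ == "__main__":
    for mode in ("iast", "rasp"):
        print(mode, demo(mode))
```

The benign value is the point: the iast run still reports `vulnerable_lookup` because the taint reached the sink as SQL text, so the finding comes from the normal test suite rather than from anyone supplying a malicious input. Real agents track taint through far more operations than `+` and watch many sink types; the shape of the decision is the same.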


Secure practices in a pipeline


Operational Security

• Security Information and Event Management (SIEM)
• Infrastructure Analysis Scanning & Testing
• Encrypting Data at Rest
• Encrypting Data in all Network Channels


SIEM Example – ELK Stack
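The ELK slide is a screenshot; as an added example (not ELK configuration and not from the talk), the following Python shows the two jobs a SIEM does on the way from raw log to alert: turning log text into structured events, which is the Logstash grok role, and running a correlation rule over them, which is the saved-query or alerting role of Kibana and its add-ons. The sshd-style log lines, hostname and source addresses are constructed for the example and use documentation address ranges.

```python
"""Added example: the parse and correlate halves of a SIEM in plain Python.
Not ELK code and not from the talk; the log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# sshd-style auth lines (constructed).  syslog omits the year; 2019 is assumed.
SAMPLE_LOG = """\
Nov  6 15:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Nov  6 15:00:03 web01 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 40124 ssh2
Nov  6 15:00:05 web01 sshd[1203]: Failed password for root from 203.0.113.5 port 40126 ssh2
Nov  6 15:00:07 web01 sshd[1204]: Failed password for root from 203.0.113.5 port 40128 ssh2
Nov  6 15:00:09 web01 sshd[1205]: Failed password for deploy from 203.0.113.5 port 40130 ssh2
Nov  6 15:00:20 web01 sshd[1206]: Accepted password for deploy from 203.0.113.5 port 40132 ssh2
Nov  6 15:01:00 web01 sshd[1207]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Nov  6 15:01:30 web01 sshd[1208]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2
"""

# The grok-style pattern: one regex with named captures per field.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+")

def parse_line(line, year=2019):
    """Text -> structured event, or None for lines the pattern does not cover.
    A real pipeline tags and keeps unparsed lines; dropping them silently hides gaps."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "src": m["src"], "user": m["user"],
            "outcome": m["outcome"].lower(), "method": m["method"]}

def correlate(events, threshold=5, window_s=60):
    """Sliding-window rule.  >= threshold failures from one source inside
    window_s raises 'brute-force' once per source; a success from that source
    while the burst is still inside the window raises the higher-severity
    'success-after-burst', the case an analyst wants first."""
    events = sorted(events, key=lambda e: e["ts"])
    failures = defaultdict(list)        # src -> timestamps of failures in window
    burst_alerted, alerts = set(), []
    for e in events:
        recent = [t for t in failures[e["src"]]
                  if (e["ts"] - t).total_seconds() <= window_s]
        failures[e["src"]] = recent
        if e["outcome"] == "failed":
            recent.append(e["ts"])
            if len(recent) >= threshold and e["src"] not in burst_alerted:
                burst_alerted.add(e["src"])
                alerts.append({"rule": "brute-force", "severity": "medium",
                               "src": e["src"], "count": len(recent), "ts": e["ts"]})
        elif e["outcome"] == "accepted" and len(recent) >= threshold:
            alerts.append({"rule": "success-after-burst", "severity": "high",
                           "src": e["src"], "user": e["user"], "ts": e["ts"]})
    return alerts

def run_sample():
    events = [ev for ev in (parse_line(l) for l in SAMPLE_LOG.splitlines()) if ev]
    return events, correlate(events)

if __name__ == "__main__":
    events, alerts = run_sample()
    print(f"{len(events)} events parsed")
    for a in alerts:
        print(a["ts"].isoformat(), a["severity"].upper(), a["rule"], a["src"])
```

In ELK the first function is a grok filter in the Logstash config and the second is a saved query or watcher over the indexed events; writing them out this way shows why the structured fields (source address, outcome, timestamp) matter more than the raw text, and why a rule needs both a count and a time window to stay useful.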


DevSecOps Tools Examples

In DevSecOps, feedback cycles are extended to the whole life cycle.

The goal is that software is always secure and releasable.


Culture Shift

Goal Mindset: "Everyone is responsible for security."

Three things to try when changing culture:
1. Build a Knowledge base
2. Promote Openness
3. Create Cybersecurity Champions

Need to experiment to find what works for your specific organization.


DevSecOps Benefits

• Faster vulnerability detection and mitigation
• Always-known security posture
• Less security-based risk
• Smaller chance of getting exploited
• Reduced cost of fixing AppSec bugs
• Avoidance of publicity for getting pwned
• Able to recover from security incidents faster


Wrap Up

#Coveros5
• Starting to Shift Left is more important than what practices you start with
• Greenfield: start with Threat Analysis and build security in
• Legacy or brownfield: start with SAST (or SCA or DAST)
• Iteratively add more security practices into your process
• Iteratively add more security to your build pipeline


Periodic Table of DevOps Tools

[Slide reproduces the XebiaLabs "Periodic Table of DevOps Tools (V3)" chart. Tool categories: Source Control Mgmt., Database Automation, Continuous Integration, Testing, Configuration, Deployment, Containers, Release Orchestration, Cloud, AIOps, Analytics, Monitoring, Security, Collaboration. Legend: Os = Open Source, Fr = Free, Fm = Freemium, Pd = Paid, En = Enterprise.]

https://xebialabs.com/periodic-table-of-devops-tools/


Resources

• The Open Web Application Security Project (OWASP) - https://www.owasp.org
• The Periodic Table of DevOps Tools - https://xebialabs.com/periodic-table-of-devops-tools/
• The Ultimate DevOps Tool Chest - https://xebialabs.com/the-ultimate-devops-tool-chest/
• Rugged Software - https://ruggedsoftware.org/
• The DevOps Handbook - http://a.co/d/hIjl0BD


Questions? @thomasstiehm

• Join me on the TechWell Hub
• https://hub.techwell.com/
• #devops