AW22 DevOps Automation Wednesday, November 6th, 2019 3:00 PM
Shifting Security Left: The Innovation of DevSecOps
Presented by:
Tom Stiehm
Coveros, Inc.
Brought to you by:
888-268-8770 · 904-278-0524 · [email protected] · https://agiledevopseast.techwell.com/
Tom Stiehm
Tom Stiehm has been developing applications and managing software development teams for over twenty years. As CTO of Coveros, he is responsible for the oversight of all technical projects and for integrating new technologies and testing practices into software development projects. Recently he has been focusing on how to incorporate DevSecOps and agile best practices into projects and how to achieve a balance between team productivity and cost while mitigating project risks. One of the best risk mitigation techniques Tom has found is integrating DevSecOps and agile testing practices into all aspects of projects. Previously, as a managing architect at Digital Focus, Tom was involved in agile development and found that agile is the only methodology that makes the business reality of constant change central to the process.
10/29/19
© COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. @ThomasStiehm #AgileDevOpsCon
Agility. Security. Delivered.
Shifting Security Left: The Innovation of DevSecOps
Tom Stiehm @ThomasStiehm
About Coveros
• Coveros helps organizations accelerate software delivery using agile and DevOps methods
• Services
  • Agile Transformations & Coaching
  • Agile Software Development
  • Agile Testing & Automation
  • DevOps Implementations
  • DevSecOps Integrations
• Agile, DevOps, DevSecOps, Security, and Testing Training
• Open Source Products
  • SecureCI – DevSecOps toolchain
  • Selenified – Agile test framework
Selected Clients
Shifting Security Left
• Shifting Left is taking a practice or process done late in development and doing it earlier.
• Shifting Security Left is doing security testing, analysis, and remediation during development, iteratively, usually automating data collection to make it faster and cheaper.
• The net result is making security practices part of the daily workflow of the development team.
Why Shift Security Left?
Application Security is hard, error prone, and expensive. It is often made harder by trying to shoehorn it into the end of a release. Shifting Left allows teams to deal with security issues early and often, which:
• Reduces risk
• Reduces cost
• Leads to fewer errors
• Results in fewer security compromises
State of Application Security
“Good practices might protect me from a theoretical attack at some time in the future, but they're a lot of bother right now and I have more fun things to think about … Security is never salient” – Bruce Schneier
How DevSecOps builds on DevOps
DevSecOps is a practice that rose from DevOps that includes information technology security as a fundamental aspect in all the stages of software development. -- Wikipedia
DevSecOps builds on DevOps by leveraging collaboration and feedback to address security concerns throughout the software development life cycle.
Why should you care about security?
To reduce the likelihood of becoming the next:
Security before the code is written
Be proactive:
• Architect and design security in from the start based on threat analysis.
• Include security in your pipeline from the start.
• Take time to analyze and remediate AppSec findings.
Why?
• Your software has security defects in it.
• Testing security into software at the end doesn't work.
• Relying on network and OS security to protect applications doesn't work.
• Ignoring security concerns doesn't work.
Legacy Security Practices
The focus is on testing at the end.
Security Practices in DevSecOps
Shifting Left includes reacting to the feedback on a regular basis.
DevSecOps Build Pipeline
Where to Start
• SAST - Start with Static Application Security Testing
  • Quick to integrate into a build pipeline
  • Leverages existing CI/CD assets
• SCA - Install Software Composition Analysis
  • Expand existing CI/CD processes to scan your application dependencies
• DAST - Next integrate Dynamic Application Security Testing
  • Could be as simple as adding a DAST proxy to your existing automated or manual testing environment
  • Expand into using the automated aspects of DAST tools
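Integrating SAST or SCA into the pipeline only shifts security left if the build actually reacts to the scanner's output on every run. The following is an added example for this page, not Coveros or SecureCI code and not any scanner's own API: a small gate that reads the SARIF 2.1.0 report most SAST and SCA tools can emit, blocks the build on findings at or above a chosen level, and carries findings a human has triaged only until an explicit expiry date, so a deferred fix cannot quietly become a permanent exception. The SARIF document, rule ids, file paths, fingerprints and the triage record are all constructed for the example.

```python
"""Build gate over a SAST/SCA scanner's SARIF report (added example).

Not Coveros/SecureCI code and not any scanner's API: the SARIF document,
rule ids, paths, fingerprints and triage record below are constructed.
"""
import json
from dataclasses import dataclass
from datetime import date

# Constructed SARIF 2.1.0 document standing in for a real scanner run.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "partialFingerprints": {"primaryLocationLineHash": "a1b2"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/orders.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash-md5", "level": "warning",
             "partialFingerprints": {"primaryLocationLineHash": "c3d4"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/legacy/export.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "vulnerable-dependency", "level": "error",
             "partialFingerprints": {"primaryLocationLineHash": "e5f6"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "requirements.txt"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})

# SARIF result levels in increasing severity.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    level: str
    path: str
    line: int
    fingerprint: str  # stable id, so a triage decision survives line shifts


def parse_sarif(text):
    """Flatten every result of every run in a SARIF document into Findings."""
    findings = []
    for run in json.loads(text).get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            rule = r.get("ruleId", "unknown")
            path = loc.get("artifactLocation", {}).get("uri", "?")
            line = int(loc.get("region", {}).get("startLine", 0))
            fp = r.get("partialFingerprints", {}).get("primaryLocationLineHash")
            # SARIF's default level when none is given is "warning".
            findings.append(Finding(tool, rule, r.get("level", "warning"),
                                    path, line, fp or f"{rule}:{path}:{line}"))
    return findings


def gate(findings, fail_at="error", accepted=None, today=None):
    """Split findings into (blocking, carried, below_threshold).

    `accepted` maps fingerprint -> ISO expiry date for findings a human has
    triaged and agreed to carry for now; an expired acceptance blocks again.
    `today` is an ISO date string, defaulting to the real date.
    """
    accepted = accepted or {}
    today_d = date.fromisoformat(today) if today else date.today()
    blocking, carried, below = [], [], []
    for f in findings:
        if LEVEL_RANK.get(f.level, LEVEL_RANK["warning"]) < LEVEL_RANK[fail_at]:
            below.append(f)
            continue
        expiry = accepted.get(f.fingerprint)
        if expiry and date.fromisoformat(expiry) >= today_d:
            carried.append(f)
        else:
            blocking.append(f)
    return blocking, carried, below


def run_gate(sarif_text, accepted=None, fail_at="error", today=None):
    """Print a summary for the build log and return the process exit status."""
    blocking, carried, below = gate(parse_sarif(sarif_text), fail_at, accepted, today)
    for f in blocking:
        print(f"BLOCK   {f.tool} {f.rule} {f.path}:{f.line} [{f.level}]")
    for f in carried:
        print(f"CARRIED {f.tool} {f.rule} {f.path}:{f.line} until {accepted[f.fingerprint]}")
    print(f"{len(below)} finding(s) below the {fail_at} threshold")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Constructed triage record: the dependency finding was accepted with an expiry.
    raise SystemExit(run_gate(SAMPLE_SARIF, accepted={"e5f6": "2099-01-01"}))
```

Run it as the last step of the SAST or SCA stage with the scanner's real report in place of SAMPLE_SARIF; a non-zero exit fails the stage. Keying acceptances on the scanner's fingerprint rather than on file and line is what keeps the triage list valid as the code moves, and the expiry date is what forces the "later" in "fix it later" back onto the team's plan.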
What to do next
• Security Testing – Testing the security features of your software
• Security Test Automation - Using test automation tools like Selenium or Cucumber
• Penetration Testing – Human beings evaluating the security of your software with the aid of tools
• Threat Analysis – Understand who will attack you, why, and how
• Infrastructure Analysis, Scanning & Testing – Securing your OS and server software
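Security testing and security test automation, as listed above, mean checking the software's own security features with the same automation that already runs the functional tests. The following is an added example for this page, not code from the original deck or from any Coveros product: a response-header and cookie check of the kind that drops into an existing Selenium, Cucumber or API-test suite, run against a constructed "before hardening" response and the hardened version of the same endpoint. Both responses are constructed (nothing is fetched from the network), the list of sensitive cookies and the HSTS minimum are an assumed project policy rather than a standard, and the header list shape matches what http.client's getheaders() returns.

```python
"""Automated security test for an HTTP response's headers and cookies (added example).

Not code from the original deck or any Coveros product. Both responses are
constructed; the cookie list and HSTS threshold are an assumed project policy.
"""
import re

# Constructed headers of a login response before hardening, in the
# (name, value) list form that http.client's getheaders() returns.
WEAK_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("X-Powered-By", "Express"),
]

# The same endpoint after hardening (also constructed).
HARDENED_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self'; object-src 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Referrer-Policy", "no-referrer"),
]

SENSITIVE_COOKIES = {"session"}  # must be HttpOnly as well as Secure (assumed policy)
MIN_HSTS_MAX_AGE = 31536000      # one year (assumed policy)


def _values(headers, name):
    """All values of a header, case-insensitively (Set-Cookie repeats)."""
    return [v for n, v in headers if n.lower() == name.lower()]


def _cookie_attrs(set_cookie):
    """Split 'name=value; Attr; Attr=value' into (name, {attr: value})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def _csp_directives(value):
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_response(headers, https=True):
    """Return a list of policy violations for one response; empty means pass."""
    problems = []
    for raw in _values(headers, "Set-Cookie"):
        name, attrs = _cookie_attrs(raw)
        if https and "secure" not in attrs:
            problems.append(f"cookie {name}: missing Secure")
        if name in SENSITIVE_COOKIES and "httponly" not in attrs:
            problems.append(f"cookie {name}: missing HttpOnly")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            problems.append(f"cookie {name}: SameSite must be Lax or Strict")
    if https:
        hsts = _values(headers, "Strict-Transport-Security")
        match = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
        if not match or int(match.group(1)) < MIN_HSTS_MAX_AGE:
            problems.append("Strict-Transport-Security missing or max-age below policy")
    csp = _values(headers, "Content-Security-Policy")
    if not csp:
        problems.append("Content-Security-Policy missing")
    else:
        directives = _csp_directives(csp[0])
        # script-src falls back to default-src when it is not set explicitly.
        scripts = directives.get("script-src", directives.get("default-src", []))
        if not scripts or "'unsafe-inline'" in scripts or "*" in scripts:
            problems.append("Content-Security-Policy does not restrict script-src")
    if [v.lower() for v in _values(headers, "X-Content-Type-Options")] != ["nosniff"]:
        problems.append("X-Content-Type-Options must be nosniff")
    if _values(headers, "X-Powered-By"):
        problems.append("X-Powered-By leaks server technology")
    return problems


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        found = check_response(resp)
        print(f"{label}: {'PASS' if not found else 'FAIL'}")
        for p in found:
            print("  -", p)
```

In a real suite the header list comes from the response of the request the functional test already makes, and each violation becomes a failing assertion, so a regression such as a cookie losing its HttpOnly flag is caught on the build that introduces it rather than by a penetration tester months later.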
Advanced DevSecOps Techniques
• IAST - Interactive Application Security Testing is a technique for detecting security vulnerabilities in a running application by instrumenting it from the inside
• RASP - Runtime Application Self-Protection builds on the same technology base as IAST by providing a facility to react to an attack on a detected vulnerability as it is exploited, e.g. terminating the session
• HAST - Hybrid Application Security Testing uses DAST together with IAST to find vulnerabilities
Secure practices in a pipeline
Operational Security
• Security Information and Event Management (SIEM)
• Infrastructure Analysis, Scanning & Testing
• Encrypting data at rest
• Encrypting data in all network channels
SIEM Example – ELK Stack
DevSecOps Tools Examples
In DevSecOps, feedback cycles are extended to the whole life cycle.
The goal is that software is always secure and releasable.
Culture Shift
Goal mindset: “Everyone is responsible for security.”
Three things to try when changing culture:
1. Build a knowledge base
2. Promote openness
3. Create cybersecurity champions
You need to experiment to find what works for your specific organization.
DevSecOps Benefits
• Faster vulnerability detection and mitigation
• Always-known security posture
• Less security-based risk
• Smaller chance of getting exploited
• Reduced cost of fixing AppSec bugs
• Avoidance of publicity for getting pwned
• Able to recover from security incidents faster
Wrap Up
#Coveros5
• Starting to Shift Left is more important than which practices you start with
• Greenfield: start with Threat Analysis and build security in
• Legacy or brownfield: start with SAST (or SCA or DAST)
• Iteratively add more security practices into your process
• Iteratively add more security to your build pipeline
Periodic Table of DevOps Tools
[Figure: PERIODIC TABLE OF DEVOPS TOOLS (V3), https://xebialabs.com/periodic-table-of-devops-tools/. Categories shown: Source Control Mgmt., Database Automation, Continuous Integration, Testing, Deployment, Release Orchestration, Configuration, Containers, Cloud, AIOps, Analytics, Monitoring, Security, Collaboration. Legend: Os Open Source, Fr Free, Fm Freemium, Pd Paid, En Enterprise.]
Resources
• The Open Web Application Security Project (OWASP) - https://www.owasp.org
• The Periodic Table of DevOps Tools - https://xebialabs.com/periodic-table-of-devops-tools/
• The Ultimate DevOps Tool Chest - https://xebialabs.com/the-ultimate-devops-tool-chest/
• Rugged Software - https://ruggedsoftware.org/
• The DevOps Handbook - http://a.co/d/hIjl0BD