OFFICE OF INFORMATION SECURITY

DevSecOps – A faster, secure way for Software Development

URAL FORUM: Information Security of Financial Sphere

February 2020


Official Use Only

Application Security Risks

Attackers can potentially use many different paths through your application to impart harm to your business or organization. Each of these paths represents a risk.

OWASP Top Ten 2017


Waterfall vs Agile


Cost of Fixing Application Vulnerability


From Waterfall to Agile to DevOps…

• DevOps is the union of people, process, and technologies to enable continuous delivery of value to end users

• DevOps refers to replacing siloed Development and Operations to create multidisciplinary teams that now work together with shared and efficient practices and tools

• Essential DevOps practices include agile planning, continuous integration, continuous delivery, and monitoring of applications

Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops


The DevSecOps Mindset

• Open collaboration on shared objectives

• Security at the source

• Reinforce and elevate through automation

• Risk-oriented operations and actionable insights

• Holistic approach to security objectives

• Proactive monitoring and recursive feedback

• Automated operations security

• Operations engineering


[Figure: DoD DevSecOps Software Lifecycle. The Dev / Sec / Ops loop is annotated with the security activities placed along it: Threat Model, Secure Coding, 3rd Party Libraries, SAST, Security as Code, Security Config, Digital Sign, Secure Transfer, Security Scan, DAST, Pen Test, Security Analysis, Security Audit, Security Patch, Security Monitor.]

Target State of DevSecOps

Key Capabilities

• Threat modelling

• OWASP dependency checks

• Base container image scans

• Routine infrastructure scans

• Embedded Security-as-Code in design patterns

• Leverage automated “template checker”

• Vulnerability scans on app container images and on running containers

• Vulnerability scans on serverless functions

• Unified Risk Framework for (Infra & Apps) vulnerability assessment and remediation

• Routine credential scans on selected Prod/QA apps

• Expand config checks for Azure and AWS

• Secure Azure DevOps Infrastructure

Capability Rating scale: Nominal, Foundational, Intermediate, Advanced, Leading


Expected Value of DevSecOps


• Increased Automation: Automated & Repeatable process to ensure consistent delivery with no manual handoff

• Visibility: Get insights into application code, coverage, security vulnerabilities and testing results

• Agility: Quick and frequent delivery of features to end users using the automated DevSecOps pipelines

• Embedded Security: Provide security feedback early in the development lifecycle and help mitigate security challenges

• Reusability: Maximize WBG investments and promote the use of standard components and service catalogs

• Stability: Leverage service catalog to ensure infrastructure meets Enterprise requirements


Q & A


DevOps - Understand Cycle Time

• Start with observation of business, market, needs, current user behavior, and available telemetry data

• Then orient with the enumeration of options for what you can deliver, perhaps with experiments

• Next decide what to pursue

• Then act by delivering working software to real users

• All of this occurs in some cycle time

Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops


DevOps - Strive for Validated Learning

• The cycle time determines how quickly feedback is gathered to determine what happens in the next loop

• The feedback gathered with each cycle should be real, actionable data

• This is called validated learning

Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops


DevOps - Shorten Your Cycle Time

• When DevOps practices are adopted, the cycle time is shortened by:

• working in smaller batches

• using more automation

• hardening the release pipeline

• improving telemetry

• deploying more frequently

Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops


DevOps - Optimize Validated Learning

• The more frequent the deployments, the more opportunity to change or continue, and to gain validated learning each cycle

• This acceleration in validated learning is the value of improvement

• It is the sum of the achieved improvements and the avoided failures

Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops


DevOps Enablers

• Continuous Integration drives the ongoing merging and testing of code, which leads to finding defects early

• Other benefits include less time wasted on fighting merge issues and rapid feedback for development teams

Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops


DevOps Enablers (cont.)

• Continuous Delivery of software solutions to production and testing environments helps organizations quickly fix bugs and respond to ever-changing business requirements

Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops


DevOps Enablers (cont.)

• Version Control enables teams located anywhere in the world to communicate effectively during daily development activities as well as to integrate with software development tools for monitoring activities such as deployments

Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops


DevOps Enablers (cont.)

• Agile planning and lean project management techniques are used to plan work into sprints, manage team capacity, and help teams quickly adapt to changing business needs

Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops


DevOps Enablers (cont.)

• Monitoring and Logging of running applications, including production environments, for application health as well as customer usage helps organizations form a hypothesis and quickly validate or disprove strategies

Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops


DevOps Enablers (cont.)

• Public and Hybrid Clouds have removed traditional bottlenecks and helped commoditize infrastructure

• Whether Infrastructure as a Service (IaaS) is used to lift and shift existing apps, or Platform as a Service (PaaS) to gain unprecedented productivity, the cloud gives a datacenter without limits

Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops


DevOps Enablers (cont.)

• Infrastructure as Code (IaC) is a practice which enables the automation and validation of creation and teardown of environments to help with delivering secure and stable application hosting platforms
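The "validation" half of that bullet is where the automated template checker and the Azure/AWS config checks from the Target State slide live: infrastructure definitions are evaluated against policy before anything is created. The block below is an added example, not code from the presentation or from Microsoft. It runs an ARM-style template through a small policy table for storage accounts and network security groups. The template, the resource names, the rule ids (STG-001 and so on) and the policy table are this example's own constructions; only the resource types and property names are the ones Azure Resource Manager defines.

```python
"""Automated "template checker": evaluate the resources in an ARM-style
template against a small policy set before the pipeline deploys them.
Added example, not the presenter's tooling; the template is constructed,
though the property names follow the Azure Resource Manager schemas."""
import json
from dataclasses import dataclass


@dataclass
class Finding:
    resource: str
    rule: str
    severity: str
    detail: str


def _props(res: dict) -> dict:
    return res.get("properties", {})


def storage_https_only(res):
    if _props(res).get("supportsHttpsTrafficOnly") is not True:
        return "supportsHttpsTrafficOnly must be true"
    return None


def storage_no_public_blobs(res):
    if _props(res).get("allowBlobPublicAccess") is not False:
        return "allowBlobPublicAccess must be false"
    return None


def storage_min_tls(res):
    # A missing value falls back to an old platform default, so it counts as a violation too.
    if _props(res).get("minimumTlsVersion") not in ("TLS1_2", "TLS1_3"):
        return "minimumTlsVersion must be TLS1_2 or newer"
    return None


def nsg_no_inbound_from_any(res):
    open_rules = [r.get("name", "<unnamed>") for r in _props(res).get("securityRules", [])
                  if _props(r).get("direction") == "Inbound" and _props(r).get("access") == "Allow"
                  and _props(r).get("sourceAddressPrefix") in ("*", "Internet", "0.0.0.0/0")]
    if open_rules:
        return "inbound Allow rule(s) open to any source: " + ", ".join(open_rules)
    return None


# Policy table (this example's own): resource type, rule id, severity, check returning a detail or None.
POLICY = [
    ("Microsoft.Storage/storageAccounts", "STG-001", "high", storage_https_only),
    ("Microsoft.Storage/storageAccounts", "STG-002", "high", storage_no_public_blobs),
    ("Microsoft.Storage/storageAccounts", "STG-003", "medium", storage_min_tls),
    ("Microsoft.Network/networkSecurityGroups", "NSG-001", "high", nsg_no_inbound_from_any),
]


def check_template(template: dict) -> list:
    """Run every policy check that applies to each resource's type; return all findings."""
    findings = []
    for res in template.get("resources", []):
        for rtype, rule_id, severity, check in POLICY:
            if res.get("type") == rtype:
                detail = check(res)
                if detail:
                    findings.append(Finding(res.get("name", "<unnamed>"), rule_id, severity, detail))
    return findings


def gate(template: dict, block_on=("critical", "high")):
    """Return (passed, findings); the deployment is blocked by any finding at a blocking severity."""
    findings = check_template(template)
    return not any(f.severity in block_on for f in findings), findings


# Constructed template: a weak storage account, its hardened twin, and an NSG with one open rule.
SAMPLE_TEMPLATE = {"resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stgweak",
     "properties": {"supportsHttpsTrafficOnly": False, "allowBlobPublicAccess": True,
                    "minimumTlsVersion": "TLS1_0"}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stghardened",
     "properties": {"supportsHttpsTrafficOnly": True, "allowBlobPublicAccess": False,
                    "minimumTlsVersion": "TLS1_2"}},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-web",
     "properties": {"securityRules": [
         {"name": "allow-ssh-anywhere", "properties": {"direction": "Inbound", "access": "Allow",
          "sourceAddressPrefix": "*", "destinationPortRange": "22"}},
         {"name": "allow-https-from-lb", "properties": {"direction": "Inbound", "access": "Allow",
          "sourceAddressPrefix": "10.0.0.0/24", "destinationPortRange": "443"}}]}},
]}

if __name__ == "__main__":
    passed, findings = gate(SAMPLE_TEMPLATE)
    for f in findings:
        print(json.dumps(f.__dict__))  # one JSON line per finding for the pipeline log
    raise SystemExit(0 if passed else 1)
```

Run as a pipeline step, the non-zero exit status is what stops the deployment and the JSON lines are what the pipeline records. Extending coverage to AWS is a matter of adding policy rows for that provider's resource types, which is the "expand config checks" item on the Target State slide.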

Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops


DevOps Enablers (cont.)

• Microservices architecture is leveraged to isolate business use cases into small reusable services that communicate via interface contracts

• This architecture enables scalability and efficiency

Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops


DevOps Enablers (cont.)

• Containers are the next evolution in virtualization

• They are much more lightweight than virtual machines, and can be easily configured from files

Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops


Security in DevOps Principles and Goals

• Make security a first-class problem and the security team a first-class participant in DevOps

• Increase trust and transparency between development, operations, and security

• Integrate security practices and ideas into DevOps culture, and DevOps into security culture

• Wire security into DevOps toolchains and workflows to incrementally improve security

SANS https://www.sans.org/security-resources/posters/secure-devops-toolchain-swat-checklist/60/download


DevSecOps Pillars - Governance


• DevSecOps, by design, requires a highly consistent process that uses a uniform set of tools and automated controls

• This helps simplify the monitoring and testing of required controls


DevSecOps Pillars - People


• Remember that people are still the greatest efficiency (or inefficiency) asset

• Breaking down traditional barriers can be the first and most important catalyst to your DevSecOps journey

• Start small. Small teams gradually come together cohesively

• Security specialists understand development pressures and drive more automation of security testing

• Development teams understand security approaches and adopt secure coding practices


DevSecOps Pillars - Process


• As speed and quality are key to DevSecOps, try to simplify manual processes as much as possible without sacrificing security needs

• Since development and deployment now move much faster than before, security software development processes should become more factory-like

• Move security requirements as early into the design stage as possible, aiming to eliminate manual security “gatekeeper” delays later on


DevSecOps Pillars - Technology


• Variety of pipeline tools—testing-as-code, security-as-code, infrastructure-as-code, compliance-as-code, and others—can eliminate the need for some manual security activities, thus boosting velocity

• Development and security teams can become more unified, defect costs can plummet, and quality can become consistent throughout the pipeline

• Consider testing these new security tools with specific product teams before releasing to the enterprise


Security in DevOps Best Practices

• Adapt security testing tools/processes to the developers, not the other way around

• Don’t try to eliminate ALL vulnerabilities during development

• Focus first on identifying and removing the known critical vulnerabilities

• Don’t expect to use traditional DAST/SAST without changes

• Train developers on secure coding

• Adopt a security champion model, implement simple security requirements gathering

• Eliminate the use of known vulnerable components at the source

• Secure and apply operational discipline to automation scripts

• Implement strong version control on all code and components

• Adopt an immutable infrastructure mindset, preventing manual changes to production

Gartner https://www.gartner.com/en/documents/3811369
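Two of the practices above, "focus first on identifying and removing the known critical vulnerabilities" and "eliminate the use of known vulnerable components at the source", become concrete at the OWASP dependency-check stage listed on the Target State slide: the scan needs a gate with a severity threshold and a place to record accepted risk. The block below is an added example, not code from the presentation or from Gartner. It triages a dependency-scan report so that critical and high findings block the build, a waiver with an owner and an expiry lets a team accept a risk for a bounded time, and the blocking findings are turned into a per-component upgrade plan. The report, the waivers and the vulnerability ids (EXAMPLE-nnnn placeholders) are all constructed, and the record layout is this example's own rather than any real scanner's output format.

```python
"""Dependency-scan gate: block the build on known critical/high findings,
honor time-boxed waivers, and turn the blocking findings into an upgrade plan.
Added example, not the presenter's or Gartner's tooling. The report, the
waivers and the vulnerability ids (EXAMPLE-nnnn placeholders) are constructed."""
from datetime import date

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
BLOCKING = {"critical", "high"}

# Constructed scan output; the record layout is this example's own, not a real scanner's format.
REPORT = [
    {"component": "libfoo", "version": "1.2.0", "id": "EXAMPLE-0001", "severity": "critical", "fixed_in": "1.2.5"},
    {"component": "libfoo", "version": "1.2.0", "id": "EXAMPLE-0002", "severity": "low", "fixed_in": "1.3.0"},
    {"component": "libbar", "version": "4.0.1", "id": "EXAMPLE-0003", "severity": "high", "fixed_in": None},
    {"component": "libbaz", "version": "0.9", "id": "EXAMPLE-0004", "severity": "medium", "fixed_in": "1.0"},
]

# Constructed waivers: every risk acceptance names an owner and an expiry (ISO date) so it gets re-reviewed.
WAIVERS = {
    "EXAMPLE-0003": {"owner": "app-team", "expires": "2020-06-30",
                     "reason": "no upstream fix yet; component not reachable from untrusted input"},
}


def version_key(v: str) -> tuple:
    """Numeric tuple for comparing dotted versions; non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def triage(report, waivers, today: str):
    """Split findings into blocking, waived and advisory; blocking is ordered by severity.
    ISO-8601 date strings order correctly as plain strings, so the waiver check is a string compare."""
    blocking, waived, advisory = [], [], []
    for f in report:
        w = waivers.get(f["id"])
        if w and w["expires"] >= today:
            waived.append(f)
        elif f["severity"] in BLOCKING:
            blocking.append(f)
        else:
            advisory.append(f)
    blocking.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return blocking, waived, advisory


def upgrade_plan(findings) -> dict:
    """Per component, the lowest version that clears every listed finding, or None when any has no fix."""
    plan = {}
    for f in findings:
        comp, fix = f["component"], f["fixed_in"]
        if comp in plan and plan[comp] is None:
            continue  # already known to be unfixable by upgrade alone
        if fix is None:
            plan[comp] = None
        elif comp not in plan or version_key(fix) > version_key(plan[comp]):
            plan[comp] = fix
    return plan


def gate(report, waivers, today: str) -> bool:
    """True when the build may proceed: no unwaived critical/high finding remains."""
    blocking, _, _ = triage(report, waivers, today)
    return not blocking


if __name__ == "__main__":
    today = date.today().isoformat()
    blocking, waived, advisory = triage(REPORT, WAIVERS, today)
    for f in blocking:
        print(f"BLOCK  {f['id']} {f['component']} {f['version']} ({f['severity']}) fixed in: {f['fixed_in']}")
    for f in waived:
        print(f"WAIVED {f['id']} by {WAIVERS[f['id']]['owner']} until {WAIVERS[f['id']]['expires']}")
    for f in advisory:
        print(f"NOTE   {f['id']} {f['component']} {f['version']} ({f['severity']})")
    print("upgrade plan:", upgrade_plan(blocking))
    raise SystemExit(0 if gate(REPORT, WAIVERS, today) else 1)
```

The waiver carries an expiry, so an accepted risk re-opens by itself when the date lapses; that keeps the exception list from quietly turning into a permanent allowlist, and a component with no fix available (plan entry None) is flagged for replacement rather than an upgrade.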


Security Controls in DevSecOps

SANS: https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt446dece13e198075/5e31f71e031402023faff74f/continuous-opportunity-devops-security.pdf


Application Security Key Takeaways

• Integrate application security into the software development process

• Focus on risks that matter to the organization

• Address the root cause

• Security is a shared responsibility

• Adopt a cross-functional approach

• Identify security champions

• Use industry standards as a benchmark

• Establish a program to ensure consistency


Q & A
