SANS DevOps Survey:
Sneak Peek
Introduction
Frank Kim
• ThinkSec
– Founder
• SANS Institute
– Former CISO
– Curriculum Lead
▪ Management and Application Security
– Author & Instructor
▪ DEV540, DEV541
▪ MGT512, MGT514
SANS Secure DevOps Survey
• Secure DevOps: Fact or Fiction?
– Sixth in a series of annual surveys on security in software development
– First to explicitly focus on DevOps
– Written by Jim Bird and Barbara Filkins
• Survey topics
– Previous survey covered how organizations balance speed of delivery against risk
– Current survey covers how security fits into DevOps
▪ Where risks are found
▪ How risks are managed
▪ Success factors implementing SecDevOps
#1 DevOps Adoption
Technology Adoption
What percentage of your applications are cloud, container, or serverless?
(Chart: three bars of 85%, 72%, and 54%; the bar labels are not recoverable from the slide)
Monolith Architecture Security Controls
• Common security controls are applied to each trust boundary in the monolith architecture:
Diagram: Client Browser → ELB (public subnet) → Web Server, Spring Boot / Tomcat → MySQL Database Server (private subnet)
1. Client Browser to ELB: Web Application Firewall, HTTPS, Rate Limiting
2. ELB to Web Server (Spring Boot / Tomcat): Authentication, Authorization, Access control, Validation
3. Web Server to MySQL Database Server: System Authentication, TLS, Encryption at rest
Microservice Architecture
• How does this change in a microservice architecture?
Diagram: clients (Single Page App, Mobile App, IoT Factory Device, Employee); services (Account Management, Human Resources, Discount Coupons, Customer Service) spread across a Public Subnet and a Private Subnet; data stores (MySQL Database Server, Coupon Bucket, EBS Volume)
Microservice Architecture Attack Surface
• Consider the attack surface in a modern microservice architecture:
Diagram: the same components as the previous slide, now viewed as entry points: clients (Single Page App, Mobile App, IoT Factory Device, Employee); services (Account Management, Human Resources, Discount Coupons, Customer Service) across the Public Subnet and Private Subnet; data stores (MySQL Database Server, Coupon Bucket, EBS Volume)
Frequency of Deploying Changes to Production
• Delivery speed
– 66% deploy changes more than once per month (vs. 60% in the previous survey)
– 10% deploy changes on a continuous basis (vs. 5%)
DevOps Pipeline
• DevOps cycles through five key phases
– PRE-COMMIT: Activities before code is checked in to version control
– COMMIT: Automated build and Continuous Integration (CI) steps
– ACCEPTANCE: Automated acceptance and functional testing with Continuous Delivery (CD)
– PRODUCTION: Steps before, during, and after code is deployed to production
– OPERATIONS: Continuous monitoring, testing, audit, and compliance checks
DevOps Security Tools and Processes
• Security tools and processes mapped to the five phases
– PRE-COMMIT: Threat modeling, IDE security plugins, Pre-commit hooks, Peer code review
– COMMIT: Static code analysis, Security unit tests, Dependency management, Container security
– ACCEPTANCE: Infrastructure as code, Security acceptance tests, Dynamic security tests, Security configuration
– PRODUCTION: Security smoke tests, Config management, Secrets management, Server hardening
– OPERATIONS: Continuous monitoring, Blameless postmortems, Penetration testing, Threat intelligence
bit.ly/secdevops-toolchain
Frequency of Assessing or Testing Business-Critical Applications
• Testing speed
– 24% test critical applications more than once per month (vs. 13%)
– 25% test on a continuous basis (more than double the 12% from last year)
#2 Shifting Left
When Do You Involve Security in Major Projects?
• Need to “Shift Left”
– Move security earlier into the SDLC
– Less than half (46%) include security in the early phases of Inception and Requirements
SecDevOps Pre-Commit Phase
• Apply security controls before code is written and checked in
• Pre-commit column of the toolchain: Threat modeling, IDE security plugins, Pre-commit hooks, Peer code review
Threat Modeling in DevOps
Iterative and lightweight threat modeling based on risk: early in design, or as major changes are made
Examine trust boundaries and assumptions in architecture
Ask these questions when you are making changes:
1. Are you changing the attack surface (new entry/exit points, new user role…)?
2. Are you changing the technology stack or application security controls?
3. Are you adding confidential/sensitive data?
4. Have threat agents changed – are we facing new risks?
Threat Modeling / RRA Tools
Weaponizing the toolchain:
• OWASP User Security Stories
– https://github.com/OWASP/user-security-stories
• OWASP Application Security Verification Standard
– https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
• Mozilla's Rapid Risk Assessment (RRA)
– https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html
• OWASP Threat Dragon
– https://www.owasp.org/index.php/OWASP_Threat_Dragon
Threat Modeling Example
Mozilla's rapid risk assessment guidance and Google Doc template provide a blueprint for 30-minute RRAs:
IDE Security Plugins
Immediate, incremental scanning in each developer’s IDE catches security mistakes as code is being changed or saved by the developer
• Security becomes part of the engineering workflow
• Shifts security as far left in the development pipeline as possible
• Must have low false positive rates (important)
• Run high value rules and disable noisy rules that distract engineers
IDE Security Plugin Tools
Weaponizing the toolchain:
• FindSecurityBugs plugin for Eclipse and IntelliJ
– http://find-sec-bugs.github.io/
• Puma Scan plugin for Visual Studio
– https://github.com/pumasecurity/puma-scan
• Microsoft’s DevSkim for VS Code, Sublime Text, and Visual Studio
– https://github.com/Microsoft/DevSkim
• SonarLint plugins for Visual Studio, IntelliJ, and Eclipse
– https://www.sonarlint.org/
Note: IDE plugins are also available for most commercial SAST products
Secure Code Spell Checker
Pre-Commit Hooks
• Git hooks automatically run scripts at different points in the workflow
• Local (client-side): pre-commit, prepare-commit-msg, commit-msg, post-commit, post-checkout, pre-rebase
• Server-side: pre-receive, update, post-receive
• Implement team-wide workflow policies, or check code for problems before it is committed
• CAUTION: local hooks live in each developer's .git/hooks directory, are not versioned with the repository, and can be altered, uninstalled, or skipped with git commit --no-verify, so they cannot be relied on as an enforced control; run the same checks server-side (pre-receive) or in CI, where they cannot be bypassed
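As an added example that is not from the slides and is not git-secrets itself, the following POSIX shell pre-commit hook does the kind of check the scanning tools above perform: it reads the lines being added by the staged diff and rejects the commit if any line contains an AWS access key ID or a 40-character value assigned to a secret-key setting. The two regular expressions and the install path are assumptions for illustration; real scanners use broader and entropy-based rules.

```shell
#!/bin/sh
# Added example (not from the slides, not git-secrets): a minimal git
# pre-commit hook that blocks staged changes containing an AWS access key ID
# or a 40-character value assigned to a "...secret...key" setting.
# Install: copy to .git/hooks/pre-commit and chmod +x it.
# The patterns below are assumptions chosen for illustration.

# AWS access key IDs: 20 uppercase alphanumerics starting AKIA (long-lived)
# or ASIA (temporary credentials).
AKID_PATTERN='(AKIA|ASIA)[A-Z0-9]{16}'

# A 40-character base64-style value assigned to a key whose name contains
# "secret" and "key", e.g. "SecretKey": "..." or aws_secret_access_key = ...
SECRET_PATTERN="[Ss]ecret[A-Za-z_]*[Kk]ey[\"']?[[:space:]]*[:=][[:space:]]*[\"']?[A-Za-z0-9/+=]{40}"

# scan_text: read lines on stdin, print each offending line prefixed with its
# position in the input, return 1 if anything matched and 0 if clean.
scan_text() {
    hits=$(grep -E -n "$AKID_PATTERN|$SECRET_PATTERN" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# scan_staged: scan only the lines being added by the staged diff, so the
# hook blocks new secrets without forcing a cleanup of untouched files.
# The pipeline's status is scan_text's status (last command in the pipe).
scan_staged() {
    git diff --cached --no-color -U0 \
        | grep '^+' | grep -v '^+++ ' | sed 's/^+//' \
        | scan_text
}

# When git runs this file as .git/hooks/pre-commit, scan and block on a hit.
# The guard keeps the scan from running when the script is sourced for tests.
case "$0" in
    */pre-commit)
        if ! scan_staged; then
            echo "[ERROR] Matched one or more prohibited patterns; commit blocked" >&2
            exit 1
        fi
        ;;
esac
```

Because any developer can run git commit --no-verify, treat this hook as a fast local warning only; the same scan_text function dropped into a server-side pre-receive hook or a CI job is what actually enforces the policy.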
Pre-Commit Hook Frameworks / Tools
Weaponizing the toolchain:
• Open source frameworks to manage hooks for different languages and tools
– Yelp pre-commit framework (https://pre-commit.com/)
– Overcommit (https://github.com/sds/overcommit)
• Pre-commit tools for scanning code for secrets
– AWS Labs git-secrets (https://github.com/awslabs/git-secrets)
– Talisman (https://github.com/thoughtworks/talisman)
– Auth0 repo-supervisor (https://github.com/auth0/repo-supervisor)
Pre-Commit Hook Example
AWS git-secrets blocking a commit that contains an access key ID and a secret access key:

$ git commit -m "testing git-secrets"
Web/Licensing/appsettings.json:5:    "AccessKey": "AKIAJNQ7C2FCRR6B4VWA",
Web/Licensing/appsettings.json:6:    "SecretKey": "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"
[ERROR] Matched one or more prohibited patterns
#3 Moving Forward
Percentage of Critical Vulns Repaired Satisfactorily and in a Timely Manner
• Marginal increase in ability to remediate in a satisfactory and timely manner
– 51% vs. 50% repair more than 75% of vulnerabilities
– Consistent 70% repair more than 50% of vulnerabilities
What are Your Top Three Challenges Implementing Secure DevOps?
• Major Secure DevOps Challenges
– Organizational not technical
What Types of Apps Do You Protect Now and Expect to in Twelve Months?
• Legacy apps
– Take majority of security team’s time and attention
• Modern apps
– Attack surface of the future
Legacy Systems and Blast Radius
Diagram: DNS routes to a Blue deployment (www.example.com) and a Green deployment (new.example.com); a single Database sits behind both
Where is the blast radius in this example?
What are the Top Three Factors That Have Contributed to Your Success?
• SecDevOps success relies on soft skills
– Developing “security champions”
– Management buy-in
– Cross-functional teams
– Improving communications
– Sharing goals
Moving Forward with SecDevOps?
• What will happen when security does the following?
Activity
– Provide the development team with a secure coding standard
– Identify secure coding training that developers should attend
– Provide budget for a dedicated resource to the development team to implement a secure SDLC
– Supply working code that fixes the vulnerabilities
Example Business Case Justification
“Implementing a SecDevOps program allows us to
deploy up to 25 times per day,
reduces lead time for security changes and
mean time to repair (MTTR) to one hour, and
reduces change failure rate to 12%”
Better Business Case Justification
“By implementing a digital transformation,
we performed 165 experiments in the peak tax season
resulting in an increased conversion rate of 50%
and an increase in revenue of $120 million.”
• Example modified from DORA research paper
– Forecasting the Value of DevOps Transformations: Measuring ROI of DevOps
– https://devops-research.com/roi
Business Case Options
• Highlight trade-offs with business value, risk reduction, cost
(Table with columns Business value, Risk reduction, Cost: Option A rated ✔ / $, Option B rated ✔✔ / $$, Option C rated ✔✔✔ / $$$)
In Summary
• Automate Everything
– Cloud, containers, and serverless are here
– Need to speed up security activities to keep up with delivery speed
• Shift Left
– Challenge injecting security into the SDLC
– Need to embed security activities earlier in the DevOps pipeline
• Focus on outcomes
– Difficult to balance technical and organizational activities
– Focus on the benefit to the business, not the technology itself
Eric Johnson & Frank Kim
Thank you for attending!