DevOps and Security: It’s Happening. Right Now.

Helen Bravo

Director of Product Management at Checkmarx

Helen.bravo@checkmarx.com

• Intro to DevOps

• Integrating security within DevOps

– Problems with traditional controls

– Steps to DevOps security

Agenda

What is DevOps About?

An unstoppable deployment process

� in small chunks of time

DevOps is Happening

Companies that have adopted DevOps

Can TRADITIONAL

web application

security controls fit

in"

� a DevOps environment?!

Traditional Web Application Security Controls

• Penetration Testing

• WAF (Web Application Firewall)

• Code Analysis

Penetration Testing- Takes Time!

Penetration Testing

– 300 pages report

– 3 weeks assessment time

– 2 weeks to get it into development

Web Application Firewall (WAF)

Thinking Continuous

Deployment?

Think Continuous

Configuration!

Code Analysis

• Setup time

• Running time

• Analysis time

� just too slow!

� Do Nothing?

Required: A New Secure SDLC Approach

Step by Step

Step 1: Plan for Security

• Identify unsecured APIs and frameworks

• Map security sensitive code portions. E.g. password

changes mechanism, user authentication

mechanism.

• Anticipate regulatory problems, plan for it.

Step 1: Plan for Security

Step 2: Engage the Developers.

And Be Engaged

• Connect developers to security

– Going to OWASP? Bring a developer with you!

• Is your house on fire? Share the details with your

developers.

• Have an open door approach

• Set up an online collaboration platform E.g. Jive,

Confluence etc.

Step 2: Engage the Developers. And Be Engaged

Step 3: Arm the Developers

• Secure frameworks:

– Use a secure framework such as Spring Security, JAAS, Apache

Shiro, Symfony2

– ESAPI is a very useful OWASP security framework

• SCA tools that can provide security feedback on pre-commit stage.

– Rapid response

– Small chunks

Step 3: Arm the Developer

Step 3: Automate the Process

• Integrate within your build (Jenkins, Bamboo,

TeamCity, etc.)

– SAST

– DAST

• Fail the build if security does not pass the bar.

Step 3: Automate the Process

DevelopCode

CommitSource Control

Build Trigger

Unit Tests

Deploy

to

ProductionDeploy to

Test Env

Report

&

Notify

Publish to

release

repository

Continuous Deployment

DevelopCode

CommitSource Control

Build Trigger

Tests

Deploy

to

ProductionDeploy

to Test

Env

Report

&

Notify

Publish to

release

repository

Automatic

security

test

SCA

Test

Security within Continuous Deployment

Step 5: Use Old Tools Wisely

Step 5: Use Old Tools Wisely

• Periodic pen testing

• WAF on main functions

• Code review for security sensitive code portions.

Summary

• DevOps is happening. Right Now.

– During the time of this talk, Amazon has released

75 features and bug fixes.

• Security should not be compromised

• Don’t be overwhelmed. Start small

Summary

The 3 Takeaways

1. Plan from the ground

2. Engage with your developers

3. Integrate security into automatic build

process.

Questions?

Thank you

Helen.bravo@checkmarx.com