Security Policy: Is yours fit for DevOps? Matt Rose Global Director of Strategy

Posted on 02-Aug-2020


Page 1: Matt Rose Global Director of Strategy - files.devnetwork.cloud · Tightly associated with DevSecOps Vital to measuring the overall success of your DevSecOps initiatives . Proprietary

Security Policy: Is yours fit for DevOps? Matt Rose

Global Director of Strategy

Page 2:

Proprietary & Confidential | All Rights Reserved | 2

What Is DevOps About?

DevOps is about:

Processes

Connections

Automation

… and Tools

[Diagram: DevOps cycle: Develop, Test, Deliver]

Page 3:

What is Security about?

Protecting the organization’s reputation

Finding and fixing every security bug

Standards and regulatory compliance

Protecting your customers’ PII

Protecting your employees’ PII

Protecting your company’s trade secrets

Page 4:

Security Policies

Types of Policies:

General: Organizational or Master Policy

More Detailed: System-specific Policy

Very Detailed: Issue-specific Policy

Types of Issue Specific Policies:

Change Management Policy

Physical Security Policy

Email Policy

Encryption Policy

Vulnerability Management Policy

Media Disposal Policy

Data Retention Policy

Acceptable Use Policy

Access Control Policy

Page 5:

Defining Security Policies for AppSec

What are the acceptable and non-acceptable risks you’re willing to take?

Applications will always have vulnerabilities

Serves as a pseudo contract between AppSec teams and developers

Both fully understand what’s expected of them in terms of security

Serves as guidance as to what vulnerabilities should be remediated first

Zero-day vulnerabilities vs. longer-term ones

Tightly associated with DevSecOps

Vital to measuring the overall success of your DevSecOps initiatives

Page 6:

Areas Affected By AppSec Policy

The Security Policy May Dictate How You:

Automate and Integrate AST

Identify Vulnerabilities

Correlate Results

Remediate Vulnerabilities

Manage and Monitor KPIs

Page 7:

Manage and Monitor KPIs

Where organizations track their application security program’s Key Performance Indicators (KPIs)

Allows organizations to see if, over time:

the number of vulnerabilities is decreasing

the rate of introducing new vulnerabilities is decreasing

the rate of severe vulnerabilities is decreasing

Allows organizations to see if their security program is effective

Knowing what areas need improvement and what areas don’t

Allows teams to determine if the security policy is being met, or if developers:

Need more tools

Need more incentives

Need more training

Page 8:

KPIs Can Indicate: Developers Need More Training

What Methods of Training Are Not Working?

Lengthy video tutorials

Periodic and often extensive classroom training

Tiresome online courses

Problems With This Training Approach

Out-of-context to the everyday activities developers perform

Mundane training is nearly always viewed with a level of dislike

70 percent of today’s developers indicate they lack the necessary training to adequately secure software

Page 9:

What Works Better?

Solutions That Allow Developers:

To Learn While Coding

Find and Fix in One Go

Recommendation - Find Solutions That:

Integrate with Your AST Solutions

Raise the AppSec Bar at Scale

Comply with Regulatory Standards

Cover OWASP Top 10 Vulnerabilities

Support a Large Number of Languages

Train on the Most Common Vulnerabilities

Page 10:

Where Does Security Policy Clash with the DevOps Key Requirements?

Speed

Full code scans take too long

Special requirements to initiate scans are time consuming

A security policy that looks for too much

Stability

Security cannot be a roadblock to the DevOps process

Page 11:

There are limited resources available and time in the day for security

Too broad a security policy is confusing

Remediation is the goal, not identification

Only so many hours in a day

Fix the most dangerous security bugs first

Page 12:

Security Policy needs to be everywhere!!!!

The further right the project is on the DevOps scale, the further left it should start implementing a security policy.

[Diagram: pipeline stages: Unit Tests, Integration, Acceptance Test, Code done, Deployment]

Page 13:

Security in an SDLC & DevSecOps Environment

IDEs

Source Code

Management Solutions

Build/CI Solutions

Defect Tracking

Dashboarding

DevOps CLI, Web Services API

Data Export API

Page 14:

Where do I start???

Build an application threat inventory to identify the highest-risk applications in your organization

Create an application security policy that maps directly to your organization’s risks

Once you feel you have a good baseline on application security risk, adjust your policy

Page 15:

OK, so what should my security policy look like?

Security Policies should start small and evolve

Start with 5 to 10 issues max in your security policy

Security Policies should differ

Different policies for tier 1, tier 2, tier 3, and Open Source

Security Policies should be reviewed at a minimum quarterly

Use real data to adjust your policies
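The small, tiered, data-driven policy described on pages 7, 11 and 15 can be expressed as code and applied as a pipeline gate. The example below is added here and is not part of the deck: tier names follow the slides, while the issue categories, severity thresholds and scan findings are constructed for illustration.

```python
"""Tiered AppSec policy gate plus a 'newly introduced findings' KPI helper.

Added example, not from the slides. Tier names follow the deck; the issue
categories, thresholds and scan findings are constructed for illustration.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Hypothetical policies: (severity that blocks the build, watched categories).
# Each list stays short, as the deck recommends; open source gets its own.
POLICIES = {
    "tier1": ("medium", {"sql_injection", "xss", "command_injection",
                         "hardcoded_secret", "insecure_deserialization"}),
    "tier2": ("high", {"sql_injection", "xss", "command_injection",
                       "hardcoded_secret"}),
    "tier3": ("critical", {"sql_injection", "command_injection"}),
    "open_source": ("high", {"known_vulnerable_dependency"}),
}

@dataclass(frozen=True)
class Finding:
    category: str
    severity: str
    location: str  # file:line as reported by the scanner

def evaluate(tier, findings):
    """Apply the tier's policy; return (passes, blocking findings), blocking
    sorted most severe first so it doubles as the remediation order."""
    block_at, issues = POLICIES[tier]
    threshold = SEVERITY_RANK[block_at]
    blocking = [f for f in findings
                if f.category in issues and SEVERITY_RANK[f.severity] >= threshold]
    blocking.sort(key=lambda f: SEVERITY_RANK[f.severity], reverse=True)
    return not blocking, blocking

def introduced(previous, current):
    """KPI input: findings the current scan has that the previous scan lacked."""
    seen = {(f.category, f.location) for f in previous}
    return [f for f in current if (f.category, f.location) not in seen]

# Constructed scan output for one application.
SAMPLE_FINDINGS = [
    Finding("sql_injection", "high", "orders.py:42"),
    Finding("xss", "medium", "views.py:17"),
    Finding("weak_logging", "high", "util.py:9"),       # outside every policy
    Finding("hardcoded_secret", "low", "config.py:3"),  # below tier1 threshold
]
```

Running `evaluate` for the same findings under each tier shows how the same scan fails a tier 1 gate but passes tier 3, and `introduced` between two consecutive scans feeds the "rate of new vulnerabilities" KPI from page 7.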

Page 16:

Summary

Develop a security policy that fits the DevOps flow

Shift Your Security Policy Left AND Right

Ensure you have an open source policy

Page 17:

Thank you