Security Policy: Is yours fit for DevOps? Matt Rose
Global Director of Strategy
Proprietary & Confidential | All Rights Reserved | 2
What Is DevOps About?
DevOps is about:
Processes
Connections
Automation
… and Tools
Figure: the DevOps cycle of Develop, Test and Deliver.
What is Security about?
Protecting the organization's reputation
Finding and fixing every security bug
Standards and regulatory compliance
Protecting your customer’s PII
Protecting your employee’s PII
Protecting your company’s trade secrets
Security Policies
Types of Policies:
General: Organizational or Master Policy
More Detailed: System-specific Policy
Very Detailed: Issue-specific Policy
Types of Issue-specific Policies:
Change Management Policy
Physical Security Policy
Email Policy
Encryption Policy
Vulnerability Management Policy
Media Disposal Policy
Data Retention Policy
Acceptable Use Policy
Access Control Policy
Defining Security Policies for AppSec
What are the acceptable and non-acceptable risks you're willing to take?
Applications will always have vulnerabilities
Serves as a pseudo contract between AppSec teams and developers
Both fully understand what’s expected of them in terms of security
Serves as guidance as to what vulnerabilities should be remediated first
Zero-day vulnerabilities vs. longer term
Tightly associated with DevSecOps
Vital to measuring the overall success of your DevSecOps initiatives
Areas Affected By AppSec Policy
The Security Policy May Dictate How You:
Automate and Integrate AST
Identify Vulnerabilities
Correlate Results
Remediate Vulnerabilities
Manage and Monitor KPIs
Manage and Monitor KPIs
Where organizations track their application security program’s Key Performance Indicators (KPIs)
Allows organizations to see if, over time:
the number of vulnerabilities is decreasing
the rate at which new vulnerabilities are introduced is decreasing
the rate of severe vulnerabilities is decreasing
Allows organizations to see if their security program is effective
Knowing which areas need improvement and which don't
Allows teams to determine if the security policy is being met, or if developers:
Need more tools
Need more incentives
Need more training
KPIs Can Indicate: Developers Need More Training
What Methods of Training Are Not Working?
Lengthy video tutorials
Periodic and often extensive classroom training
Tiresome online courses
Problems With This Training Approach
Out-of-context to the everyday activities developers perform
Mundane training is nearly always viewed with a level of dislike
70 percent of today's developers indicate they lack the necessary training to adequately secure software
What Works Better?
Solutions That Allow Developers:
To Learn While Coding
Find and Fix in One Go
Recommendation - Find Solutions That:
Integrate with Your AST Solutions
Raise the AppSec Bar at Scale
Comply with Regulatory Standards
Cover the OWASP Top 10 Vulnerabilities
Support a Large Number of Languages
Train on the Most Common Vulnerabilities
Where Does Security Policy Clash with the DevOps Key Requirements?
Speed
Full code scans take too long
Special requirements to initiate scans are time consuming
Security Policy that looks for too much
Stability
Security cannot be a roadblock to the DevOps process
There are limited resources available and time in the day for security
Too broad a security policy is confusing
Remediation is the goal, not identification
Only so many hours in a day
Fix the most dangerous security bugs first
Security Policy needs to be everywhere!!!!
The further right the project is on the DevOps scale, the further left it should start implementing a security policy.
Figure: pipeline timeline from Unit Tests, Integration and Acceptance Test through Code Done to Deployment.
Security in an SDLC & DevSecOps Environment
Integration points for security tooling:
IDEs
Source Code Management Solutions
Build/CI Solutions
Defect Tracking
Dashboarding
DevOps CLI, Web Services API
Data Export API
Where do I start???
Build an application threat inventory to identify the most at-risk applications in your organization
Create an application security policy that maps directly to your organization's risks
Once you feel you have a good baseline on application security risk, adjust your policy
Ok so what should my security policy look like?
Security Policies should start small and evolve
Start with 5 to 10 issues max in your security policy
Security Policies should differ
Different policies for tier 1, tier 2, tier 3, and Open Source
Security Policies should be reviewed at least quarterly
Use real data to adjust your policies
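The small, tiered policy this slide recommends, and the KPI trends from the "Manage and Monitor KPIs" slide, as an added Python example that is not from the deck: a policy-as-code gate per application tier (tier 1, tier 2, tier 3, open source) and a trend between two scans. The policy contents, the finding format (id, CWE, severity) and the scan data are constructed assumptions.

```python
"""Added example: a tiered AppSec policy as code, a gate over scan findings and
the KPI trend between two scans; policy, finding format and data are constructed."""

SEV_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed policy: a handful of issues per tier, strictest for tier 1,
# and a separate severity-only rule set for open-source components.
POLICY = {
    "tier1": {"block_cwes": {"CWE-89", "CWE-78", "CWE-79", "CWE-502", "CWE-287"},
              "max_open_severity": "medium"},
    "tier2": {"block_cwes": {"CWE-89", "CWE-78", "CWE-502"}, "max_open_severity": "high"},
    "tier3": {"block_cwes": {"CWE-89"}, "max_open_severity": "high"},
    "opensource": {"block_cwes": set(), "max_open_severity": "high"},
}

def gate(findings, tier):
    """(passes, blocking) for one scan: a finding blocks when its CWE is on the
    tier's list or its severity exceeds what the tier may leave open."""
    rules = POLICY[tier]
    limit = SEV_RANK[rules["max_open_severity"]]
    blocking = [f for f in findings
                if f["cwe"] in rules["block_cwes"] or SEV_RANK[f["severity"]] > limit]
    return not blocking, blocking

def severe_share(findings):
    """Fraction of findings rated high or critical (0.0 for an empty scan)."""
    severe = sum(1 for f in findings if SEV_RANK[f["severity"]] >= SEV_RANK["high"])
    return severe / len(findings) if findings else 0.0

def kpis(previous, current):
    """Trend between two scans: total change, newly introduced findings
    (ids absent from the previous scan) and the severe share before/after."""
    prev_ids = {f["id"] for f in previous}
    return {
        "total_delta": len(current) - len(previous),
        "new_introduced": sum(1 for f in current if f["id"] not in prev_ids),
        "severe_share_prev": severe_share(previous),
        "severe_share_curr": severe_share(current),
    }

# Constructed scan results for one application, two consecutive scans.
SCAN_PREV = [
    {"id": "f1", "cwe": "CWE-89", "severity": "critical"},
    {"id": "f2", "cwe": "CWE-79", "severity": "medium"},
    {"id": "f4", "cwe": "CWE-22", "severity": "high"},
]
SCAN_CURR = [  # f1 and f4 fixed, f2 still open, f5 newly introduced
    {"id": "f2", "cwe": "CWE-79", "severity": "medium"},
    {"id": "f5", "cwe": "CWE-78", "severity": "high"},
]
```

Running `gate(SCAN_CURR, "tier1")` and `gate(SCAN_CURR, "tier3")` on the same scan shows the same findings failing the tier 1 policy and passing the tier 3 one, which is the "policies should differ" point in practice.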
Summary
Develop a security policy that fits the DevOps flow
Shift Your Security Policy Left AND Right
Ensure you have an open source policy
Thank you