overcoming the old ways of working with devsecops assets... · manifesto for modern cybersecurity...

Seattle | September 16-17, 2019 Overcoming the old ways of working with DevSecOps ERKANG ZHENG


Page 1: Overcoming the old ways of working with DevSecOps

Seattle | September 16-17, 2019

ERKANG ZHENG

Page 2: Security is an organizational challenge.

What is DevSecOps? How does security keep up with DevOps?

Page 3: DevOps | DevSecOps

DevOps: Culture + CI / CD (Continuous Integration / Continuous Delivery (Deployment)). Move fast and automate everything you can.

DevSecOps: Culture + CA / CC (Continuous Assurance / Continuous Compliance). Move fast and automate everything you can, with confidence.

Page 4: Manifesto for Modern Cybersecurity

https://securitymanifesto.net

Assume compromise, but expose no single point of compromise.

Track everything since you cannot protect what you can’t see.

Engage everyone for there is power in the crowd; two is stronger than one.

Automation is key because people don't scale and changes are constant.

Build products that are secure by design and secure by default.

Favor transparency over obscurity, practicality over process, and usability over complexity.

We must keep security simple, open, collaborative, enabling and rewarding.

ZERO TRUST · ASSET CMDB · DEV + BUG BOUNTY · SECURITY AS CODE · THREAT MODEL · OPEN & SIMPLE

Page 5: What enables DevSecOps?

Page 6: The two aspects of DevSecOps

Security as an enabler for DevOps

• Automate security checks, gates and approvals in the DevOps CI/CD pipeline

Check out “Fully automated production deployments with HIPAA / HITRUST compliance” by Matt Lavin tomorrow at 1:45pm

Development as an enabler for SecOps

• Aggregate data from source to gain visibility and insight

• Automate security operations and manage artifacts with code

• Achieve provable security with CA/CC

VISIBILITY · GOVERNANCE · ASSURANCE

Page 7: Security Program (diagram)

Program cycle: START → Pick assessor → Perform gap assessment → Implement remediation → Collect evidences → Assess and certify → REPEAT (Monitor, Manage, Optimize)

Artifacts produced along the way: documented data flows; conducted risk analysis; wrote policies and procedures; created infrastructure and security architecture diagrams; implemented 100+ controls.

Controls implemented: endpoint malware protection; server vulnerability scanning; production change management; SSO + MFA; application code scanning + pen testing; user training; configuration audit; endpoint compliance agents; vendor risk management; firewalls and security groups; data encryption; WAF + DDoS protection; asset inventory and tagging; activity and log monitoring.

Actors labelled in the diagram: YOU (twice), AUDITOR.

Page 8: Security Program with DATA + GRAPH + QUERY (diagram)

The same program cycle (START → Pick assessor → Perform gap assessment → Implement remediation → Monitor, Manage, Optimize → Collect evidences → Assess and certify → REPEAT), the same artifacts and the same 100+ controls as on Page 7, now overlaid with DATA + GRAPH + QUERY and CA / CC, and labelled VISIBILITY, GOVERNANCE, ASSURANCE. Actors: YOU, AUDITOR.

Page 9: Security is a data challenge.

Overcome SecOps complexity with DATA, GRAPH, and QUERY

Attackers think in graphs; Defenders operate with lists.

That’s why attackers win.

Page 10: Derive meaningful context from relationships, not lists

Stop thinking in lists and tables. Start thinking in entities and relationships.


Page 12: AWS Cloud Security

Which EC2 instances are exposed to the Internet?

Find aws_subnet with public=true

that HAS aws_instance

that PROTECTS aws_security_group

that ALLOWS Internet

return tree

Page 13: AWS Cloud Security

Are there Internet-facing EC2 instances that are allowed access to non-public S3 buckets?

find Internet

that ALLOWS aws_security_group

that PROTECTS aws_instance

with active=true

that USES aws_iam_role

that ASSIGNED AccessPolicy

that ALLOWS (aws_s3|aws_s3_bucket)

with classification != 'public'

return tree

Page 14: Cross-Account Trust

What are the cross-account IAM trust relationships in my AWS environment?

Find aws_iam_role as a

that TRUSTS (Account|AccessRole) as b

where

a.tag.AccountName != b.tag.AccountName

return tree
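The Page 12 and Page 14 queries above read as walks over a graph of entities and typed relationships. The following is an added example (my own code, not JupiterOne's query engine or anything from the talk) that builds a small constructed AWS graph in memory and evaluates both walks with a generic path matcher; entity keys, properties and edges are all made up, and the matcher assumes, as the slide queries appear to, that relationship direction does not matter during traversal.

```python
from collections import defaultdict

# Constructed sample environment: key -> (entity class, properties)
ENTITIES = {
    "subnet-pub": ("aws_subnet", {"public": True}),
    "subnet-priv": ("aws_subnet", {"public": False}),
    "i-web": ("aws_instance", {"active": True}),
    "i-db": ("aws_instance", {"active": True}),
    "sg-web": ("aws_security_group", {}),
    "sg-db": ("aws_security_group", {}),
    "internet": ("Internet", {}),
    "role-app": ("aws_iam_role", {"tag.AccountName": "prod"}),
    "acct-dev": ("Account", {"tag.AccountName": "dev"}),
    "acct-prod": ("Account", {"tag.AccountName": "prod"}),
}
# Constructed relationships (from, VERB, to); traversal is direction-agnostic (assumption),
# so "aws_instance that PROTECTS aws_security_group" also matches an edge sg PROTECTS instance.
EDGES = [
    ("subnet-pub", "HAS", "i-web"), ("subnet-priv", "HAS", "i-db"),
    ("sg-web", "PROTECTS", "i-web"), ("sg-db", "PROTECTS", "i-db"),
    ("internet", "ALLOWS", "sg-web"),      # 0.0.0.0/0 ingress exists only on sg-web
    ("role-app", "TRUSTS", "acct-dev"),    # cross-account trust: should be reported
    ("role-app", "TRUSTS", "acct-prod"),   # same-account trust: should not be reported
]
ADJ = defaultdict(list)
for src, verb, dst in EDGES:
    ADJ[src].append((verb, dst))
    ADJ[dst].append((verb, src))

def matches(key, classes, props):
    """Entity filter: class must be in the allowed set and every listed property must be equal."""
    cls, attrs = ENTITIES[key]
    return cls in classes and all(attrs.get(k) == v for k, v in props.items())

def find(steps):
    """steps: [(classes, props), (VERB, classes, props), ...] -> list of key paths, one per match."""
    classes, props = steps[0]
    paths = [[k] for k in ENTITIES if matches(k, classes, props)]
    for verb, classes, props in steps[1:]:
        paths = [p + [n] for p in paths for v, n in ADJ[p[-1]]
                 if v == verb and n not in p and matches(n, classes, props)]
    return paths

def exposed_instances():
    """Page 12: public aws_subnet HAS aws_instance PROTECTS aws_security_group ALLOWS Internet."""
    steps = [({"aws_subnet"}, {"public": True}), ("HAS", {"aws_instance"}, {}),
             ("PROTECTS", {"aws_security_group"}, {}), ("ALLOWS", {"Internet"}, {})]
    return sorted(p[1] for p in find(steps))

def cross_account_trusts():
    """Page 14: aws_iam_role TRUSTS (Account|AccessRole) where the tag.AccountName values differ."""
    paths = find([({"aws_iam_role"}, {}), ("TRUSTS", {"Account", "AccessRole"}, {})])
    return sorted((a, b) for a, b in paths
                  if ENTITIES[a][1]["tag.AccountName"] != ENTITIES[b][1]["tag.AccountName"])
```

Only `i-web` sits in a public subnet behind a security group that the Internet ALLOWS, and only the `role-app` → `acct-dev` trust crosses an account boundary, which is exactly what the two walks return.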

Page 15: S3 Bucket Access

Is any non-public S3 bucket access granted to anybody outside of its account?

Find aws_s3_bucket with

classification!='public' as bucket

that ALLOWS * as grantee

where

bucket.tag.AccountName !=

grantee.tag.AccountName

return tree

Page 16: SSO Access

Which Okta user is assigned what AWS IAM role?

find okta_user

that ASSIGNED aws_iam_role

return tree

Page 17: App Components and Data Flow

Show the connections and flow diagram from:

• CloudFront to API Gateway

• CloudFront to S3

• API GW to Lambda Functions

• Lambda to other resources

Page 18: Vulnerability Management

Which systems or apps are vulnerable to what CVEs?

Find CVE that RELATES TO (Host|HostAgent|Application)

return tree

Page 19: Development Insight

Which PRs did Adam open this past week?

'Adam' that OPENED PR with createdOn > date.now-7days

return tree

Page 20: Vulnerability in Code

Which PRs / developer introduced new vulnerability findings this past week?

Find User that OPENED PR with createdOn > date.now-7days

that RELATES TO CodeRepo that HAS (Vulnerability|Finding)

with _createdOn > date.now-7days

return tree

Page 21: Use query to create alerts and trigger remediation

Alert rules from query with actions:

• Send Email

• Send Slack message

• Create Jira issue

• Capture Trend

Future remediation automation:

• Trigger Webhook

• Invoke Lambda Function

• etc.

Page 22: Security Artifacts as Code

Page 23: Security Policy and Procedure Documents

github.com/jupiterone/security-policy-templates

• Written in Markdown

• Small, individual files – “micro-docs” like micro-services

• Linked together via config.json

• Document reviews and approvals via PRs

• Templatized and published in HTML

Page 24: Security Policy and Procedure Documents (published)

https://security.lifeomic.com/psp

Page 25: Manual Assessments and Findings

• Covers a variety of testing

  • Manual penetration testing

  • Risk assessment

  • Privacy impact assessment

  • Threat modeling

• Assessment objects and findings written in JSON or YAML

• Publish to graph for report and analysis

Follows the same code deploy process when PR is merged to `master` branch

github.com/jupiterone/secops-automation-examples

- entityKey: assessment:prodsec:2019q1
  entityType: prodsec_assessment
  entityClass: Assessment
  properties:
    name: internal-pen-test-2019q1
    displayName: LifeOmic Internal Penetration Test 2019Q1
    summary: LifeOmic Internal Penetration Test conducted between Mar 18th - Mar 29th
    description:
      Performed a thorough security assessment of the LifeOmic product line.
      Scope includes PHC, Life 2.0 iOS/Android, Connect and LifeExtend iOS/Android.
    category: penetration-testing
    status: complete
    assessors:
      - [email protected]
    <key lost in extraction>: false
    classification: confidential
    completedOn: 2019-04-05
    reportURL: https://bitbucket.org/lifeomic/prodsec-assessments/src......

- entityKey: finding:prodsec:2019q1:app-api-1
  entityType: pentest_finding
  entityClass: Finding
  properties:
    name: Some made up issue
    displayName: '[Medium] What it says'
    summary: Summary of the made up issue
    targets:
      - Service API
    description: >
      Within the application API, ....
    stepsToReproduce:
      - '1 - Add ...'
      - '2 - Use ...'
      - '3 - Verify ...'
    impact: ...
    severity: medium
    ...

Page 26: Vendors and External Organizations

• Maintain list of vendors as code

• Leverage product management and dev leads to help maintain

• Trigger third party security review and approval via PR

• Publish to graph for report and analysis

Follows the same code deploy process when PR is merged to `master` branch

github.com/jupiterone/secops-automation-examples

- entityKey: vendor:apple
  entityType: apple
  entityClass: Vendor
  properties:
    name: Apple
    displayName: Apple
    category:
      - software
      - mobile
      - development
    description: >
      Provides Developer account and App Store Connect account for mobile apps...
    validated: true
    approved: true
    approvalPRLink: https://bitbucket.org/lifeomic/security-artifacts/pull-requests/2
    approvalPRName: security-artifacts/2
    website: https://www.apple.com
    owners:
      - [email protected]
      - [email protected]
    mainContactName:
    mainContactEmail:
    mainContactPhone:
    mainContactAddress:
    breachResponseDays:
    linkToNDA: https://developer.apple.com/terms/apple-developer-agreement/Apple-Developer-Agreement-English.pdf
    linkToMSA: https://developer.apple.com/programs/whats-included/
    linkToSLA:
    criticality: 10
    risk: 5
    tag.PHI: false
    tag.PII: true
    tag.PCI: false
    statusPage:
    notes:
    ...

Page 27: Security and Privacy Considerations in Product Design RFC

• Engineering team writes product design RFC documents and checks them into code

• RFC template includes mandatory sections for

  • Security Considerations

  • Privacy Considerations

• Bot to detect new RFC PR and alert security team via Slack message

bitbucket-pr-detector

github.com/jupiterone/bitbucket-pr-detector

...

## Security considerations

### Data Flow

Does this feature collect or process additional data? Does it impact the current data flow of the system/application?

If so, create new or update the existing data flow diagram and document the data flow.

### Secrets

Does this feature involve usage of additional secrets (API keys, tokens, etc.), either external (i.e. storing and using secrets from a provider) or internal (i.e. generating and using secrets as an internal component)?

If so, document the secret management process.

### Attack Scenarios

How could an attacker abuse this design? What risks does this approach present and what mitigations can be pursued? What security requirements need to be included in the implementation?

An example of how to document this:

- **Abuse case name**
  - _Risk_ -- a description of the abuse case and the risks identified
  - _Mitigation_ -- what is being put in place as mitigation controls

This is a practice to ensure that some level of security considerations is always included in the design of a new feature, component or process.

## Privacy Considerations

...

Page 28: Compliance Evidence Collection

• Compliance framework and control requirements defined in JSON

• Map policy procedures to each control requirement

• Map query questions to each control requirement

• Write positive case queries and negative case queries for automated gap analysis

• Include evidence associated with manual processes

{
  "standard": "SOC 2",
  "version": "2019",
  "sections": [
    {
      "title": "Access Controls",
      "requirements": [
        {
          "ref": "SOC2-01",
          "title": "Single Sign On",
          "summary": "SSO for all users ..."
        },
        ...
      ]
    }
  ],
  "domains": [
    {
      "title": "Control Domain A",
      "controls": [
        {
          "ref": "A-01",
          "title": "A technical control",
          "summary": "control description ..."
        },
        ...
      ]
    }
  ]
}

{
  "title": "Which user accounts do not have multi-factor authentication enabled?",
  "description": "...",
  "queries": [
    {
      "name": "bad",
      "query": "Find User with mfaEnabled != true that !(ASSIGNED|USES|HAS) mfa_device"
    },
    {
      "name": "good",
      "query": "Find User with mfaEnabled = true"
    },
    {
      "name": "goodToo",
      "query": "Find User that (ASSIGNED|USES|HAS) mfa_device"
    }
  ],
  "compliance": [
    {
      "standard": "CIS Controls",
      "requirements": ["4.5", "12.11", "16.3"]
    },
    {
      "standard": "HITRUST CSF",
      "controls": ["01.b", "01.j", "01.q"]
    },
    {
      "standard": "PCI DSS",
      "requirements": ["8.2", "8.3"]
    }
  ]
}

github.com/jupiterone/security-policy-templates/tree/master/templates/standards
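To show how the "bad" / "good" query pairs above turn into automated gap analysis, here is an added example (my own code, not the templates repository's or JupiterOne's tooling) that takes the MFA question object in the shape shown on this page, runs it against a constructed set of user entities and rolls the outcome up to every control reference the question maps to. The query strings are kept verbatim but not parsed; binding each query name to a Python predicate is an assumption of this example, as is treating an absent `mfaEnabled` property as satisfying `!= true`.

```python
import json

# The question object mirrors the Page 28 JSON (query strings kept verbatim).
QUESTION = json.loads("""{
  "title": "Which user accounts do not have multi-factor authentication enabled?",
  "queries": [
    {"name": "bad", "query": "Find User with mfaEnabled != true that !(ASSIGNED|USES|HAS) mfa_device"},
    {"name": "good", "query": "Find User with mfaEnabled = true"},
    {"name": "goodToo", "query": "Find User that (ASSIGNED|USES|HAS) mfa_device"}
  ],
  "compliance": [
    {"standard": "CIS Controls", "requirements": ["4.5", "12.11", "16.3"]},
    {"standard": "HITRUST CSF", "controls": ["01.b", "01.j", "01.q"]},
    {"standard": "PCI DSS", "requirements": ["8.2", "8.3"]}
  ]
}""")

# Constructed sample users: the mfaEnabled property and whether an mfa_device
# relationship (ASSIGNED|USES|HAS) exists. None means the property is absent.
USERS = {
    "alice": {"mfaEnabled": True, "mfa_device": True},
    "bob": {"mfaEnabled": False, "mfa_device": True},    # covered by the relationship only
    "carol": {"mfaEnabled": False, "mfa_device": False},  # a genuine gap
    "dave": {"mfaEnabled": None, "mfa_device": False},    # property missing: also a gap
}

# Assumption of this example: query strings are not parsed; each query name is
# bound to a predicate with the same meaning ("!= true" also catches an absent value).
PREDICATES = {
    "bad": lambda u: u["mfaEnabled"] is not True and not u["mfa_device"],
    "good": lambda u: u["mfaEnabled"] is True,
    "goodToo": lambda u: u["mfa_device"],
}

def run_queries(question, users):
    """Return {query name: sorted keys of the users each query matches}."""
    return {q["name"]: sorted(k for k, u in users.items() if PREDICATES[q["name"]](u))
            for q in question["queries"]}

def gap_report(question, users):
    """Roll one question's outcome up to every control reference it is mapped to.
    Any 'bad' hit is a GAP; no hits at all is NO_EVIDENCE; otherwise PASS."""
    results = run_queries(question, users)
    bad = results.get("bad", [])
    good_hits = any(results[n] for n in results if n != "bad")
    status = "GAP" if bad else ("PASS" if good_hits else "NO_EVIDENCE")
    report = {}
    for c in question["compliance"]:   # both "requirements" and "controls" keys occur
        for ref in c.get("requirements", []) + c.get("controls", []):
            report[f'{c["standard"]} {ref}'] = {"status": status, "failing": bad}
    return report
```

With the constructed users the report marks all eight mapped references as GAP and names `carol` and `dave` as the failing entities, so the same evidence answers CIS, HITRUST and PCI at once.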

Page 29: In Summary, our approach to DevSecOps...

• Keep a simple, open, collaborative, enabling and rewarding security culture

• Use data, code and graph (not lists) to build a digital knowledgebase of your environment

• Use query to gain insights, provide assurance and collect compliance evidence continuously

• Automate security gates and approvals in code deployment pipeline (check out tomorrow’s session)

Continuous Assurance · Provable Security · Continuous Compliance

Page 30: Questions? Demo?

JUPITERONE.COM