Software Security: In the World of Cloud & CI-CD
TRANSCRIPT
26 Nov 2015. Venue: Akamai, Singapore. OWASP Singapore. 28 Nov 2015. Venue: Airtel, Delhi, India. OWASP Delhi, India (remote via WebEx from Singapore).
Software Security: "In the World of Cloud & CI-CD"
- Aniket Kulkarni
Software Security Architect (Bigdata\Cloud\Mobile\Web)
Agenda
Cloud & Its Snapshots
Definition of Today's Clients
Users' Angle to Cloud
Changing Landscape of Customer Requirements
CI, CD
An Era of Dashboards
Secure SDLC: the CI-CD Way
Cloud Computing?
Cloud computing, also known as on-demand computing, is a kind of internet-based computing where shared resources and information are provided to computers and other devices on demand.
Cloud Snapshots
Clients Today?
(diagram: CLOUD)
Continuous Integration (CI)
Continuous Integration (CI) is a development practice that requires developers to integrate code into a shared repository several times a day. Each check-in is then verified by an automated build, allowing teams to detect problems early.
Continuous Delivery (CD)
Continuous Delivery (CD) is a software engineering approach in which teams keep producing valuable software in short cycles and ensure that the software can be reliably released at any time. It aims at building, testing, and releasing software faster and more frequently.
Continuous Deployment (CD)
Continuous Deployment (CD) is the next phase after continuous delivery: every change that passes the automated tests is deployed to production automatically.
Users' Angle to Cloud
(diagram) Client side: Subscribed USER1, Subscribed USER2, Free USER3. Cloud side: Application Server, Storage Service, I&AM (identity and access management), Notification Service.
An Era of Dashboards
Changing Landscape of Requirements
Ongoing customer demands
Associated market competition
Product research outcomes
"Constant rotating eyeballs on a product in production, hosted on cloud, with constant changes"
Challenges for Business Stakeholders
How to manage the security posture of 150+ cloud products?
Shall we invest in security (yes/no)? If yes, how much? Confused about the decision?
Invested $X million. How secure are we?
We are 100% compliant! Are we secure now?
Are we satisfying customer demands?
S-SDLC (CI-CD): Component Repository
(diagram) External Repositories and Internal Components feed the Organization Repository (Ex: Nexus\Artifactory).
S-SDLC (CI-CD): 3rd Party External Component Security
(diagram) External Repositories and Internal Components feed the Organization Repository (Ex: Nexus\Artifactory); 3rd Party Component Security Tools (Ex: Sonatype CLM) check the components; Continuous Dashboard Update.
S-SDLC (CI-CD): Development
(diagram) External Repositories and Internal Components feed the Organization Repository (Ex: Nexus\Artifactory); Static Source Code Analysis Tool (Ex: Fortify); Continuous Dashboard Update.
S-SDLC (CI-CD): QA
• Internal Automation Frameworks
• Mostly Python Scripts
(diagram) Actual Web Product Hosted on Staging
Dynamic Analysis Tool Run
Manual Dashboard Update
Internal\External Penetration Tests
Continuous Dashboard Update
Interactive Application Security Testing (Ex: Contrast)
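The component-selection, development and QA stages above all end in the same step: scanner output feeds a pipeline decision and a dashboard update. The script below is an added example of that gate, written here for this transcript and not taken from the talk, from Sonatype CLM, Fortify or any other tool named above; the two input formats, the product name, the component and finding names, and the release policy are all constructed for the example. It shows the two things a practitioner wants from such a gate: a severity threshold that fails the build (non-zero exit), and triage of false positives that is recorded on the dashboard rather than silently dropped.

```python
"""CI security gate (added example; formats and data constructed, not any vendor's)."""
import json
from datetime import datetime, timezone

# Severity order used by the gate (constructed scale, not a vendor's).
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Release policy for the staging gate (constructed).
POLICY = {
    "block_at_or_above": "high",          # this severity or worse blocks the release
    "allow_triaged_false_positives": True,  # suppress only findings triaged with a reason
}

# Constructed component-scan output (format invented here, not Sonatype CLM's).
SAMPLE_COMPONENT_SCAN = json.dumps({
    "product": "example-web-product",
    "components": [
        {"name": "example-json-lib", "version": "1.2.3", "worst_severity": "high", "fixed_in": "1.2.4"},
        {"name": "example-http-client", "version": "4.0.0", "worst_severity": "none"},
        {"name": "example-xml-parser", "version": "2.1.0", "worst_severity": "medium", "fixed_in": "2.2.0"},
    ],
})

# Constructed SAST output (format invented here, not Fortify's).
SAMPLE_SAST_REPORT = json.dumps({
    "product": "example-web-product",
    "findings": [
        {"id": "F-1", "rule": "sql-injection", "severity": "critical", "file": "app/db.py", "line": 42},
        {"id": "F-2", "rule": "hardcoded-credential", "severity": "high", "file": "tests/fixtures.py", "line": 7,
         "triage": {"status": "false_positive", "reason": "test fixture, dummy value"}},
        {"id": "F-3", "rule": "weak-hash", "severity": "low", "file": "app/legacy.py", "line": 118},
    ],
})


def _blocks(severity, policy):
    """True when a severity meets the policy's blocking threshold."""
    return SEVERITY_RANK[severity] >= SEVERITY_RANK[policy["block_at_or_above"]]


def evaluate_components(scan, policy=POLICY):
    """Blocking issues from the third-party component scan (component-selection stage)."""
    issues = []
    for c in scan["components"]:
        if _blocks(c["worst_severity"], policy):
            issues.append({"stage": "component-selection",
                           "subject": f'{c["name"]}@{c["version"]}',
                           "severity": c["worst_severity"],
                           "action": f'upgrade to {c.get("fixed_in", "a fixed release")}'})
    return issues


def evaluate_sast(report, policy=POLICY):
    """Blocking issues from static analysis (development stage) plus the count of
    findings suppressed by a justified false-positive triage."""
    issues, suppressed = [], 0
    for f in report["findings"]:
        triage = f.get("triage", {})
        if (policy["allow_triaged_false_positives"]
                and triage.get("status") == "false_positive" and triage.get("reason")):
            suppressed += 1  # kept out of the gate, but counted for the dashboard
            continue
        if _blocks(f["severity"], policy):
            issues.append({"stage": "development", "subject": f'{f["file"]}:{f["line"]}',
                           "severity": f["severity"], "action": f'fix {f["rule"]}'})
    return issues, suppressed


def gate(component_json, sast_json, policy=POLICY):
    """Run the gate over both reports and build the dashboard record."""
    scan, sast = json.loads(component_json), json.loads(sast_json)
    comp_issues = evaluate_components(scan, policy)
    sast_issues, suppressed = evaluate_sast(sast, policy)
    blocking = comp_issues + sast_issues
    dashboard = {
        "product": scan["product"],
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "components_total": len(scan["components"]),
        "components_blocking": len(comp_issues),
        "sast_findings_total": len(sast["findings"]),
        "sast_blocking": len(sast_issues),
        "sast_suppressed_false_positives": suppressed,
        "release_ok": not blocking,
    }
    return {"release_ok": not blocking, "blocking": blocking, "dashboard": dashboard}


if __name__ == "__main__":
    result = gate(SAMPLE_COMPONENT_SCAN, SAMPLE_SAST_REPORT)
    print(json.dumps(result, indent=2))
    raise SystemExit(0 if result["release_ok"] else 1)  # non-zero exit fails the CI job
```

Run as a CI job step, the exit status is the gate; the `dashboard` record is what would be posted to the continuous dashboard, so the suppressed false-positive count stays visible to the business stakeholders asking "how secure are we?".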
S-SDLC (CI-CD): SAST\DAST\IAST
SAST
• Uses source code to find vulnerabilities without running the application.
• Misses run-time vulnerabilities.
• Many false positives.
DAST
• Analyzes the application in its running state by fuzzing it with malicious payloads from outside.
• Misses business logic vulnerabilities.
• Many false positives.
IAST
• Analyzes the application in its running state by deploying sensors inside the app.
• Finds most of the things that SAST and DAST miss.
• Almost no, or far fewer, false positives.
S-SDLC (CI-CD): Typical IAST Deployment
(diagram) Web Application stack: Custom Code, Frameworks, Libraries, Application Server, Java Runtime. The IAST Engine receives data from passive sensors placed inside the stack and sends security information to the dashboard.
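The IAST bullets above and this deployment diagram describe a sensor that sits inside the running application, watches what the code does, and reports to a dashboard without blocking anything. The script below is an added example of that idea in miniature; it is written for this transcript and is not Contrast's or any vendor's code, and the `DashboardSink`, `SensorCursor`, the two handler functions and the request parameter are all constructed here. The sensor wraps the database cursor, knows the current request's untrusted parameters, and raises a finding when a raw parameter value shows up inside the SQL text (the value was concatenated rather than bound). Both handlers return the same rows, so a DAST scan with a benign input would see no difference; only the in-app sensor tells them apart.

```python
"""Passive IAST-style sensor (added example; not any vendor's code)."""
import sqlite3


class DashboardSink:
    """Collects findings the way a dashboard endpoint would (constructed stand-in)."""

    def __init__(self):
        self.findings = []

    def report(self, finding):
        self.findings.append(finding)


class SensorCursor:
    """Wraps a DB-API cursor. Observes and reports; never blocks (passive sensor)."""

    MIN_VALUE_LEN = 3  # skip tiny values that could appear in SQL text by coincidence

    def __init__(self, cursor, sink, handler_name, request_params):
        self._cursor = cursor
        self._sink = sink
        self._handler = handler_name
        self._params = request_params  # untrusted request parameters for this request

    def execute(self, sql, bind=()):
        # Correlate request inputs with the SQL sink: a raw parameter value inside the
        # statement text means it was concatenated, not passed as a bound parameter.
        for name, value in self._params.items():
            if len(value) >= self.MIN_VALUE_LEN and value in sql:
                self._sink.report({
                    "type": "untrusted-input-in-sql",
                    "handler": self._handler,
                    "parameter": name,
                    "statement": sql,
                })
        return self._cursor.execute(sql, bind)

    def fetchall(self):
        return self._cursor.fetchall()


def instrumented_cursor(conn, sink, handler_name, request_params):
    """What the IAST engine's hook into the app server would hand the application."""
    return SensorCursor(conn.cursor(), sink, handler_name, request_params)


# Two request handlers of the web product under test (constructed).
def lookup_user_concatenated(cur, params):
    # Builds the statement from the request parameter: the pattern the sensor flags.
    cur.execute("SELECT id, name FROM users WHERE name = '" + params["user"] + "'")
    return cur.fetchall()


def lookup_user_parameterised(cur, params):
    # Bound parameter: the value never becomes part of the SQL text.
    cur.execute("SELECT id, name FROM users WHERE name = ?", (params["user"],))
    return cur.fetchall()


def run_demo():
    """Exercise both handlers with one benign request; return the sensor's findings."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES ('alice'), ('bob')")
    sink = DashboardSink()
    request = {"user": "alice"}  # constructed request parameter
    for handler in (lookup_user_concatenated, lookup_user_parameterised):
        cur = instrumented_cursor(conn, sink, handler.__name__, request)
        rows = handler(cur, request)
        assert rows == [(1, "alice")]  # same result either way; only the sensor differs
    return sink.findings


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Because the sensor sees both the request and the sink call, it needs no attack payload to produce a finding, which is why the talk can claim fewer false positives for IAST than for DAST; the trade-off is that it only reports code paths the QA automation actually exercises on staging.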
S-SDLC (CI-CD): Compact View
(diagram) COMPONENT SELECTION -> DEVELOPMENT -> BUILD AND DEPLOY STAGING -> QA IAST\STAGING -> All set for product release?
Rethinking Challenges!
How do the challenges appear now?
How to manage the security posture of 150+ cloud products?
Shall we invest in security (yes/no)? If yes, how much? Confused about the decision?
Invested $X million. How secure are we?
We are 100% compliant! Are we secure now?
Are we satisfying customer demands?
Key Take-Away Points
• Cloud & CI/CD software product business challenges
• Pitching security in a fast-paced environment:
  - 3rd party component security
  - Security at Development
  - Security at QA
  - Security at Staging\Production
• Solutions that we have for this fast-paced environment
• Security as an input for business decisions
• Deciding factors for security investment & ROI
Q & A
Thank you. Aniket Kulkarni, Software Security Architect (Bigdata\Cloud\Mobile\Web), Autodesk Singapore Research & Development Center, Singapore.