software security: in the world of cloud & ci-cd

26 Nov 2015 Venue: Akamai, Singapore OWASP Singapore. 28 Nov 2015 Venue: Airtel, Delhi-India. OWASP, Delhi-India. Remote WebEx From Singapore. Software Security: “In The World Of, Cloud & CI-CD” -Aniket Kulkarni Software Security Architect (Bigdata\Cloud\Mobile\Web)

Upload: owasp

Post on 11-Apr-2017


TRANSCRIPT

Page 1: Software Security: In the World of Cloud & CI-CD

26 Nov 2015 Venue: Akamai, Singapore OWASP Singapore. 28 Nov 2015 Venue: Airtel, Delhi-India. OWASP, Delhi-India. Remote WebEx From Singapore.

Software Security: “In The World Of, Cloud & CI-CD”

-Aniket Kulkarni

Software Security Architect (Bigdata\Cloud\Mobile\Web)

Page 2: Software Security: In the World of Cloud & CI-CD

Agenda

Cloud & Its Snapshots

Definition of Today's Clients

Users' Angle to Cloud

Changing Landscape Of Customer Requirements

CI, CD

An Era Of Dashboards

Secure SDLC: CI-CD Way

Page 3: Software Security: In the World of Cloud & CI-CD

Cloud Computing?

Cloud computing, also known as on-demand computing, is a kind of Internet-based computing in which shared resources and information are provided to computers and other devices on demand.

Page 4: Software Security: In the World of Cloud & CI-CD

Cloud Snapshots

Page 5: Software Security: In the World of Cloud & CI-CD

Clients Today?

CLOUD

Page 6: Software Security: In the World of Cloud & CI-CD

Continuous Integration-CI.

Continuous Integration (CI) is a development practice that requires developers to integrate code into a shared repository several times a day. Each check-in is then verified by an automated build, allowing teams to detect problems early.

Page 7: Software Security: In the World of Cloud & CI-CD

Continuous Delivery-CD.

Continuous Delivery (CD) is a software engineering approach in which teams keep producing valuable software in short cycles and ensure that the software can be reliably released at any time. It aims at building, testing, and releasing software faster and more frequently.

Page 8: Software Security: In the World of Cloud & CI-CD

Continuous Deployment-CD.

Continuous Deployment (CD) is the next phase after continuous delivery: every change that passes the automated tests gets deployed to production automatically.

Page 9: Software Security: In the World of Cloud & CI-CD

Users' Angle to Cloud.

Diagram: on the client side, Subscribed USER1, Subscribed USER2 and Free USER3 reach the Application Server, which in turn uses the Storage Service, I&AM (identity and access management) and the Notification Service.

Page 10: Software Security: In the World of Cloud & CI-CD

An Era Of Dashboards.

Page 11: Software Security: In the World of Cloud & CI-CD

Changing Landscape Of Requirements

Ongoing Customer Demands

Associated Market Competition

Product Research Outcomes

“Constant Rotating Eyeball On Product In Production, Hosted On Cloud, with constant changes”

Page 12: Software Security: In the World of Cloud & CI-CD

Challenges For Business Stakeholders

How to manage the security posture of 150+ cloud products?

Shall we invest in security (Yes/No)? If yes, how much? Confused about the decision?

Invested $X million. How secure are we?

We are 100% compliant! Are we secure now?

Are we satisfying customer demands?

Page 13: Software Security: In the World of Cloud & CI-CD

S-SDLC (CI-CD): Component Repository

Diagram: External Repositories and Internal Components feed the Organization Repository (Ex: Nexus\Artifactory).

Page 14: Software Security: In the World of Cloud & CI-CD

S-SDLC (CI-CD): 3rd Party External Component Security

Diagram: External Repositories and Internal Components feed the Organization Repository (Ex: Nexus\Artifactory); 3rd Party Component Security Tools (Ex: Sonatype CLM) check the components, with Continuous Dashboard Update.

Page 15: Software Security: In the World of Cloud & CI-CD

S-SDLC (CI-CD): Development

Diagram: External Repositories and Internal Components feed the Organization Repository (Ex: Nexus\Artifactory); a Static Source Code Analysis Tool (Ex: Fortify) runs on the code, with Continuous Dashboard Update.

Page 16: Software Security: In the World of Cloud & CI-CD

S-SDLC (CI-CD): QA

• Internal Automation Frameworks

• Mostly Python Scripts

Actual Web Product Hosted On Staging

Dynamic Analysis Tool Run

Manual Dashboard Update

Internal\External Penetration Tests

Continuous Dashboard Update

Interactive Application Security Testing

(Ex: Contrast)

Page 17: Software Security: In the World of Cloud & CI-CD

S-SDLC (CI-CD): SAST\DAST\IAST

SAST

• Uses source code to find vulnerabilities without running the application.

• Misses run-time vulnerabilities.

• Many false positives.

DAST

• Analyzes the application in its running state by fuzzing it with malicious payloads from outside.

• Misses business logic vulnerabilities.

• Many false positives.

IAST

• Analyzes the application in its running state by deploying sensors inside the app.

• Finds most of the things that SAST and DAST miss.

• Almost no\few false positives.

Page 18: Software Security: In the World of Cloud & CI-CD

S-SDLC (CI-CD): Typical IAST Deployment

Diagram: the Web Application stack (Custom Code, Frameworks, Libraries, Application Server, Java Runtime) is instrumented by the IAST Engine; Data From Passive Sensors inside the application flows to the engine, which sends Security Information To Dashboard.

Page 19: Software Security: In the World of Cloud & CI-CD

S-SDLC (CI-CD): Compact View

Pipeline: COMPONENT SELECTION, DEVELOPMENT, BUILD AND DEPLOY STAGING, QA IAST\STAGING.

All Set For Product Release?
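The compact view above strings the stage checks from pages 13 to 16 together: component security at selection, SAST at development, DAST/IAST at QA, each feeding a dashboard, and a final "all set for release?" decision. The following Python script is an added example of such a gate, not code from the talk or from any of the tools it names. It assumes three constructed, tool-neutral report shapes (the component, SAST and DAST dictionaries are made up, as are the component names, rule ids and URL), and an assumed per-stage policy in which a finding blocks the build only when both its severity and the tool's confidence are high enough, so that the many SAST/DAST false positives the deck mentions go to the dashboard for triage instead of stopping every build.

```python
"""Security gate for a CI-CD pipeline (added example, not the speaker's code).

Reads three scan reports in a constructed, tool-neutral shape (an SCA /
component report, a SAST report and a DAST report), decides whether the
build may proceed, and builds the summary a dashboard would be updated with.
"""
from collections import Counter
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
CONFIDENCE_RANK = {"low": 1, "medium": 2, "high": 3}

# Assumed per-stage policy: a finding blocks the build only if it reaches the
# stage's blocking severity AND the tool's confidence meets the minimum.
# Lower-confidence findings are routed to the dashboard for triage.
POLICY = {
    "component": {"block_at": "high", "min_confidence": "high"},
    "sast": {"block_at": "high", "min_confidence": "high"},
    "dast": {"block_at": "medium", "min_confidence": "medium"},
}


@dataclass(frozen=True)
class Finding:
    stage: str        # "component", "sast" or "dast"
    severity: str
    confidence: str
    title: str
    location: str


def findings_from_reports(sca, sast, dast):
    """Normalise the three constructed report formats into Finding objects."""
    found = []
    for comp in sca["components"]:
        for vuln in comp["vulns"]:          # known-vulnerable dependency
            found.append(Finding("component", vuln["severity"], "high",
                                 vuln["id"], f'{comp["name"]}:{comp["version"]}'))
    for res in sast["results"]:
        found.append(Finding("sast", res["severity"], res["confidence"],
                             res["rule"], res["file"]))
    for alert in dast["alerts"]:
        found.append(Finding("dast", alert["risk"], alert["confidence"],
                             alert["name"], alert["url"]))
    return found


def is_blocking(finding, policy=POLICY):
    rule = policy[finding.stage]
    return (SEVERITY_RANK[finding.severity] >= SEVERITY_RANK[rule["block_at"]]
            and CONFIDENCE_RANK[finding.confidence]
            >= CONFIDENCE_RANK[rule["min_confidence"]])


def evaluate(findings, policy=POLICY):
    """Gate decision: release_ok is True only when nothing blocks."""
    blocking = [f for f in findings if is_blocking(f, policy)]
    triage = [f for f in findings if not is_blocking(f, policy)]
    return {"release_ok": not blocking, "blocking": blocking, "triage": triage}


def dashboard_summary(findings, policy=POLICY):
    """Counts per stage: the payload of a 'continuous dashboard update'."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(
            f.stage, {"blocking": 0, "triage": 0, "by_severity": Counter()})
        entry["blocking" if is_blocking(f, policy) else "triage"] += 1
        entry["by_severity"][f.severity] += 1
    return summary


# Constructed sample reports (component names, rule ids and URL are made up).
SAMPLE_SCA = {"components": [
    {"name": "example-http-lib", "version": "1.4.0",
     "vulns": [{"id": "EXAMPLE-VULN-0001", "severity": "critical"}]},
    {"name": "example-ui-kit", "version": "2.0.3", "vulns": []},
]}
SAMPLE_SAST = {"results": [
    {"rule": "sql-injection", "severity": "high", "confidence": "high",
     "file": "app/orders.py:42"},
    # High severity but low confidence and in test fixtures: likely noise.
    {"rule": "hardcoded-secret", "severity": "high", "confidence": "low",
     "file": "tests/fixtures.py:7"},
]}
SAMPLE_DAST = {"alerts": [
    {"name": "missing-security-header", "risk": "low", "confidence": "high",
     "url": "https://staging.example.test/"},
]}

if __name__ == "__main__":
    fs = findings_from_reports(SAMPLE_SCA, SAMPLE_SAST, SAMPLE_DAST)
    verdict = evaluate(fs)
    print("All set for product release?", verdict["release_ok"])
    for f in verdict["blocking"]:
        print("BLOCK", f.stage, f.severity, f.title, f.location)
    print(dashboard_summary(fs))
```

With the sample reports the build is blocked by the critical component and the high-confidence SAST finding, while the low-confidence secret and the low-risk DAST alert land in the triage bucket of the dashboard summary; with an empty findings list the gate answers "release ok".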

Page 20: Software Security: In the World of Cloud & CI-CD

Rethinking challenges!

How do the challenges look now?

How to manage the security posture of 150+ cloud products?

Shall we invest in security (Yes/No)?

If yes, how much? Confused about the decision?

Invested $X million. How secure are we?

We are 100% compliant! Are we secure now?

Are we satisfying customer demands?
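The deck's answer to "how do we manage the posture of 150+ products and decide on security investment" is the dashboard: every pipeline reports continuously, and the portfolio view is what stakeholders act on. The following Python script is an added example of that roll-up, not code from the talk. It assumes each product exports its open findings in a constructed shape, assumed severity weights and remediation SLAs (a finding past its SLA counts double, so the score reflects how long risk has been left open, not only how much), and produces a worst-first ranking plus one KPI, the share of products within a posture target, which is the kind of number an investment decision and its ROI can be tracked against.

```python
"""Portfolio posture roll-up across many cloud products (added example, not
the speaker's code). Input: open findings exported from each product's
pipeline dashboard, in a constructed shape. Output: a worst-first ranking and
one KPI (share of products within the posture target) for stakeholders.
"""
from dataclasses import dataclass
from datetime import date

# Assumed severity weights and remediation SLAs (days).
WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 15}
SLA_DAYS = {"low": 90, "medium": 60, "high": 30, "critical": 7}


@dataclass(frozen=True)
class OpenFinding:
    product: str
    severity: str
    opened: date


def finding_weight(finding, today):
    """Severity weight, doubled once the finding is past its SLA."""
    age_days = (today - finding.opened).days
    base = WEIGHT[finding.severity]
    return base * 2 if age_days > SLA_DAYS[finding.severity] else base


def product_scores(findings, products, today):
    scores = {p: 0 for p in products}   # products with no findings score 0
    for f in findings:
        scores[f.product] += finding_weight(f, today)
    return scores


def posture_report(findings, products, today, target=10):
    """Rank products worst-first and compute the share within target."""
    scores = product_scores(findings, products, today)
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    within = sum(1 for s in scores.values() if s <= target)
    return {
        "ranked": ranked,
        "pct_within_target": round(100.0 * within / len(products), 1),
        "worst": ranked[0][0] if ranked else None,
    }


# Constructed sample: four products, findings dated relative to the talk date.
PRODUCTS = ["svc-billing", "svc-catalog", "svc-login", "svc-reports"]
TODAY = date(2015, 11, 26)
SAMPLE_FINDINGS = [
    OpenFinding("svc-billing", "critical", date(2015, 11, 1)),   # past 7-day SLA
    OpenFinding("svc-billing", "medium", date(2015, 11, 20)),
    OpenFinding("svc-catalog", "low", date(2015, 6, 1)),         # past 90-day SLA
    OpenFinding("svc-login", "high", date(2015, 11, 20)),
]

if __name__ == "__main__":
    report = posture_report(SAMPLE_FINDINGS, PRODUCTS, TODAY)
    for product, score in report["ranked"]:
        print(f"{product:14s} {score:4d}")
    print("within target:", report["pct_within_target"], "%")
```

On the sample data svc-billing scores 33 (an overdue critical at double weight plus a fresh medium), svc-login 7, svc-catalog 2 and svc-reports 0, so 75% of the portfolio is within the target of 10; rerunning the report after each dashboard update shows whether spending moved that percentage.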

Page 21: Software Security: In the World of Cloud & CI-CD

Key Points Take Away

Cloud & CI,CD

Software product business challenges

Pitching security in a fast-paced environment:

-3rd party component security

-Security at Development

-Security at QA

-Security at Staging\Production

Solutions that we have for this fast-paced environment

Security as an input for business decisions

Deciding factor for security investment & ROI

Page 22: Software Security: In the World of Cloud & CI-CD

Q & A

Page 23: Software Security: In the World of Cloud & CI-CD

Thank you, Aniket Kulkarni - Software Security Architect (Bigdata\Cloud\Mobile\Web) Autodesk Singapore Research & Development Center Singapore.