tech talk: keeping applications compliant and secure using release automation
TRANSCRIPT
World®’16
Tech Talk: Keeping Applications Compliant and Secure Using Release Automation – Keith Puzey, Senior Principal Engineering Services Architect, CA Technologies
DO5T10T
DEVOPS
2 © 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
Agenda
1. Introduction
2. Vulnerabilities
3. Release Automation and Compliance
4. The Seven Habits of Rugged DevOps
5. How DevOps and Automation Facilitate Security and Compliance
6. Security Testing
Introduction
Security is the responsibility of everyone and needs to start with Development.
Security breaches caused by vulnerabilities cost a significant amount in time, effort and reputation.
HOW CAN DEVOPS HELP?
Infrastructure Vulnerabilities – 2016
[Bar chart: Vulnerabilities by Infrastructure Vendor (# vulnerabilities). Vendors, in the order shown: Oracle, Microsoft, IBM, Cisco, Debian, Apache, Novell, Huawei, HP, Ubuntu, Fedora, Linux, SAP, Red Hat. Bar values, in the order shown: 325, 130, 123, 98, 87, 46, 40, 38, 34, 31, 27, 23, 22, 21.]
Cisco Security Research – Midyear Cyber Security Report 2016
Infrastructure Vulnerabilities by Region
[Chart; the regional figures are not preserved in the transcript.]
Cisco Security Research – Midyear Cyber Security Report 2016
Open Source Vulnerabilities
Sonatype reported that 1 in 16 downloads from the Central Repository had a known security defect, and 6.8 percent of components in use among the 25,000 applications analyzed had a known security defect. The Sonatype report is based on the analysis of 31 billion download requests of open source software components from the Central Repository, which Sonatype manages, and is the result of an analysis of the patterns and practices of more than 25,000 developers and 3,000 organizations.
Sonatype – 2016 State of the Software Supply Chain
Common Exploits
According to the Sonatype “2016 State of the Software Supply Chain” report, records reveal that 17.4 million Bouncy Castle components across all versions were downloaded last year. Of these, 5.8 million (33 percent) were known vulnerable versions of Bouncy Castle.
The defective component downloads occurred across 93,253 unique IP addresses from 13,824 organizations in 197 countries.
Sonatype – 2016 State of the Software Supply Chain
ONE OF THE MORE POPULAR CHOICES FOR ENCRYPTION IS THE LEGION OF THE BOUNCY CASTLE JAVA CRYPTOGRAPHY LIBRARY.
Shift Left… Discover Security Defects Earlier in SDLC
FIND DEFECTS HERE … NOT HERE
[Diagram of pipeline stages: Unit, Integration, System, UAT, Performance, Staging, Production; defects should be found in the early stages rather than in production.]
INSTILL Accelerated Quality
[Bar chart: Security Defect Correction Cost Multiplier by phase. Requirements 1×, Coding 5×, Integration 10×, Acceptance 15×, Production 30×.]
Source: National Institute of Standards & Technology (NIST)
The Problem
Third party software is used with latent vulnerabilities
Unsafe development methods
Inability to quickly fix security issues
Misconfigurations of the systems supporting applications
“The Seven Habits of Rugged DevOps” – Forrester
Forrester – The Seven Habits of Rugged DevOps
1. Increase trust and transparency between development, security and operations
2. Understand the probabilities and impact of specific risks
3. Discard detailed security roadmaps in favour of incremental improvements
4. Use the CD pipeline to incrementally improve security practices
5. Standardize third party software and then keep current – maintain third party libraries at the most current versions
6. Govern with automated audit trails
7. Test preparedness with security games
How DevOps and Automation Facilitate Security and Compliance
AUTOMATION
EMPHASIS ON TESTING
FAST FEEDBACK LOOPS
IMPROVED VISIBILITY
COLLABORATION
CONSISTENT RELEASE PRACTICES
How DevOps Facilitates Security and Compliance
Secure at the beginning
§ Security must be integrated at the start of your DevOps process; it must not be an afterthought or come only at the very end of the software delivery pipeline.
§ It becomes a quality requirement, similar to other tests run as part of your software delivery process.
Security through automated testing
§ Automated tests have less risk of introducing security flaws due to human error.
How DevOps Facilitates Security and Compliance
Enable developers but maintain governance
Create manageable systems that are consistent, traceable, and repeatable
Security and compliance controls must be an integral part of your DevOps processes
How DevOps Facilitates Security and Compliance
Get everyone on the same page and pipeline
§ Integrate security tools and tests as part of the pipeline used by Development and Operations to deploy their updates.
§ InfoSec becomes a key component of the delivery pipeline and an enabler of the entire process.
Resolve issues quickly
§ DevOps accelerates your lead time, so that you can develop, test, and deploy your patch/update more quickly.
Security Testing
Automated testing
§ Automating tests ensures quality testing, and we need the same approach to automate security tests.
§ A large proportion of security tests are essentially checks that known weaknesses have not been introduced, and these lend themselves superbly to automation.
Security Testing — What’s Automated
Functional Security Tests
§ These are essentially the same as automated acceptance tests, but targeted at verifying that security features such as authentication and logout work as expected.
§ Tests can mostly be automated using existing acceptance-testing browser automation tools like Selenium/WebDriver.
Specific non-functional tests against known weaknesses
§ Includes testing for known weaknesses and misconfigurations such as lack of the HttpOnly flag on session cookies, or use of known weak SSL suites and ciphers.
§ These are particularly well suited for automation because the weaknesses are known up front.
Security scanning of the application and infrastructure
§ Manually driven penetration tests usually kick off with an automated scan using vulnerability scanning tools like Nessus, Burp and OWASP ZAP; this scan can be automated as part of your DevOps process.
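The known-weakness checks named above (HttpOnly on session cookies, weak cipher suites), written out as an added example that is not code from the deck or from CA. It runs over response headers and a cipher list that a pipeline stage would have captured from the environment under test; here both are constructed samples. The session-cookie name heuristic, the weak-cipher marker list and the extra Secure/SameSite/HSTS checks are assumptions made for illustration.

```python
"""Automated check for known web weaknesses, suitable as a pipeline gate.

Added example (not CA code). Parses Set-Cookie and other response headers
returned by a deployed environment and flags the known weaknesses the slide
names (missing HttpOnly on session cookies, weak TLS cipher suites), plus
Secure/SameSite flags and the HSTS header. All sample data is constructed.
"""
import re

# Heuristic for cookies that look like session or auth tokens (assumption).
SESSION_COOKIE_PATTERN = re.compile(r"sess|sid|token|auth", re.IGNORECASE)

# Substrings that identify cipher suites widely regarded as weak or broken (assumption).
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5")

# Constructed sample responses: a weak one and a hardened one.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]
# Constructed OpenSSL-style cipher lists as a server might be configured with.
WEAK_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:DES-CBC3-SHA"
STRONG_CIPHERS = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305"


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def check_response_headers(headers):
    """Return a list of findings for session-cookie flags and HSTS."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name, _, attrs = parse_set_cookie(value)
        if not SESSION_COOKIE_PATTERN.search(cookie_name):
            continue  # only session/auth cookies need the strict flags
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name}: missing Secure")
        samesite = attrs.get("samesite")
        if not (isinstance(samesite, str) and samesite.lower() in ("lax", "strict")):
            findings.append(f"cookie {cookie_name}: SameSite not Lax/Strict")
    if "strict-transport-security" not in {n.lower() for n, _ in headers}:
        findings.append("missing Strict-Transport-Security header")
    return findings


def check_cipher_list(cipher_spec):
    """Return the suites in a colon-separated cipher list that match a weak marker."""
    return [c for c in cipher_spec.split(":") if any(m in c for m in WEAK_CIPHER_MARKERS)]


def security_gate(headers, cipher_spec):
    """Combine both checks; an empty list means the stage passes."""
    findings = check_response_headers(headers)
    findings += [f"weak cipher suite: {c}" for c in check_cipher_list(cipher_spec)]
    return findings


if __name__ == "__main__":
    for label, hdrs, ciphers in (("weak", WEAK_RESPONSE, WEAK_CIPHERS),
                                 ("hardened", HARDENED_RESPONSE, STRONG_CIPHERS)):
        result = security_gate(hdrs, ciphers)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Wiring `security_gate` into the pipeline means failing the stage on any non-empty result; because the weaknesses are known up front, the check is deterministic and needs no human in the loop, which is exactly why this class of test automates well.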
“Putting a guardrail up on the highway allows you to go faster, not slower. With proper checks, you catch problems before they become showstoppers and security risks in production. And when it’s part of the automated workflow, the overhead is essentially nil.”
Alan Sharp-Paul, co-founder of DevOps tool vendor UpGuard
CA’s Three Pillars of Continuous Delivery – Integrated, Iterative Solution
[Diagram. Roles: Agile Teams, Developers and Testers, Release Management, Product Owner, Scrum Master, Product Manager. Activities and artifacts: Daily Reviews, Roadmap, Vision, Backlog, Sprint Backlogs, Customer Value, Shippable Products, Feedback Loops. Phases: PLAN, Develop Swiftly, Test Agilely, Release Reliably, OPERATE.]
Continuous Delivery Dynamic Duo: Zero-touch Deployment + Advanced Release Management
[Diagram: environments DEV, QA/TEST, PRE-PROD, PRODUCTION. CA Release Automation provides zero-touch deployment; CA Release Automation CD Edition plans and manages releases; the Continuous Delivery Dashboard optimizes the pipeline.]
Six Ways CA Release Automation Helps Compliancy
Authenticity of build material is what’s being deployed: only authorized staff get to promote packages
Automated security across all environments: consistent security and testing across all environments
Security feedback loop back to development: identify vulnerabilities and security issues early in the development cycle
Segregation of roles for releases, phases and tasks across environments
Auditability and traceability: audit every stage of your CD pipeline
Use speed to your advantage: small incremental improvements
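An added example (not CA Release Automation code) of how three of the points above combine in a single promotion step: the artifact’s digest is verified against the build manifest before it is deployed, only authorized roles may promote to a given environment, and every attempt, accepted or rejected, is written to a hash-chained audit trail that an auditor can verify later. The actors, roles, promotion policy, artifact and manifest are all constructed for illustration.

```python
"""Artifact authenticity, role-segregated promotion and a tamper-evident audit trail.

Added example (not CA code). Each promotion attempt is recorded as an audit
entry whose hash covers the previous entry, so editing or dropping a record
breaks the chain. Actors, roles, policy and artifact are constructed samples.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first audit entry

# Constructed actors and the environments each role may promote to.
ROLES = {"alice": {"developer"}, "bob": {"release-manager"}, "carol": {"auditor"}}
PROMOTION_POLICY = {
    "qa": {"developer", "release-manager"},
    "preprod": {"release-manager"},
    "production": {"release-manager"},
}

# Constructed build output and the manifest the build stage would publish.
BUILD_ARTIFACT = b"constructed build output for app 1.2.3"
MANIFEST = {"artifact": "app-1.2.3.war", "sha256": hashlib.sha256(BUILD_ARTIFACT).hexdigest()}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    """Append-only log where each entry's hash includes the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> dict:
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = dict(event, seq=len(self.entries), prev_hash=prev_hash)
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash and link; False if any entry was altered or reordered."""
        prev_hash = GENESIS
        for seq, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body.get("seq") != seq or body.get("prev_hash") != prev_hash:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev_hash = entry["entry_hash"]
        return True


def promote(trail: AuditTrail, manifest: dict, artifact: bytes, actor: str, target_env: str) -> str:
    """Promote an artifact to target_env; every outcome is audited. Returns the digest."""
    event = {"action": "promote", "actor": actor,
             "artifact": manifest["artifact"], "target": target_env}
    digest = sha256_hex(artifact)
    # Authenticity: the bytes being deployed must be the bytes that were built.
    if digest != manifest["sha256"]:
        trail.append(dict(event, outcome="rejected", reason="digest does not match build manifest"))
        raise ValueError("artifact does not match the build manifest")
    # Segregation of roles: the actor needs a role the policy allows for this environment.
    if not ROLES.get(actor, set()) & PROMOTION_POLICY[target_env]:
        trail.append(dict(event, outcome="rejected", reason="actor not authorized for target"))
        raise PermissionError(f"{actor} may not promote to {target_env}")
    trail.append(dict(event, outcome="promoted", sha256=digest))
    return digest


if __name__ == "__main__":
    trail = AuditTrail()
    promote(trail, MANIFEST, BUILD_ARTIFACT, "bob", "production")
    for who, env, data in (("alice", "production", BUILD_ARTIFACT), ("bob", "qa", BUILD_ARTIFACT + b"!")):
        try:
            promote(trail, MANIFEST, data, who, env)
        except (ValueError, PermissionError) as exc:
            print("rejected:", exc)
    print("audit chain intact:", trail.verify())
    for entry in trail.entries:
        print(entry["seq"], entry["actor"], entry["target"], entry["outcome"])
```

The rejected attempts are deliberately recorded as well as the successful one: an audit trail that only shows what was promoted cannot answer the question an auditor actually asks, which is who tried to push what, where, and why it was stopped.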
Auditability and Traceability
Audit every stage of your CD pipeline
Summary – A Few Words to Review
CA Continuous Delivery Solutions: CA Release Automation and other CD solutions pave the way to audit-ready releases with tracking, governance and security checks.
DevOps Helps Compliancy: Staying compliant and secure is tougher now than ever. DevOps, continuous delivery and automation are key practices that can help compliancy in a fast-moving app culture.
Automate Security Testing: Security tests are essentially checks that known weaknesses have not been introduced — a prime candidate for automation.
Recommended Sessions
SESSION# – TITLE – DATE/TIME
DO5T03P – Leadership Panel: Continuous Delivery in the Financial Services Industry – 11/16/2016 at 04:30 pm
DO5T14S – Analyst Keynote: Continuous Delivery: Making DevOps Awesome – 11/17/2016 at 10:30 am
DO5T14S – ING Delivers Unprecedented Global Continuous Delivery as a Service – 11/17/2016 at 03:00 pm
Must See Demos
Release Automation – Theater 5 – DOV513P: Orchestrate Your Release
Service Virtualization – Theater 5 – DOV507P: Deliver Better Apps
Test Data Manager – Theater 5 – DOV511P: Deliver Test Data Faster
Integrated CD – Theater 5 – DOV501P: Modernize App Delivery