The Need for Speed: AppSec in a DevOps World
SESSION ID: SDS1-F03
#RSAC
John B. Dickson, CISSP
Principal, Denim Group, Ltd.
@johnbdickson
Overview
DevOps Defined
What’s Driving DevOps?
The evolution of application development and application security
Case Studies: Etsy and Netflix
How Application Security Remains Relevant in a DevOps World
Applying What You Will Learn Today
Next week you should:
Be immediately comfortable having a discussion about DevOps and application security with your colleagues and management
In the first three months following this presentation you should:
Understand your organization’s DevOps strategy
Apply initial application security strategies to your organization’s DevOps practices
Within six months you should:
Be a partner with your business units to rapidly develop software while addressing security risks throughout the process
John’s Background
Application Security Enthusiast
Helps CSOs and CISOs with Application Security Programs
ISSA Distinguished Fellow
Security Author and Speaker
20 Years’ Experience Across Multinational Corporations
Denim Group | Company Background
Professional services firm that works closely with companies on matters of software risk
Web, mobile, and cloud application assessments
Application vulnerability mitigation
Classroom secure developer training
Network & information security services
Outsourced managed security services
Developed ThreadFix – application vulnerability platform
DevOps Defined
DevOps is a practice that:
Emphasizes the tight collaboration and communication of both software developers and IT operations staff
Focuses on automating the process of software delivery and infrastructure changes
Aims at establishing a culture and environment where building, testing, and releasing software can happen rapidly, frequently, and more reliably
Aspects of DevOps
Focuses on time to market over virtually every other requirement
Focuses on continuous improvement
Software quality and auditability valued – but as a by-product of speed
CI/CD as a Component of DevOps
Continuous Integration (CI) is a development practice that requires developers to integrate code into a shared repository several times a day. Each check-in is then verified by an automated build, allowing teams to detect problems early.
Continuous Delivery is the natural extension of Continuous Integration: an approach in which teams ensure that every change to the system is releasable, and that we can release any version at the push of a button. Continuous Delivery aims to make releases boring, so we can deliver frequently and get fast feedback on what users care about.
Source: “Continuous Integration: Improving Software Quality and Reducing Risk,” Paul Duvall
Potential Components of a Secure CI/CD
Code repository (Git, Subversion)
CI/CD server (Jenkins, Bamboo)
Build server(s)
Unit test suite (JUnit)
Functional test suite (Selenium)
Defect tracker
Application Vulnerability Management Platform
What is Driving DevOps?
Time-to-Market advantages
Demand for higher-quality software products
Cost concerns
Key thought: Like cloud, DevOps will come from business units responding to competitive pressures, not IT or outside pressure
Perception
Do you believe your information security policies/teams are slowing IT down?
Source: Gartner, “Integrating Security in DevOps: DevSecOps,” Neil McDonald, 2016
[Bar chart: Yes / No responses, grouped by Information Security and IT Operations respondents; horizontal axis 0–50]
The Evolution of Application Development
Where are we in the evolution of software development?
Software Development Methodologies
Waterfall
Agile Software Development Methodology
Scrum
Extreme Programming (XP)
Just to Name a few…
Software Development Methodologies
Waterfall
• Linear with distinct goals in each phase of development
• Requirements laid out up front by business units
• Clear separation between business units and software development team
• Deployments typically infrequent and involve close coordination with development and operations teams
• Criticized as being too inflexible and not taking into account change within a project
Software Development Methodologies
Agile
Iterative software development in short “sprints” of 1-4 weeks
Focus on producing working software that allows business teams to provide better feedback after each sprint
Business teams conduct tradeoff analysis and adapt requirements after each sprint (and are willing to give up requirements)
More frequent interaction between software development, test, and business teams
How Did We Get to DevOps?
[Diagram: Waterfall → Agile → DevOps → Secure DevOps, plotted against the groups Business, Development, Operations, and Security]
The State of Application Security
Organizations have become better at identifying web application vulnerabilities via automated scanning
Automation still only catches 30-50% of application vulnerabilities
Organizations have become better at identifying application vulnerabilities than fixing them
Much of the effort involves testing and SDLC improvement
Chasm still exists between security and development teams
Case Study: Etsy
Etsy pushes to production 30 times a day on average
Schema changes weekly
Code reviews before commits
Automated tests before deploy
Verification conducted frequently and in small batches
No release managers
Source: “Continuous Delivery: The Dirty Details,” Mike Brittain, Etsy
Case Study: Etsy – Key Takeaways
Make things safe by default
Detect risky functionality / Focus on efforts
Automate as much as you can
Know when the house is burning down
Source: “Effective Approaches to Web Application Security,” Zane Lackey, http://www.slideshare.net/zanelackey/effective-approaches-to-web-application-security
Case Study: Netflix
Everything is built for “three”
Fully automated build tools to test and make packages
Fully automated machine image bakery
Fully automated image deployment
Independent teams responsible for both Dev and Ops
Case Study: Netflix
All systems choices assume some part will fail at some point
Availability over consistency
Scanning for vulnerabilities in production via the “Simian Army”
How Application Security Remains Relevant in a DevOps World
Pulling a Tiger by the Tail?
How Application Security Remains Relevant in a DevOps World
Understand that you will miss things
Software will be deployed without your knowledge and not security tested (always)
You will have functionality in your production environment you don’t understand
Understand your job just got harder
And you can’t say “no!”
Understand There Are Competing World Views of DevOps and Security
Do you try to adapt current application security/SDLC approaches with more automation?
OR
Do you accept that you can only be prepared to improvise when code is in production?
Where do You Go from Here?
DevOps Concepts if You Take the Adaptation Approach
Automate every security process possible
Squeeze application testing cycles and automate entire process
Fully automate application vulnerability resolution process
Consider new technologies such as IAST/RASP
Incrementally increase application monitoring in production environments – standardize & automate
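As an added example (not from the deck), a Python build gate in the spirit of the "automate the entire process" points above: it merges findings from two scanners, diffs them against the baseline a vulnerability management platform already tracks, and fails the build only on new findings at or above a severity bar, so known backlog does not block every deploy. Scanner names, CWE ids, paths and the baseline are constructed sample data.

```python
# Added example: CI security gate that blocks only on NEW high-or-worse findings.
# All scanner output and the baseline below are constructed, not real scan data.
import hashlib
import itertools
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    tool: str       # scanner that reported it
    rule: str       # normalized weakness id (CWE here)
    location: str   # file:line for SAST, route for DAST
    severity: str

    def fingerprint(self) -> str:
        # Stable identity across runs and tools: same rule at the same location is
        # one issue, so it is neither double-counted nor re-opened on every build.
        return hashlib.sha256(f"{self.rule}|{self.location}".encode()).hexdigest()[:16]


def merge(*scans):
    """Dedup findings from several scanners, keeping the highest severity per issue."""
    merged = {}
    for f in itertools.chain(*scans):
        fp = f.fingerprint()
        if fp not in merged or SEVERITY_RANK[f.severity] > SEVERITY_RANK[merged[fp].severity]:
            merged[fp] = f
    return merged


def evaluate(merged, baseline_fps, block_at="high"):
    """Return (passed, new_findings, resolved_fingerprints).

    Only findings absent from the baseline and at/above block_at fail the build; the
    known backlog stays tracked in the platform rather than blocking each deploy, and
    issues no longer observed are reported as resolved so they can be auto-closed.
    """
    new = [f for fp, f in merged.items() if fp not in baseline_fps]
    resolved = sorted(baseline_fps - set(merged))
    blocking = [f for f in new if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[block_at]]
    return not blocking, new, resolved


# Constructed sample input: two SAST tools, one DAST tool, and the platform's baseline.
SAST = [
    Finding("sast-a", "CWE-89", "src/orders.py:42", "high"),
    Finding("sast-b", "CWE-89", "src/orders.py:42", "critical"),  # same issue, rated higher
    Finding("sast-a", "CWE-79", "src/search.py:17", "medium"),
]
DAST = [Finding("dast", "CWE-352", "/account/email", "medium")]
BASELINE = {Finding("sast-a", "CWE-79", "src/search.py:17", "low").fingerprint(),
            Finding("sast-a", "CWE-22", "src/files.py:9", "high").fingerprint()}

if __name__ == "__main__":
    passed, new, resolved = evaluate(merge(SAST, DAST), BASELINE)
    print("build", "PASSED" if passed else "FAILED", "| new:", len(new), "| resolved:", len(resolved))
```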
DevOps Concepts if You Are Forced to Improvise
Focus on testing in production environments
Create processes and scanning systems to tear down vulnerable functionality
Recognize that production is where you might first learn of new features!
Recognize application attack patterns in production environments via big data
Fix vulnerability!
2016 Gartner Recommendations
If you haven’t already, get involved in DevOps initiatives
Remain true to DevOps philosophy: Teamwork and transparency
Require security and management vendors to:
Fully API-enable their platform services
Provide out-of-the-box support for common DevOps toolchain environments
Provide out-of-the-box support for containers and management systems
Make OSS software module identification and vulnerability scanning a priority in 2016
Don’t use containers spanning trust levels on same system
Apply What You Learned Today
Next week you should:
Be immediately comfortable having a discussion about DevOps and application security with your colleagues and management
In the first three months following this presentation you should:
Understand your organization’s DevOps strategy
Apply initial application security strategies to your organization’s DevOps practices
Within six months you should:
Be a partner with your business units to rapidly develop software while addressing security risks throughout the process
Resources
“Continuous Integration: Improving Software Quality and Reducing Risk,” Paul Duvall
“Continuous Delivery: The Dirty Details,” Mike Brittain, Etsy
“DevOpsSec: Delivering Secure Software Through Continuous Delivery,” Jim Bird
“Effective Approaches to Web Application Security,” Zane Lackey, Signal Sciences
“Integrating Security in DevOps: DevSecOps,” Neil McDonald, Gartner
Questions and Answers
John B. Dickson
@johnbdickson