we45 - secdevops concept presentation

© 2015 , we45 1 Security in DevOps Concept Presentation

Upload: abhay-bhargav

Post on 12-Jan-2017


TRANSCRIPT

Page 1: we45 - SecDevOps Concept Presentation

Security in DevOps: Concept Presentation

Page 2: we45 - SecDevOps Concept Presentation

Topics of Discussion

Current State of Application Delivery

Current Challenges with Application Security

The Application Driven Enterprise Goal

The we45 SecDevOps Framework


Page 3: we45 - SecDevOps Concept Presentation

Current State of Application Delivery

Massive decrease in application delivery and deployment timelines: Amazon ships code every 12 seconds.

Increased Use of Agile Development Practices in the SDLC

Increased Adoption of Cloud for Application Delivery

Increased Adoption of DevOps practices to: Reduce friction between Development and Operations

Increase Collaboration in all areas of Application Delivery

Leverage Continuous Integration, Delivery and Deployment to release code to production faster

Leverage Automation – To increase Throughput


Page 4: we45 - SecDevOps Concept Presentation


Page 5: we45 - SecDevOps Concept Presentation

Today – The Application Driven Economy


Page 6: we45 - SecDevOps Concept Presentation

Attributes of an Application Driven Enterprise

Throughput: revenue generated from delivering apps to customers

Operating Resources: resources expended to generate Throughput

Page 7: we45 - SecDevOps Concept Presentation

The Goal

Increase Throughput while simultaneously reducing Operating Resources

Page 8: we45 - SecDevOps Concept Presentation

The Numbers

$30K: cost of fixing a security bug in production

200: average number of days required to fix a high/medium security bug

4 in 5: managers and product engineering heads see security as the biggest bottleneck

74%: apps with at least one serious vulnerability

Page 9: we45 - SecDevOps Concept Presentation

App security bottleneck – blocking the release

Requirements -> Design -> Develop -> Test -> Security Test

Releases are blocked until security vulnerabilities are fixed, resulting in:

• Higher Operational Resources to fix Security Bugs

• Slower Release Cycles

• Slower Throughput

• Breakdown of Agile and DevOps

Page 10: we45 - SecDevOps Concept Presentation

App security bottleneck – security iterations

Requirements -> Design -> Develop -> Test -> Security Test -> Release to Customer

Apps cannot be used until security vulnerabilities are fixed, resulting in:

• Higher Sales Cycle – reducing Throughput

• Unhappy Customers

• Higher cost of development to fix security issues, i.e. higher Operating Resources

Customer rejects the app till security vulnerabilities are fixed.

Page 11: we45 - SecDevOps Concept Presentation

Security Flaws always do the following:

Break down the Agile and DevOps lifecycle

Cause reduction of Application Delivery Throughput

Result in Lower Customer Satisfaction

Increase time and resources in fixing security flaws


Page 12: we45 - SecDevOps Concept Presentation

we45 SecDevOps Framework

Designed to integrate security into the organization’s DevOps practices

Combination of Training + Consulting + Implementation => delivering maximum impact on application security through a multi-pronged approach

Guaranteed to meet the goal: increase Throughput while reducing Operating Resources in application delivery

Page 13: we45 - SecDevOps Concept Presentation

How does it work?

It is a combination of the following:

System and Component Driven Threat Modeling + Security By Design

Custom Security Automation Suite, integrated with CI (Continuous DAST)

Automated Security Testing, integrated with Continuous Deployment

Post-Deployment Security Validation

(The slide diagram groups these into three blocks: Threat Modeling and Secure By Design; SAST and Continuous DAST; Pre & Post Deployment Security Testing.)

Page 14: we45 - SecDevOps Concept Presentation

A Highlight of the SecDevOps Approach

Agile flow on the slide: Product Backlog (Requirements) -> Sprint Backlog (Sprint Requirements) -> Design -> Develop/Integrate -> Test -> Release

Security activity mapped to each phase:

Requirements: Security Risk Assessment + Threat Model

Design and Prototype: Security Design Review

Development, Iterations, Prototype: Peer Code Review + Training

Testing: Customized Automated Security Testing in CI

Release and Deploy: Security in Release and Config Management

Page 15: we45 - SecDevOps Concept Presentation


Threat Modeling + Security By Design

Threat Modeling is essential in integrating security into the SDLC.

Threat Modeling done at the System and specific component level provides micro and macro perspectives

Threat Modeling – Valuable Input for Security Testing and Security Automation

Serves as Valuable Input for Security By Design

we45’s SecDevOps Framework => STRIDE Threat Modeling with DREAD for measurement

STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege

DREAD: Damage, Reproducibility, Exploitability, Affected Users, Discoverability
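The slide names STRIDE for enumeration and DREAD for measurement but does not show how the two fit together at system and component level. The script below is an added example, not we45's tooling: it applies the STRIDE-per-element chart from Microsoft's SDL threat modeling practice (external entities get S and R, processes all six, data stores T/R/I/D, data flows T/I/D) to a small data-flow model, flags flows that cross a trust boundary, ranks the threats an analyst has rated with DREAD, and lists which boundary-crossing threats are still unrated. The system, trust zones, descriptions and DREAD ratings are constructed for the example.

```python
"""STRIDE-per-element enumeration with DREAD scoring (added example, not we45 code)."""
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}

# STRIDE-per-element chart: which categories apply to each DFD element type.
PER_ELEMENT = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "store"
    zone: str   # trust zone the element runs in (constructed labels below)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str


def enumerate_threats(elements, flows):
    """Macro (system-level) view: every (target, category, crosses_boundary) the chart yields."""
    zone = {e.name: e.zone for e in elements}
    threats = [(e.name, c, False) for e in elements for c in PER_ELEMENT[e.kind]]
    for f in flows:
        target = f"{f.src}->{f.dst} [{f.data}]"
        crosses = zone[f.src] != zone[f.dst]      # boundary-crossing flows get reviewed first
        threats += [(target, c, crosses) for c in PER_ELEMENT["flow"]]
    return threats


def dread(damage, reproducibility, exploitability, affected_users, discoverability):
    """DREAD risk score: mean of the five 0-10 ratings named on the slide, giving 0..10."""
    ratings = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 0 <= r <= 10 for r in ratings):
        raise ValueError("DREAD ratings must be in 0..10")
    return sum(ratings) / 5


def rank(rated):
    """Micro (component-level) view: analyst-rated threats, highest DREAD first.
    rated: {(target, category): (description, dread_score)}"""
    rows = ({"target": t, "category": STRIDE[c], "threat": d, "score": s}
            for (t, c), (d, s) in rated.items())
    return sorted(rows, key=lambda r: -r["score"])


def unrated_boundary_threats(elements, flows, rated):
    """Enumerated threats on boundary-crossing flows with no rating yet: the review gap."""
    return [(t, c) for t, c, crosses in enumerate_threats(elements, flows)
            if crosses and (t, c) not in rated]


# Constructed system: browser -> API -> order DB, API also calls a payment provider.
ELEMENTS = [Element("browser", "external", "internet"), Element("api", "process", "dmz"),
            Element("orders-db", "store", "internal"), Element("payments", "external", "internet")]
FLOWS = [Flow("browser", "api", "login+orders"), Flow("api", "orders-db", "order rows"),
         Flow("api", "payments", "card token")]

# Constructed analyst ratings for three of the enumerated threats.
RATED = {
    ("api", "E"): ("order id changed in the URL reads another user's order", dread(8, 10, 9, 8, 9)),
    ("browser->api [login+orders]", "T"): ("unit price accepted from the client", dread(9, 8, 7, 6, 5)),
    ("orders-db", "I"): ("backup dumps readable by all internal staff", dread(7, 10, 3, 9, 2)),
}

if __name__ == "__main__":
    for r in rank(RATED):
        print(f"{r['score']:.1f}  {r['category']:<24} {r['target']}: {r['threat']}")
    print("unrated on trust-boundary flows:", unrated_boundary_threats(ELEMENTS, FLOWS, RATED))
```

The ranked list is what feeds the automated test backlog; the unrated list is the reviewer's to-do, which is how the component-level (micro) and system-level (macro) views stay in step.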

Page 16: we45 - SecDevOps Concept Presentation


Custom Security Automation Suite

Current State of Application Security Testing (DAST):

Only 30-40% of Security Vulnerabilities are identified through Security Testing Tools (Automated tools)

Manual Application Security Testing is slow…

we45’s SecDevOps Framework incorporates a hybrid approach:

Perform Automated Test through Automated Tools

Provide Custom Security Scripts to simulate manual application security testing

Integrate the entire suite with Continuous Integration

Application Security Testing (DAST), 100% coverage = Automated Vulnerability Assessment Tools + Custom Automation of Manual Security Tests

Page 17: we45 - SecDevOps Concept Presentation


Benefits – Custom Security Automation Suite

Perform a high-quality penetration test for every release (not quarterly, bi-annually or annually)

Integrated with CI: the build fails if a security test fails, so security flaws cannot be deferred

Greater visibility: complete reporting of tests, payloads and pass/fail information

Combination of manual and automated => 100% vulnerability/parameter coverage

Issues can be re-created and repeated without penetration testers being involved

Granular vulnerability management using we45’s VME (Vulnerability Management Engine)
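Slides 16 and 17 describe custom scripts that reproduce manual tests, run in CI, and fail the build with a record of the payload and the evidence. The script below is an added example of that shape, not we45's automation suite. Because it has to run offline, it starts a deliberately vulnerable stand-in application on loopback (constructed for the example: an order lookup that never checks ownership, and a search page that echoes its input unencoded) and runs two scripted checks against it, one business-logic test and one injection test; the endpoints, tokens and order data are all invented here.

```python
"""Minimal CI security gate with scripted checks (added example, not we45 code)."""
import json
import sys
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed fixture: two users with one bearer token each, and two orders.
ORDERS = {"1001": {"owner": "alice", "total": 42}, "1002": {"owner": "bob", "total": 99}}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


class VulnerableApp(BaseHTTPRequestHandler):
    """Stand-in target: IDOR in /api/orders/{id}, reflected input in /search."""

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        user = TOKENS.get(self.headers.get("Authorization", "").replace("Bearer ", ""))
        if url.path.startswith("/api/orders/"):
            order = ORDERS.get(url.path.rsplit("/", 1)[1])
            if user is None or order is None:
                return self._send(401 if user is None else 404, b"{}")
            # Flaw under test: ownership is never checked, any valid token reads any order.
            return self._send(200, json.dumps(order).encode())
        if url.path == "/search":
            q = urllib.parse.parse_qs(url.query).get("q", [""])[0]
            # Flaw under test: the query is echoed into HTML without encoding.
            return self._send(200, f"<p>Results for {q}</p>".encode(), "text/html")
        self._send(404, b"")

    def _send(self, status, body, ctype="application/json"):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the gate's own report readable
        pass


def start_target():
    """Start the stand-in app on an ephemeral loopback port; returns its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), VulnerableApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}"


def http_get(url, token=None):
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=5) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:   # 4xx/5xx still carry evidence
        return e.code, e.read().decode()


def check_idor(base):
    """Business-logic test: alice's token must not be able to read bob's order."""
    status, body = http_get(f"{base}/api/orders/1002", token="tok-alice")
    return {"test": "IDOR on /api/orders/{id}", "payload": "GET /api/orders/1002 as alice",
            "passed": status in (403, 404), "evidence": f"HTTP {status}: {body[:60]}"}


def check_reflected_xss(base):
    """Injection test: a marker payload must not come back unencoded."""
    marker = '<svg/onload=alert("ci")>'
    status, body = http_get(f"{base}/search?{urllib.parse.urlencode({'q': marker})}")
    return {"test": "Reflected XSS on /search?q=", "payload": marker,
            "passed": marker not in body, "evidence": f"HTTP {status}: {body[:60]}"}


def run_gate(base):
    """Run every scripted check; returns (results, exit_code) for the CI job."""
    results = [check_idor(base), check_reflected_xss(base)]
    return results, (0 if all(r["passed"] for r in results) else 1)


if __name__ == "__main__":
    report, code = run_gate(start_target())
    print(json.dumps(report, indent=2))   # test, payload, pass/fail and evidence per check
    sys.exit(code)                        # non-zero fails the build
```

Each result record carries the test name, the exact payload and the response evidence, which is what lets a developer re-run the finding without a penetration tester; the exit code is the only thing the CI job needs to block the release.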

Page 18: we45 - SecDevOps Concept Presentation

Coverage – Custom Security Automation Suite

OWASP/SANS/WASC vulnerabilities

Specialized business logic vulnerabilities

Insecure platform libraries and third-party APIs

Vulnerabilities in the network and OS layer

Page 19: we45 - SecDevOps Concept Presentation


Automated Testing – Continuous Deployment

Automated test suite integrated with Continuous Deployment products (or run standalone) to perform:

Host and OS security checks

Vulnerability checks on app servers, DBs, NoSQL DBs, etc.

Checks for vulnerabilities in network configurations

Integrates with Continuous Deployment and configuration management products like Chef, Ansible, Puppet, etc.
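A host or OS check of the kind this slide lists is, at bottom, a script that reads deployed configuration and exits non-zero when it deviates from a baseline. The script below is an added example, not we45's suite: it audits an sshd_config against a small baseline whose values are an assumption of this example. It relies on three sshd semantics that trip up naive checkers: keywords are case-insensitive, the first occurrence of a keyword wins, and anything below a `Match` line applies only to matching connections and must not be read as the global value. The sample file is constructed here.

```python
"""Post-deployment sshd_config audit (added example, not we45 code)."""
import re
import sys

# Assumed baseline: keyword -> (acceptable values, value sshd uses when the keyword is absent).
BASELINE = {
    "permitrootlogin":         ({"no", "prohibit-password", "without-password"}, "prohibit-password"),
    "passwordauthentication":  ({"no"}, "yes"),
    "permitemptypasswords":    ({"no"}, "no"),
    "x11forwarding":           ({"no"}, "no"),
    "hostbasedauthentication": ({"no"}, "no"),
}
MAX_AUTH_TRIES = 4   # assumed limit for this example; sshd's own default is 6

DIRECTIVE = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.*)$")   # "Key value" or "Key=value"


def parse_sshd_config(text):
    """Effective global settings as {keyword_lower: value}; first occurrence wins."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":             # conditional section: nothing below it is global
            break
        effective.setdefault(key, value)   # sshd ignores later duplicates
    return effective


def audit(text):
    """Findings against BASELINE; an empty list means the host passes."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, (allowed, default) in BASELINE.items():
        value = cfg.get(key, default).lower()
        if value not in allowed:
            findings.append({"keyword": key, "value": value,
                             "expected": sorted(allowed), "explicit": key in cfg})
    tries = int(cfg.get("maxauthtries", "6"))
    if tries > MAX_AUTH_TRIES:
        findings.append({"keyword": "maxauthtries", "value": str(tries),
                         "expected": [f"<= {MAX_AUTH_TRIES}"], "explicit": "maxauthtries" in cfg})
    return findings


SAMPLE_CONFIG = """\
# Constructed sample for the example, not a real host's file
Port 22
PermitRootLogin yes
# the next line is ignored by sshd: the first occurrence above wins
PermitRootLogin no
X11Forwarding no
MaxAuthTries 10
Match User deploy
    # applies to user deploy only; globally PasswordAuthentication keeps its default (yes)
    PasswordAuthentication no
"""

if __name__ == "__main__":
    problems = audit(SAMPLE_CONFIG)
    for p in problems:
        origin = "set in file" if p["explicit"] else "sshd default"
        print(f"FAIL {p['keyword']} = {p['value']} ({origin}); expected {p['expected']}")
    sys.exit(1 if problems else 0)   # non-zero fails the deployment step
```

On the sample it reports three failures: root login explicitly enabled, password authentication left at its default because the only `no` sits inside a `Match` block, and MaxAuthTries above the limit. Wired into a Chef, Ansible or Puppet run as a post-deploy step, the exit code is what stops a mis-configured host from being promoted.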

Page 20: we45 - SecDevOps Concept Presentation


Additional Elements – we45 SecDevOps Framework

Automated Static Code Analysis (SAST)

Designing a security oriented Continuous Monitoring Strategy

Focused training workshops for different teams:

Certified Web Security Professional (Developing Secure Web Apps and Web Services): developers and architects

Certified Mobile Security Professional (Developing Secure Mobile Apps and Web Services): developers and architects

Certified SecDevOps Professional (comprehensive insight into implementing SecDevOps for your organization): developers, architects, operations personnel, DevOps engineers

Page 21: we45 - SecDevOps Concept Presentation


Conclusions

DevOps or Agile without security is ineffective

Security is usually the most pervasive bottleneck

we45’s SecDevOps Framework ensures that security is integrated into the SDLC and DevOps framework

This results in achievement of the enterprise goal: higher Throughput through application delivery with a simultaneous reduction in Operating Resources

Page 22: we45 - SecDevOps Concept Presentation

thank you
