we45 - secdevops concept presentation
TRANSCRIPT
© 2015 , we45 1
Security in DevOps: Concept Presentation
Topics of Discussion
Current State of Application Delivery
Current Challenges with Application Security
The Application Driven Enterprise Goal
The we45 SecDevOps Framework
Current State of Application Delivery
Massive Decrease in Application Delivery and Deployment Timelines: Amazon ships code every 12 seconds.
Increased Use of Agile Development Practices in the SDLC
Increased Adoption of Cloud for Application Delivery
Increased Adoption of DevOps practices to:
• Reduce friction between Development and Operations
• Increase Collaboration in all areas of Application Delivery
• Leverage Continuous Integration, Delivery and Deployment to release code to production faster
• Leverage Automation to increase Throughput
Today – The Application Driven Economy
Attributes of an Application Driven Enterprise
Throughput – Revenue generated from delivering apps to customers
Operating Resources – Resources expended to generate Throughput
The Goal
Increase Throughput while simultaneously reducing the Operating Resources
The Numbers
• 4 in 5: Managers and Product Engineering Heads see Security as the biggest bottleneck
• $30K: Cost of fixing a security bug in production
• 200: Average number of days required to fix a high/medium security bug
• 74%: Number of apps with at least one serious vulnerability
App security bottleneck – blocking the release
Pipeline: Requirements → Design → Develop → Test → Security Test
Releases are blocked until security vulnerabilities are fixed, resulting in:
• Higher Operational Resources to fix Security Bugs
• Slower Release Cycles
• Slower Throughput
• Breakdown of Agile and DevOps
App security bottleneck – security iterations
Pipeline: Requirements → Design → Develop → Test → Security Test → Release to Customer
Apps cannot be used until security vulnerabilities are fixed, resulting in:
• Higher Sales Cycle – reducing Throughput
• Unhappy Customers
• Higher Cost of Development to fix Security Issues – Higher Operational Resources
Customer rejects the app till security vulnerabilities are fixed.
Security Flaws always do the following:
• Break down the Agile and DevOps lifecycle
• Cause reduction of Application Delivery Throughput
• Result in Lower Customer Satisfaction
• Increase time and resources in fixing security flaws
we45 SecDevOps Framework
Designed to Integrate Security into the organization’s DevOps practices
Combination of Training + Consulting + Implementation => Delivering Maximum Impact on Application Security through a Multi-Pronged Approach
Guaranteed to meet the goal: Increase Throughput while reducing Operational Resources in Application Delivery
How does it work?
It is a combination of the following:
System and Component Driven Threat Modeling + Security By Design
Custom Security Automation Suite – integrated with CI (Continuous DAST)
Automated Security Testing – integrated with Continuous Deployment
Post-Deployment Security Validation
A Highlight of the SecDevOps Approach
• Threat Modeling and Secure By Design
• SAST and Continuous DAST
• Pre & Post Deployment Security Testing
Agile flow: Product Backlog (Requirements) → Sprint Backlog (Sprint Requirements) → Design → Develop → Integrate → Test → Release
Security activities mapped to each phase:
• Requirements: Security Risk Assessment + Threat Model
• Design and Prototype: Security Design Review
• Development, Iterations, Prototype: Peer Code Review + Training
• Testing: Customized Automated Security Testing in CI
• Release and Deploy: Security in Release and Config Management
Threat Modeling + Security By Design
Threat Modeling is essential in integrating security into the SDLC.
Threat Modeling done at the System and specific component level provides micro and macro perspectives.
Threat Modeling is valuable input for Security Testing and Security Automation.
It also serves as valuable input for Security By Design.
we45’s SecDevOps Framework => STRIDE Threat Modeling with DREAD for measurement
STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privileges
DREAD: Damage, Reproducibility, Exploitability, Affected Users, Discoverability
Custom Security Automation Suite
Current State of Application Security Testing (DAST):
Only 30-40% of Security Vulnerabilities are identified through Security Testing Tools (Automated tools)
Manual Application Security Testing is slow…
we45’s SecDevOps Framework incorporates a hybrid approach:
• Perform Automated Tests through Automated Tools
• Provide Custom Security Scripts to simulate manual application security testing
• Integrate the entire suite with Continuous Integration
Application Security Testing (DAST), 100% Coverage = Automated Vulnerability Assessment Tools + Custom Automation of Manual Security Tests
Benefits – Custom Security Automation Suite
Perform a High Quality Penetration Test for EVERY RELEASE!! (Not quarterly/bi-annual/annual)
Integrated with CI – Build Fails if Security has failed. No escape from fixing security flaws
Greater Visibility – Complete Reporting of Tests, Payloads and Pass/Fail Information
Combination of Manual and Automated => 100% Vulnerability/Parameter Coverage
Issues can be re-created and repeated without Penetration Testers being involved.
Granular Vulnerability Management using we45’s VME (Vulnerability Management Engine)
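As an added illustration of the two ideas above (DREAD measurement of STRIDE-classified findings, and a CI gate that fails the build while reporting every test, payload and pass/fail result), here is a small Python example. It is not we45's code: the findings, the payload identifiers and the High/Medium/Low cut-offs are constructed for the example.

```python
import sys

# Constructed sample output of one CI security test run (not real scan data).
# Each DREAD tuple is (Damage, Reproducibility, Exploitability, Affected Users,
# Discoverability), each rated 0-10; passed tests carry no DREAD rating.
SAMPLE_RESULTS = [
    {"test": "sqli_login_form", "stride": "Tampering",
     "payload": "sqli-boolean-01", "passed": False, "dread": (9, 10, 8, 9, 7)},
    {"test": "verbose_error_page", "stride": "Information Disclosure",
     "payload": "malformed-request-01", "passed": False, "dread": (3, 10, 6, 2, 8)},
    {"test": "csrf_token_present", "stride": "Spoofing",
     "payload": "missing-token-01", "passed": True},
]

def dread_score(ratings):
    """Standard DREAD risk score: the mean of the five ratings."""
    return sum(ratings) / 5

def risk_band(score):
    """Bucket a DREAD score; the cut-offs are an assumption for this example."""
    if score >= 7:
        return "High"
    return "Medium" if score >= 4 else "Low"

def evaluate(results, fail_on=("High",)):
    """Build the report rows and decide the gate: any FAIL in a fail_on band blocks."""
    rows = []
    for r in results:
        score = 0.0 if r["passed"] else dread_score(r["dread"])
        rows.append({"test": r["test"], "stride": r["stride"], "payload": r["payload"],
                     "status": "PASS" if r["passed"] else "FAIL",
                     "dread": round(score, 1),
                     "band": "None" if r["passed"] else risk_band(score)})
    rows.sort(key=lambda row: row["dread"], reverse=True)   # highest risk first
    blocked = any(row["status"] == "FAIL" and row["band"] in fail_on for row in rows)
    return not blocked, rows

def main():
    ok, rows = evaluate(SAMPLE_RESULTS)
    for row in rows:   # report every test, its payload and its pass/fail result
        print(f"{row['status']:4} {row['band']:6} {row['dread']:4} "
              f"{row['stride']:22} {row['test']}  payload={row['payload']}")
    print("BUILD PASSED" if ok else "BUILD FAILED: security gate blocked the release")
    sys.exit(0 if ok else 1)   # a non-zero exit is what fails the CI build

if __name__ == "__main__":
    main()
```

Widening `fail_on` to `("High", "Medium")` turns the gate stricter without touching the tests themselves, which is how the threshold would normally be tuned per pipeline.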
Coverage – Custom Security Automation Suite
• OWASP/SANS/WASC Vulnerabilities
• Specialized Business Logic Vulnerabilities
• Vulnerabilities in Insecure Platform Libraries and Third-Party APIs
• Vulnerabilities in the Network and OS Layer
Automated Testing – Continuous Deployment
Automated Test Suite integrated with Continuous Deployment products or standalone, to perform:
• Host and OS Security Checks
• Vulnerabilities in App Servers, DBs, NoSQL DBs, etc.
• Vulnerabilities in Network Configurations
Integrates with Continuous Deployment products like Chef, Ansible, Puppet, etc.
Additional Elements – we45 SecDevOps Framework
• Automated Static Code Analysis (SAST)
• Designing a security-oriented Continuous Monitoring Strategy
• Focused Training Workshops for Different Teams:
  Certified Web Security Professional (Developing Secure Web Apps and Web Services) – Developers and Architects
  Certified Mobile Security Professional (Developing Secure Mobile Apps and Web Services) – Developers and Architects
  Certified SecDevOps Professional (Comprehensive Insight into implementing SecDevOps for your organization) – Developers, Architects, Operations Personnel, DevOps Engineers
Conclusions
• DevOps or Agile without Security is ineffective
• Security is usually the most pervasive bottleneck
• we45’s SecDevOps Framework ensures that Security is integrated into the SDLC and DevOps Framework
• This results in achievement of the Enterprise Goals: Higher Throughput through Application Delivery with a simultaneous reduction in Operating Resources
thank you