we45 secdevops presentation - isaca chennai
TRANSCRIPT
© 2015, we45
Securing Hyper-Scale Cloud Apps with SecDevOps
Yours Truly – Abhay Bhargav, CISA, CISSP, SANS-GWAPT, ISO-27001LA, CPA
Author of two international publications on PCI Compliance and Secure Java
Lead Trainer on World’s First Hands-On IoT Security Workshop on Jan 26 @ Dubai
Specialized in Application Security – Mobile, Web, and now, IoT
Developed multiple products and tools - Python Expert
Agenda
Current State of Application Delivery
Current Challenges with Application Security
The Application Driven Enterprise Goal
The we45 SecDevOps Framework
Today – The Application Driven Economy
Attributes of an Application Driven Enterprise
Throughput – Revenue generated from
delivering apps to customers
Operating Resources– Resources expended to
generate Throughput
The Goal
Increase Throughput while simultaneously reducing the
Operating Resources
Current State of Application Delivery
Massive decrease in Application Delivery and Deployment timelines: Amazon ships code every 12 seconds.
Increased use of Agile development practices in the SDLC
Increased adoption of Cloud for Application Delivery
Increased adoption of DevOps practices to:
Reduce friction between Development and Operations
Increase collaboration in all areas of Application Delivery
Leverage Continuous Integration, Delivery and Deployment to release code to production faster
Leverage Automation to increase Throughput
What is Agile?
Time-Boxed, Iterative Approach to Application Delivery
Focus: Collaboration, Speed, Flexibility
Adoption has increased multi-fold (> 80%)
What is DevOps?
Common DevOps Practices
Agile Development
Continuous Integration
Continuous Deployment
Continuous Delivery
A Look at App related Breaches in 2015
Ashley Madison
TalkTalk
Anthem
JP Morgan Chase
Experian
Gaana.com
OPM
MacKeeper
Common Factors
Highly scalable Public and Private Cloud Apps
Rapid-release Product Development Environments/Organizations
Utilizing Agile and DevOps Practices
Application Delivery vs. Application Security
The Numbers
4 in 5: Managers and Product Engineering Heads see Security as the biggest bottleneck
$30K: Cost of fixing a security bug in production
200: Average number of days required to fix a high/medium security bug
74%: Number of apps with at least one serious vulnerability
App security bottleneck – blocking the release
Requirements → Design → Develop → Test → Security Test
Releases are blocked until security vulnerabilities are fixed, resulting in:
• Higher Operational Resources to fix Security Bugs
• Slower Release Cycles
• Slower Throughput
• Breakdown of Agile and DevOps
App security bottleneck – security iterations
Requirements → Design → Develop → Test → Security Test → Release to Customer
Apps cannot be used until security vulnerabilities are fixed, resulting in:
• Longer Sales Cycle – reducing Throughput
• Unhappy Customers
• Higher Cost of Development to fix Security Issues – Higher Operational Resources
Customer rejects the app till security vulnerabilities are fixed.
Security Flaws always do the following:
Break down the Agile and DevOps lifecycle
Cause reduction of Application Delivery Throughput
Result in Lower Customer Satisfaction
Increase time and resources in fixing security flaws
Case Study: ACME Advantage, the World’s leading Software Product Developer for Stock Trading Platforms
Engaged with we45 for the last 3 years
Vulnerabilities detected were somehow never fixed
New vulnerabilities were introduced rapidly as the applications changed
Problem Statement: Security iterations demanded by several customers
Engagement: Tool-based and Manual Testing
Serious Problems: ACME Advantage
They tried Web Vulnerability Scanning: fewer than 40% of vulnerabilities discovered
Security didn’t keep pace with rapid release cycles (5 releases per week)
Clash of the Titans: Functional Issues vs Security Issues
Why not use Web Vulnerability Scanning Tools?
Modern Cloud Apps are very complex – especially the Stack and the Business Logic
Vulnerability Scanners only find low-hanging fruit – about 30-40% of the vulnerabilities
Web Services Flaws, Protocol Flaws, Business Logic Flaws, Cryptographic Flaws and Advanced Injection Flaws are never identified
Cannot find flaws in Analytics, NoSQL and newer Database Technologies
we45 SecDevOps Framework – ACME Advantage
Designed to Integrate Security into the organization’s DevOps practices
Combination of Training + Consulting + Implementation => Delivering maximum impact on Application Security through a multi-pronged approach
Guaranteed to meet the goal: Increase Throughput while reducing Operational Resources in Application Delivery
The Ingredients
Modeling Threats
Training Dev + Ops
Custom Security Automation Suite
Integrating into SecDevOps
Threat Modeling and Secure By Design
SAST and Continuous DAST
ACME Advantage: Agile Methodology
Product Backlog (Requirements) feeds the Sprint Backlog (Sprint)
Sprint loop: Requirements, Design, Develop/Integrate, Test, Release
Phases: Requirements; Design and Prototype; Development, Iterations, Prototype; Testing; Release and Deploy
Threat Modeling + Security By Design
Threat Modeling is essential in integrating security into the SDLC.
Threat Modeling done at the System and specific component level provides micro and macro perspectives
Threat Modeling – Valuable Input for Security Testing and Security Automation
Serves as Valuable Input for Security By Design
we45’s SecDevOps Framework => STRIDE Threat Modeling with Bug Tree Methodology
STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
DREAD: Damage, Reproducibility, Exploitability, Affected Users, Discoverability
Custom Security Automation Suite
Current State of Application Security Testing (DAST):
Only 30-40% of security vulnerabilities are identified through automated security testing tools
Manual Application Security Testing is slow…
we45’s SecDevOps Framework incorporates a hybrid approach:
Perform automated tests through automated tools
Provide custom security scripts to simulate manual application security testing
Integrate the entire suite with Continuous Integration
Application Security Testing (DAST) at 100% Coverage = Automated Vulnerability Assessment Tools + Custom Automation of Manual Security Tests
Benefits – Custom Security Automation Suite
Perform a High Quality Penetration Test for EVERY RELEASE!! (Not quarterly/bi-annual/annual)
Integrated with CI – the build fails if security has failed, so there is no escape from fixing security flaws
Greater Visibility – Complete Reporting of Tests, Payloads and Pass/Fail Information
Combination of Manual and Automated => 100% Vulnerability/Parameter Coverage
Issues can be re-created and repeated without Penetration Testers being involved.
Granular Vulnerability Management using we45’s VME (Vulnerability Management Engine)
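As an added illustration of the hybrid suite and of the “build fails if security fails” rule on this slide, and of the earlier point that threat-model entries are input for security automation: this is example code written for this page, not we45’s automation suite or VME. It normalises an automated scanner’s findings, adds one scripted check derived from a STRIDE entry (Information Disclosure on the order-lookup component) of the kind a tester would otherwise run by hand, and returns a non-zero exit code when anything at or above the policy threshold remains. The scanner JSON schema, the injected `fetch` helper, the `/orders/{id}` endpoint and the user names are assumptions made for the example.

```python
from __future__ import annotations

import json
import sys
from dataclasses import dataclass
from typing import Callable

# Severity ordering used by the gate; anything not listed (e.g. "informational") ranks 0.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    tool: str       # "scanner" or "custom"
    severity: str   # lower-cased
    title: str
    location: str


# Constructed sample of a DAST scanner's JSON export. The field names are an
# assumption for this example, not any particular scanner's schema.
SCANNER_REPORT = json.dumps({
    "findings": [
        {"severity": "High", "name": "Reflected XSS", "url": "/search?q="},
        {"severity": "Low", "name": "Missing X-Content-Type-Options header", "url": "/"},
        {"severity": "Informational", "name": "Server banner disclosed", "url": "/"},
    ]
})


def parse_scanner_report(raw: str) -> list[Finding]:
    """Normalise the automated tool's output into the gate's Finding type."""
    data = json.loads(raw)
    return [Finding("scanner", f["severity"].lower(), f["name"], f["url"])
            for f in data.get("findings", [])]


def custom_idor_check(fetch: Callable[[str, str], int]) -> list[Finding]:
    """Scripted form of a manual test, derived from a threat-model entry
    (STRIDE: Information Disclosure on the order-lookup component): user
    'alice' must not be able to read order 1002, which belongs to 'bob'.
    `fetch(path, user)` returns an HTTP status and is injected so the check
    runs offline here; in CI it would wrap a real HTTP client (assumption)."""
    status = fetch("/orders/1002", "alice")
    if status == 200:
        return [Finding("custom", "high", "IDOR: cross-user order read", "/orders/1002")]
    return []


def evaluate(findings: list[Finding], fail_on: str = "high",
             accepted: frozenset[str] = frozenset()) -> list[Finding]:
    """Return the findings that block the build: at or above `fail_on`
    severity and not on the explicitly accepted-risk list."""
    threshold = SEVERITY_RANK[fail_on]
    return [f for f in findings
            if SEVERITY_RANK.get(f.severity, 0) >= threshold and f.title not in accepted]


def run_gate(raw_report: str, fetch: Callable[[str, str], int],
             accepted: frozenset[str] = frozenset()) -> int:
    """Merge scanner and custom findings and return the process exit code:
    1 fails the CI build, 0 lets it proceed."""
    findings = parse_scanner_report(raw_report) + custom_idor_check(fetch)
    blocking = evaluate(findings, accepted=accepted)
    for f in blocking:
        print(f"[{f.severity.upper()}] {f.tool}: {f.title} at {f.location}")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Stand-alone run against a stand-in app that still has the IDOR bug.
    def vulnerable_app(path: str, user: str) -> int:
        return 200
    sys.exit(run_gate(SCANNER_REPORT, vulnerable_app))
```

The accepted-risk list is keyed by finding title only to keep the example short; in a real gate it should be keyed by title plus location and carry an expiry so an accepted risk cannot silently outlive the sprint that accepted it.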
Coverage – Custom Security Automation Suite
Identify vulnerabilities in:
OWASP/SANS/WASC Vulnerabilities
Specialized Business Logic Vulnerabilities
Insecure Platform Libraries and Third-Party APIs
Vulnerabilities in the Network and OS Layer
Automated Testing – Continuous Deployment
Automated Test Suite integrated with Continuous Deployment products/standalone, to perform:
Host and OS Security Checks
Vulnerabilities in App Servers, DBs, NoSQL DBs, etc.
Vulnerabilities in Network Configurations
Integrate with configuration-management and deployment products like Chef, Ansible, Puppet, etc.
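An added example of the host and OS checks described above, written for this page and not taken from we45’s tooling: a check of the effective global `sshd_config` policy that a deployment pipeline can run after Chef, Ansible or Puppet has converged a host (for instance from an Ansible `command` task or a Chef `execute` resource) and that fails the deployment on a non-zero exit code. It models the parts of sshd’s parsing that matter for a correct verdict: keywords are case-insensitive, `Key value` and `Key=value` are both accepted, the first occurrence of a keyword wins, and directives after a `Match` line are conditional rather than global. The sample configurations are constructed, and the daemon defaults recorded in `RULES` are an assumption for a modern OpenSSH release; adjust them for the fleet’s actual version.

```python
import re
import sys

# keyword -> (acceptable-value predicate, value assumed when the directive is
# absent, reason). Defaults assume OpenSSH 7.x or later (assumption).
RULES = {
    "permitrootlogin": (lambda v: v in {"no", "prohibit-password"}, "prohibit-password",
                        "interactive root login over SSH"),
    "passwordauthentication": (lambda v: v == "no", "yes",
                               "password logins are brute-forceable; require keys"),
    "permitemptypasswords": (lambda v: v == "no", "no",
                             "accounts with empty passwords could log in"),
    "x11forwarding": (lambda v: v == "no", "no",
                      "forwarded X11 exposes the admin's display to the host"),
    "maxauthtries": (lambda v: v.isdigit() and int(v) <= 4, "6",
                     "limit authentication attempts per connection"),
}

# Constructed sample of a weak sshd_config (not taken from any real host).
WEAK_CONFIG = """\
# weak host: password logins, root login and X11 all enabled
Port 22
PermitRootLogin yes
PasswordAuthentication yes   # trailing comment
X11Forwarding yes
Match User deploy
    PasswordAuthentication no
"""

# Constructed sample of a hardened sshd_config.
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
"""


def parse_global_directives(text: str) -> dict[str, str]:
    """Return the effective global value of each keyword, following sshd's
    rules: '#' starts a comment, keywords are case-insensitive, 'Key value'
    and 'Key=value' are equivalent, the FIRST occurrence of a keyword wins,
    and everything after a 'Match' line is conditional, so it is ignored."""
    effective: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.+)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def check_sshd_config(text: str) -> dict[str, str]:
    """Map each violated keyword to the effective value that violated it.
    An empty dict means the global policy passes."""
    effective = parse_global_directives(text)
    failures = {}
    for key, (ok, default, _reason) in RULES.items():
        value = effective.get(key, default)
        if not ok(value):
            failures[key] = value
    return failures


if __name__ == "__main__":
    # Pass a path to check a real file; with no argument the weak sample is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = WEAK_CONFIG
    failures = check_sshd_config(text)
    for key, value in failures.items():
        print(f"FAIL {key}={value}: {RULES[key][2]}")
    sys.exit(1 if failures else 0)
```

The same parse-then-judge pattern carries over to the app-server, database and NoSQL configurations listed on the slide: normalise the file into effective settings first, then apply rules, so that an override buried later in the file or inside a conditional block cannot make a weak host look compliant.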
A Highlight of the SecDevOps Approach
The same sprint loop as above (Product Backlog feeding the Sprint Backlog: Requirements, Design, Develop/Integrate, Test, Release), with a security activity in each phase:
Requirements: Security Risk Assessment + Threat Model
Design and Prototype: Security Design Review
Development, Iterations, Prototype: Peer Code Review + Training
Testing: Customized Automated Security Testing in CI
Release and Deploy: Security in Release and Config Management
The Results
100% of High Severity Vulnerabilities were eliminated within the same release.
No excuse for Developers not to fix security issues – the build fails when security fails
Increased Metrics and Visibility per release – Track Vulnerability Status over time and per release
Conclusions
DevOps or Agile without Security is ineffective
Security is usually the most pervasive bottleneck
we45’s SecDevOps Framework ensures that Security is integrated into the SDLC and DevOps Framework
This results in achieving the Enterprise Goal of higher Throughput through Application Delivery with a simultaneous reduction in Operating Resources
thank you
www.we45.com
www.linkedin.com/in/abhaybhargav
@abhaybhargav