we45 secdevops presentation - isaca chennai

Upload: abhay-bhargav

Post on 12-Jan-2017

TRANSCRIPT

Page 1: we45 SecDevOps Presentation - ISACA Chennai

© 2015 , we45 1

Securing Hyper-Scale Cloud Apps with SecDevOps

Page 2

Yours Truly – Abhay Bhargav
CISA, CISSP, SANS-GWAPT, ISO-27001LA, CPA

Author of two international publications on PCI Compliance and Secure Java

Lead Trainer on World’s First Hands-On IoT Security Workshop on Jan 26 @ Dubai

Specialized in Application Security – Mobile, Web, and now, IoT

Developed multiple products and tools - Python Expert

Page 3

Agenda

Current State of Application Delivery

Current Challenges with Application Security

The Application Driven Enterprise Goal

The we45 SecDevOps Framework

Page 4

Today – The Application Driven Economy

Page 5

Attributes of an Application Driven Enterprise

Throughput – Revenue generated from delivering apps to customers

Operating Resources – Resources expended to generate Throughput

Page 6

The Goal

Increase Throughput while simultaneously reducing the Operating Resources

Page 7

Current State of Application Delivery

Massive Decrease in Application Delivery and Deployment Timelines: Amazon ships code every 12 seconds.

Increased Use of Agile Development Practices in the SDLC

Increased Adoption of Cloud for Application Delivery

Increased Adoption of DevOps practices to:
• Reduce friction between Development and Operations
• Increase Collaboration in all areas of Application Delivery
• Leverage Continuous Integration, Delivery and Deployment to release code to production faster
• Leverage Automation – To increase Throughput

Page 8

What is Agile?

Time-Boxed, Iterative Approach to Application Delivery

Focus: Collaboration, Speed, Flexibility

Adoption has increased multi-fold: > 80%

Page 9

What is DevOps?

Page 10

Common DevOps Practices

Agile Development

Continuous Integration

Continuous Deployment

Continuous Delivery

Page 11

A Look at App related Breaches in 2015

Ashley Madison

TalkTalk

Anthem

JP Morgan Chase

Experian

Gaana.com

OPM

MacKeeper

Page 12

Common Factors

Highly scalable Public and Private Cloud Apps

Rapid-release Product Development Environments/Organizations

Utilizing Agile and DevOps Practices

Page 13

Application Delivery

Application Security

Page 14

The Numbers

4 in 5 – Managers and Product Engineering Heads see Security as the biggest bottleneck

$30K – Cost of fixing a security bug in production

200 – Average number of days required to fix a high/medium security bug

74% – Proportion of apps with at least one serious vulnerability

Page 15

App security bottleneck – blocking the release

Requirements  Design  Develop  Test  Security Test

Releases are blocked until security vulnerabilities are fixed, resulting in:
• Higher Operational Resources to fix Security Bugs
• Slower Release Cycles
• Slower Throughput
• Breakdown of Agile and DevOps

Page 16

App security bottleneck – security iterations

Requirements  Design  Develop  Test  Security Test  Release to Customer

Customer rejects the app till security vulnerabilities are fixed.

Apps cannot be used until security vulnerabilities are fixed, resulting in:
• Higher Sales Cycle – reducing Throughput
• Unhappy Customers
• Higher Cost of Development to fix Security Issues – Higher Operational Resources

Page 17

Security Flaws always do the following:

Break down the Agile and DevOps lifecycle

Cause reduction of Application Delivery Throughput

Result in Lower Customer Satisfaction

Increase time and resources in fixing security flaws

Page 18

Case Study: ACME Advantage

World’s leading Software Product Developer for Stock Trading Platforms

Engaged for the last 3 years

Vulnerabilities detected were somehow never fixed

New Vulnerabilities introduced rapidly as applications changed

Problem Statement: Security Iterations by several customers

Performing Tool and Manual Testing

Page 19

Serious Problems: ACME Advantage

They tried Web Vulnerability Scanning: fewer than 40% of Vulnerabilities discovered

Security didn’t keep pace with rapid release cycles – 5 per week

Clash of the Titans: Functional Issues vs Security Issues

Page 20

Why not use Web Vulnerability Scanning Tools?

Modern Cloud Apps are very complex – especially Stack and Business Logic

Vulnerability Scanners only find low hanging fruit – about 30-40% of the vulnerabilities

Web Services Flaws, Protocol Flaws, Business Logic Flaws, Cryptographic Flaws and Advanced Injection Flaws – Never identified

Cannot find flaws with Analytics, NoSQL and newer Database Technologies
Page 21

we45 SecDevOps Framework – ACME Advantage

Designed to Integrate Security into the organization’s DevOps practices

Combination of Training + Consulting + Implementation => Delivering Maximum Impact on Application Security through a Multi-Pronged Approach

Guaranteed to meet the goal: Increase Throughput while reducing Operational Resources in Application Delivery

Page 22

In essence…

Designed to Integrate Security into the organization’s DevOps practices

Combination of Training + Consulting + Implementation => Delivering Maximum Impact on Application Security through a Multi-Pronged Approach

Guaranteed to meet the goal: Increase Throughput while reducing Operational Resources in Application Delivery

Page 23

The Ingredients

Modeling Threats

Training Dev + Ops

Custom Security Automation Suite

Integrating into SecDevOps

Threat Modeling and Secure By Design

SAST and Continuous DAST

Page 24

ACME Advantage: Agile Methodology

Product Backlog - Requirements

Sprint Backlog - Sprint

Sprint stages: Requirements, Design, Develop, Integrate, Test, Release

Requirements

Design and Prototype

Development, Iterations, Prototype

Testing

Release and Deploy

Page 25

Threat Modeling + Security By Design

Threat Modeling is essential in integrating security into the SDLC.

Threat Modeling done at the System and specific component level provides micro and macro perspectives

Threat Modeling – Valuable Input for Security Testing and Security Automation

Serves as Valuable Input for Security By Design

we45’s SecDevOps Framework => STRIDE Threat Modeling with Bug Tree Methodology

STRIDE
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privileges

DREAD
• Damage
• Reproducibility
• Exploitability
• Affected Users
• Discoverability
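The slide lists STRIDE and DREAD without showing how the two fit together. The following is an added example, not code from the deck or from we45: a small, constructed threat list for a hypothetical trading web application, each threat tagged with a STRIDE category at the component level (the micro view) and rated on the five DREAD factors. The score is the mean of the five ratings, which is one common DREAD convention, and the High/Medium/Low bands are an assumption; the per-category count gives the system-wide (macro) view the slide mentions.

```python
# Added example (not from the we45 deck): a STRIDE-categorised threat list
# scored with DREAD. The threats, ratings and severity bands are constructed
# assumptions for a hypothetical trading web application.
from dataclasses import dataclass
from statistics import mean

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# DREAD factors, each rated 1 (low) to 10 (high); the overall score is the
# mean of the five ratings, one common scoring convention (an assumption here).
DREAD_FACTORS = ("Damage", "Reproducibility", "Exploitability",
                 "Affected Users", "Discoverability")


@dataclass(frozen=True)
class Threat:
    component: str            # system element the threat applies to (micro view)
    stride: str               # one-letter STRIDE category
    description: str
    dread: tuple              # five ratings in DREAD_FACTORS order

    def score(self) -> float:
        """Mean of the five DREAD ratings, rounded to one decimal."""
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")
        if len(self.dread) != len(DREAD_FACTORS) or not all(1 <= r <= 10 for r in self.dread):
            raise ValueError("DREAD needs five ratings in the range 1..10")
        return round(mean(self.dread), 1)


def severity(score: float) -> str:
    """Map a DREAD score to a severity band (thresholds are an assumption)."""
    if score >= 8.0:
        return "High"
    if score >= 5.0:
        return "Medium"
    return "Low"


def rank_threats(threats):
    """Return (threat, score, severity) tuples, highest score first."""
    rows = [(t, t.score(), severity(t.score())) for t in threats]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def stride_summary(threats):
    """Macro view: number of threats per STRIDE category across the system."""
    counts = {name: 0 for name in STRIDE.values()}
    for t in threats:
        counts[STRIDE[t.stride]] += 1
    return counts


# Constructed threat list for a hypothetical order-placement flow.
THREATS = [
    Threat("Order API", "T", "Client-supplied price accepted on order submission", (10, 9, 9, 10, 8)),
    Threat("Session cookie", "S", "Session token still valid after logout", (9, 8, 7, 9, 6)),
    Threat("Trade log", "R", "Order cancellations not written to the audit log", (4, 6, 5, 3, 7)),
    Threat("Quote feed", "D", "Unauthenticated quote endpoint without rate limit", (3, 2, 3, 2, 4)),
]

if __name__ == "__main__":
    for threat, score, band in rank_threats(THREATS):
        print(f"{band:6} {score:4} {STRIDE[threat.stride]:22} {threat.component}: {threat.description}")
    print(stride_summary(THREATS))
```

The ranked list is the input the slide refers to: the top entries become the first targets for security test cases and for the automation scripts, and the category counts show where the design needs the most attention.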

Page 26

Custom Security Automation Suite

Current State of Application Security Testing (DAST):

Only 30-40% of Security Vulnerabilities are identified through Security Testing Tools (Automated tools)

Manual Application Security Testing is slow…

we45’s SecDevOps Framework incorporates a hybrid approach:
• Perform Automated Test through Automated Tools
• Provide Custom Security Scripts to simulate manual application security testing
• Integrate the entire suite with Continuous Integration

Application Security Testing (DAST) - 100% Coverage = Automated Vulnerability Assessment Tools + Custom Automation of Manual Security Tests

Page 27

Benefits – Custom Security Automation Suite

Perform a High Quality Penetration Test for EVERY RELEASE!! (Not quarterly/bi-annual/annual)

Integrated with CI – Build Fails if Security has failed. No escape from fixing security flaws

Greater Visibility – Complete Reporting of Tests, Payloads and Pass/Fail Information

Combination of Manual and Automated => 100% Vulnerability/Parameter Coverage

Issues can be re-created and repeated without Penetration Testers being involved.

Granular Vulnerability Management using we45’s VME (Vulnerability Management Engine)

Page 28

Coverage – Custom Security Automation Suite

Identify Vulnerabilities:

OWASP/SANS/WASC Vulnerabilities

Specialized Business Logic Vulnerabilities

Insecure Platform Libraries and Third Party API

Vulnerabilities in the Network and OS Layer

Page 29

Automated Testing – Continuous Deployment

Automated Test Suite integrated with Continuous Deployment products/standalone, to perform:
• Host and OS Security Checks
• Vulnerabilities in App Servers, DBs, NoSQL DBs, etc.
• Vulnerabilities in Network Configurations

Integrate with Continuous Deployment Products like Chef, Ansible, Puppet, etc.
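As an added illustration of the "Host and OS Security Checks" item (this is not code from the deck or from we45), the following checks the effective sshd configuration of a provisioned host against a hardening baseline and returns a non-zero status for the deployment pipeline when a High finding exists. The baseline keywords and values, the severities and the sample sshd_config are constructed assumptions; the parser follows sshd's rule that the first occurrence of a keyword wins and stops at the first Match block, whose conditional settings it does not evaluate.

```python
# Added example (not from the we45 deck): a host-level configuration check of
# the kind a pre-deployment security step could run against a provisioned host.
# The baseline values and the sample sshd_config are constructed assumptions.
import re

# Assumed hardening baseline: keyword -> acceptable values (lower-case).
SSHD_BASELINE = {
    "Protocol": {"2"},
    "PermitRootLogin": {"no"},
    "PasswordAuthentication": {"no"},
    "PermitEmptyPasswords": {"no"},
    "X11Forwarding": {"no"},
}


def parse_sshd_config(text: str) -> dict:
    """Effective global settings of an sshd_config.

    sshd takes the first occurrence of a keyword and treats keywords
    case-insensitively. Comments and blank lines are skipped here. Everything
    after the first 'Match' line is conditional, so parsing stops there (a
    caveat: Match blocks would need their own evaluation).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)   # first occurrence wins
    return settings


def check_sshd_config(text: str) -> list:
    """Compare effective settings with the baseline; return findings as dicts."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, allowed in SSHD_BASELINE.items():
        actual = settings.get(keyword.lower())
        if actual is None:
            findings.append({"keyword": keyword, "severity": "Medium",
                             "detail": "not set explicitly; relies on the compiled-in default"})
        elif actual.lower() not in allowed:
            findings.append({"keyword": keyword, "severity": "High",
                             "detail": f"is {actual!r}, expected one of {sorted(allowed)}"})
    return findings


def gate(findings: list) -> int:
    """Exit status for a deployment pipeline: non-zero if any High finding exists."""
    return 1 if any(f["severity"] == "High" for f in findings) else 0


# Constructed sample config with two misconfigurations and one missing keyword.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config sample
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no      # ignored by sshd: first occurrence wins
X11Forwarding no
Match User deploy
    PasswordAuthentication no  # conditional, not evaluated here
"""

if __name__ == "__main__":
    results = check_sshd_config(SAMPLE_SSHD_CONFIG)
    for f in results:
        print(f"{f['severity']:6} {f['keyword']}: {f['detail']}")
    raise SystemExit(gate(results))
```

A check like this would be run by the configuration management tool after it has written the host's configuration, so that a host whose settings drifted from the baseline never reaches the release step.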

Page 30

A Highlight of the SecDevOps Approach

Product Backlog - Requirements

Sprint Backlog - Sprint

Sprint stages: Requirements, Design, Develop, Integrate, Test, Release

Requirements

Design and Prototype

Development, Iterations, Prototype

Testing

Release and Deploy

Security activities mapped onto the lifecycle:

Security Risk Assessment + Threat Model

Security Design Review

Peer Code Review + Training

Customized Automated Security Testing in CI

Security in Release and Config Management

Page 31

The Results

100% of High Severity Vulnerabilities were eliminated within the same release.

No excuse for Developers to not fix security issues – Build fails when security fails

Increased Metrics and Visibility per release – Track Vulnerability Status over time and per release
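The deck describes two mechanics without showing them: the CI build failing when security tests fail (Page 27) and vulnerability status being tracked per release (this slide). The following added example, which is not code from the deck, from we45 or from its VME product, does both over constructed findings as an automated scanner and custom scripts might report them for two consecutive releases. The finding fields, the fingerprint scheme, the fail-on-High-or-Medium policy and the sample data are all assumptions.

```python
# Added example (not from the we45 deck): gating a CI build on security test
# results and tracking findings across releases.  The finding format, the
# fingerprint scheme, the fail-on policy and the sample findings are assumptions.
import hashlib

# Constructed findings as an automated scanner ("dast") and custom scripts
# ("custom") might report them for two consecutive releases.
RELEASE_1 = [
    {"source": "dast", "type": "SQL Injection", "severity": "High",
     "path": "/orders", "param": "id",
     "evidence": "database error text returned for a single apostrophe in id"},
    {"source": "custom", "type": "Missing CSRF token", "severity": "Medium",
     "path": "/orders/cancel", "param": "order_id",
     "evidence": "state-changing POST accepted without anti-CSRF token"},
    {"source": "dast", "type": "Missing security header", "severity": "Low",
     "path": "/", "param": "X-Frame-Options",
     "evidence": "header absent in response"},
]
RELEASE_2 = [
    {"source": "dast", "type": "Missing security header", "severity": "Low",
     "path": "/", "param": "X-Frame-Options",
     "evidence": "header absent in response"},
    {"source": "custom", "type": "Server version disclosure", "severity": "Low",
     "path": "/", "param": "Server",
     "evidence": "Server header reveals product and version"},
]

# Assumed policy: any open finding of these severities fails the build.
FAIL_ON = {"High", "Medium"}


def fingerprint(finding: dict) -> str:
    """Stable id for a finding so it can be tracked from release to release.

    Built from what identifies the flaw (type, location, parameter), not from
    the evidence text, which tools rephrase between runs.
    """
    key = "|".join((finding["type"], finding["path"], finding["param"]))
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def diff_releases(previous: list, current: list) -> dict:
    """Classify current findings as new or persisting, and previous ones as fixed."""
    prev = {fingerprint(f): f for f in previous}
    curr = {fingerprint(f): f for f in current}
    return {
        "new": [curr[k] for k in curr if k not in prev],
        "persisting": [curr[k] for k in curr if k in prev],
        "fixed": [prev[k] for k in prev if k not in curr],
    }


def evaluate(findings: list, fail_on=FAIL_ON) -> dict:
    """Pass/fail verdict for the build plus the findings that caused it."""
    blocking = [f for f in findings if f["severity"] in fail_on]
    return {"status": "FAIL" if blocking else "PASS",
            "exit_code": 1 if blocking else 0,
            "blocking": blocking}


def report(release: str, previous: list, current: list) -> dict:
    """Per-release summary: verdict, counts per severity, and the release diff."""
    verdict = evaluate(current)
    counts = {}
    for f in current:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    changes = diff_releases(previous, current)
    return {"release": release, "status": verdict["status"],
            "exit_code": verdict["exit_code"], "by_severity": counts,
            "new": len(changes["new"]), "fixed": len(changes["fixed"]),
            "persisting": len(changes["persisting"]),
            "blocking": [(f["type"], f["path"], f["param"], f["evidence"])
                         for f in verdict["blocking"]]}


if __name__ == "__main__":
    for name, prev, curr in (("r1", [], RELEASE_1), ("r2", RELEASE_1, RELEASE_2)):
        print(report(name, prev, curr))
    # The CI job's exit status is the verdict for the release under test.
    raise SystemExit(report("r2", RELEASE_1, RELEASE_2)["exit_code"])
```

The first release fails the build on the High and Medium findings; the second release passes, and the diff shows two findings fixed, one Low finding persisting and one new Low finding, which is the per-release status history the slide refers to. Keying the fingerprint on type, path and parameter rather than on evidence text is what keeps the history stable when the scanner changes its wording.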

Page 32

Conclusions

DevOps or Agile without Security is ineffective

Security is usually the most pervasive bottleneck

we45’s SecDevOps Framework ensures that Security is integrated into the SDLC and DevOps Framework

This results in achievement of Enterprise Goals of: Higher Throughput through Application Delivery with a simultaneous reduction in Operating Resources

Page 33

thank you

www.we45.com

www.linkedin.com/in/abhaybhargav

@abhaybhargav