DevSecOps Shift Left Security. Prioritizing Incident Response using Security Posture Assessment and Attack Surface Analysis

Transcription

1 DevSecOps Shift Left Security Prioritizing Incident Response using Security Posture Assessment and Attack Surface Analysis

2 Themes

3 Vulnerabilities are Low Hanging Fruit

4 Why so many breaches that Anti-Virus missed? 2015 largest disclosed breaches

5 Known Critical Vulnerabilities are Increasing 9,000 8,000 7,000 6,000 5,000 4,000 3,000 2,000 1,000 0 Vulnerabilities Total High (CVSS 7-10)

6 WannaCry Retrospective

7 THOUSANDS WannaCry Timeline and Remediation 700 MS Patch Release EternalBlue Exploit WannaCry 600 Authenticated / Agent Detection Continued + Unauthenticated Detection

8

9 Endpoint Breach Prevention by Reducing Attack Surfaces

10 1 Discover and Know your Assets

11 2 Detect and Measure Vulnerabilities

12 3 Prioritize Remediation

13 4 Identify and Deploy Patches

14 Exercise: I already know all my assets

15 Auto-Deploy Qualys Cloud Agent (Vuln)

16 Vulnerability Results

17 Exploitability Posture

18 Get Proactive Reduce the Attack Surface!

19 Get Visibility into your Public Clouds

20 Common AWS Misconfigurations

21 Continuous Security Monitoring

22 Actionable Responses Reduce Attack Surface

23 Can Security Teams do better?

24 Digital Transformation Priorities Source:

25

26 Digital Transformation Barriers Source:

27

28 DevSecOps = / DevOps + Security

29 Security Security Security Security Security Security Security False Approach ~ False Start ~ Failure Plan Code Test Release Package Deploy Operate Monitor Dev Ops wait! wait! wait! wait! wait! wait!

30 Security + DevOps = a Revolt or Left Out? Source:

31 Food Safety is a Security Problem Source:

32 DevSecOps Shift in Thinking

33 Shift Time

34 Case Study: Financial Services Mobile Wallet

35 Before: Lack of Security Automation Delays Release Machine Builders VM Scan/Report 48 Hours Vulnerability Management Teams VM Scan/Report 48 Hours At least two weeks until the AMI is certified for production

36 1 2 DevOps Born in the Cloud: New builds in AWS every 60 days Automated Regression & Test-Driven Development Security Commercial/Open Source vulnerabilities are detected & fixed on same release cadence Automated regression finds patch issues faster 3 Docker containers abstracts applications from OS OS vulnerabilities are patched separate from Applications

37 After: Security at the Source in DevOps Pipeline AMAZON MACHINE IMAGE (AMI) QUALYS ASSESS ON DEV INSTANCES AUTOMATICALY ADD QUALYS CLOUD AGENT APPROVE and PUBLISH Qualys Scanner Qualys Agent OS OS Qualys Agent

38 Vulnerability Metric Benefits

39 Shift Techniques

40 Case Study: One of Largest Ecommerce Companies

41 1 Shift Technique Tag Vulnerable Libraries in Source Control 2 Shift Technique Vulnerabilities in Production are Treated as Defects 3 Shift Technique Open Vulnerabilities Reported to Business Unit VPs Apply Technique Prevent Software Check-Ins that use Vulnerable Libraries Apply Technique Automatically open tickets for Developers on security issues Apply Technique Excessive Remediation Times are escalated to CEO

42 Shift Tools Find/Implement the right tools for the DevOps Processes... But: You may not need to procure new tools APIs, Integrations, Self-Service UIs Collaborate with current vendors on your DevOps plans

43 Case Study: Financial Investment Services

44 1 Challenge 400+ Web Apps in production Solution Integrated the production Web Security Assessment tool into DevOps processes via API 2 Web Security Assessment found they had a lot of easily mitigated app vulnerabilities Automatically create Jira bugs for App Development to fix XSS and SQL Injection issues 3 Hard for developers to fix security issues in production Continuously assess Web Apps in the dev process so issues are not re-introduced

45 Integrate Production Security Tools into DevOps Selenium Qualys WAS Selenium Qualys WAS Jira Issues Jira Issues

46 DevSecOps: Practical Steps to Get Started

47 Open Q &A