AppSec in a DevOps World

Transcription

1 AppSec in a DevOps World Peter Chestna Director of Developer Engagement VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

2 Who am I? 27 Years Software Development Experience 12 Years Application Security Experience Certified Agile Product Owner and Scrum Master At Veracode since 2006 From Waterfall to Agile to DevOps From Monolith to MicroService Consultant on DevSecOps best practices Fun Fact: I love whiskey! Tell me where to drink local whiskey VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

3 Goals Why is AppSec important? How is AppSec traditionally done? Goal of AppSec? What needs to change? VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

4 Applications Are as Risky as Ever 35% of all applications used some kind of hard-coded password 39% of all applications use broken or risky cryptographic algorithms 28% of all applications were vulnerable to open redirect attacks 16% of all applications mix trusted and untrusted data in the same data structure or message VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

5 Lack of App Security is Damaging Companies VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

6 High Profile Breaches Through the App Layer Retailer Financial Institution Healthcare Provider Financial Institution How: Sophisticated kill chain including exploitation of vulnerable web application Result: Hackers stole names, mailing addresses, phone numbers and addresses for more than 70 million shoppers How: Vulnerability on website built and maintained by third-party vendor in support of a charity. Result: Usernames and passwords for 76 million households and 7 million business were stolen. How: Targeted a flaw in OpenSSL, CVE , better known as Heartbleed Result: The theft of Social Security Numbers and other personal data belonging to 4.5 million patients How: Hackers exploited a known vulnerability in an open source component Result: Social Security Numbers and personal data for more than 143 million Americans stolen. Three executives lose their jobs VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

7 California Breaches VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

8 Built mostly from components VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

9 Expanding Digital Footprint FACTORY AUTOMATION SMART PHONES TABLETS ECOLOGY WWW CHAT & IM CAMERAS PHONES PROPERTY MANAGEMENT SHIPPING LOGISTICS API SERVICES TELEVISIONS SMART METERS CLOUD SERVICES AUTOMOBILES WEARABLES THERMOSTATS EHEALTH DEVICES VERACODE INC. ACQUIRED BY CA TECHNOLOGIES HOME AUTOMATION PHYSICAL SECURITY

10 InfoSec VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

11 AppSec VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

12 Is this your current AppSec program? VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

13 Which outcome do you see? VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

14 Plan Dev QA Sec Ops Waterfall!!!!! = Handoff Business Intent App Knowledge Ops Knowledge Agile!! Business Intent App Knowledge Ops Knowledge DevOps VERACODE INC. ACQUIRED BY CA TECHNOLOGIES Continuity

15 AppSec at a glance Plan Code Build Test Stage Deploy Monitor Training (elearning, instructor led, metadata driven) Static Application Security Testing + 3rd Party Risk Analysis Open Source Risk Monitoring Dynamic Application Security Testing Runtime Application Self Protection Threat Modeling Security Grooming Secure Design Remediation and Mitigation Guidance Secure Code Reviews Manual Penetration Testing Red Team Activities VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

16 Technology Waterfall Agile DevOps VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

17 The Goal? VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

18 Cost to fix VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

19 When do we test? VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

20 Fitting into Agile and DevOps Copyright 2005, Mountain Goat Software VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

21 The real cost of a bug? Bug Develop Find Track Fix Re-test No Bug Develop Develop Develop Develop VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

22 The Goal? VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

23 Definition of DevOps VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

24 What s a DevOps Team? DevOps Team VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

25 DevOps Process: Where is security? Security VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

26 Strategy VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

27 The First Way: Systems Thinking VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

28 Relationships VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

29 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

30 Mutual Accountability VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

31 The Second Way: Amplify Feedback Loops VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

32 Feedback is a Gift! VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

33 Measurement is Key VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

34 Training and Awareness VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

35 Train Security on the Process VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

36 DevOps Security Integrated into Pipeline 7 Synchronize No Pass? Yes Backlog 3 Static Analysis 6 Static Analysis 6 Unit Tests 7 Deploy to QA/Stage CD 1 Develop 2 Build & Test CI 5 Build 8 Dynamic Analysis 8 Regression Testing 3a Manual Testing* 4 Check in Per Check-in CI/CD Pipeline Pass? Yes Stage then Prod VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

37 Help them fix what they find VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

38 The Third Way: Experimentation and Learning VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

39 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

40 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

41 Security Champions VERACODE INC. ACQUIRED BY CA TECHNOLOGIES

42 VERACODE INC. ACQUIRED BY CA TECHNOLOGIES