DevSecOps Why Aren t You Doing It? Brian Liceaga, CISSP 1

Size: px

Start display at page:

Download "DevSecOps Why Aren t You Doing It? Brian Liceaga, CISSP 1"

Duane Powers
5 years ago
Views:

1 DevSecOps Why Aren t You Doing It? Brian Liceaga, CISSP 1

2 Agenda State of DevOps Value of DevOps Benefitting from DevOps DevSecOps What you can do as InfoSec 2

3 The State of DevOps Automation is a huge boon to organizations. DevOps applies to all organizations. Lean product management drives higher organizational performance. High performers vs low performers: 46 times more frequent code deployments. 440 times faster lead time from commit to deploy. 96 times faster mean time to recover from downtime. 5 times lower change failure rate (changes are 1/5 as likely to fail). 3

4 Problems that continue to affect InfoSec teams Are any of these issues affecting your company? Slow patching processes (all systems not just external servers!) Lack of visibility into the changes being made in applications and systems Lack of or slow BC/DR execution abilities Disconnect between Infra/App Dev and Security Security being left behind in Agile Infra is making security decisions everyday without the Security team Security policies, processes, procedures seen as red tape Organizations adopting new technologies without Security input Traditional on-prem tooling not compatible with cloud 4

5 The Value of DevOps Infrastructure as Code - Defining and managing system configuration through code that can be versioned and tested in advance, rather than using a manual process. Continuous Delivery - Using Continuous Integration and test automation to build pipelines from development to test and then to production provides an engine to drive change. Continuous monitoring and measurement - Creating feedback loops from production back to engineering, collecting metrics, and making them visible to everyone to understand how the system is actually used and using this data to learn and improve. Learning from failure Since failure will happen, using it as learning opportunities to improve through constructive postmortems. 5

6 Wait this stuff sounds pretty good maybe security benefit too! 6

7 Benefitting from DevOps! Infrastructure as Code Less humans clicking around in the IaaS management console! Automatically enforce security policies at runtime BC/DR dream come true Continuous Delivery Code flaws are detected and patched sooner Continuous monitoring and measurement Testing what security controls work best in your environment Insight into security threats and enable Attack-Driven Defense Learning from failure Continuously red teaming (constant state of compromise) More resilient systems and more resilient organizations 7

8 Immutable Infrastructure Cattle vs. Kittens Destroy virtual servers with each deploy so updated code goes on new, patched servers. Don t give malware a habitat to thrive in Removing access to production servers/containers vs. 8

9 Environment Evolution Physical Servers -> Virtual Machines Monolithic Apps Service Oriented Architectures Microservices Onprem Cloud (XaaS offerings) Servers Containers Serverless? 9

10 Keeping Up With Velocity DevOps and Agile move fast MVPs should have security too Establishing approved code committers Ensure all activity is being centrally logged VCS, IaaS API calls, flow logs, correlate server logs with metadata tags, etc. No sensitive data should be logged! Bring knowledge/credibility to the table Befriend the Product Managers! Security awareness 10

11 Shifting Security to the Left 1. Culture of Collaboration Built-in vs Bolt-on 2. Translate Paper into Code 3. Fanatical Testing and Instrumentation 4. Provide Intuitive Security Measurement 5. Continuous Science 11

12 The Art of DevSecOps Names don t matter...actions do! SecOps? DevOps? TechOps? DevSecOps? DevOpsSec?...Krav Maga? Source: DevSecOps Foundation 12

13 The Security Funnel 13

14 Continuous Science 14

15 Security as Code 1. Pre-commit 2. Commit / CI Threat modeling IDE checks/ secure coding Peer review SAST Software composition analysis Abuse/misuse cases Git-secrets 3. QA and Acceptance DAST Automated security attacks (e.g. Fuzzing, Gauntlet) Configuration management 4. Prod Deploy / Post- Deploy Configuration management Continuous vulnerability scanning Automated runtime defense 15

Compliance as Code Compliance as Code tries to

requirements and monitor it on an ongoing basis

16 Compliance as Code Compliance as Code tries to minimize paperwork and overhead (but yes you still need an IS policy!) Assess infrastructure s adherence to compliance requirements and monitor it on an ongoing basis Policies and rules are enforced and tracked through automated controls AWS Inspector 16

17 Automating Corrective Action Working Smarter More prevention less investigation Adopting DevSecOps 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident Our Approach AWS Lambda is triggered based on security policy violations Corrective action to contain incident

18 Automating Corrective Action - Use Case MFA is Removed User removes MFA Triggers Lambda Lambda revokes all IAM access for the account in violation X X X X X

19 DevSecOps Manifesto 1. Leaning in over Always Saying No 2. Data & Security Science over Fear, Uncertainty and Doubt 3. Open Contribution & Collaboration over Security-Only Requirements 4. Consumable Security Services with APIs over Mandated Security Controls & Paperwork 5. Business Driven Security Scores over Rubber Stamp Security 6. Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities 7. 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident 8. Shared Threat Intelligence over Keeping Info to Ourselves 9. Compliance Operations over Clipboards & Checklists 19

20 What can you do as InfoSec? A New and Improved Security Team Adopt DevOps mindset (if your org isn t doing it, then push for it or lead it within InfoSec) Redefine your role and relationships with the company Enabling DevSecOps requires a team of engineers instead of analysts Train existing analysts in DevOps and automation Operate in a constant state of compromise Fail fast and adapt quickly 20

21 THANK YOU! Contact: Brian Liceaga, CISSP Evolvesecurity.io 21

22 References DevSecOps.org DevOpsSec by Jim Bird. Published by O'Reilly Media, Inc., 2016 Flaticon 22

DevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY

DevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY DevOps Anti-Patterns Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! 31 Anti-Pattern: Throw it Over the Wall Development Operations 32 Anti-Pattern: DevOps Team Silo