Rethinking Product Security: Cloud Demands a New Way

Transcription

1 SESSION ID: CSV-R11 Rethinking Product Security: Cloud Demands a New Way Reeny Sondhi Chief of Product Security Autodesk Tony Arous Head of Application Security Autodesk

2 Agenda Who is Autodesk and what transformation are they in the middle of? Redefining Product Security Lessons Learned How can you apply what you learned to your job?

3 Autodesk Digital Transformation About Autodesk: Make anything Autodesk makes software for people who make things. If you ve ever driven a high-performance car, admired a towering skyscraper, used a smartphone, or watched a great film, chances are you ve experienced what millions of Autodesk customers are doing with our software Products Digital transformation to the cloud Teams across the globe Diverse range of agile approaches

4 Holistic Approach to Product Security Architecture, Software, Infrastructure, Incident Management PRODUCT LIFECYCLE & ENGINEERING PROCESS Agile Development Continuous Integration Continuous Deployment Plan Develop Build Test Release Deploy Monitor Respond Secure Development Lifecycle Train, Secure Design, Secure Coding, Security Testing, Assessment SECURITY PRACTICES & TOOLS Cloud Security Identify, Protect, Detect, Respond, Recover Product Development üaccess control ülogging ücryptography, key mgmt üsecure design principles üinput Validation ücoding standards üfuzzing ütraining POLICIES & STANDARDS Cloud security üenvironment hardening ücontinuous Monitoring üoperational Enablement Response & Incident Mgmt üreporting procedures üresponse SLO ücustomer Communication

5 Security Strategy Built on Industry Standards

6 Product Security: How We Build Security from Development to Production APPLICATION SECURITY CLOUD SECURITY COMPLIANCE Threat & Vulnerability Management Security Hardening & Configuration Management Identity & Access Management Threat Prevention, Detection and Containment (Network and Perimeter Security) End-Point Security (Host Security) Incident Response ISO Certification SSAE-16 SOC 2 Attestation for all 360 Apps CSA STAR EU Model Clauses Standards & Policies Security Features Source Code Analysis Secure Design & Threat Modeling Open Source Analysis Security Testing Education and Awareness Security Incident Response

7 Objective Reduce security weaknesses in our products and infrastructure by proactively building repeatable/sustainable security practices embedded within our development, deployment and maintenance lifecycle

8 Old world vs. where we are headed OLD WORLD Many different tools Lack of standardization Slow, ineffective results GOING FORWARD Single tool per function Centralized operations Standardized process Difficult to Report Track progress Identify risks

9 First: Why CI/CD is Important Staying competitive in a fast moving world Quickly adapt software to meet ever-changing shifts in market needs Greater efficiency, collaboration, and re-use in Engineering Requires frequent delivery of new functionality Tighter integration of products & workflows Encourage collaboration Engineering tools and workflows highly siloed Easier to help on other projects when dev environment is standard

10 What is CI/CD? (Waterfall à CI/CD) Waterfall Requirements Planning Develop Test Release RTM Requirements Agile WaterSCRUMFall Develop Plan/Dev/Test Stabilize Release RTM CI/CD Requirements Continuous Planning (Kanban?) Continuous Delivery Dev Test RTM (incremental)

11 Autodesk CI/CD: Development Tool Stack Communication Project Wiki (Documentation) Slack (Chat) Jira (Bug tracking, Agile Project Mgmt.) Each tool has: Ownership Solutions Migration support Metrics Inner-source dev. model to encourage contribution Content GitHub (Source Code Mgmt.) Artifactory (Package Mgmt.) CI/CD Jenkins (Orchestration) (L10N) Checkmarx/ Fortify/Nexus/ WhiteSource/etc. (Security) Docker (Containers) Vault (Secrets) CI/CD Unified CloudOS Infrastructure Promote Promote Dev Staging Prod

12 Security Integration in Tool Set COMPONENT SELECTION External Sources DESIGN DEPLOY BUILD Internal Components DEVELOP TEST RELEASE

13 Design Threat Modeling Typical Threat Model Comprehensive documentation Weeks to assess Constantly changing vs. Simple User Story Code is Design Threat model only exceptions to standardized security frameworks

14 Build Static Analysis Security tools seamlessly integrated with automated controls for every build Automated reporting when security standards deviated Targeted security vulnerabilities through custom rules Continuous real-time feedback Initially alert, then fail builds Deep static analysis scanning (can be done out of band) Semantic Structural Control flow Pattern Analysis Taint analysis Data analysis

15 Build Open Source & Third Party Component Analysis Software Supply Chain Implement a software component analysis process to automatically create a bill of materials for a system Minimize security risks in the software by identifying risk in third- party components 80 percent of the code in today s applications comes from libraries and frameworks More than 50,000 of the software components in the Central Repository have known security vulnerabilities.

16 Acceptance/Test DAST, IAST & Fuzzing Dynamic Analysis Security Testing Useful for testing web and mobile apps, but they don t always play nicely in CI/CD Spin off to run out of band Interactive Application Security Testing Instruments running code and uses control flow and data flow analysis to trace and catch security problems at the point of execution Lower false positives than running static analysis. Fuzzing Valuable in finding security vulnerabilities (especially injection bugs) Testing of APIs, files (can be done out of band)

17 Infrastructure as Code Define and manage system configuration through code that can be versioned and tested in advance using tools like Chef Increases the speed of building systems that are scalable, consistent and secure Provides powerful advantages for security: Program security policies directly into the configuration code Building hardening policies into configuration code Detect variances from the expected baseline and alert, assigning a score based on compliance or automatically revert them Patch vulnerabilities quickly and safely

18 Compliance as Code Minimize paperwork and overhead Automated runtime rule-driven compliance Provides visibility, traceability for support and continuous validation Audit trail for every change request

19 Program Rollout, Metrics & Dashboards

20 Product Security Program Rollout: Define security non-negotiables Product Development Production 1. Designate a Product Security Advocate per Product Family 2. Conduct Threat Modeling and fix critical/high defects (TM) 3. Eliminate Top Issues: NEW Code only All critical/high vulns OAST (Opensource analysis: CLM, White Source) DAST (Dynamic Analysis: WebInspect, Contrast) SAST (Source code analysis: Fortify/Checkmarx) 4. Training: 100% of employees pass role-specific security exams New employees must complete goal specific training 5. Reduce Mean Time to Remediation [MTTR] Desktop products: P0/P1 resolved <30 days Cloud products: P0/P1 resolved <48 hours 1. Hardening Use Certified Components (Hardened OS s, tools, etc.) 2. Logging Collect server logs for event analysis Web, database, application, domain controllers and network systems 3. Secure Identities & Access Require multi-factor authentication for Developers/Admins/Users 4. Patching Follow a regular patching cadence for Windows and Linux 5. Endpoint Protection

21 Product Development: Security Dashboard

22 Production: Security Dashboard

23 Lessons Learned on the Transformation Journey Move to a single CI/CD solution is key Efficiency Consistency Simplification Driving towards standards rather than to each his/her own is instrumental in containing the scope of what we need to secure Central management of tools and implementation in the corporate CI/CD framework is critical Dashboards are not boring Culture is a cop out and bringing people along on the journey is key 23

24 Key Takeaways & Application Tips Build a roadmap for your secure development lifecycle transformation Appoint security champions across all teams with accountability Spread awareness to help your developers understand and adopt security requirements Inject security tools within your CI/CD process Start small and experiment the changes with a few small teams Automate every lifecycle step with immediate feedback

25 Questions?