Weaving Security into Every Application

Transcription

1 Weaving Security into Every Application Paul Fox AVP Technology AT&T 2018 TM Forum 1

2 Cyber Security Accelerating Threat Telecom Breaches 300,000 Number of complaints filed with the FBI Internet Crime Complaint Center in 2017 Sales $1.4 Billion Reported losses resulting from those complaints in % Telecom companies with 10,000+ employees said they d seen attempted breaches increase in the past year.* 81% said they expect attacks to increase in the coming year.* Source: * TM Forum 2

3 Is your company currently pivoting to DevSecOps? A. I don t know what DSO is B. We are exploring this change C. We plan to implement DSO D. We have implemented DSO Attn AV Team: Play 10 second Audio 2018 TM Forum 3

4 Evolution to DevSecOps Wanting Flexibility Wanting Change Wanting Stability Wanting Security Customers Development Operations Security Create flexibility Improve time to market Create effective change Add/Modify features Create stability Enhance Services Create security Protect customers Protect enterprise Agile Development DevOps DevSecOps Fixes this Fixes this Fixes this 2018 TM Forum 4

5 What is DevSecOps? DevSecOps (DSO) embeds security in the product lifecycle, integrating security through requirements, design, development, test & operations for software delivery. DSO involves the inclusion of threat modeling, risk assessment, automation & analytics. One Team Culture DevOps Breaking down traditional silos, consideration of other roles, common success measures, shift left DevSecOps Security added as part of one team, shift left of Ops team becomes more important with security as a nonfunctional requirement Product Focus Focus on life of software & end to end product knowledge versus project Security becomes key attribute to producing a quality product for our customer; Reduced code complexity Faster Delivery More frequent deployments, automate wherever possible, reduce waste & leverage platforms Model what the top 5% are doing & use data powered insights DevOps promotes Non-functional Requirements upfront & throughout each iteration (along with functional requirements). Security is a non-functional requirement & becomes everyone s responsibility! DATA INSIGHTS TURN ART INTO SCIENCE DATA FUELS AUTOMATIO N Insightful Decisions around software enablement & platform usage Higher Logic Work - benchmark the best teams Reduction of Repetitive Tasks to increase time spent on innovation 2018 TM Forum 5

6 What is your biggest security concern today? [Word Cloud 1] Attn AV Team: Play 10 second Audio 2018 TM Forum 6

7 Why Move to DevSecOps? More agile More reliable Win in the marketplace Sales 46x more frequent deployments* 2x speed in fixing vulnerabilities over dynamic analysis in production** 98% of 300 surveyed companies said they have or plan to integrate DevSecOps 440x faster lead times than their peers* 170x faster mean time to recover* 80% of rapid development teams will embed DevSecOps by 2021 Source: Gartner + *Accelerate (2018) by Nicole Forsgren, PHD; Jez Humble and Gene Kim ** TM Forum 7

8 Pivoting to Security Missed Opportunities for Software Scanning Prior to DevSecOps Under utilization of current tools Scan analysis centralized & manual Many developers ignore scan results Partial static and dynamic scanning Run cycles are long Key Ideas Design Threat Modeling Near-Realtime Static Testing Pre-Prod Dynamic Testing Increased Penetration Testing War games (Red/Blue) ACTION: Security Scanning now happens throughout Continuous Integration & Delivery PMO: Design FMO: Develop Code Test Production Scan Integrate through requirements, design, development, test & operations for software delivery 2018 TM Forum 8

9 DevSecOps Security Methods & Application METHODS : Static Dynamic Penetration Threat Modeling WHAT IT IS & HOW WE USE IT: Static app security testing (SAST) inspects the source code of an app for hardcoded passwords, IP addresses, etc. SAST provides a list of critical findings with ample detail to immediately mitigate vulnerabilities Dynamic application security testing (DAST) tests an application or software product in an operating state. This kind of testing is helpful for industry-standard compliance & general security protections for evolving projects. DAST can identify code issues and top vulnerabilities such as Cross-Site Scripting Penetration testing (pen testing) uses attack methodologies on your own IT systems to identify security gaps. Pen Testing helps discover loopholes in the system such as, ID-Enumeration Vulnerability Threat Modeling is a process by which potential threats can be identified by assessing application design. Threat Modeling allows for risks to be assessed, prioritized & mitigated. Risk Assessment Upon completion of threat modeling, Risk Assessment conducts a holistic analysis of the risks that impact the overall business. Risk Assessment provides analysis to minimize the loss or damage to the company through numerical risk assessment, diagrammatic vulnerability points & strategic operational risk lists TM Forum 9

10 How many security tools do you use in the development process? [Word Cloud 2] Attn AV Team: Play 10 second Audio 2018 TM Forum 10

11 DevSecOps using a CI/CD Pipeline Any synchronous and asynchronous activity can be integrated CI/CD Pipeline: Code Repository CI BUILD CD DEV DEPLOY CD TEST DEPLOY UAT CD PROD DEPLOY IDE Code Quality Pen Testing Non-Invasive Pen Testing Code Complexity Scan Dynamic App Security Testing Static Application Security Testing = Synchronous activity = Asynchronous activity = Security tooling = Code quality tooling = Optional Gate Approval The CI/CD Pipeline can orchestrate activities implemented by commercial or open source tooling TM Forum 11

12 Code Complexity Scan Measuring coding effort via Code Complexity Metrics(CCM)? Code Complexity is an internal benchmark of the quality and maintainability of source code measuring against multiple static source code metrics. Evaluating Lines of Code is not enough Coders must produce maintainable code without technical debt Benefits Ability to pinpoint skill & training gaps & to develop a stronger delivery team with higher quality & lower cost Increase accountability across dev teams with our vendors & partner with them to build more productive teams Speed metrics can be utilized to improve productivity & in time, improve our ability to estimate project efforts 2018 TM Forum 12

13 DevSecOps Mission Statement Move to a unified, automated CI/CD platform by utilizing industry leading technologies that produce higher quality code, faster delivery, decreased cost, and increased security TM Forum 13