DevSecOps Shift Left Security Prioritizing Incident Response using Security Posture Assessment and Attack Surface Analysis
Themes
Vulnerabilities are Low Hanging Fruit
Why so many breaches that Anti-Virus missed? (2015 largest disclosed breaches)
Known Critical Vulnerabilities are Increasing (chart: vulnerabilities per year, 2011 to 2016, y-axis 0 to 9,000; series: Total, High (CVSS 7-10))
WannaCry Retrospective
WannaCry Timeline and Remediation (chart, y-axis in thousands, 0 to 700; timeline markers: MS17-010 Patch Release, EternalBlue Exploit, WannaCry; series: Authenticated / Agent Detection, Continued + Unauthenticated Detection)
Endpoint Breach Prevention by Reducing Attack Surfaces
1 Discover and Know your Assets
2 Detect and Measure Vulnerabilities
3 Prioritize Remediation
4 Identify and Deploy Patches
Exercise: I already know all my assets
Auto-Deploy Qualys Cloud Agent (Vuln)
Vulnerability Results
Exploitability Posture
Get Proactive Reduce the Attack Surface!
Get Visibility into your Public Clouds
Common AWS Misconfigurations
Continuous Security Monitoring
Actionable Responses Reduce Attack Surface
Can Security Teams do better?
Digital Transformation Priorities Source: https://news.microsoft.com/apac/2017/02/20/80-of-businessleaders-believe-they-need-to-be-a-digital-business-to-succeed-microsoftstudy/microsoft-digital-transformation-infographic-asia
Digital Transformation Barriers Source: https://news.microsoft.com/apac/2017/02/20/80-of-businessleaders-believe-they-need-to-be-a-digital-business-to-succeed-microsoftstudy/microsoft-digital-transformation-infographic-asia
DevSecOps ≠ DevOps + Security
False Approach ~ False Start ~ Failure: a separate Security gate bolted onto every stage (Plan, Code, Test, Release, Package, Deploy, Operate, Monitor), with Dev and Ops told to wait at each one
Security + DevOps = a Revolt or Left Out? Source: https://theclumpany.wordpress.com/2015/08/09/pitchforks-and-flaming-torches/
Food Safety is a Security Problem Source: http://www.foodengineeringmag.com/articles/88990-tech-update-metal-detection-xray-inspection-
DevSecOps Shift in Thinking
Shift Time
Case Study: Financial Services Mobile Wallet
Before: Lack of Security Automation Delays Release
- Machine Builders: VM Scan/Report, 48 Hours
- Vulnerability Management Teams: VM Scan/Report, 48 Hours
- At least two weeks until the AMI is certified for production
1. DevOps Born in the Cloud: New builds in AWS every 60 days; Automated Regression & Test-Driven Development
2. Security: Commercial/Open Source vulnerabilities are detected & fixed on the same release cadence; Automated regression finds patch issues faster
3. Docker containers abstract applications from the OS; OS vulnerabilities are patched separately from Applications
After: Security at the Source in DevOps Pipeline (diagram: Amazon Machine Image (AMI) -> Qualys assess on dev instances -> automatically add Qualys Cloud Agent -> approve and publish; components: Qualys Scanner, Qualys Agent, OS)
Vulnerability Metric Benefits
Shift Techniques
Case Study: One of Largest Ecommerce Companies
1. Shift Technique: Tag Vulnerable Libraries in Source Control. Apply Technique: Prevent Software Check-Ins that use Vulnerable Libraries
2. Shift Technique: Vulnerabilities in Production are Treated as Defects. Apply Technique: Automatically open tickets for Developers on security issues
3. Shift Technique: Open Vulnerabilities Reported to Business Unit VPs. Apply Technique: Excessive Remediation Times are escalated to CEO
Shift Tools
Find/Implement the right tools for the DevOps Processes... But:
- You may not need to procure new tools
- APIs, Integrations, Self-Service UIs
- Collaborate with current vendors on your DevOps plans
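One way to implement the first technique pair (tag vulnerable libraries, then refuse check-ins that use them), as an added example that is not part of this presentation or of any vendor's tooling: a Python pre-commit check that reads a pinned requirements file against a constructed denylist of vulnerable version ranges. Package names in the denylist and sample are hypothetical; in practice the denylist would be generated from the scanner's findings.

```python
import re
import sys

# Constructed denylist (hypothetical names), normally generated from the scanner's findings:
# package -> vulnerable [low, high) version ranges
VULNERABLE_RANGES = {
    "exampleweb": [((1, 0, 0), (1, 4, 2))],   # fixed in 1.4.2
    "jsonthing": [((0, 0, 0), (2, 3, 0))],    # everything before 2.3.0
}
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][^\s;]*)")

def parse_version(text):
    """'1.4.1' -> (1, 4, 1); stops at the first non-numeric segment ('2.3.0rc1' -> (2, 3, 0))."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def check_requirements(text):
    """Return one finding per offending requirements line; an empty list lets the check-in proceed."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:                                    # unpinned deps cannot be assessed, so block them too
            findings.append(f"line {lineno}: '{line}' is not pinned with ==")
            continue
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()   # PEP 503 style name normalisation
        version = parse_version(m.group(2))
        for low, high in VULNERABLE_RANGES.get(name, []):
            if low <= version < high:
                findings.append(f"line {lineno}: {name}=={m.group(2)} is in vulnerable range {low}..{high}")
    return findings

# Constructed sample check-in, checked when the script is run directly (as a pre-commit hook would).
SAMPLE_REQUIREMENTS = """\
safe-lib==2.0.1
exampleweb==1.4.1       # inside the vulnerable range
jsonthing==2.3.0        # first fixed version, allowed
other-lib>=1.0          # not pinned
"""

if __name__ == "__main__":
    problems = check_requirements(SAMPLE_REQUIREMENTS)
    print("\n".join("BLOCKED: " + p for p in problems))
    sys.exit(1 if problems else 0)   # non-zero exit refuses the commit
```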
Case Study: Financial Investment Services
1. Challenge: 400+ Web Apps in production. Solution: Integrated the production Web Security Assessment tool into DevOps processes via API
2. Challenge: Web Security Assessment found they had a lot of easily mitigated app vulnerabilities. Solution: Automatically create Jira bugs for App Development to fix XSS and SQL Injection issues
3. Challenge: Hard for developers to fix security issues in production. Solution: Continuously assess Web Apps in the dev process so issues are not re-introduced
Integrate Production Security Tools into DevOps (diagram: Selenium -> Qualys WAS -> Jira Issues)
DevSecOps: Practical Steps to Get Started
Open Q &A