Put Security Into Your DevOps NOW Or Prepare for the Flood
Matthew Fisher, Solution Architect, Fortify Federal
08 MAR 2018
Defining DevOps
State of DevOps Report (Puppet, DORA): "...set of practices and cultural values that has been proven to help organizations of all sizes improve their software release cycles, software quality, security, and ability to get rapid feedback on product development."
Amazon Web Services: "cultural philosophies, practices, and tools that increases an organization's ability to deliver applications and services at high velocity"
Wikipedia: "strongly advocate automation and monitoring at all steps of software construction, from integration, testing, releasing to deployment and infrastructure management. DevOps aims at shorter development cycles, increased deployment frequency, more dependable releases, in close alignment with business objectives."
Sources: 2017 State of DevOps Report, presented by Puppet and DORA; Amazon Web Services: https://aws.amazon.com/devops/what-is-devops/; Wikipedia: https://en.wikipedia.org/wiki/devops
More Applications, Released 30x Faster: Software @ DevOps Speed
[Chart: number of applications and release frequency, 2010 vs. 2015 vs. 2020+]
Source: Better outcomes, faster results. Continuous delivery and the race for better business performance, Forrester Thought Leader Paper commissioned by HP (now Hewlett Packard Enterprise)
AppSec Risk by the Numbers
- 1,900,000,000 records lost globally in the first half of 2017
- 1,400,000 sensitive PII records lost in a single US breach
- 15% of survey respondents reported a breach
- 23% of survey respondents cited their application as the source
References: breachlevelindex.com and SANS 2017 Application Security Survey
Top Breaches by Type, 1H 2017
[Chart: breaches by type]
Reference: Verizon DBIR 2017
Embedding Security into the SDLC = Huge Benefits
Without Fortify, you deal with:        With Fortify, you benefit from:
Slow time to market                    30x faster time to market
Lots of false positives                95% fewer false positives
Longer scans                           10-15x faster scans
Slow remediation                       10x faster remediation
Few vulnerabilities found              2x more vulnerabilities found
Promise vs. Reality of Security in DevOps
99% of those surveyed agreed that DevOps is an opportunity to improve application security.
Where does security testing currently fit?
- None: 17%
- Testing during development: 20%
- Network: 25%
- Pre-production gate: 38%
But only 20% perform application security testing during development. Most wait until late in the SDLC, or do not test at all.
Reference: Application Security and DevOps Report 2016
"If there's something we need to comply with, let's turn it into an automated test."
Mark Schwartz, former CIO, USCIS, DevOps Enterprise Summit 2014
Tenets of DevSecOps
- Automated testing: security testing must be comprehensive and automated within the pipeline, and the pipeline must be able to make automated decisions (pass/fail) on the results of that testing.
- Fail fast, fix fast: developers are equipped to fix security issues rapidly.
- Integrated feedback: immediate security feedback flows into a single issue-management system.
- Cloud deployable: the entire pipeline can be provisioned as code.
Integrate Application Security with DevOps
DevOps requires an expanded scope of application security: from development, through traditional scanning and testing, and into production.
Tools: SCA (Static Code Analyzer), FoD (Fortify on Demand), WebInspect
Fortify Software Security Assurance
Automated, comprehensive, security-focused static analysis
- Dedicated Software Security Research Group: not crowdsourced and not an afterthought
- Over 800 vulnerability categories covered, with quarterly updates
- Developer plugins that take them to the vulnerable line of code for the fix, and Security Assistant for prevention
- Build adapters for automating build integration
- CI plugins for scanning at build time and updating build status
- Issue management integrations
- Headless installs for cloud deployment into ephemeral environments
Best Programming Language Coverage
25+ programming languages supported, and counting
Static Software Scanning Process
1. Developers check in code to the code repository.
2. Continuous integration (Jenkins, TFS, etc.) checks out and builds the code, scheduled or triggered.
3. The build is (automatically) delivered for analysis to the scanning engine (SCA).
4. Findings are submitted to the management portal (SSC), where the security/tech lead reviews them.
5. Vulnerability findings are submitted to the bug tracker (issue tracking), and developers fix each bug/finding under normal scrum management.
6. Repeat as necessary.
Developer Desktop: Security Assistant
Real-time checking for the most common issues as you type
Developer Desktop: IDE Plugins
Scan and fix vulnerabilities before committing. Open scan files generated by build integrations or by security auditors to see each vulnerability overlaid on your code at line-of-code detail, together with fix information.
Build Integrations
Out of the box: GNU Make, MSBuild, XCodeBuild, and a wide variety of other build tools
Build integrations make it easy to integrate automated static analysis into the complete build process. Robust Fortify command-line utilities exist for additional integrations.
Continuous Integration Plugins
- Fortify Client
- Fortify FPR Utility
Jenkins Plugin
- Simplifies creating a Fortify scan job via Jenkins
- Performs the scan and uploads results to Software Security Center
- Updates build status based on criteria
- Reports security status within the plugin: no need to log in anywhere else for quick status checks
Jenkins Plugin (continued)
- Filter results based on a template of your prioritizations
- Fail the build based on a search syntax
Fortify SCA with Continuous Integration
- Easy integration: integrate into the actual build with out-of-the-box integrations and utilities
- Flexible architecture: perform the scan directly on the build server, or offload it to the included CloudScan array
- Deployable: Source Code Analyzer is easily deployed via a Jenkins job for ephemeral systems
- Build status support: use the integrations, utilities or API to read results and make a real-time build status decision
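The "automated decisions" tenet and the "fail the build based on criteria" step above are where the pipeline turns scan output into a pass/fail verdict. The script below is an added example of such a build gate, not Fortify's own code or the Jenkins plugin's logic. It assumes: the documented sourceanalyzer options -b, -clean, -scan and -f for the translate and scan steps; the Fortify Priority Order formula (likelihood = accuracy * confidence * probability / 25, with impact and likelihood each split at 2.5) as this deck's audience would know it, which you should confirm against your SCA release; and a constructed, simplified findings XML (the <Findings>/<Finding> layout, its attributes, and the Policy/Verdict names are all hypothetical stand-ins, not the real FVDL schema, so the parser must be adapted to the audit.fvdl member of a real FPR).

```python
"""Build gate over Fortify SCA results (added example, not Fortify's code).

Pipeline position: after `sourceanalyzer -b <id> -clean`, the translate step
(`sourceanalyzer -b <id> <build command>`) and `sourceanalyzer -b <id> -scan
-f results.fpr`, the CI job reads the findings, applies a policy and fails
the build on the verdict. The XML layout below is a constructed stand-in for
FVDL; adapt gate_fpr() to the real audit.fvdl schema.
"""
import subprocess
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

ORDER = ("Critical", "High", "Medium", "Low")


def priority(impact, accuracy, confidence, probability):
    """Fortify Priority Order: likelihood = accuracy*confidence*probability/25;
    impact and likelihood each split at 2.5 (assumption: confirm per release)."""
    likelihood = accuracy * confidence * probability / 25.0
    if impact >= 2.5:
        return "Critical" if likelihood >= 2.5 else "High"
    return "Medium" if likelihood >= 2.5 else "Low"


@dataclass
class Policy:                      # hypothetical gate policy, not a Fortify type
    max_critical: int = 0          # fail fast: any Critical breaks the build
    max_high: int = 0
    exclude_paths: tuple = ("src/test/",)  # the deck's "filter on a template" step


@dataclass
class Verdict:                     # hypothetical result type
    passed: bool
    counts: dict
    blocking: list = field(default_factory=list)  # file:line per finding, for developers


def gate_findings(xml_text, policy):
    """Apply the policy to a findings document and return a Verdict."""
    counts = {p: 0 for p in ORDER}
    blocking = []
    for f in ET.fromstring(xml_text).iter("Finding"):
        path = f.get("file")
        if any(path.startswith(x) for x in policy.exclude_paths):
            continue  # filtered out before it can affect build status
        p = priority(*(float(f.get(k)) for k in
                       ("impact", "accuracy", "confidence", "probability")))
        counts[p] += 1
        if p in ("Critical", "High"):
            blocking.append(f"{p}: {f.get('category')} at {path}:{f.get('line')}")
    passed = (counts["Critical"] <= policy.max_critical
              and counts["High"] <= policy.max_high)
    return Verdict(passed, counts, blocking)


def gate_fpr(fpr_path, policy):
    """Read findings out of an FPR. Assumption: the FPR is a zip whose member
    audit.fvdl holds the findings; the real FVDL layout differs from SAMPLE."""
    with zipfile.ZipFile(fpr_path) as z:
        return gate_findings(z.read("audit.fvdl").decode("utf-8"), policy)


def scan_and_gate(build_id, build_cmd, policy, fpr="results.fpr"):
    """Translate, scan, gate: the sequence the CI plugin automates.
    Requires sourceanalyzer on PATH; not exercised by the offline sample."""
    subprocess.run(["sourceanalyzer", "-b", build_id, "-clean"], check=True)
    subprocess.run(["sourceanalyzer", "-b", build_id, *build_cmd], check=True)
    subprocess.run(["sourceanalyzer", "-b", build_id, "-scan", "-f", fpr], check=True)
    verdict = gate_fpr(fpr, policy)
    if not verdict.passed:  # non-zero exit is what marks the CI build failed
        raise SystemExit("\n".join(["Security gate failed:", *verdict.blocking]))
    return verdict


# Constructed sample findings (not real scan output).
SAMPLE = """<Findings>
  <Finding category="SQL Injection" file="src/main/java/UserDao.java" line="88"
           impact="5.0" accuracy="5.0" confidence="4.0" probability="5.0"/>
  <Finding category="Path Manipulation" file="src/main/java/Export.java" line="41"
           impact="5.0" accuracy="5.0" confidence="2.0" probability="3.0"/>
  <Finding category="System Information Leak" file="src/main/java/Errors.java" line="17"
           impact="1.5" accuracy="5.0" confidence="5.0" probability="4.0"/>
  <Finding category="Dead Code" file="src/main/java/Util.java" line="203"
           impact="1.0" accuracy="5.0" confidence="1.0" probability="1.0"/>
  <Finding category="Password Management: Hardcoded Password"
           file="src/test/java/DbFixture.java" line="12"
           impact="4.0" accuracy="5.0" confidence="5.0" probability="5.0"/>
</Findings>"""

if __name__ == "__main__":
    v = gate_findings(SAMPLE, Policy())
    print("PASS" if v.passed else "FAIL", v.counts)
    print("\n".join(v.blocking))
```

With the default policy the sample fails on one Critical (SQL Injection) and one High (Path Manipulation); the hardcoded test-fixture password is excluded by path and never reaches the verdict, which is exactly the kind of filter that should be reviewed by the security lead rather than left to the build team. The blocking list gives developers the file and line, which is the "fix fast" half of the tenet.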
CloudScan: Optional Architecture Included with Fortify
- Only code translation is performed on the build machine; the translated build is then shipped to CloudScan for the longer-running scan phase.
- The resulting FPR file is uploaded to SSC and parsed for build status as normal.
- Centralizes scanning on a few machines shared across multiple build machines.
- Removes the intensive and slower scanning process from the build pipeline.
Software Security Center: Enterprise-Ready Software Security Management
- LDAP/SSO/CAC ready
- Artifact and vulnerability management
- Portfolio-level KPIs and metrics
- Open reporting interface with STIG and FISMA reports
- Swaggerized RESTful APIs
- Issue management integrations
Issue Management Integrations
- Application lifecycle management
- Fortify service integration
- Extendable plugin architecture
Key Software Security Center Integrations
- Automatically receive scan files from build integrations
- Automated updating of management metrics
- Swaggerized APIs for deeper automation
- Web-based results review
- Automated downloading of scan files to developers' Fortify instances on their desktops
- Push results automatically to issue management via the extensible plugin framework
- STIG compliance reporting
Audit Assistant: Machine Learning to Make AppSec More Efficient
- Identify true vulnerabilities with up to 98% accuracy and prioritize them for faster remediation
- Return value-added time to your developers and auditors
- Focus on triaging and investigating high-priority vulnerabilities
WebInspect: Automated Dynamic Scanning
- Remote headless provisioning for ephemeral environments (requires an on-site persistent license management server in the infrastructure)
- Swaggerized API for automated scanning
- Import test results into Software Security Center to aggregate them with static analysis metrics and the issue management integration
- Results are exportable in FPR format and can be opened and viewed in the IDE plugins or Audit Workbench, just like static results
Pipeline Overview (diagram)
Stages: Developer -> Code Repository -> Continuous Integration (Jenkins, TFS, etc.) -> Continuous Delivery (Docker) -> Dynamic Testing (WebInspect, functional test, performance test) -> Deployment
- Developer: IDE plugin with Security Assistant and the Static Code Analyzer; corrects vulnerabilities while typing, scans the full unit of code and corrects it before committing, and reviews and fixes issues identified in downstream testing (fed back through issue tracking).
- Continuous integration: CI plugins with build integration and the Static Code Analyzer; triggered or scheduled build and scan, with results sent to Software Security Center.
- Dynamic testing: a Jenkins job calls the WebInspect API to perform the scan, with results sent to Software Security Center.
- Security auditor: uses Audit Workbench to review results, update templates, and submit findings to issue management.
Where are you with DevOps? Do you have a plan for embedding security into it?
Thank You.