The Path of DevOps Enlightenment for InfoSec


DevOps Days Kansas City @WICKETT

THE PATH OF DEVOPS ENLIGHTENMENT

FOR INFOSEC

JAMES WICKETT

SIGNAL SCIENCES

Want the slides?

james@signalsciences.com

‣ HEAD OF RESEARCH AT SIGNAL SCIENCES

‣ ORGANIZER OF DEVOPS DAYS AUSTIN

‣ LYNDA.COM AUTHOR ON DEVOPS

‣ BLOG AT THEAGILEADMIN.COM

@WICKETT

‣ WHY DO WE HAVE DEVOPS?

‣ DID WE BUILD DEVOPS PROPERLY?

‣ IS THE DEVOPS CULTURE LOST?

‣ CAN WE GET IT BACK?

‣ CAN WE PROTECT DEVOPS FROM FURTHER DISTORTION?

QUESTIONS ON MY MIND

My Journey

‣ WEB AND ECOMM FOR $1B COMPANY

‣ BRUTAL ONCALL ROTATIONS

‣ +24HR DEPLOYMENTS

‣ WATERFALL, WATERFALL, WATERFALL

‣ FRIENDS ARE BORN FROM ADVERSITY

FIRST BIGCO JOB

‣ IN 2007 WENT STARTUP AND AWS CLOUD

‣ LEARNED A BIT ABOUT FAILURE AND HAPPINESS

‣ REJOINED OLD TEAM IN 2010 FOR NEW CLOUD VENTURE BACK IN BIGCO

CLOUDING FOR PROFIT

‣ DEVOPS AND INFRA AS CODE

‣ NOT CD, BUT DEPLOYS DAILY

‣ AT BIGCO DELIVERED 4 SAAS PRODUCTS IN 2 YEARS WITH DEVOPS AND CLOUD

ENTER DEVOPS

‣ FOUND RUGGED SOFTWARE

‣ MET GENE KIM IN 2012 IN A BAR IN AUSTIN

‣ CREATED GAUNTLT

‣ LATER, JOINED SIGNAL SCIENCES

DEVOPS AND SECURITY

DevOps is Friendship

Compassion for Ops

10:1

Dev:Ops

Labor Inequity Permeates IT Ranks

100:10:1

Dev:Ops:Sec

Yet, I remained optimistic for DevOps+Security

ENTER DOUBTS

‣ DEVOPS ON A BUS AT RSA

‣ EXPO FLOOR AT DOCKER CON AND THE DEVOPS TOOLCHAIN

TWO EVENTS

HAD WE ALLOWED DEVOPS TO BE A NEW GIMMICK OR SLOGAN?

WHAT HAD DEVOPS BECOME?

‣ WHY DO WE HAVE DEVOPS?

‣ DID WE BUILD DEVOPS PROPERLY?

‣ IS THE DEVOPS CULTURE LOST?

‣ CAN WE GET IT BACK?

‣ CAN WE PROTECT DEVOPS FROM FURTHER DISTORTION?

QUESTIONING DEVOPS

OUR ROOTS: FRIENDSHIP

There is irony in my story…

‣ TEACH THREE DEVOPS CLASSES IN THE DEVOPS FOUNDATIONS SERIES AT LYNDA / LINKEDIN LEARNING

‣ WRITE DEVOPS AND SECURITY ARTICLES AS PART OF MY ROLE AT SIGNAL SCIENCES

Back to Our Roots

CULTURE IS THE MOST IMPORTANT ASPECT TO DEVOPS SUCCEEDING IN THE ENTERPRISE

- PATRICK DEBOIS

‣ MUTUAL UNDERSTANDING

‣ SHARED LANGUAGE

‣ SHARED VIEWS

‣ COLLABORATIVE TOOLING

4 KEYS TO CULTURE

FRIENDSHIP

Make a friend at DevOps Days KC

Security is in Crisis

Companies are spending a great deal on security, but we read of massive computer-related attacks. Clearly something is wrong.

The root of the problem is twofold: we’re protecting the wrong things, and we’re hurting productivity in the process.

THINKING SECURITY, STEVEN M. BELLOVIN 2015

[Security by risk assessment] introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy and that underfunded security efforts plus risk management are about as good as properly funded security work.

Security is often the cultural outlier in an organization

many security teams work with a worldview where their goal is to inhibit change as much as possible

“SECURITY PREFERS A SYSTEM POWERED OFF AND UNPLUGGED”

- DEVELOPER

“…THOSE STUPID DEVELOPERS”

- SECURITY PERSON

It is 30 times cheaper to fix security defects in dev vs. prod

NIST, 2002, The Economic Impacts of Inadequate Infra for Software Testing

Security must Change or Die

“every aspect of managing WAFs is an ongoing process. This is the antithesis of set it and forget it technology. That is the real point of this research. To maximize value from your WAF you need to go in with everyone’s eyes open to the effort required to get and keep the WAF running productively.”

- WHITEPAPER FROM AN UNDISCLOSED WAF VENDOR

Bottleneck Approach

THE AVERAGE TIME TO DELIVER CORPORATE IT PROJECTS HAS INCREASED FROM ~8.5 MONTHS TO OVER 10 MONTHS IN THE LAST 5 YEARS

Revving up your Corporate RPMs, Fortune Magazine, Feb 1, 2016

THE GROWTH OF [SECURITY] FUNCTIONS WHICH IS TOO OFTEN POORLY COORDINATED… [RESULTING IN] A PROLIFERATION OF NEW TASKS IN THE AREAS OF COMPLIANCE, PRIVACY AND DATA PROTECTION.

Many security professionals have a hard time adapting their existing practices to a world where requirements can change every few weeks, or where they are never written down at all.

DevOps: A New Traveling Companion for Security (…and probably the only way to survive)

High performers spend 50 percent less time remediating security issues than low performers. By better integrating information security objectives into daily work, teams achieve higher levels of IT performance and build more secure systems.

2016 State of DevOps Report

High performing orgs achieve quality by incorporating security (and security teams) into the delivery process

2016 State of DevOps Report

http://www.youtube.com/watch?v=jQblKuMuS0Y

The New Path

OLD PATH VS. NEW PATH

  Old path             New path
  Embrace Secrecy      Create Feedback Loops
  Just Pass Audit!     Compliance adds Value
  Enforce Stability    Create Chaos
  Build a Wall         Zero Trust Networks
  Slow Validation      Fast and Non-blocking
  Certainty Testing    Adversity Testing
  Test when Done       Shift Left
  Process Driven       The Paved Road

A security team who embraces openness about what it does and why, spreads understanding. - Rich Smith

Runtime is arguably the most important place to create feedback loops

‣ ACCOUNT TAKEOVER ATTEMPTS

‣ AREAS OF THE SITE UNDER ATTACK

‣ MOST LIKELY VECTORS OF ATTACK

‣ BUSINESS LOGIC FLOWS

DETECT WHAT MATTERS
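The slide lists what a runtime feedback loop should surface but not how to get it out of the traffic. The following is an added example (not code from the talk or from Signal Sciences) that turns a handful of constructed access-log lines into the three answers: which source IPs are attempting account takeover and whether it looks like credential stuffing (many accounts, one IP) or brute force (one account, one IP), which logins succeeded from an already-flagged IP, and which areas of the site are drawing auth failures and server errors. The log format, the IPs and the usernames are all invented for the example.

```python
"""Runtime detection over web access logs: account-takeover attempts,
successful logins from flagged sources, and areas of the site under attack.
Added example, not code from the talk or from Signal Sciences; the log
format and the sample lines are constructed for illustration."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: str
    ip: str
    method: str
    path: str
    status: int
    user: str  # username submitted on /login, "-" for other requests


# Constructed log format: timestamp ip method path status user
LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3}) (\S+)$")

# Constructed sample: one IP spraying many accounts, one IP hammering a
# single account, one IP probing /search and /admin, plus ordinary traffic.
SAMPLE_LOG = """\
2017-05-01T10:00:01Z 203.0.113.5 POST /login 401 alice
2017-05-01T10:00:02Z 203.0.113.5 POST /login 401 bob
2017-05-01T10:00:03Z 203.0.113.5 POST /login 401 carol
2017-05-01T10:00:04Z 203.0.113.5 POST /login 401 dave
2017-05-01T10:00:05Z 203.0.113.5 POST /login 401 erin
2017-05-01T10:00:06Z 203.0.113.5 POST /login 200 frank
2017-05-01T10:00:07Z 192.0.2.7 POST /login 401 alice
2017-05-01T10:00:08Z 192.0.2.7 POST /login 401 alice
2017-05-01T10:00:09Z 192.0.2.7 POST /login 401 alice
2017-05-01T10:00:10Z 192.0.2.7 POST /login 401 alice
2017-05-01T10:00:11Z 192.0.2.7 POST /login 401 alice
2017-05-01T10:00:12Z 198.51.100.9 GET /search?q=shoes 200 -
2017-05-01T10:00:13Z 198.51.100.9 GET /search?q=%27 500 -
2017-05-01T10:00:14Z 198.51.100.9 GET /admin 403 -
2017-05-01T10:00:15Z 198.51.100.20 GET /products/42 200 -
this line is malformed and must not crash the detector
"""


def parse_log(text: str) -> List[Event]:
    """Parse lines into events; malformed lines are skipped, never fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, method, path, status, user = m.groups()
        # Drop the query string so /search?q=a and /search?q=b aggregate.
        events.append(Event(ts, ip, method, path.split("?", 1)[0], int(status), user))
    return events


def account_takeover_attempts(events: List[Event], threshold: int = 5) -> Dict[str, dict]:
    """Source IPs with at least `threshold` failed logins. Many distinct
    usernames from one IP looks like credential stuffing; one username
    repeated looks like brute force."""
    failed: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        if e.method == "POST" and e.path == "/login" and e.status == 401:
            failed[e.ip].append(e.user)
    findings = {}
    for ip, users in failed.items():
        if len(users) >= threshold:
            kind = "credential_stuffing" if len(set(users)) > 1 else "brute_force"
            findings[ip] = {"failures": len(users), "accounts": len(set(users)), "kind": kind}
    return findings


def takeover_successes(events: List[Event], findings: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Logins that succeeded from an IP already flagged: the event that
    warrants an immediate response (force re-auth, notify the account owner)."""
    return [(e.ip, e.user) for e in events
            if e.ip in findings and e.method == "POST" and e.path == "/login" and e.status == 200]


def areas_under_attack(events: List[Event]) -> List[Tuple[str, int]]:
    """Paths ranked by auth failures and server errors, the cheapest
    runtime signal of where the application is being probed."""
    counter: Counter = Counter(e.path for e in events if e.status in (401, 403, 500))
    return counter.most_common()


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = account_takeover_attempts(evs)
    print("takeover attempts:", hits)
    print("successful logins from flagged IPs:", takeover_successes(evs, hits))
    print("areas under attack:", areas_under_attack(evs))
```

The threshold and the status codes are deliberately simple; in production the same functions would run over a sliding time window and feed the "are you under attack, and where?" question that follows.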

Are you under attack?

Where?

Options: RASP, NGWAF or Web Protection Platform

‣ POLICIES AND PROCEDURES IN PLACE

‣ EFFECTIVE EXECUTION OF THOSE POLICIES TO ALLOW YOU TO KEEP FUNCTIONING

‣ MOST OF PCI AND OTHER FRAMEWORKS PROVIDE REASONABLY GOOD PRACTICES *IF* YOU REMOVE ALL THE WATERFALL BITS

UNDERSTAND AUDITORS

[Deploys] can be treated as standard or routine changes that have been pre-approved by management, and that don’t require a heavyweight change review meeting.

Separation of Duties Considered Harmful

Developers with Access to Production, Oh My!!!

https://www.schellmanco.com/blog/2012/12/auditing-devops-developers-with-access-to-production/

Check out DevOps Audit Defense Toolkit

https://cdn2.hubspot.net/hubfs/228391/Corporate/DevOps_Audit_Defense_Toolkit_v1.0.pdf

‣ ADD IN CHAOS TO YOUR SYSTEM AND APPLICATION

‣ CHAOS MONKEY

‣ ANTI-FRAGILE

‣ RELEASE IT! BOOK

CHAOS ENGINEERING

‣ ADDS MISCONFIG TO THE STACK AND CHECKS TO SEE IF IT GETS DETECTED

‣ NEW OPEN SOURCE TOOL!

‣ RUNS AS A LAMBDA

CHAOS SLINGR
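The Chaos Slingr slide describes the shape of a security chaos experiment (introduce a misconfiguration, see whether detection fires) without showing the loop itself. Below is an added example of that loop; it is not Chaos Slingr's code and does not talk to AWS or run as a Lambda. `CloudStack` is a constructed in-memory stand-in for a cloud account's security groups, `detect_open_admin_ports` stands in for whatever monitoring the team relies on, and `weak_detector` is a deliberately incomplete detector included to show the experiment surfacing a detection gap. The experiment refuses to run on a dirty baseline and always rolls the injected change back.

```python
"""Security chaos experiment: inject a misconfiguration, verify detection
fires within a polling budget, roll back. Added example in the spirit of
the Chaos Slingr slide; not Chaos Slingr's code. CloudStack is a constructed
in-memory model standing in for a real cloud account."""
import copy
import time
from typing import Callable, Dict, List, Optional, Tuple

Rule = Dict[str, object]      # {"port": int, "cidr": str}
Finding = Tuple[str, int]     # (security group name, port)


class CloudStack:
    """Constructed model: security group name -> list of ingress rules."""

    def __init__(self) -> None:
        self.security_groups: Dict[str, List[Rule]] = {
            "web-sg": [{"port": 443, "cidr": "0.0.0.0/0"}],
            "db-sg": [{"port": 5432, "cidr": "10.0.0.0/8"}],
        }


Detector = Callable[[CloudStack], List[Finding]]


def detect_open_admin_ports(stack: CloudStack, ports=(22, 3389, 5432)) -> List[Finding]:
    """Detector under test: any admin or database port exposed to 0.0.0.0/0."""
    return [(name, rule["port"])
            for name, rules in stack.security_groups.items()
            for rule in rules
            if rule["port"] in ports and rule["cidr"] == "0.0.0.0/0"]


def weak_detector(stack: CloudStack) -> List[Finding]:
    """A detector that never learned about database ports; the experiment should expose it."""
    return detect_open_admin_ports(stack, ports=(22, 3389))


def run_experiment(stack: CloudStack, detector: Detector,
                   max_polls: int = 3, interval: float = 0.0) -> Dict[str, object]:
    """Hypothesis: opening db-sg port 5432 to the world is detected within max_polls checks."""
    if detector(stack):
        # A dirty baseline would make the result meaningless; abort instead.
        return {"aborted": True, "reason": "baseline already has findings"}
    baseline = copy.deepcopy(stack.security_groups)
    detected_after: Optional[int] = None
    try:
        # Inject the fault: the database group now admits the whole internet.
        stack.security_groups["db-sg"].append({"port": 5432, "cidr": "0.0.0.0/0"})
        for poll in range(1, max_polls + 1):
            if ("db-sg", 5432) in detector(stack):
                detected_after = poll
                break
            time.sleep(interval)  # against a real account this is the alerting latency budget
    finally:
        # Always roll back, even if the detector raised.
        stack.security_groups = copy.deepcopy(baseline)
    return {
        "aborted": False,
        "detected": detected_after is not None,
        "polls": detected_after,
        "reverted": stack.security_groups == baseline and detector(stack) == [],
    }


if __name__ == "__main__":
    print("full detector:", run_experiment(CloudStack(), detect_open_admin_ports))
    print("weak detector:", run_experiment(CloudStack(), weak_detector))
```

The useful output is the second line: the experiment "fails" for `weak_detector`, which is exactly the finding a team wants before an attacker produces it for them.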

‣ I AM BEING PEN TESTED ANYWAY, WHY NOT FIND OUT WHAT THEY ARE FINDING?

‣ 24/7 PEN TESTING

‣ BUILDS DEVELOPER CONFIDENCE

‣ FINDS MIX OF LOW HANGING FRUIT AND SOMETIMES MUCH MORE!

BUG BOUNTIES

‣ NO PERIMETER SECURITY

‣ ASSUME COMPROMISE

‣ INSTRUMENT ALL LAYERS

‣ EXTENDS FROM LAPTOPS TO WEB APPS TO CUSTOMER ACCOUNTS

ZERO TRUST NETWORKS

‣ DON’T SLOW DELIVERY

‣ CONTINUOUS TESTING AND VALIDATION

‣ TESTING ON THE SIDE OF THE PIPELINE

‣ PENETRATION TESTING OUTSIDE OF DELIVERY

FAST AND NON-BLOCKING

Currently, at Signal Sciences we do about 15 deploys per day

Roughly 10,000 deploys in the last 2.5 yrs

CD is how little you can deploy at a time

We optimized for cycle time: the time from code commit to production

Gave power to the team to deploy

Signal Sciences is a software as a service company and a security company

Security is part of CI/CD and the overall delivery pipeline

‣ DESIGN

‣ INHERIT

‣ BUILD

‣ DEPLOY

‣ OPERATE

PIPELINE PHASES

‣ INHERIT: What have I bundled into my app that leaves me vulnerable?

‣ BUILD: Do my build acceptance tests and integration tests catch security issues before release?

‣ OPERATE: Am I being attacked right now? Is it working?

SECURITY CONSIDERATIONS
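The INHERIT question is the one most teams answer last, because it is the one nobody wrote code for. The following added example (not code from the talk or from Signal Sciences) shows the minimum that answers it: parse the app's pinned dependency list, compare each pin numerically against the first fixed version in an advisory list, and flag unpinned entries separately because they cannot be checked at all. The package names, versions and advisory labels are constructed, not a real feed, and the exit status is there so the check can sit in CI as a build gate.

```python
"""INHERIT-phase check: which bundled dependencies carry a known advisory,
and which cannot even be checked because they are unpinned. Added example;
the requirements content, package names and advisory list are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed requirements.txt content (not a real project).
REQUIREMENTS = """\
# constructed example requirements.txt
httpkit==2.9.1
yamlish==3.11
templater>=1.0      # unpinned: cannot be checked against a fixed version
exampleorm==1.4.2   # already at or past the fixed version, should pass
"""

# Constructed advisories: package -> list of (first fixed version, label).
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "httpkit": [("2.20.0", "ADVISORY-PLACEHOLDER-1")],
    "yamlish": [("5.1", "ADVISORY-PLACEHOLDER-2")],
    "exampleorm": [("1.4.0", "ADVISORY-PLACEHOLDER-3")],
}

REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9.]*)?$")


def version_tuple(v: str) -> Tuple[int, ...]:
    """Compare numerically: (2, 9, 1) < (2, 20, 0), which string comparison gets wrong."""
    return tuple(int(p) for p in v.strip(".").split("."))


def parse_requirements(text: str) -> List[Tuple[str, str, str]]:
    """Return (name, operator, version) triples; comments and blank lines are skipped."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name, op, ver = m.groups()
        out.append((name.lower(), op or "", ver or ""))
    return out


def check_inherited(reqs: List[Tuple[str, str, str]],
                    advisories: Dict[str, List[Tuple[str, str]]]) -> List[Dict[str, str]]:
    """One finding per vulnerable pin, plus one per dependency that is not pinned to '=='."""
    findings = []
    for name, op, ver in reqs:
        if op != "==" or not ver:
            findings.append({"package": name, "issue": "unpinned", "detail": f"{op}{ver}"})
            continue
        for fixed, label in advisories.get(name, []):
            if version_tuple(ver) < version_tuple(fixed):
                findings.append({"package": name, "issue": "vulnerable",
                                 "detail": f"{ver} < {fixed} ({label})"})
    return findings


def exit_status(findings: List[Dict[str, str]]) -> int:
    """Non-zero when anything is vulnerable or unpinned, so CI can fail the build."""
    return 1 if findings else 0


if __name__ == "__main__":
    results = check_inherited(parse_requirements(REQUIREMENTS), ADVISORIES)
    for f in results:
        print(f"{f['issue']:<10} {f['package']:<12} {f['detail']}")
    raise SystemExit(exit_status(results))
```

A real pipeline would read the lockfile from the repository and the advisory list from a vulnerability feed; the comparison and the gate are the parts that do not change.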

Be Mean to Your Code

The goal should be to come up with a set of automated tests that probe and check security configurations and runtime system behavior for security features that will execute every time the system is built and every time it is deployed.
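As an added illustration of the quoted goal (not code from the talk or from Signal Sciences), here is the kind of automated check that runs after every build and every deploy: it takes a service's HTTP response headers and asserts the security configuration the team has decided on, returning a list of policy failures that the pipeline can treat as a failed acceptance test. Both captured responses are constructed; the policy values (one-year HSTS, `nosniff`, a framing restriction, `Secure`/`HttpOnly` cookies, no version in `Server`) are this example's assumptions, and `BAD_RESPONSE` is intentionally non-compliant so the failures are visible.

```python
"""Deploy-time security acceptance test over a service's response headers.
Added example; the policy values are assumptions and the two captured
responses are constructed, not from a real deployment."""
import re
from typing import List, Tuple

Headers = List[Tuple[str, str]]  # list of pairs so repeated Set-Cookie headers survive
ONE_YEAR = 31536000

# Constructed responses. The first violates every rule on purpose.
BAD_RESPONSE: Headers = [
    ("Server", "exampled/1.2.3"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("X-Frame-Options", "ALLOWALL"),
]
GOOD_RESPONSE: Headers = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


def check_response(headers: Headers) -> List[str]:
    """Return policy failures for one response; an empty list means the check passes."""

    def get(name: str) -> List[str]:
        return [v for k, v in headers if k.lower() == name]

    failures: List[str] = []

    # HSTS present with a max-age of at least one year.
    hsts = get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if not m or int(m.group(1)) < ONE_YEAR:
        failures.append("hsts: missing or max-age below one year")

    # MIME sniffing disabled.
    if [v.lower() for v in get("x-content-type-options")] != ["nosniff"]:
        failures.append("x-content-type-options: must be nosniff")

    # Framing restricted by CSP frame-ancestors or a strict X-Frame-Options.
    xfo = [v.upper() for v in get("x-frame-options")]
    csp = " ".join(get("content-security-policy"))
    if "frame-ancestors" not in csp and xfo not in (["DENY"], ["SAMEORIGIN"]):
        failures.append("framing: no frame-ancestors CSP and no DENY/SAMEORIGIN X-Frame-Options")

    # Every cookie carries Secure and HttpOnly.
    for cookie in get("set-cookie"):
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs or "httponly" not in attrs:
            failures.append(f"cookie {cookie.split('=', 1)[0]}: needs Secure and HttpOnly")

    # Server header must not advertise a version.
    for v in get("server"):
        if re.search(r"\d", v):
            failures.append("server: header leaks a version string")

    return failures


if __name__ == "__main__":
    for label, resp in (("bad", BAD_RESPONSE), ("good", GOOD_RESPONSE)):
        print(label, check_response(resp) or "PASS")
```

In a pipeline the headers would come from an HTTP request to the freshly deployed environment, and a non-empty list would fail the deploy step; the policy is data, so the same function can be reused for every service behind the same standard.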

Security tools are intractably noisy and difficult to use

A method of collaboration was needed for devs, ops and security eng.

There needed to be a new language to span the parties

Started Gauntlt 4 years ago

Open source, MIT License

Gauntlt comes with pre-canned steps that hook security testing tools

Gauntlt does not install tools

Gauntlt wants to be part of the CI/CD pipeline

Be a good citizen of exit status and stdout/stderr

gauntlt.org

    $ gem install gauntlt

    # download example attacks from github
    # customize the example attacks
    # now you can run gauntlt
    $ gauntlt

    @slow @final
    Feature: Look for cross site scripting (xss) using arachni against a URL

      Scenario: Using arachni, look for cross site scripting and verify no issues are found
        Given "arachni" is installed
        And the following profile:
          | name | value                 |
          | url  | http://localhost:8008 |
        When I launch an "arachni" attack with:
          """
          arachni --check=xss* <url>
          """
        Then the output should contain "0 issues were detected."

Given

When

Then

What?

“We have saved millions of dollars using Gauntlt for the largest healthcare industry project.”

- Aaron Rinehart, UnitedHealthCare

http://bit.ly/2s8P1Ll

‣ 8 LABS FOR GAUNTLT

‣ HOW TO USE GAUNTLT FOR NETWORK CHECKS

‣ GAUNTLT FOR XSS, SQLI, OTHER APSES

‣ HANDLING REPORTING

‣ USING ENV VARS

‣ CI SYSTEM SETUP

WORKSHOP INCLUDES:

github.com/gauntlt/gauntlt-demo

github.com/gauntlt/gauntlt-starter-kit

SOURCE: THE THREE WAYS OF DEVOPS, GENE KIM

Most teams use Gauntlt in Docker containers

https://github.com/gauntlt/gauntlt-docker

Red Team Mondays at Intuit

OVER 30% OF OFFICIAL IMAGES IN DOCKER HUB CONTAIN HIGH PRIORITY SECURITY VULNERABILITIES

https://banyanops.com/blog/analyzing-docker-hub/

‣ MAKE IT EASY FOR PEOPLE TO DO THE RIGHT THING

‣ JASON CHAN, NETFLIX

‣ GOLD IMAGES

‣ BLESSED BUILDS AND DEPENDENCIES

THE PAVED ROAD

Don’t be a blocker, be an enabler of the business

Contact me

james@signalsciences.com @wickett