Security at the Speed of DevOps


Tony Rice, Senior Application Security Engineer, Cisco Systems

Security at the Speed of DevOps

Research Triangle 2016

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public

TL;DR: Agile development moves too fast, hire robots

Richard Sargent


Agile vs. Waterfall

[Figure: Agile, shown as Sprint 1, Sprint 2 and Sprint 3 each drawing from a Backlog, contrasted with Waterfall. “The Homer” image courtesy of Fox.]


Does Agile promote Security?

Security in the Software Lifecycle (1.2) - Department of Homeland Security

• Our highest priority is to satisfy the customer through early and continuous delivery of software.
• Welcome changing requirements, even late in development.
• Deliver working software frequently on a shorter timescale.
• Developers will be trusted by both management and customers to get the job done.
• Hire motivated individuals and trust them to get the job done.
• The most efficient and effective communication method is face-to-face conversation.
• Working software is the primary measure of progress.
• Sponsors, developers, and users should be able to maintain a constant pace indefinitely.
• Continuous attention to technical excellence and good design enhances agility.
• Simplicity, the art of maximizing the amount of work not done, is essential.
• The best architectures, requirements, and designs emerge from self-organizing teams.
• The team must reflect on its efficacy at regular intervals and adjust its behavior accordingly.


Software Delivery Life Cycle

[Figure: Requirements → Design → Coding → Test → Deploy]


Cost to Fix

[Chart: relative cost to fix a defect by life-cycle stage (Requirements, Design, Coding, Test, Deploy). Values shown: $1, $15, $30 and $100-1000 once deployed. Source: Software Engineering Economics, Barry W. Boehm.]

[Successive builds of the same chart overlay where defects enter and where they are found: Defect Introduction (30%, 18% shown), Vulnerability Introduction, and Defect Discovery (86%).]


The Solution

1. Introduce fewer bugs
2. Discover them earlier

(Image: xkcd #327)


[Chart: Defect Discovery across Requirements, Design, Coding, Test, Deploy, Yesterday vs. Tomorrow]


Send the Robots

[Pipeline: Requirements & Design → Coding → Integration → Test → Deploy]

(Image source: NASA JSC)


Manual Everything

✗ Code merged by hand (senior developer)
✗ Ad hoc manual builds, manual tests
✗ Measurement: customer complaints


Hire a Chief Robot

(Image source: NASA JSC)


Continuous Integration

✔ Automated builds
✔ Automated integration testing
Measurement: build quality


Secure by Design

✔ Security included in requirements
✔ Common security libraries
Measurement: adoption


Vulnerability Scanning

✔ Automated vulnerability scanning
✔ Code quality tests
Measurement: vulnerability counts

“Constantly think about how you could be doing things better and questioning yourself.”

Elon Musk


Developer Culture Shift

✔ Test driven development, unit test reuse
✔ Dynamic & static automated vulnerability scanning
✔ Code review / pair programming
Measurement: vulnerability counts, code review records


[Image: xkcd #303, captioned “TESTING” / “TESTING!!”]


Continuous Deployment

✔ Version control for all artifacts
✔ Proactive monitoring
✔ Stable, reproducible development environment
Measurement: deployments per day


Continuous Security

✔ Zero manual intervention from check-in to deployment
✔ Only inputs: code, configs and tests
✔ Development priority on refactoring legacy code, tests
Measurement: code coverage
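The Vulnerability Scanning and Continuous Security slides name the measurements (vulnerability counts, code coverage) and ask for zero manual intervention from check-in to deployment. As an added example that is not part of the deck, the Python below turns those measurements into an automated CI gate; the scanner and coverage JSON shapes, the finding ids and the legacy-code baseline are constructed assumptions, not a real tool's format.

```python
import json
from dataclasses import dataclass

# Constructed scanner output in a hypothetical JSON shape (not a real tool's format).
SCAN_RESULTS = json.dumps({"findings": [
    {"id": "SQLI-1", "severity": "high", "file": "app/db.py", "line": 42},
    {"id": "XSS-3", "severity": "medium", "file": "app/views.py", "line": 17},
    {"id": "INFO-9", "severity": "low", "file": "app/util.py", "line": 3},
]})
# Constructed coverage summary, and the findings already known in legacy code.
COVERAGE_REPORT = json.dumps({"lines_total": 1200, "lines_covered": 1044})
BASELINE_IDS = {"XSS-3", "INFO-9"}

@dataclass
class GatePolicy:
    max_high: int = 0                 # no high-severity finding may ship
    min_coverage: float = 0.80        # "Measurement: code coverage"
    allow_new_findings: bool = False  # ratchet: a change may not add to the backlog

def count_by_severity(scan_json: str) -> dict:
    counts = {"high": 0, "medium": 0, "low": 0}
    for finding in json.loads(scan_json)["findings"]:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts

def coverage_ratio(cov_json: str) -> float:
    cov = json.loads(cov_json)
    return cov["lines_covered"] / cov["lines_total"] if cov["lines_total"] else 0.0

def new_findings(scan_json: str, baseline_ids: set) -> list:
    # Findings absent from the baseline are the ones this change introduced.
    return sorted(f["id"] for f in json.loads(scan_json)["findings"]
                  if f["id"] not in baseline_ids)

def evaluate_gate(scan_json, cov_json, baseline_ids, policy=GatePolicy()):
    # Returns (passed, reasons); an empty reasons list means the build may deploy.
    reasons, counts = [], count_by_severity(scan_json)
    if counts["high"] > policy.max_high:
        reasons.append(f"{counts['high']} high finding(s) exceed limit {policy.max_high}")
    fresh = new_findings(scan_json, baseline_ids)
    if fresh and not policy.allow_new_findings:
        reasons.append(f"new findings not in baseline: {fresh}")
    cov = coverage_ratio(cov_json)
    if cov < policy.min_coverage:
        reasons.append(f"coverage {cov:.0%} below minimum {policy.min_coverage:.0%}")
    return (not reasons, reasons)

if __name__ == "__main__":
    passed, why = evaluate_gate(SCAN_RESULTS, COVERAGE_REPORT, BASELINE_IDS)
    print("PASS" if passed else "FAIL: " + "; ".join(why))
    raise SystemExit(0 if passed else 1)
```

Run as a pipeline step, the non-zero exit status is what stops a check-in with a new high-severity finding from reaching deployment without anyone inspecting it by hand.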


Additional Reading

• Haskins, Bill, Jonette Stecklein, Brandon Dick, Gregory Moroney, Randy Lovell, and James Dabney. "8.4.2 Error Cost Escalation Through the Project Life Cycle." INCOSE International Symposium 14.1 (2004): 1723-1737. NASA Technical Reports Server, NASA Johnson Space Center.
• Boehm, Barry W. Software Engineering Economics. Englewood Cliffs, NJ: Prentice-Hall, 1981. ISBN 0138221227.
• Puppet Labs. State of DevOps Report (2014).
• Martin, James. An Information Systems Manifesto. Englewood Cliffs, NJ: Prentice-Hall, 1984. ISBN 0134647696.
• Department of Homeland Security. Security in the Software Lifecycle (August 2006).
• Clark, Sandy, et al. Moving Targets: Security and Rapid-Release in Firefox.

http://www.slideshare.net/tony_rice
