OFFICE OF INFORMATION SECURITY
DevSecOps – A faster, secure way for Software Development
URAL FORUM: Information Security of Financial Sphere
February 2020
Official Use Only
Application Security Risks
Attackers can potentially use many different paths through your application to harm your business or organization. Each of these paths represents a risk.
OWASP Top Ten 2017
Waterfall vs Agile
Cost of Fixing Application Vulnerability
From Waterfall to Agile to DevOps…
• DevOps is the union of people, process, and technologies to enable continuous delivery of value to end users
• DevOps refers to replacing siloed Development and Operations to create multidisciplinary teams that now work together with shared and efficient practices and tools
• Essential DevOps practices include agile planning, continuous integration, continuous delivery, and monitoring of applications
Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops
The DevSecOps Mindset
• Open collaboration on shared objectives
• Security at the source
• Reinforce and elevate through automation
• Risk-oriented operations and actionable insights
• Holistic approach to security objectives
• Proactive monitoring and recursive feedback
• Automated operations security
• Operations engineering
DoD DevSecOps Software Lifecycle (diagram): Sec wraps around Dev and Ops. Security activities shown across the lifecycle: Threat Model, Secure Coding, 3rd Party Libraries, Security as Code, Security Config, SAST, DAST, Pen Test, Security Scan, Security Analysis, Security Audit, Digital Sign, Secure Transfer, Security Monitor, Security Patch.
Target State of DevSecOps: Key Capabilities
• Threat modelling
• OWASP dependency checks
• Base container image scans
• Routine infrastructure scans
• Embedded Security-as-Code in design patterns
• Leverage an automated "template checker"
• Vulnerability scans on app container images and on running containers
• Vulnerability scans on serverless functions
• Unified Risk Framework for (Infra & Apps) vulnerability assessment and remediation
• Routine credential scans on selected Prod/QA apps
• Expand config checks for Azure and AWS
• Secure Azure DevOps infrastructure
Capability Rating scale (chart): Nominal, Foundational, Intermediate, Advanced, Leading
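A minimal version of the "template checker" and the Azure/AWS config checks listed above, as an added example that is not part of the original deck or of any vendor product: it parses a CloudFormation template and an ARM template, flags a few misconfigurations, and returns the exit code a pipeline stage would use. The rule ids, the admin-port policy and both sample templates are constructed for illustration.

```python
"""Policy-as-code 'template checker' for AWS CloudFormation and Azure ARM JSON.
Added example: rule ids, the admin-port policy and both sample templates are
constructed for illustration; they are not from the deck, AWS or Microsoft."""
import json
from collections import namedtuple

ADMIN_PORTS = {22, 3389}                        # SSH / RDP: constructed policy choice
WORLD = {"0.0.0.0/0", "::/0", "*", "Internet"}  # "anyone" in CloudFormation / ARM spelling
Finding = namedtuple("Finding", "rule resource message")

def _aws_port_range(lo, hi):
    """Normalise an AWS port pair; -1 or a missing port means every port."""
    if lo in (-1, None) or hi in (-1, None):
        return 0, 65535
    return int(lo), int(hi)

def _azure_port_range(spec):
    """ARM destinationPortRange is a string: '22', '1000-2000' or '*'."""
    if spec == "*":
        return 0, 65535
    lo, _, hi = str(spec).partition("-")
    return int(lo), int(hi or lo)

def _hits_admin_port(lo, hi):
    return any(lo <= p <= hi for p in ADMIN_PORTS)

def check_cloudformation(template):
    """Flag world-reachable admin ports and S3 buckets without default encryption."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                lo, hi = _aws_port_range(rule.get("FromPort"), rule.get("ToPort"))
                if cidr in WORLD and _hits_admin_port(lo, hi):
                    findings.append(Finding("AWS-SG-001", name, f"ingress from {cidr} covers ports {lo}-{hi}"))
        elif rtype == "AWS::S3::Bucket" and "BucketEncryption" not in props:
            findings.append(Finding("AWS-S3-001", name, "no default bucket encryption"))
    return findings

def check_arm(template):
    """Flag plain-HTTP / old-TLS storage accounts and NSG rules opening admin ports."""
    findings = []
    for res in template.get("resources", []):
        rtype, name, props = res.get("type", ""), res.get("name", "?"), res.get("properties", {})
        if rtype == "Microsoft.Storage/storageAccounts":
            if props.get("supportsHttpsTrafficOnly") is not True:
                findings.append(Finding("AZ-ST-001", name, "plain HTTP is not disabled"))
            if props.get("minimumTlsVersion") != "TLS1_2":  # an absent property is reported, not assumed safe
                findings.append(Finding("AZ-ST-002", name, "minimumTlsVersion is not TLS1_2"))
        elif rtype == "Microsoft.Network/networkSecurityGroups":
            for rule in props.get("securityRules", []):
                rp = rule.get("properties", {})
                if (rp.get("direction"), rp.get("access")) != ("Inbound", "Allow"):
                    continue  # Deny rules and outbound rules cannot expose a port
                lo, hi = _azure_port_range(rp.get("destinationPortRange", "*"))
                if rp.get("sourceAddressPrefix") in WORLD and _hits_admin_port(lo, hi):
                    findings.append(Finding("AZ-NSG-001", f"{name}/{rule.get('name')}",
                                            f"inbound from Internet covers ports {lo}-{hi}"))
    return findings

def check_template(text):
    """Pick the checker from the template's top-level key and return its findings."""
    doc = json.loads(text)
    if "Resources" in doc:
        return check_cloudformation(doc)
    if "resources" in doc:
        return check_arm(doc)
    raise ValueError("neither a CloudFormation nor an ARM template")

def gate(findings):
    """Exit code for the pipeline step: any finding fails the build."""
    return 1 if findings else 0

# Constructed sample templates (not real infrastructure).
SAMPLE_CFN = json.dumps({"Resources": {
    "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}}}})
SAMPLE_ARM = json.dumps({"resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stexample",
     "properties": {"supportsHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0"}},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-example", "properties": {"securityRules": [
        {"name": "allow-rdp", "properties": {"direction": "Inbound", "access": "Allow",
                                             "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"}},
        {"name": "allow-https", "properties": {"direction": "Inbound", "access": "Allow",
                                               "sourceAddressPrefix": "*", "destinationPortRange": "443"}},
        {"name": "deny-ssh", "properties": {"direction": "Inbound", "access": "Deny",
                                            "sourceAddressPrefix": "*", "destinationPortRange": "22"}}]}}]})

if __name__ == "__main__":
    found = [f for tpl in (SAMPLE_CFN, SAMPLE_ARM) for f in check_template(tpl)]
    for f in found:
        print(f"{f.rule} {f.resource}: {f.message}")
    raise SystemExit(gate(found))
```

Run directly, it prints the findings and exits non-zero; in a pipeline the same `gate` value fails the stage before the template is deployed. Two caveats worth carrying into a real checker: properties are matched by exact key, so templates that pass the CIDR or port through ARM parameters or CloudFormation intrinsic functions (`Ref`, `Fn::Sub`) must be resolved first, and absent properties are reported rather than assumed safe (an unset `minimumTlsVersion` is a finding) because the platform default is not under the template author's control.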
Expected Value of DevSecOps
• Increased Automation: an automated and repeatable process to ensure consistent delivery with no manual handoff
• Visibility: insights into application code, coverage, security vulnerabilities and testing results
• Agility: quick and frequent delivery of features to end users using the automated DevSecOps pipelines
• Embedded Security: security feedback early in the development lifecycle, helping to mitigate security challenges
• Reusability: maximize WBG investments and promote the use of standard components and service catalogs
• Stability: leverage the service catalog to ensure infrastructure meets enterprise requirements
Q & A
DevOps - Understand Cycle Time
• Start with observation of business, market, needs, current user behavior, and available telemetry data
• Then orient with the enumeration of options for what you can deliver, perhaps with experiments
• Next decide what to pursue
• Then act by delivering working software to real users
• All of this occurs in some cycle time
Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops
DevOps - Strive for Validated Learning
• The cycle time determines how quickly feedback is gathered to determine what happens in the next loop
• The feedback gathered with each cycle should be real, actionable data
• This is called validated learning
Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops
DevOps - Shorten Your Cycle Time
• When DevOps practices are adopted, the cycle time is shortened by:
• working in smaller batches
• using more automation
• hardening the release pipeline
• improving telemetry
• deploying more frequently
Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops
DevOps - Optimize Validated Learning
• The more frequent the deployments, the more opportunity to change or continue, and to gain validated learning each cycle
• This acceleration in validated learning is the value of improvement
• It is the sum of the achieved improvements and the avoided failures
Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops
DevOps Enablers
• Continuous Integration drives the ongoing merging and testing of code, which leads to finding defects early
• Other benefits include less time wasted on fighting merge issues and rapid feedback for development teams
Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops
DevOps Enablers(cont.)
• Continuous Delivery of software solutions to production and testing environments helps organizations quickly fix bugs and respond to ever-changing business requirements
Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops
DevOps Enablers (cont.)
• Version Control enables teams located anywhere in the world to communicate effectively during daily development activities, as well as to integrate with software development tools for monitoring activities such as deployments
Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops
DevOps Enablers (cont.)
• Agile planning and lean project management techniques are used to plan work into sprints, manage team capacity, and help teams quickly adapt to changing business needs
Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops
DevOps Enablers (cont.)
• Monitoring and Logging of running applications, including production environments, for application health as well as customer usage helps organizations form a hypothesis and quickly validate or disprove strategies
Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops
DevOps Enablers (cont.)
• Public and Hybrid Clouds have removed traditional bottlenecks and helped commoditize infrastructure
• Whether Infrastructure as a Service (IaaS) is used to lift and shift existing apps, or Platform as a Service (PaaS) to gain unprecedented productivity, the cloud gives a datacenter without limits
Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops
DevOps Enablers (cont.)
• Infrastructure as Code (IaC) is a practice which enables the automation and validation of creation and teardown of environments to help with delivering secure and stable application hosting platforms
Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops
DevOps Enablers (cont.)
• Microservices architecture is leveraged to isolate business use cases into small reusable services that communicate via interface contracts
• This architecture enables scalability and efficiency
Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops
DevOps Enablers (cont.)
• Containers are the next evolution in virtualization: they are much more lightweight than virtual machines and can be configured from files
Microsoft https://docs.microsoft.com/en-us/azure/devops/learn/what-is-devops
Security in DevOps Principles and Goals
• Make security a first-class problem and the security team a first-class participant in DevOps
• Increase trust and transparency between development, operations, and security
• Integrate security practices and ideas into DevOps culture, and DevOps into security culture
• Wire security into DevOps toolchains and workflows to incrementally improve security
SANS https://www.sans.org/security-resources/posters/secure-devops-toolchain-swat-checklist/60/download
DevSecOps Pillars - Governance
• DevSecOps, by design, requires a highly consistent process that uses a uniform set of tools and automated controls
• This helps simplify the monitoring and testing of required controls
DevSecOps Pillars - People
• Remember that people are still the greatest efficiency (or inefficiency) asset
• Breaking down traditional barriers can be the first and most important catalyst to your DevSecOps journey
• Start small. Small teams gradually come together cohesively
• Security specialists understand development pressures and drive more automation of security testing
• Development teams understand security approaches and adopt secure coding practices
DevSecOps Pillars - Process
• As speed and quality are key to DevSecOps, try to simplify manual processes as much as possible without sacrificing security needs
• Since development and deployment are now much faster than before, security software development processes should become more factory-like
• Move security requirements as early into the design stage as possible, aiming to eliminate manual security "gatekeeper" delays later on
DevSecOps Pillars - Technology
• A variety of pipeline tools (testing-as-code, security-as-code, infrastructure-as-code, compliance-as-code, and others) can eliminate the need for some manual security activities, thus boosting velocity
• Development and security teams can become more unified, defect costs can plummet, and quality can become consistent throughout the pipeline
• Consider testing these new security tools with specific product teams before releasing to the enterprise
Security in DevOps Best Practices
• Adapt security testing tools/processes to the developers, not the other way around
• Don’t try to eliminate ALL vulnerabilities during development
• Focus first on identifying and removing the known critical vulnerabilities
• Don’t expect to use traditional DAST/SAST without changes
• Train developers on secure coding
• Adopt a security champion model, implement simple security requirements gathering
• Eliminate the use of known vulnerable components at the source
• Secure and apply operational discipline to automation scripts
• Implement strong version control on all code and components
• Adopt an immutable infrastructure mindset, preventing manual changes to production
Gartner https://www.gartner.com/en/documents/3811369
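One way to implement the "OWASP dependency checks" capability from the target-state list and the "eliminate the use of known vulnerable components at the source" practice above, as an added example that is not code from the deck or from OWASP Dependency-Check: a pinned manifest is matched against an advisory feed by version range and the build fails at a severity threshold. The manifest, the advisory entries, the package names and the advisory ids are constructed placeholders (no real CVEs or libraries). A real pipeline would load advisories from a feed such as the NVD or OSV data and match on component identifiers (Dependency-Check matches CPEs against the NVD); the range-matching and gating logic is the part shown here.

```python
"""Known-vulnerable-component check for a pinned Python manifest.
Added example: the manifest, the advisory feed, the package names and the advisory
ids are constructed placeholders (no real CVEs or libraries), not from the deck or
from OWASP Dependency-Check."""
import operator
import re

# Constructed advisory feed; a real pipeline would load this from NVD/OSV data.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "examplelib", "affected": ">=1.0,<1.4.2", "severity": "CRITICAL"},
    {"id": "ADV-EXAMPLE-2", "package": "examplelib", "affected": "<0.9", "severity": "HIGH"},
    {"id": "ADV-EXAMPLE-3", "package": "sampleparser", "affected": "==2.3.0", "severity": "MEDIUM"},
]
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}


def parse_version(s):
    """'1.4' -> (1, 4, 0, 0): zero-pad so that 1.4 and 1.4.0 compare equal."""
    parts = [int(p) for p in s.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def in_range(version, spec):
    """True when every comma-separated clause of spec ('>=1.0,<1.4.2') holds."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|!=|<|>)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"bad specifier: {clause!r}")
        if not OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def parse_requirements(text):
    """Split a requirements.txt into pinned {name: version} and unpinned lines.
    Only exact pins (name==version) can be matched against an advisory reliably."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([\d.]+)", line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(line)
    return pinned, unpinned


def find_vulnerable(pinned, advisories=ADVISORIES):
    """Return the advisories whose affected range contains the pinned version."""
    hits = []
    for adv in advisories:
        version = pinned.get(adv["package"].lower())
        if version is not None and in_range(version, adv["affected"]):
            hits.append({**adv, "installed": version})
    return hits


def gate(hits, unpinned, fail_at="HIGH"):
    """1 (fail) on any hit at or above the threshold, or on unpinned dependencies."""
    threshold = SEVERITY_RANK[fail_at]
    if unpinned or any(SEVERITY_RANK[h["severity"]] >= threshold for h in hits):
        return 1
    return 0


REQUIREMENTS = """\
# constructed manifest, not a real project
examplelib==1.3.9
sampleparser==2.3.1
othertool>=3.0     # not pinned: resolves differently on every build
"""

if __name__ == "__main__":
    pinned, unpinned = parse_requirements(REQUIREMENTS)
    hits = find_vulnerable(pinned)
    for h in hits:
        print(f"{h['severity']:8} {h['id']} {h['package']}=={h['installed']} (affected {h['affected']})")
    for line in unpinned:
        print(f"UNPINNED {line}")
    raise SystemExit(gate(hits, unpinned))
```

Unpinned requirements fail the gate as well: a range such as `othertool>=3.0` can resolve to a different version on every build, so scanning the manifest says nothing about what actually ships. Pin versions, or scan the resolved lock file, so that the check is repeatable from one pipeline run to the next; that is the "at the source" part of the practice.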
Security Controls in DevSecOps
SANS: https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt446dece13e198075/5e31f71e031402023faff74f/continuous-opportunity-devops-security.pdf
Application Security Key Takeaways
• Integrate application security into the software development process
• Focus on risks that matter to the organization
• Address the root cause
• Security is a shared responsibility
• Adopt a cross-functional approach
• Identify security champions
• Use industry standards as a benchmark
• Establish a program to ensure consistency
Q & A