DevOps and Security: It’s Happening. Right Now.
Helen Bravo
Director of Product Management at Checkmarx
Agenda
• Intro to DevOps
• Integrating security within DevOps
– Problems with traditional controls
– Steps to DevOps security
What is DevOps About?
An unstoppable deployment process, in small chunks of time
DevOps is Happening
Companies that have adopted DevOps
Can TRADITIONAL web application security controls fit in a DevOps environment?!
Traditional Web Application Security Controls
• Penetration Testing
• WAF (Web Application Firewall)
• Code Analysis
Penetration Testing - Takes Time!
Penetration Testing
– 300-page report
– 3 weeks assessment time
– 2 weeks to get it into development
Web Application Firewall (WAF)
Thinking Continuous Deployment? Think Continuous Configuration!
Code Analysis
• Setup time
• Running time
• Analysis time
→ just too slow!
→ Do Nothing?
Required: A New Secure SDLC Approach
Step by Step
Step 1: Plan for Security
• Identify unsecured APIs and frameworks
• Map security-sensitive code portions, e.g. the password change mechanism and the user authentication mechanism.
• Anticipate regulatory problems and plan for them.
Step 2: Engage the Developers. And Be Engaged
• Connect developers to security
– Going to OWASP? Bring a developer with you!
• Is your house on fire? Share the details with your developers.
• Have an open-door approach
• Set up an online collaboration platform, e.g. Jive, Confluence, etc.
Step 3: Arm the Developers
• Secure frameworks:
– Use a secure framework such as Spring Security, JAAS, Apache Shiro, Symfony2
– ESAPI is a very useful OWASP security framework
• SCA tools that can provide security feedback at the pre-commit stage.
– Rapid response
– Small chunks
Step 3: Automate the Process
• Integrate within your build (Jenkins, Bamboo, TeamCity, etc.)
– SAST
– DAST
• Fail the build if security does not pass the bar.
Continuous Deployment
Develop Code → Commit (Source Control) → Build Trigger → Unit Tests → Deploy to Test Env → Report & Notify → Publish to release repository → Deploy to Production
Security within Continuous Deployment
Develop Code → Commit (Source Control) → Build Trigger → Tests → Deploy to Test Env → Report & Notify → Publish to release repository → Deploy to Production
Security stages added to the pipeline: SCA Test (at commit), Automatic security test (in the build)
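The two Step 3 slides above (SCA feedback at the pre-commit stage, and failing the build when security does not pass the bar) come down to one piece of plumbing: a gate script that reads a scanner report and exits non-zero when the findings exceed an agreed threshold. The POSIX shell script below is an added example, not Checkmarx's tooling or anything from the talk; the tab-separated report format (`severity`, `rule`, `file:line`), the `count_findings` and `security_gate` function names, the sample findings and the threshold are all constructed assumptions. Jenkins, Bamboo and TeamCity all mark a build failed on a non-zero exit, and the same script dropped into `.git/hooks/pre-commit` blocks the commit, which is how the "rapid response, small chunks" feedback loop is closed.

```shell
#!/bin/sh
# Added example: a security gate usable as a CI build step or a git
# pre-commit hook. It reads a scanner report in a constructed, hypothetical
# tab-separated format:   severity<TAB>rule<TAB>file:line
# and fails (exit 1) when the number of High findings exceeds the bar.
# Not a real scanner's output format; report layout and threshold are assumptions.

# Count findings with exactly the given severity label in a report file.
# Usage: count_findings REPORT SEVERITY   -> prints an integer
count_findings() {
    awk -F '\t' -v sev="$2" '$1 == sev { n++ } END { print n + 0 }' "$1"
}

# Gate: returns 0 when the build passes the bar, 1 when it should fail.
# Usage: security_gate REPORT MAX_HIGH   (MAX_HIGH defaults to 0)
security_gate() {
    report="$1"
    max_high="${2:-0}"
    high=$(count_findings "$report" High)
    medium=$(count_findings "$report" Medium)
    echo "SAST gate: $high High, $medium Medium findings (bar: $max_high High)"
    if [ "$high" -gt "$max_high" ]; then
        echo "FAIL: High-severity findings exceed the bar" >&2
        # Print the offending findings so the developer gets rapid feedback
        awk -F '\t' '$1 == "High" { print "  " $2 " at " $3 }' "$report" >&2
        return 1
    fi
    echo "PASS"
    return 0
}

# Constructed sample report (not real scanner output) so the script runs stand-alone.
SAMPLE_REPORT="${TMPDIR:-/tmp}/sast_report_example.tsv"
printf 'High\tSQL_Injection\tsrc/UserDao.java:42\nMedium\tWeak_Hash\tsrc/Password.java:17\nHigh\tXSS_Reflected\tsrc/Search.java:88\nLow\tInfo_Leak\tsrc/Debug.java:5\n' > "$SAMPLE_REPORT"

# Run the gate with a bar of zero High findings: in Jenkins/Bamboo/TeamCity a
# non-zero exit fails the build; in .git/hooks/pre-commit it blocks the commit.
security_gate "$SAMPLE_REPORT" 0 || echo "(build would be marked failed)"
```

The bar is a parameter rather than a hard-coded zero so that a team can "start small": begin by failing only on High findings, then lower the tolerated count and add Medium to the gate as the backlog is cleared.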
Step 5: Use Old Tools Wisely
• Periodic pen testing
• WAF on main functions
• Code review for security-sensitive code portions.
Summary
• DevOps is happening. Right Now.
– During the time of this talk, Amazon has released 75 features and bug fixes.
• Security should not be compromised
• Don’t be overwhelmed. Start small
The 3 Takeaways
1. Plan from the ground up
2. Engage with your developers
3. Integrate security into the automatic build process.
Questions?
Thank you