Securing DevOps, DevOn Summit, 14 March 2019, Utrecht, Netherlands. Marudhamaran Gunasekaran, Senior Security Consultant, DevOn


Page 1: Securing DevOps...The Evolution and Revolution Today, DevOps is an understood set of practices and cultural values that has been proven to help organizations of all sizes improve their

Securing DevOps

DevOn Summit, 14 March 2019, Utrecht, Netherlands

Marudhamaran Gunasekaran, Senior Security Consultant

DevOn

Page 2

About the Presenter

[email protected]

Security Consultant / Compliance Manager @ DevOn, Bangalore

OWASP ZAP (Zed Attack Proxy) Contributor and Evangelist

Certified:

Lead Auditor ISO 27001

EC-Council Certified Security Analyst (Certified Ethical Hacker)

DevSecOps Engineering Trainer from DevOps Institute

Scrum Master, Product Owner, Agile Coach

Bounty awards in Microsoft Cloud Services and Technology services

https://vimeo.com/gmaran23

https://twitter.com/gmaran23

https://slideshare.net/gmaran23

https://www.linkedin.com/in/marudhamaran-gunasekaran

Marudhamaran Gunasekaran

Page 3

Agenda

• Traditional ways of managing security
• Security Myths
• Network Security vs Software Security
• Challenges with automation
• Introducing DevSecOps
• DevSecOps Playbook
• Five pragmatic tips for DevSecOps

Page 4

Traditional Software Development

Page 5

Traditional Software Development

• Development Organization
  • Translate business requirements to software requirements
  • Plan next versions and releases
  • Develop and maintain various versions of the software

• IT Organization
  • Maintain and provision IT infrastructure
  • Monitor network and systems for stability
  • Manage access to build and release configuration and servers
  • Install required software and framework needed by Software Development Teams

Where’s Security?

Page 6

Traditional Software Development – Security?

Page 7

Microsoft’s Security Development Life Cycle

https://www.microsoft.com/en-us/sdl

Page 8

The Evolution and Revolution

Today, DevOps is an understood set of practices and cultural values that has been proven to help organizations of all sizes improve their software release cycles, software quality, security, and ability to get rapid feedback on product development

Our highest priority is to satisfy the customer through early and continuous delivery of valuable software

Agile Software Development

DevOps

Page 9

The Evolution and Revolution - flipside

• Cloud based products and Hybrid IT Organizations

• Rise of shadow IT

Page 10

SECURITY MYTHS

Page 11

What the PII?

Do you process?

http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp136_en.pdf

First name? Last name?

Page 12

GDPR

• Last year, March 2018
  • Was still coming into effect

• This year
  • 59,000+ reported breaches, 59 imposed fines

https://www.helpnetsecurity.com/2019/02/07/gdpr-numbers-january-2019/

Page 13

More reported breaches

https://www.helpnetsecurity.com/2019/02/07/gdpr-numbers-january-2019/

Page 14

Dev’s Security Responsibilities

Ops’ Security Responsibilities

Page 15

Network Security

Patch management, Network segregation, System level security, Software and Hardware Asset management, …

Page 16

Software Security is about defensive programming

Page 17

When Dev Teams or Ops Teams handle security?

https://twitter.com/i/moments/1018794418428628992

Page 18

Developer Trust and Security - Conundrum

• Agile Principle - TRUST – Trust team members?

• Developer has RDP/SSH access to production because we trust?

Page 19

Page 20

Security Bug vs Security flaw?

Technical errors vs Logical flaws

Page 21

Infrastructure as Code, Virtualization & Containers → More automation can be good

Page 22

Knock knock, who’s there?

• DevSecOps

• SecDevOps

• DevOpsSec

• SecDevSecOpsSec

• DevTestOps

• BizDevOps

• < Shift Left

Page 23

DevSecOps – Similar movements

http://www.ruggedsoftware.org/

Page 24

DevSecOps – Similar movements

http://www.devsecops.org/

Page 25

DevSecOps

• Everyone is responsible for security

https://2017.appsec.eu/presos/DevSecOps/The%20DevSecOps%20Playbook%20from%20a%20Practitioner%E2%80%99s%20Perspective%20-%20Shannon%20Lietz%20-%20OWASP_AppSec-Eu_2017.pdf

Page 26

DevSecOps - Principles

• Shift left

• Measurable Outcomes

• Scaling through Automation

• More Cooperation – Everyone is responsible for security

• Security as Code

Page 27

Shifting Left

• What kind of security practices could be done early in software development?

• Security/Privacy by Design

• Security by Default

Page 28

Measurable Outcomes

• Do we have an increase in delivery cycles?

• How many repeatable security errors?

• How many vulnerabilities detected in Pen Tests?

Page 29

Sensible Automation

• Security code scans that scan only the new code (the delta)

• Security scans that respect known false positives

• Security scans that run faster and on demand

• Custom security scripts to regression-test business logic and authorization errors

• Security scans that check for ‘known bad’ libraries and components

• Security tooling of the new age

Page 30

Security is everyone’s responsibility

• Developer training on security

• Engineering teams’ representatives to attend security conferences

• Security Awareness programs for Product Owners, IT Managers

• Ops (or DevOps) and Security teams collaborate during initial release planning

Page 31

Security as Code

• Compliance as Code

• Policy as Code

Page 32

https://2017.appsec.eu/presos/DevSecOps/The%20DevSecOps%20Playbook%20from%20a%20Practitioner%E2%80%99s%20Perspective%20-%20Shannon%20Lietz%20-%20OWASP_AppSec-Eu_2017.pdf

Page 33

DevOOPS

https://www.theregister.co.uk/2017/11/16/dji_private_keys_left_github/

https://gizmodo.com/uber-got-hacked-because-it-left-its-security-key-out-in-1689138254

Page 34

DevOOPS

https://www.bleepingcomputer.com/news/security/admin-accounts-with-no-passwords-at-the-heart-of-recent-mongodb-ransom-attacks/

Page 35

DevOOPS

https://www.theregister.co.uk/2017/10/06/ccleaner_megahack_timeline/

Page 36

https://2017.appsec.eu/presos/DevSecOps/The%20DevSecOps%20Playbook%20from%20a%20Practitioner%E2%80%99s%20Perspective%20-%20Shannon%20Lietz%20-%20OWASP_AppSec-Eu_2017.pdf

Page 37

Continuous Software Security Platform

Continuous Security at SDLC and Delivery *

Practice and Knowledge Assessment *

Hack Yourself First Training *

Coach the Coders to Secure on the job *

Secure Code Review *

Penetration Testing *

Environment Scans *

Real Time Reporting *

Automation and Tuning *

People | Practices | Tools

DevSecOps

Page 38

Software Security Focus Areas

Page 39

Continuous Software Security Maturity Model

Downloadable at https://devon.nl/CSSMM

Page 40

Disclaimer

• What is often perceived as the weakest link in security?

Page 41

Top 5 Tips for Securing the DevOps trend

Security focus early in the software development process

Sensible automation

Security Education and Awareness

Sensible Metrics

Operational Awareness with Incident Response

Page 42

Example Metrics

• Security Review Comments:
  • Per Pull Request
  • Per Sprint

• Security Defects:
  • Per Release
  • Per Build
  • Per Component

• Repeating Security Occurrences:
  • Per Team
  • By Component

• Developer Security Knowledge:
  • Scored 75% and above
  • Not taken training yet

Page 43

Example Security as Code

• Compliance as Code: Test if SSH 3 or 2 is available

Page 44

Example Security as Code

• Policy as Code: Fail or Warn a build when a security bug is found
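Policy as Code, as an added example that is not from the slides: a build gate that fails the build on high or critical findings, warns on medium ones, and skips findings already reviewed as accepted false positives, so the same gate also covers the "scans that respect false positives" point from slide 29. The finding format, severity names, thresholds and sample findings are all assumptions constructed here.

```python
"""Policy-as-code build gate (added example, not taken from the deck).

Assumed input: scanner findings as dicts with id, severity, rule and file.
Severity names and the fail/warn thresholds are assumptions, not the
speaker's. Findings listed in `suppressions` are treated as accepted
false positives: recorded for the report, but never counted.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Decision:
    result: str                              # "pass", "warn" or "fail"
    failing: list = field(default_factory=list)
    warning: list = field(default_factory=list)
    suppressed: list = field(default_factory=list)


def gate(findings, suppressions, fail_at="high", warn_at="medium"):
    """Fail at severity >= fail_at, warn at >= warn_at, else pass."""
    fail_rank, warn_rank = SEVERITY_RANK[fail_at], SEVERITY_RANK[warn_at]
    decision = Decision("pass")
    for f in findings:
        if f["id"] in suppressions:          # reviewed false positive
            decision.suppressed.append(f["id"])
            continue
        # Unknown severities fail closed rather than slipping through.
        rank = SEVERITY_RANK.get(str(f["severity"]).lower(), fail_rank)
        if rank >= fail_rank:
            decision.failing.append(f["id"])
        elif rank >= warn_rank:
            decision.warning.append(f["id"])
    if decision.failing:
        decision.result = "fail"
    elif decision.warning:
        decision.result = "warn"
    return decision


# Constructed sample scanner output; not real findings.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "high", "rule": "sql-injection", "file": "orders.py"},
    {"id": "F-2", "severity": "medium", "rule": "weak-hash", "file": "auth.py"},
    {"id": "F-3", "severity": "low", "rule": "debug-enabled", "file": "settings.py"},
]
SAMPLE_SUPPRESSIONS = {"F-1"}                # constructed: F-1 reviewed as false positive

if __name__ == "__main__":
    d = gate(SAMPLE_FINDINGS, SAMPLE_SUPPRESSIONS)
    print(d.result, d.failing, d.warning, d.suppressed)
    raise SystemExit(1 if d.result == "fail" else 0)   # CI maps "fail" to non-zero exit
```

Remove the suppression and the same input fails the build; the suppression list is what keeps a reviewed false positive from blocking every later build.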

Page 45

DevSecOps Engineer Course

A sixteen (16) hour certification-based course that provides a practical understanding of DevSecOps

Page 46

Case Study - DevSecOps

https://www.devon.nl/en/case-studies/