Security Automation in Agile SDLC
Real World Cases
Ofer Maor, Director of Security Strategy, Synopsys
AppSec California, January 2016



Speaker

• Security Strategy at Synopsys
• Founder of Seeker / Pioneer of IAST
• Hacker at Heart
• Longtime OWASPer
• Over 20 Years in Cybersecurity
• Avid Photographer

Yes, Agile can bite…


The Agile Security Challenge™

• Too Much Data
• Security by Developers
• Short Cycles
• Rapid Delivery
• Prioritizing Risk
• Understanding the Pain


Automation

Automated, Continuous, Practical Testing


Case I

Insurance Company Transforming to Agile


Case I: Background

Insurance Company; Agile Maturity: In Transition; Automation Maturity: Starting; AppSec Maturity: Medium

• Insurance company with home-grown apps
• ~15 different systems (Customer/Agent/Internal)
• Varying level of agile maturity & transformation
• Ranges from CI-only to full Agile
• Focus on new systems


Case I: Challenges

Insurance Company; Agile Maturity: In Transition; Automation Maturity: Starting; AppSec Maturity: Medium

• Limited security background for developers, no existing process
• Different “Agile Maturity” – no one process fits all
• Insufficient test automation (coverage)
• Limited security resources
• Strong regulatory requirements
• Various technologies (.NET, Java, legacy mainframe, more…)


Case I: Process

Insurance Company; Agile Maturity: In Transition; Automation Maturity: Starting; AppSec Maturity: Medium

• Creating strong cooperation (R&D/DevOps/Security)
• Security visibility into R&D bugs
• Weekly approval committee
• R&D training (basic!)
• Risk policy (adapting risks, “High” only blocks)
• Multiple output channels (tickets, reports, etc.)


Case I: Existing CI/DevOps

Insurance Company; Agile Maturity: In Transition; Automation Maturity: Starting; AppSec Maturity: Medium

• CI – Jenkins, pulling code from Java/.NET repositories
• Ticket tracking – HP QC
• Static analysis (mainly for quality), not integrated into the process
• Artifacts deployed to a permanent, static test environment
• Test automation – basic (in progress)
• Functionality testing – mostly manual


Case I: Security Automation

Insurance Company; Agile Maturity: In Transition; Automation Maturity: Starting; AppSec Maturity: Medium

• Integrated to launch from CI
• Integration with both automated testing (speed) and manual testing (coverage)
• Multiple outputs:
  • Jenkins integration – “High” breaks the build (response + HTML data)
  • QC integration – bug tracking and remediation
  • PDF report – for auditing and committee review


Case II

UK Retailer, Established Agile Shop


Case II: Background

UK Retailer; Agile Maturity: High; Automation Maturity: High; AppSec Maturity: Low

• UK retailer with eCommerce platform
• Single platform, 5 “flavors” (customer facing)
• “Run of the mill” Agile shop:
  • Scrum based
  • 3-week sprints, strictly enforced
  • Strong automation


Case II: Challenges

UK Retailer; Agile Maturity: High; Automation Maturity: High; AppSec Maturity: Low

• Response to an incident
• Minimal existing security
• No security background for developers
• Limited security resources
• No existing process between security & R&D
• Very strict 3-week sprints


Case II: Process

UK Retailer; Agile Maturity: High; Automation Maturity: High; AppSec Maturity: Low

• Process driven by R&D, with security supervision
• Security “workflow” created, testing once a week
• Weeks 1 & 2 identify vulnerabilities in new code
• Week 3 test provides verification
• Breaking (Medium or higher) on verification – feature pushed out of the version
• Weekly reports (PDF) to the security group for auditing


Case II: Existing CI/DevOps

UK Retailer; Agile Maturity: High; Automation Maturity: High; AppSec Maturity: Low

• CI – Jenkins
• Ticket tracking – JIRA
• All testing environments run in the cloud (Amazon)
• Dynamic orchestration of test environments – new environments every week (4 servers/instance)
• Automated deployment of build artifacts alongside the testing framework (Selenium)
• Daily execution of test automation (functionality)


Case II: Security Automation

UK Retailer; Agile Maturity: High; Automation Maturity: High; AppSec Maturity: Low

• Dedicated security environment
• Adaptation of orchestration scripts (for deploying the security testing software)
• Integration with Selenium
• Weekly orchestration of the test environment and execution of tests
• Tests integrated into CI – HTML reports for viewing in Jenkins
• PDF reports for processing and audit


Case III

eCommerce Giant, Continuous Delivery


Case III: Background

eCommerce Giant; Agile Maturity: Very High; Automation Maturity: Very High; AppSec Maturity: Very High

• In the top 10 largest eCommerce sites
• Following a long, cross-organization “Agile transformation” process
• Highly advanced Agile/DevOps process
• Modular site with multiple front-end and back-end components
• Hundreds of engineers (Dev, QA, DevOps, etc.)
• Heavy investment in security – already using various tools


Case III: Challenges

eCommerce Giant; Agile Maturity: Very High; Automation Maturity: Very High; AppSec Maturity: Very High

• Introduction of security automation in QA/DevOps
• Multiple components for multiple teams
• Extremely dynamic testing environments (dynamically orchestrated and changing)
• Home-grown DevOps – cloud, CI, testing, orchestration, etc.
• Highly Agile/rapid environment – continuous delivery with daily artifacts
• Security cannot be involved in the daily process


Case III: Process

eCommerce Giant; Agile Maturity: Very High; Automation Maturity: Very High; AppSec Maturity: Very High

• Process initiated by the security group, with DevOps cooperation
• QA/DevOps training on the process (rather than on security)
• Security tests run as part of the other testing, on a daily basis
• Prioritization policy – “Medium” or higher blocks; “Low” scheduled for the next version
• Verification metric – a second tool run in production must return clean
• Security group supervises the process and has visibility into reports


Case III: Existing CI/DevOps

eCommerce Giant; Agile Maturity: Very High; Automation Maturity: Very High; AppSec Maturity: Very High

• Home-grown CI/orchestration/cloud
• Ticket tracking – JIRA
• Daily build creation
• Daily creation of cloud environments with various server roles and elastic scaling
• Daily orchestration of the latest builds and latest test automation versions
• Hybrid automation – Selenium for web/front-end, home-grown for web services


Case III: Security Automation

eCommerce Giant; Agile Maturity: Very High; Automation Maturity: Very High; AppSec Maturity: Very High

• Orchestration adapted to deploy the security testing software as part of the existing testing environment
• Full CI integration
• All existing automation directed to integrate with security testing
• Security tests run daily
• Full JIRA bug tracking integration – with automated delivery per team
• Additional black-box scanner run on production for re-verification
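The common thread across the three cases is a severity-driven build gate: Case I breaks the Jenkins build on “High” only and routes everything else to tickets and reports, Case II reports findings in weeks 1 and 2 and fails the week-3 verification run on “Medium” or higher, and Case III blocks on “Medium” or higher while scheduling “Low” for the next version. The following is an added example of such a gate, not code from the talk or from the Seeker/Synopsys product; the finding format, field names, severity scale, and the sample findings are all constructed assumptions.

```python
"""Severity-based build gate for automated security test results (added example).

Not code from the talk or from Synopsys/Seeker. It models the blocking policies
the three cases describe; the JSON finding format, field names and severity
scale are assumptions, and the sample findings are constructed.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Ordered severity scale (assumed). Scanners label differently; map their
# labels onto this scale before gating rather than letting them pass unmatched.
SEVERITY_RANK: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed scanner output for the example; these are not real findings.
SAMPLE_SCAN_JSON = """
[
  {"id": "F-1", "title": "SQL injection in policy lookup", "severity": "High"},
  {"id": "F-2", "title": "Reflected XSS in search page", "severity": "Medium"},
  {"id": "F-3", "title": "Missing HttpOnly flag on session cookie", "severity": "Low"}
]
"""


@dataclass
class GatePolicy:
    name: str
    block_at: str                       # lowest severity that fails the build
    defer_below: Optional[str] = None   # severities below this go to the next version


@dataclass
class GateDecision:
    build_passes: bool = True
    blocking: List[dict] = field(default_factory=list)   # fails the build / verification
    ticketed: List[dict] = field(default_factory=list)   # fixed in this cycle via tickets
    deferred: List[dict] = field(default_factory=list)   # scheduled for the next version


POLICIES: Dict[str, GatePolicy] = {
    "case1": GatePolicy("Insurance company: High only blocks", block_at="High"),
    "case2": GatePolicy("UK retailer: Medium+ fails verification", block_at="Medium"),
    "case3": GatePolicy("eCommerce: Medium+ blocks, Low deferred",
                        block_at="Medium", defer_below="Medium"),
}


def severity_rank(finding: dict) -> int:
    """Fail closed: a severity the policy does not know must not pass silently."""
    sev = finding.get("severity")
    if sev not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {sev!r} in finding {finding.get('id')!r}")
    return SEVERITY_RANK[sev]


def load_findings(json_text: str) -> List[dict]:
    return json.loads(json_text)


def evaluate(findings: List[dict], policy: GatePolicy, enforce: bool = True) -> GateDecision:
    """Sort findings into blocking / ticketed / deferred under the policy.

    enforce=False models the Case II discovery runs (weeks 1 and 2): every
    finding is reported and ticketed, but nothing breaks the build until the
    week-3 verification run.
    """
    decision = GateDecision()
    block_rank = SEVERITY_RANK[policy.block_at]
    defer_rank = SEVERITY_RANK[policy.defer_below] if policy.defer_below else 0
    for f in findings:
        rank = severity_rank(f)
        if enforce and rank >= block_rank:
            decision.blocking.append(f)
        elif rank < defer_rank:
            decision.deferred.append(f)
        else:
            decision.ticketed.append(f)
    decision.build_passes = not decision.blocking
    return decision


def exit_code(decision: GateDecision) -> int:
    """A non-zero exit is what makes the CI job (e.g. Jenkins) mark the build failed."""
    return 0 if decision.build_passes else 1


def summary(decision: GateDecision) -> Dict[str, int]:
    """Counts for the HTML/PDF report channel."""
    return {"blocking": len(decision.blocking),
            "ticketed": len(decision.ticketed),
            "deferred": len(decision.deferred)}


if __name__ == "__main__":
    findings = load_findings(SAMPLE_SCAN_JSON)
    for policy in POLICIES.values():
        d = evaluate(findings, policy)
        print(f"{policy.name}: exit={exit_code(d)} {summary(d)}")
```

The one design choice worth copying is that an unrecognised severity raises instead of being ignored: a scanner upgrade that renames “High” to “Critical” or “P1” would otherwise silently turn a blocking policy into a pass-through.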


Thank You!

Questions?