DevSecOps Shift Left Security - Incident Response Consortium › wp-content › uploads ›...

Post on 08-Jun-2020



DevSecOps – Shift Left Security

Prioritizing Incident Response using Security Posture Assessment and Attack Surface Analysis

Themes

Vulnerabilities are Low Hanging Fruit

Why so many breaches that Anti-Virus missed…?

2015 largest disclosed breaches

Known Critical Vulnerabilities are Increasing

[Chart: vulnerabilities disclosed per year, 2011 to 2016; y-axis 0 to 9,000 vulnerabilities; series: Total, High (CVSS 7-10)]

WannaCry Retrospective

WannaCry Timeline and Remediation

[Chart: detections over time, y-axis in thousands (0 to 700); timeline markers: EternalBlue Exploit, WannaCry, MS17-010 Patch Release; series: Authenticated / Agent Detection, Continued + Unauthenticated Detection]

Endpoint Breach Prevention by Reducing Attack Surfaces

1. Discover and Know your Assets
2. Detect and Measure Vulnerabilities
3. Prioritize Remediation
4. Identify and Deploy Patches

Exercise: “I already know all my assets…”

Auto-Deploy Qualys Cloud Agent (Vuln)

Vulnerability Results

Exploitability Posture

Get Proactive – Reduce the Attack Surface!

Get Visibility into your Public Clouds

Common AWS Misconfigurations

Continuous Security Monitoring

Actionable Responses – Reduce Attack Surface

Can Security Teams do better?

Digital Transformation – Priorities

Source: https://news.microsoft.com/apac/2017/02/20/80-of-business-leaders-believe-they-need-to-be-a-digital-business-to-succeed-microsoft-study/microsoft-digital-transformation-infographic-asia

Digital Transformation – Barriers

Source: https://news.microsoft.com/apac/2017/02/20/80-of-business-leaders-believe-they-need-to-be-a-digital-business-to-succeed-microsoft-study/microsoft-digital-transformation-infographic-asia

DevSecOps ≠ DevOps + Security

False Approach ~ False Start ~ Failure

[Diagram: DevOps pipeline Plan, Code, Test, Package, Release, Deploy, Monitor, Operate, owned by Dev and Ops, with a separate Security gate bolted onto each stage, each one shouting "wait!"]

Security + DevOps = a Revolt or Left Out?

Source: https://theclumpany.wordpress.com/2015/08/09/pitchforks-and-flaming-torches/

Food Safety is a Security Problem

Source: http://www.foodengineeringmag.com/articles/88990-tech-update-metal-detection-xray-inspection-

DevSecOps – Shift in Thinking

Shift Time

Case Study: Financial Services Mobile Wallet

Before: Lack of Security Automation Delays Release

[Diagram: Machine Builders, Vulnerability Management Teams and Security, with two VM Scan/Report cycles of 48 hours each; at least two weeks until the AMI is certified for production]

Born in the Cloud: New builds in AWS every 60 days

Automated Regression & Test-Driven Development

Docker containers abstract applications from the OS

DevOps

1. Commercial/Open Source vulnerabilities are detected & fixed on the same release cadence
2. Automated regression finds patch issues faster
3. OS vulnerabilities are patched separately from Applications

After: Security at the Source in DevOps Pipeline

[Diagram: Qualys assess on dev instances (OS + Qualys Scanner); automatically add Qualys Cloud Agent (OS + Qualys Agent); approve and publish the Amazon Machine Image (AMI) carrying the Qualys Agent]

Vulnerability Metric Benefits

Shift Techniques

Case Study: One of Largest Ecommerce Companies

1. Apply Technique: Prevent Software Check-Ins that use Vulnerable Libraries. Shift Technique: Tag Vulnerable Libraries in Source Control.
2. Apply Technique: Automatically open tickets for Developers on security issues. Shift Technique: Vulnerabilities in Production are Treated as Defects.
3. Apply Technique: Excessive Remediation Times are escalated to CEO. Shift Technique: Open Vulnerabilities Reported to Business Unit VPs.
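An added example, not from the deck or from Qualys, of how the first shift technique can be enforced: a hypothetical check-in gate (run as a CI job or pre-commit hook) compares the dependency manifest against a vulnerable-library tag file committed to source control and rejects the check-in on a match. All library names, versions and ticket ids are constructed.

```python
import re

# Constructed tag file kept in source control: one tagged library per line,
# with the affected version range [introduced, fixed) and a tracking ticket.
VULNERABLE_LIBS = """
# name       introduced  fixed   ticket
examplelib   1.0.0       1.4.2   SEC-101
oldjson      0.0.0       2.0.0   SEC-102
"""

# Constructed dependency manifest in requirements.txt style.
MANIFEST = """
examplelib==1.3.0
oldjson==2.1.0
netclient==3.2.1
"""

def parse_version(v):
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def load_tags(text):
    """Parse the tag file into {name: [(introduced, fixed, ticket), ...]}."""
    tags = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        name, introduced, fixed, ticket = line.split()
        tags.setdefault(name.lower(), []).append(
            (parse_version(introduced), parse_version(fixed), ticket))
    return tags

def check_manifest(manifest, tags):
    """Return (name, version, ticket) for every pinned dependency inside a
    tagged range; an empty list means the check-in may proceed."""
    findings = []
    for line in manifest.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)", line)
        if not m:
            continue                           # not a pinned requirement line
        name, version = m.group(1).lower(), parse_version(m.group(2))
        for introduced, fixed, ticket in tags.get(name, []):
            if introduced <= version < fixed:
                findings.append((m.group(1), m.group(2), ticket))
    return findings

if __name__ == "__main__":
    import sys
    hits = check_manifest(MANIFEST, load_tags(VULNERABLE_LIBS))
    for name, version, ticket in hits:
        print(f"BLOCKED: {name}=={version} is tagged vulnerable ({ticket})")
    sys.exit(1 if hits else 0)                 # non-zero exit fails the check-in
```

With the sample data only examplelib 1.3.0 is blocked; oldjson 2.1.0 sits at or above its fixed version and passes.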

Shift Tools

Find/Implement the right tools for the DevOps Processes…

... But: You may not need to procure new tools

APIs, Integrations, Self-Service UIs: collaborate with current vendors on your DevOps plans

Case Study: Financial Investment Services

Challenge

- 400+ Web Apps in production
- Web Security Assessment found they had a lot of “easily” mitigated app vulnerabilities
- Hard for developers to fix security issues in production

Solution

1. Integrated the production Web Security Assessment tool into DevOps processes via API
2. Automatically create Jira bugs for App Development to fix XSS and SQL Injection issues
3. Continuously assess Web Apps in the dev process so issues are not re-introduced

Integrate Production Security Tools into DevOps

[Diagram: Selenium, Qualys WAS, Jira Issues (the same chain shown twice)]

DevSecOps: Practical Steps to Get Started

Open Q&A