A Secure DevOps Journey
Transcript of A Secure DevOps Journey
November 15, 2016
Peter Chestna, Director of Developer Engagement, Veracode
Goals
• Development methodologies used at Veracode – Waterfall, Agile, DevOps
– People
– Process
– Technology
– Security
• Veracode’s journey
– What did we change
– What were the results
Veracode Timeline
• 2006 – Veracode founded/Waterfall
• 2012 – Agile
• 2013 – Purina
• 2014 – Microservices
• 2015 – DevOps
Felt like…
Transformation – People/Org/Culture
Management
• Leading change
• Organizational
• Breaking the silos
• New specialties
• New skills – care & feeding
• New expectations
Individual
• Uncertainty/fear/anger
• Organizational
• New manager
• New team/peers
• New skills – X-functional
• New expectations
Looked like…
Transformation - Process
Most of the change occurred in Agile
• Waterfall -> Agile was revolutionary
• Agile -> DevOps was evolutionary
• Like the Monty Python theory of dinosaurs
Transformation - Technology
Not as big a difference between stages; just more and more automation
(Chart across the Waterfall, Agile and DevOps stages)
In the beginning…
There was Waterfall
Waterfall - Process
Finding anything late creates a cycle of waste
(Waterfall diagram with phases: Requirements, Architecture, Development, Quality, Security, Operations)
Waterfall - People
Waterfall - Technology
Old School
• Gantt charts
• Text documents
• Requirements
• Architecture
• Designs
• Test plans
• Manual tests
• Manual deploy
• Shell scripts
• SQL scripts
Waterfall - Security
Occurred during testing cycle
Back end of process
Mostly manual
Unpredictable amount of work
Coming of Age: Agile
Agile - Process
(Scrum process diagram, Copyright 2005, Mountain Goat Software)
Agile - People
(Diagram of organizational silos: Dev/QA, IT Dept, OPS Org, Security)
Agile – Technology Initially
Agile – Security – Early Days
(Diagram: 1 Develop, 2 Check in, 3 Build, 4 Static Analysis, 5 Security Results; Security Results feed a Hardening Sprint and the Agile Backlog)
Agile – Security – Automated and Integrated
(Diagram: 1 Develop, 2 Agile Backlog, 3 Build & Test, 4 Check in with Static Analysis, 5 Build Nightly, 6 Static Analysis, 7 Synchronize)
Agile – Security is not limited to automation of static analysis!
• Security Champions
• Security Grooming (Requirements Review)
• Security as part of the Definition of Done
• Threat Modeling
• Secure Code Review
• Pen Testing
• Pre-Production Dynamic Analysis
Agile - Culture clash between Dev, OPS and Security
We Have Arrived: DevOps
DevOps - Process
DevOps - People
Break the Silos
Reorganize
Change the Culture
DevOps - Technology
Automate! Automate! Automate!
• Feature switching for controlled rollout
• Rolling upgrades
• Zero downtime
• Make incremental changes
DevOps - Security
DevOps – Security – Integrated into CD Pipeline
(Diagram, per check-in: 1 Develop, 2 Backlog, 3 Build & Test, 4 Check in with Static Analysis)
(Diagram, CD pipeline: 5 Build, 6 Static Analysis and Unit Tests, Pass? No → 7 Synchronize, Yes → 7 Deploy to Stage, 8 Dynamic Analysis and Regression Testing, Pass? Yes → Prod)
DevOps – Pervasive Security
(Diagram across the phases Plan, Code, Build, Test, Stage, Deploy, Monitor)
• Threat Modeling
• Security Grooming
• Secure Design
• Training (eLearning, instructor led, metadata driven)
• Static Application Security Testing + 3rd Party Risk Analysis
• Remediation and Mitigation Guidance
• Secure Code Reviews
• Manual Penetration Testing
• Red Team Activities
• Runtime Application Self Protection
• Dynamic Application Security Testing
This Is Our Journey
Continuous Improvement
• Revolution at the micro level
• Evolution at the macro level
Innovation
• Always constructively dissatisfied
• Hypothesize, prototype, measure
• Sharpen the saw
Thank You
www.veracode.com
@PeteChestna