DevSecOps: Injecting Security into DevOps (c4i.gmu.edu)
Copyright Data Security Strategies, LLC – All Rights Reserved
You need more than a security plan, you need a Strategy…
DevSecOps: Injecting Security into DevOps
Gilliam E. Duvall, PhD, Engr, Data Security Strategies, LLC
AFCEA/GMU Critical Issues in C4I Symposium, 21-22 May 2019
Graphic: commons.wikimedia.org, with DoD modifications
Agenda
• What is DevOps?
• How Does DevSecOps Work?
  • Role of Culture, Process & Technology
  • Use of metrics & KPIs
• DoD Software Development
  • Current State
  • Desired State
  • DevSecOps example
• DIB Recommendations: for Future DevOps & DevSecOps
What is DevOps?
“DevOps is the process of continuously improving software products through rapid release cycles, global automation of integration and delivery pipelines and close collaboration between teams.”
• The goal of DevOps is to shorten the time and reduce the cost of transforming an idea into a product that customers use
• DevOps makes heavy use of automated processes to speed up development and deployment
• An organization able to build software four times faster than its competitor has a significant competitive advantage
• History has shown that customers value innovative products that may be incomplete at first, but improve quickly and steadily
• Organizations adopt DevOps to reduce the cost and latency of development cycles, and answer their customers’ demands.
Source: https://freecontent.manning.com/where-security-meets-devops-test-driven-security/
Global DevOps Survey Participation
[Figure: survey participation chart]
DevOps Concepts
• Combining Development & Operations processes
• Best solution combining speed & agility to manage the rapid change of coding (code change velocity) in business applications
• Coding evolutions happen in sprints, with cadence; fast application delivery to customers with business improvements in an unconstrained software change process
• The ability to compete more effectively than using legacy IT methods
• An evolutionary successor in the world of software development lifecycle (SDLC) models (e.g., Waterfall and Agile)
• High performing DevOps: automated code development/testing/delivery
• Infrastructure-as-code (IaC): refresh the cloud environment using machine-readable code, vice physical hardware configuration
• Continuous integration/continuous delivery (CI/CD)
Traditional Build SDLC vs a DevOps Loop
[Figure: ‘As Is’ state, slow & rigid build schedules (DoD Instruction 5000.02, with Change 3, 2017) vs ‘To Be’ state, fast & agile CI/CD. Graphic: commons.wikimedia.org]
Stages of DevOps Evolution
[Figure: Puppet | 2018 State of DevOps Report]
What is DevSecOps?
• Integrates security with CI/CD into daily mission/business application development
  • ‘Secure & safe’ practices are injected into each of the seven ‘Fast & agile’ phases
• DevSecOps concepts integrate well with enterprise objectives to incorporate:
  • Cost savings
  • Automation
  • Cloud adoption
• Studies* have indicated DevSecOps high performers spend 50% less time remediating security issues
[Figure: DevOps CI/CD ‘Fast & agile’ phases with ‘Secure & safe’ practices (Sec) injected. Graphic: commons.wikimedia.org w/ DoD modification]
*Puppet | 2016 State of DevOps Report
DevSecOps Principles
• Successful implementation involves
  • Culture (people)
  • Processes (communication, feedback)
  • Technology (to deliver security at the developer’s speed)
• “Moves security to the left” by empowering developer teams to ‘do’ security
• Integrates security & QA teams into the development process sooner
• DevSecOps principles to follow:
  1. Automate security in all phases (esp. testing, monitoring, audit & response)
  2. Allow developers to fail quickly (Test Driven Security)
  3. No false alarms (threshold mgmt.)
  4. Build security champions (within the developer community)
  5. Process transparency (communicates “normal”)
Graphic: commons.wikimedia.org w/ DoD modification
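Principles 1 to 3 above (automate, fail quickly, no false alarms) meet in the pipeline gate that decides whether a build may proceed. The following is an added example written for this page, not code from the slides or from any named scanner: it applies an explicit severity policy to scanner findings so a build fails fast on real problems, and suppresses findings that carry a documented, unexpired risk acceptance so the gate does not cry wolf. The finding records, CWE rule identifiers, file locations, dates and the `Policy`/`Finding` types are all constructed for the illustration.

```python
"""Test-driven security gate for a CI/CD pipeline.

Added illustration (not from the slides or any named product): scanner
findings are compared against an explicit policy so the build fails fast on
real problems, while documented, unexpired risk acceptances are suppressed so
the gate does not raise false alarms.  Findings, rule ids and dates below are
constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule_id: str    # scanner rule identifier (CWE ids used as constructed examples)
    severity: str   # key of SEVERITY_RANK
    location: str   # file:line for SAST, or package@version for dependency scans


@dataclass
class Policy:
    fail_at: str = "high"   # any finding at or above this severity blocks the build
    max_medium: int = 3     # tolerated number of mediums before the build blocks
    # Accepted risks: (rule_id, location) -> expiry date.  An expired entry no
    # longer suppresses, so a forgotten exception resurfaces instead of rotting.
    accepted: Dict[Tuple[str, str], date] = field(default_factory=dict)


@dataclass
class GateResult:
    passed: bool
    blocking: List[Finding]     # findings that individually fail the gate
    suppressed: List[Finding]   # findings covered by an unexpired acceptance
    expired: List[Finding]      # findings whose acceptance has lapsed
    reasons: List[str]          # human-readable explanation for a failed gate


def evaluate(findings: List[Finding], policy: Policy, today: date) -> GateResult:
    """Apply the policy to a list of findings and decide pass/fail."""
    blocking, suppressed, expired, reasons = [], [], [], []
    medium_count = 0
    threshold = SEVERITY_RANK[policy.fail_at]
    for f in findings:
        expiry = policy.accepted.get((f.rule_id, f.location))
        if expiry is not None and expiry >= today:
            suppressed.append(f)
            continue
        if expiry is not None:
            expired.append(f)   # lapsed acceptance: treated as a fresh finding below
        if SEVERITY_RANK[f.severity] >= threshold:
            blocking.append(f)
        elif f.severity == "medium":
            medium_count += 1
    if blocking:
        reasons.append(f"{len(blocking)} finding(s) at or above '{policy.fail_at}'")
    if medium_count > policy.max_medium:
        reasons.append(f"{medium_count} medium findings exceed threshold {policy.max_medium}")
    return GateResult(not reasons, blocking, suppressed, expired, reasons)


# Constructed scanner output and risk register for the demonstration.
SAMPLE_FINDINGS = [
    Finding("CWE-89", "high", "app/db.py:42"),            # string-built SQL query
    Finding("CWE-79", "medium", "app/views.py:17"),       # unescaped template output
    Finding("CWE-798", "critical", "app/settings.py:3"),  # hard-coded credential
    Finding("CWE-200", "low", "app/api.py:88"),           # verbose error message
]
SAMPLE_POLICY = Policy(accepted={
    ("CWE-798", "app/settings.py:3"): date(2019, 12, 31),  # test-only credential, accepted through year end
    ("CWE-89", "app/db.py:42"): date(2019, 1, 31),         # acceptance already lapsed
})


def run_gate(today: date = date(2019, 5, 21)) -> GateResult:
    """Evaluate the sample findings as of the given date (defaults to the symposium date)."""
    return evaluate(SAMPLE_FINDINGS, SAMPLE_POLICY, today)


if __name__ == "__main__":
    result = run_gate()
    print("PASS" if result.passed else "FAIL", result.reasons)
    for f in result.expired:
        print("expired acceptance:", f.rule_id, f.location)
```

The two design choices worth copying are the explicit expiry on every accepted risk, so a suppression cannot quietly outlive the reason it was granted, and the separate count threshold for medium findings, which lets a team tune the gate to its backlog instead of ignoring the scanner wholesale.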
DevSecOps Cultural Change
Collaboration (teaming) between Developers, Operators & the cybersecurity SMEs
Source: VERACODE GUIDE - THE SECURITY PROFESSIONAL’S ROLE in a DevSecOps World
DevSecOps Process Elements
Processes to improve: Communication, Collaboration, Reporting, Measurements, Concept Integration
Source: JIDO, SecDevOps CONOPS, Ver 1.0, 2017
DevSecOps Technology Stack (example)
[Figure: example DevSecOps technology stack. DIB SWAP Study Final Release, May 2019; graphic: commons.wikimedia.org w/ DoD modification]
DevSecOps Continuous Monitoring
Continuous monitoring is comprised of metrics and Key Performance Indicators (KPIs)
• The ideal logging pipeline is automated and allows analysis of types of traffic, application-level security metrics & security incidents in real time
• KPIs reflect the performance of a DevSecOps program
Ref: ISC2
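To make the logging-pipeline bullet concrete, here is an added example (written for this page, not taken from the slides or the ISC2 reference) of the kind of processing an automated pipeline runs over an access-log stream: it tallies traffic by HTTP status class, counts lines it could not parse (a logging-availability signal rather than something to drop silently), and raises an alert when one source produces a burst of failed logins followed by a success. The log lines are constructed in the common log format; the hosts, paths, timestamps, the `/login` route and the threshold values are assumptions for the illustration.

```python
"""Application-level security metrics from an access-log stream.

Added illustration (not from the slides or any named tool) of what an
automated logging pipeline can compute in near real time: traffic by status
class, parse failures (a logging-availability signal), and an alert when one
source logs a burst of failed logins followed by a success.  The log lines are
constructed in the common log format; hosts, paths and times are invented.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SAMPLE_LOG = """\
10.1.2.3 - - [21/May/2019:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
10.1.2.3 - - [21/May/2019:10:00:02 +0000] "POST /login HTTP/1.1" 401 512
10.1.2.3 - - [21/May/2019:10:00:02 +0000] "POST /login HTTP/1.1" 401 512
10.1.2.3 - - [21/May/2019:10:00:03 +0000] "POST /login HTTP/1.1" 401 512
10.1.2.3 - - [21/May/2019:10:00:04 +0000] "POST /login HTTP/1.1" 401 512
10.1.2.3 - - [21/May/2019:10:00:05 +0000] "POST /login HTTP/1.1" 200 1024
10.9.8.7 - - [21/May/2019:10:00:06 +0000] "GET /api/orders HTTP/1.1" 200 2048
10.9.8.7 - - [21/May/2019:10:00:07 +0000] "GET /api/orders?id=1%27%20OR%201=1 HTTP/1.1" 500 128
10.9.8.7 - - [21/May/2019:10:00:08 +0000] "GET /admin HTTP/1.1" 403 64
truncated record from a shipper restart
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one common-log-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # strip the query string for route matching
        "status": int(m["status"]),
    }


def analyze(lines: List[str], fail_threshold: int = 5,
            window: timedelta = timedelta(seconds=60)) -> Dict:
    """Stream the lines once, keeping per-source state for the login detector."""
    status_classes: Counter = Counter()
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    alerts, requests, unparsed = [], 0, 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1    # feeds the logging-availability KPI instead of being dropped silently
            continue
        requests += 1
        status_classes[f"{ev['status'] // 100}xx"] += 1
        if ev["method"] == "POST" and ev["path"] == "/login":
            # Keep only the failures inside the sliding window for this source.
            failures = [t for t in recent_failures[ev["ip"]] if ev["ts"] - t <= window]
            if ev["status"] == 401:
                failures.append(ev["ts"])
            elif ev["status"] == 200 and len(failures) >= fail_threshold:
                # Success right after a burst of failures: likely guessed or stuffed credentials.
                alerts.append({"ip": ev["ip"], "failures": len(failures),
                               "at": ev["ts"].isoformat()})
                failures = []    # reset so the same burst is reported once
            recent_failures[ev["ip"]] = failures
    return {
        "requests": requests,
        "unparsed": unparsed,
        "status_classes": dict(status_classes),
        "server_error_rate": round(status_classes["5xx"] / requests, 3) if requests else 0.0,
        "alerts": alerts,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG.splitlines()))
```

The detector keys on the sequence (several 401s, then a 200, from one source inside one window) rather than on the raw 401 count, which is the difference between flagging a likely credential-stuffing success and paging someone for a user who mistyped a password.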
DevSecOps KPI Monitoring & Testing
Some typical metrics & KPIs (based on mission/business needs and compliance requirements):
• Availability
• Change Failure
• Change Lead Time
• Change Volume
• Customer Issue Resolution Time
• Customer Issue
• Defect Burn Rate
• Defect Density
• Deployment Frequency
• Logging Availability
• Mean Time Between Failures (MTBF)
• Mean Time to Failure (MTTF)
• Mean Time to Recovery (MTTR)
• Number of Functional/Acceptance Tests
• Number of Passed/Failed Security Tests
• Number of Unit/Integration Tests
• Security Benchmark Deviation
• Security Controls
• Test Coverage
• Time to Patch
• Time to Value
• Vulnerability Patching Frequency
• Vulnerability Patching Lead Time
Interactive AppSec Testing (IAST) / Run-time AppSec Protection (RASP)*
• Continuous security services using embedded agents
• Real-time integrated testing, monitoring & protection
*www.softwaresecured.com; Ref: ISC2
Graphic: commons.wikimedia.org w/ DoD modification
Derived DevSecOps Performance Metrics
Defect Density: the number of bugs identified divided by the size of the application's codebase. Used to set goals & measure progress within teams and within specific applications or services.
Defect Burn Rate: the amount of time taken to fix vulnerabilities in an application. Focus less on the quantity of defects and instead on how quickly those defects are addressed by the team.
Top Vulnerability Types and Top Recurring Bugs: security teams that track the top vulnerability types will be in a much better position to help developers make long-term improvements in the way they code.
Number of Adversaries per Application: security teams that want to improve their developers' risk IQ should be asking them how many adversaries they think an application actually has.
Adversary Return Rate: this metric gets developers invested in thinking about how applications are being attacked and how often an adversary is using the same tactics, techniques and procedures.
Time to Value: the time between a feature request (user story creation) and realization of business value from that feature.
Ref: https://businessinsights.bitdefender.com/seven-winning-devsecops-metrics-security-should-track
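The KPI list on the previous slide and the definitions above name the metrics but not how they fall out of pipeline data. The following added example, written for this page and not drawn from the slides or the cited reports, derives deployment frequency, change failure rate, change lead time / time to value, MTTR, defect density and vulnerability patching lead time from raw deployment, incident and vulnerability records over a fixed observation window. Every record, the 28-day window, the 40 KLOC codebase size and the `Deployment`/`Incident`/`Vulnerability` types are constructed for the illustration.

```python
"""Deriving DevSecOps KPIs from pipeline records.

Added illustration (not from the slides or any cited report) showing how the
listed metrics are computed from raw events: deployment frequency, change
failure rate, change lead time / time to value, MTTR, defect density and
vulnerability patching lead time.  All records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Deployment:
    deployed_at: datetime
    caused_incident: bool = False                 # feeds change failure rate
    story_created_at: Optional[datetime] = None   # feeds change lead time / time to value


@dataclass
class Incident:
    opened_at: datetime
    resolved_at: datetime


@dataclass
class Vulnerability:
    reported_at: datetime
    patched_at: Optional[datetime]   # None while still open
    severity: str


def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def compute_kpis(deployments: List[Deployment], incidents: List[Incident],
                 vulns: List[Vulnerability], defects_found: int, kloc: float,
                 now: datetime, window_days: int) -> Dict[str, float]:
    """Compute the KPI set over an observation window ending at `now`."""
    window_start = now - timedelta(days=window_days)
    deps = [d for d in deployments if window_start <= d.deployed_at <= now]
    lead_times = [hours(d.deployed_at - d.story_created_at) for d in deps if d.story_created_at]
    patched = [hours(v.patched_at - v.reported_at) for v in vulns if v.patched_at]
    open_ages = [(now - v.reported_at).days for v in vulns if v.patched_at is None]
    return {
        # multiply before dividing so whole-number results stay exact
        "deployments_per_week": len(deps) * 7 / window_days,
        "change_failure_rate": sum(d.caused_incident for d in deps) / len(deps) if deps else 0.0,
        "change_lead_time_hours": mean(lead_times) if lead_times else 0.0,
        "mttr_hours": mean(hours(i.resolved_at - i.opened_at) for i in incidents) if incidents else 0.0,
        "defect_density_per_kloc": defects_found / kloc,
        "patch_lead_time_hours": mean(patched) if patched else 0.0,
        "open_vulnerabilities": len(open_ages),
        "oldest_open_vulnerability_days": max(open_ages) if open_ages else 0,
    }


NOW = datetime(2019, 5, 21, 12, 0)   # constructed "as of" instant


def ago(days: int, hrs: int = 0) -> datetime:
    return NOW - timedelta(days=days, hours=hrs)


# Constructed 28 days of pipeline history.
SAMPLE_DEPLOYMENTS = [
    Deployment(ago(26), story_created_at=ago(28)),   # 48 h from story to production
    Deployment(ago(22)),
    Deployment(ago(18), story_created_at=ago(21)),   # 72 h
    Deployment(ago(14), caused_incident=True),       # the one bad change
    Deployment(ago(10)),
    Deployment(ago(7), story_created_at=ago(8)),     # 24 h
    Deployment(ago(3)),
    Deployment(ago(1), story_created_at=ago(5)),     # 96 h
]
SAMPLE_INCIDENTS = [
    Incident(ago(14), ago(14) + timedelta(minutes=90)),
    Incident(ago(3), ago(3) + timedelta(minutes=30)),
]
SAMPLE_VULNS = [
    Vulnerability(ago(20), ago(19), "medium"),   # patched in 24 h
    Vulnerability(ago(12), ago(9), "high"),      # patched in 72 h
    Vulnerability(ago(10), None, "high"),        # still open after 10 days
]


def kpi_report() -> Dict[str, float]:
    """KPIs for the constructed window: 12 defects found in a 40 KLOC codebase."""
    return compute_kpis(SAMPLE_DEPLOYMENTS, SAMPLE_INCIDENTS, SAMPLE_VULNS,
                        defects_found=12, kloc=40.0, now=NOW, window_days=28)


if __name__ == "__main__":
    for name, value in kpi_report().items():
        print(f"{name:32s} {value}")
```

Two caveats a practitioner would add: change lead time is only as honest as the `story_created_at` stamps, which in the sample are present for half the deployments, and the open-vulnerability age is reported alongside the mean patch lead time because a mean over patched items alone hides the one that nobody has fixed.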
DevSecOps Performance Benchmarks
[Figure: 2017 DevOps Research & Assessment (DORA) Report]
Defense Innovation Board – Views on Software Development
Current state – the problem:
• Software is ubiquitous and U.S. national security relies on software
• The ability to acquire and deploy software is central to national defense and integrating with allies.
• The threats the U.S. faces change rapidly
• DoD’s ability to adapt and respond is now determined by its ability to develop and deploy software to the field
• The current approach to software development is a leading source of risk to DoD
• It takes too long, is too expensive & exposes warfighters to unacceptable risk
• Software is not being used to enable a more effective force, strengthen our ability to work with allies, and improve the business processes of the Department
• Nothing is changing: most of this has been said before - 1987 DSB report on military software
“Software is Never Done: Refactoring the Acquisition Code for Competitive Advantage” -- Defense Innovation Board, 3 May 2019
DoD DevOps Desired State
• Speed and cycle time are the most important metrics for managing software
• DoD needs to deploy and update software that works for its users at the speed of (mission) need
• Execute inside the OODA loop of our adversaries to maintain advantage
• Software is made by people and for people, so digital talent matters
• DoD’s current personnel processes and culture will not allow its military and civilian software capabilities to grow nearly enough to meet its needs.
• New mechanisms are required.
• Software is different than hardware (and not all software is the same)
• Hardware can be developed, procured, and maintained
• Software is an enduring and evolving capability that must be supported and continuously improved throughout its lifecycle
From “Software is Never Done: Refactoring the Acquisition Code for Competitive Advantage” -- Defense Innovation Board, 3 May 2019
Defense Innovation Board Ten Commandments of Software
1. Make computing, storage, and bandwidth abundant to DoD developers and users.
2. All software procurement programs should start small, be iterative, and build on success ‒ or be terminated quickly.
3. The acquisition process for software must support the full, iterative life cycle of software.
4. Adopt a DevSecOps culture for software systems.
5. Automate testing of software to enable critical updates to be deployed in days to weeks, not months or years.
6. Every purpose-built DoD software system should include source code as a deliverable.
7. Every DoD system that includes software should have a local team of DoD software experts who are capable of modifying or extending the software through source code or API access.
8. Only run operating systems that are receiving (and utilizing) regular security updates for newly discovered security vulnerabilities.
9. Security should be a first-order consideration in design and deployment of software, and data should always be encrypted unless it is part of an active computation.
10. All data generated by DoD systems - in development and deployment - should be stored, mined, and made available for machine learning.
DoD must develop/deploy software as fast or faster than adversarial tactics -- building on commercially available tools and technologies for the four software types.
Source: DIB Software Acquisition and Practices (SWAP) study, May 2019
DoD DevSecOps Metrics
• The traditional metric within DoD: software complexity/productivity is often estimated from the number of source lines of code (SLOC)
  • While easily measured, it is not necessarily predictive of cost, schedule, or performance
  • Obsolete metrics are irrelevant at best and, at worst, could be misleading
• The DevSecOps process needed to manage travel software is different from what is required to manage the software on an F-35 – suggesting a taxonomy with four types of software requiring four different approaches:
  • Type A: commercial (“off-the-shelf”) software with no DoD-specific customization required
  • Type B: commercial software with DoD-specific customization needed
  • Type C: custom software running on commodity hardware (in data centers or in the field)
  • Type D: custom software running on custom hardware (e.g., embedded software)
Source: Defense Innovation Board, Metrics for Software Development, 3 May 2019
DoD DevSecOps Metrics – cont.
Alternatively, measures useful for DoD to track DevSecOps performance and drive improvement in cost/schedule, performance & security include the following:
[Figure: Deployment Rate Metrics; Response Rate Metrics; Code Quality Metrics; Functionality Metrics]
Source: Defense Innovation Board, Metrics for Software Development, 3 May 2019
DoD DevSecOps Metrics – cont.
Program Management, Assessment, and Estimation Metrics
12. Structure of specifications, code, and development and execution platforms
13. Structure and type of development & operational environment
14. Tracking software program progress
• 25% unit cost growth and 50% total program cost growth thresholds often will not make sense for continuously developed software programs
Source: Defense Innovation Board, Metrics for Software Development, 3 May 2019
DevOps on a Hardware Platform
Lessons Learned
• Culture change has been the biggest hurdle
• The program must recognize and accept that things will go wrong.
• Security controls limit flexibility and communication
Future DoD DevOps & DevSecOps Concept
[Figure: OSD & Congress; OSD & Services; Services & OSD; DoD & Industry. DIB Software Acquisition and Practices (SWAP) study, May 2019]
Future DoD DevOps & DevSecOps Concepts – cont.
[Figures: DIB Software Acquisition and Practices (SWAP) study, May 2019]
In Conclusion
We discussed:
• What is DevOps?
• How Does DevSecOps Work?
  • Role of Culture, Process & Technology
  • Use of metrics & KPIs
• DoD Software Development
  • Current State
  • Desired State
  • DevSecOps example
• DIB Recommendations: for Future DevOps & DevSecOps
Questions?
Dr. Gil Duvall
President & CEO
Data Security Strategies, LLC
e-mail: [email protected]
website: www.datasecuritystrategies.com