DevSecOps: Injecting Security into DevOps - c4i.gmu.edu · ‘Fast & agile’ phases • DevSecOps...

CopyrightDataSecurityStrategies,LLC– AllRightsReserved

Youneedmorethanasecurityplan,youneedaStrategy…


DevSecOps: Injecting Security into DevOps

GilliamE.Duvall,PhD,EngrDataSecurityStrategies,LLC

AFCEA/GMUCriticalIssuesinC4ISymposium21-22May2019

Graphic:commons.wikimedia.orgWithDoDmodifications

Sec


Agenda

• WhatisDevOps?

• HowDoesDevSecOpsWork?• RoleofCulture,Process&Technology• Useofmetrics&KPIs

• DoDSoftwareDevelopment• CurrentState• DesiredState• DevSecOpsexample

• DIBRecommendations:forFutureDevOps&DevSecOps

1


WhatisDevOps?

“DevOpsistheprocessofcontinuouslyimprovingsoftwareproductsthroughrapidreleasecycles,globalautomationofintegrationanddeliverypipelinesandclosecollaborationbetweenteams.”

• ThegoalofDevOpsistoshortenthetimeandreducethecost oftransforminganideaintoaproductthatcustomersuse

• DevOpsmakesheavyuseofautomatedprocessestospeedupdevelopmentanddeployment

• Anorganizationabletobuildsoftwarefourtimesfasterthanitscompetitorhasasignificantcompetitiveadvantage

• Historyhasshownthatcustomersvalueinnovativeproductsthatmaybeincompleteatfirst,butimprovequicklyandsteadily

• OrganizationsadoptDevOpstoreducethecostandlatencyofdevelopmentcycles,andanswertheircustomer’sdemands.

https://freecontent.manning.com/where-security-meets-devops-test-driven-security/


GlobalDevOpsSurveyParticipation

3


DevOpsConcepts

• CombiningDevelopment&Operationsprocesses• Bestsolutioncombiningspeed&agilitytomanagingrapidchange

ofcoding(codechangevelocity)inbusinessapplications• Codingevolutionshappeninsprints,with cadence;fastapplication

deliverytocustomerswithbusinessimprovementsinanunconstrainedsoftwarechangeprocess

• TheabilitytocompetemoreeffectivelythanusinglegacyITmethods• An evolutionarysuccessorintheworldofsoftwaredevelopment

lifecycle(SDLC)models(e.g.,WaterfallandAgile)• HighperformingDevOps- automated codedevelopment

/testing/delivery• Infrastructure-as-code(IaC) – refreshcloudenvironmentusing

machinereadablecode,vicephysicalhardwareconfiguration• Continuousintegration/continuousdelivery(CI/CD)

4


TraditionalBuildSDLCvs aDevOpsLoop

5

DoDInstruction5000.02,withChange3,2017

Graphic:commons.wikimedia.org

‘AsIs’state:Slow&rigid

BuildSchedules

‘ToBe’state:Fast&agile

CI/CD


StagesofDevOpsEvolution

6Puppet|2018StateofDevOpsReport


Agenda

• WhatisDevOps?




7


WhatisDevSecOps?

• IntegratessecuritywithCI/CDintodailymission/businessapplicationdevelopment• ‘Secure&safe’practicesare

injectedintoeach oftheseven‘Fast&agile’phases

• DevSecOpsconceptsintegratewellwithenterpriseobjectivestoincorporate:• Costsavings• Automation• Cloudadoption

• Studies*haveindicatedDevSecOpshighperformersspend50%lesstimeremediatingsecurityissues

Graphic:commons.wikimedia.orgw/DoDmodificationDevOps

CI/CD‘Fast&agile’phases

‘Secure&safe’Practices

Sec

8

*Puppet|2016StateofDevOpsReport


DevSecOpsPrinciples

• Successfulimplementationinvolves• Culture(people)• Processes(communication,feedback)• Technology(todeliversecurityat

developer’sspeed)• “Movessecuritytotheleft”byempowering

developerteamsto‘do’security• Integratessecurity&QAteamsintothe

developmentprocesssooner• DevSecOpsprinciplestofollow:

1. Automatesecurityinallphases(esp.testing,monitoring,audit&response)

2. Allowdeveloperstofailquickly(TestDrivenSecurity)

3. Nofalsealarms(thresholdmgmt.)4. Buildsecuritychampions(withinthedeveloper

community)5. Processtransparency(communicates“normal”)

Graphic:commons.wikimedia.orgw/DoDmodification

9


DevSecOpsCulturalChange

10

Collaboration(teaming)betweenDevelopers,Operators&thecybersecuritySMEs

VERACODEGUIDE- THESECURITYPROFESSIONAL’SROLEinaDevSecOpsWorld


DevSecOpsProcessElements

11

JIDO,SecDevOps CONOPS,Ver 1.0,2017

Processestoimprove:Communication,Collaboration,Reporting,Measurements,ConceptIntegration


DevSecOpsTechnologyStack(example)

12

DIBSWAPStudyFinalRelease,May2019



DevSecOpsContinuousMonitoring

13

ContinuousmonitoringiscomprisedofmetricsandKeyPerformanceIndicators(KPIs)

• TheidealLoggingPipelineisautomated andallowsanalyzeoftypesoftraffic,application-levelsecuritymetrics&securityincidentsinreal-time

• KPIsreflecttheperformanceofaDevSecOpsprogram

Ref:ISC2


DevSecOpsKPIMonitoring&Testing

Sometypicalmetrics&KPIs• Availability• ChangeFailure• ChangeLeadTime• ChangeVolume• CustomerIssueResolutionTime• CustomerIssue• DefectBurnRate• DefectDensity• DeploymentFrequency• LoggingAvailability• MeanTimeBetweenFailures(MTBF)• MeanTimetoFailure(MTTF)• MeanTimetoRecovery(MTTR)• NumberofFunctional/AcceptanceTests• NumberofPassed/FailedSecurityTests• NumberofUnit/IntegrationTests• SecurityBenchmarkDeviation• SecurityControls• TestCoverage• TimetoPatch• TimetoValue• VulnerabilityPatchingFrequency• VulnerabilityPatchingLeadTime


InteractiveAppSecTesting(IAST)/Run-timeAppSecProtection(RASP)*

• Continuoussecurityservicesusingembeddedagents

• Real-timeintegratedtesting,monitoring&protection

IAST&RASP

*www.softwaresecured.comRef:ISC2

Basedonmission/business

needsandcompliancerequirements

14


DerivedDevSecOpsPerformanceMetrics

15

DefectDensity:thenumberofbugsidentifieddividedbythecodebaseofanapplication.Usedtosetgoals&measureprogresswithinteamsandwithinspecificapplicationsorservices

DefectBurnRate: amountoftimetofixvulnerabilitiesinanapplication.Focuslessonthequantityofdefectsandinsteadturntohowquicklythosedefectsareaddressedbytheteam.

TopVulnerabilityTypesandTopRecurringBugs:securityteamstracktopvulnerabilitytypeswillbeinamuchbetterpositiontohelpdevelopersmakelong-termimprovementsinthewaytheycode.

Number of AdversariesperApplication:securityteamsthatwanttoimprovetheirdeveloper'sriskIQshouldbeaskingthemhowmanyadversariestheythinkanapplicationactuallyhas.

AdversaryReturnRate:thismetricgetsdevelopersinvestedinthinkingabouthowapplicationsarebeingattackedandhowoftenanadversaryisusingthesametactics,techniquesandprocedures.

TimetoValue: Timebetweenafeaturerequest(userstorycreation)andrealizationofbusinessvaluefromthatfeature.

Ref:https://businessinsights.bitdefender.com/seven-winning-devsecops-metrics-security-should-track


DevSecOpsPerformanceBenchmarks

16

2017DevOpsResearch&Assessment(DORA)Report


Agenda

• WhatisDevOps?




17


DefenseInnovationBoard– ViewsonSoftwareDevelopment

18

Currentstate– theproblem:• SoftwareisubiquitousandU.S.nationalsecurityreliesonsoftware

• Theabilitytoacquireanddeploysoftwareiscentraltonationaldefenseandintegratingwithallies.

• ThethreatstheU.S.faceschangerapidly,• DoD’sabilitytoadaptandrespondisnowdeterminedbyitsabilitytodevelop

anddeploysoftwaretothefield• ThecurrentapproachtosoftwaredevelopmentisaleadingsourceofrisktoDoD

• Ittakestoolong,istooexpensive&exposeswarfighterstounacceptablerisk• Softwareisnot beingusedtoenableamoreeffectiveforce,strengthenourability

toworkwithallies,andimprovethebusinessprocessesoftheDepartment• Nothingischanging:mostofthishasbeensaidbefore- 1987DSBreporton

militarysoftware“SoftwareisNeverDone:RefactoringtheAcquisitionCodeforCompetitiveAdvantage”--DefenseInnovationBoard,3May2019


DoDDevOpsDesiredState

19

• Speedandcycletimearethemostimportantmetricsformanagingsoftware• DoDneedstodeployandupdatesoftwarethatworksforitsusersat

thespeedof(mission)need• ExecuteinsidetheOODAloopofouradversariestomaintain

advantage• Softwareismadebypeopleandforpeople,sodigitaltalentmatters

• DoD’scurrentpersonnelprocessesandculturewillnotallowitsmilitaryandciviliansoftwarecapabilitiestogrownearlyenoughtomeetitsneeds.

• Newmechanismsarerequired.• Softwareisdifferentthanhardware(andnotallsoftwareisthesame)

• Hardwarecanbedeveloped,procured,andmaintained• Softwareisanenduringandevolvingcapabilitythatmustbe

supportedandcontinuouslyimprovedthroughoutitslifecycle

From“SoftwareisNeverDone:RefactoringtheAcquisitionCodeforCompetitiveAdvantage”-- DefenseInnovationBoard,3May2019


DefenseInnovationBoardTenCommandmentsofSoftware

20

1.Makecomputing,storage,andbandwidthabundanttoDoDdevelopersandusers.

2.Allsoftwareprocurementprogramsshouldstartsmall,beiterative,andbuildonsuccess‒orbeterminatedquickly.

3.Theacquisitionprocessforsoftwaremustsupportthefull,iterativelifecycleofsoftware.

4.AdoptaDevSecOpscultureforsoftwaresystems.

5.Automatetestingofsoftwaretoenablecriticalupdatestobedeployedindaystoweeks,notmonthsoryears.

6.Everypurpose-builtDoDsoftwaresystemshouldincludesourcecodeasadeliverable.

7.EveryDoDsystemthatincludessoftwareshouldhavealocalteamofDoDsoftwareexpertswhoarecapableof

modifyingorextendingthesoftwarethroughsourcecodeorAPIaccess.

8.Onlyrunoperatingsystemsthatarereceiving(andutilizing)regularsecurityupdatesfornewlydiscoveredsecurity

vulnerabilities.

9.Securityshouldbeafirst-orderconsiderationindesignanddeploymentofsoftware,anddatashouldalwaysbe

encryptedunlessitispartofanactivecomputation.

10.AlldatageneratedbyDoDsystems- indevelopmentanddeployment- shouldbestored,mined,andmadeavailable

formachinelearning.DoDmustdevelop/deploysoftwareasfastorfasterthanadversarialtactics--

buildingoncommerciallyavailabletoolsandtechnologiesforthefoursoftwaretypes.

DIBSoftwareAcquisitionandPractices(SWAP)study,May2019


DoDDevSecOpsMetrics

21

• TraditionalmetricswithinDoDisthatsoftwarecomplexity/productivityisoftenestimatedbasedonnumberofsourcelinesofcode(SLOC)

• Whileeasilymeasured,itisnotnecessarilypredictiveofcost,schedule,orperformance• Obsoletemetricsareirrelevant atbestand,atworst,couldbemisleading

• TheprocessforsoftwareDevSecOpstomanagetravelisdifferentfromwhatisrequiredtomanagethesoftwareonanF-35– suggestingataxonomywithfourtypesofsoftwarerequiringfourdifferentapproaches:• TypeA: commercial(“off-the-shelf”)softwarewithnoDoD-specific

customizationrequired• TypeB: commercialsoftwarewithDoD-specificcustomizationneeded• TypeC: customsoftwarerunningoncommodityhardware(indatacentersor

inthefield)• TypeD: customsoftwarerunningoncustomhardware(e.g.,embedded

software)DefenseInnovationBoardMetricsforSoftwareDevelopment,3May2019


DoDDevSecOpsMetrics– cont.

Alternatively,measuresusefulforDoDtotrackDevSecOpsperformanceanddriveimprovementincost/schedule,performance&securityincludethefollowing:

DefenseInnovationBoardMetricsforSoftwareDevelopment,3May2019

DeploymentRateMetrics

ResponseRateMetrics

CodeQualityMetrics

Functionalitymetrics

22


DoDDevSecOpsMetrics– cont.

23

12.Structureofspecifications,code,anddevelopmentandexecutionplatforms13.Structureandtypeofdevelopment&operationalenvironment14.Trackingsoftwareprogramprogress

• 25%unitcostgrowthand50%totalprogramcostgrowththresholdsoftenwillnotmakesenseforcontinuouslydevelopedsoftwareprograms

ProgramManagement,Assessment,andEstimationMetrics

DefenseInnovationBoardMetricsforSoftwareDevelopment,3May2019


DevOpsonaHardwarePlatform

24

LessonsLearned• Culturechangehas

beenthebiggesthurdle

• Theprogrammustrecognizeandacceptthatthingswillgowrong.

• Securitycontrolslimitflexibilityandcommunication


Agenda

• WhatisDevOps?



• DIBRecommendations:FutureDoDDevOps&DevSecOps

25


FutureDoDDevOps&DevSecOpsConcept

26DIBSoftwareAcquisitionandPractices(SWAP)study,May2019

OSD&Congress

OSD&Services

Services&OSD

DoD&Industry


FutureDoDDevOps&DevSecOpsConcepts– cont.

27



FutureDoDDevOps&DevSecOpsConcepts– cont.

28



InConclusion

Wediscussed:

• WhatisDevOps?




29


Questions?

Dr.GilDuvall

President&CEO

DataSecurityStrategies,LLC

e-mail:[email protected]

website:www.datasecuritystrategies.com

30

DevSecOps: Injecting Security into DevOps - c4i.gmu.edu · ‘Fast & agile’ phases • DevSecOps...

Documents

Transcript of DevSecOps: Injecting Security into DevOps - c4i.gmu.edu · ‘Fast & agile’ phases • DevSecOps...