DevSecOps Overview - NYS Forum Home · 11/14/2018  · DevSecOps Overview November 14, 2018 ... 3...


Page 1:

The NYS Forum, Inc.

DevSecOps Overview, November 14, 2018

Business Innovation & Emerging Technologies Workgroup

1

Business Innovation & Emerging Technology: First Thursday of every month

Next: Dec 6, 2018 @ 4PM, Right Here!

Page 2:

The NYS Forum, Inc.

DevSecOps Overview, November 14, 2018

Business Innovation & Emerging Technologies Workgroup

2

Susan Kaufman, Accenture Security

Senior Manager, Application Security

Page 3:

Presenting Workgroup

3

Business Innovation & Emerging Technologies Workgroup

SECURITY IN A DEVOPS AND AGILE WORLD

DevOps

CULTURE: Tighter communication and integration between system engineering and development teams

PROCESSES: Automated deployment pipeline integrated with security reviews and testing, with a strong feedback loop to operations and development teams

TECHNOLOGIES: Advanced combination of open source and commercial tools assessing various aspects of the application (requirements, code, deployment, etc.)

Agile Development

SHORTER RELEASE CYCLES: Shift work “to the left” as much as possible, to ensure no major issues or defects are found late in the release cycle

SMALLER BATCH SIZES: Reviews and tests should be able to evaluate small portions of the application while ensuring all dependencies are also covered

CROSS-FUNCTIONAL TEAMS: Cross-functional teams are the norm, to ensure up-to-date information on project milestones and activities in agile development

What does it mean for Security?

Security needs to evolve and become a support and partner in the equation, leveraging everything DevOps has to offer, to:

• Build on existing people, processes and tools to successfully drive security requirements in solutions

• Enable development teams to succeed in creating secure applications

• Secure applications from plan and design phases to on-going operations and retirement

• Embrace new technologies

Page 4:

Presenting Workgroup

4

Business Innovation & Emerging Technologies Workgroup

WHY DEVSECOPS?

(Slide diagram: four groups side by side, each separated from the next by a "wall of conflict".)

CUSTOMERS: want flexibility
• New features
• Safety
• Faster time to market

[WALL OF CONFLICT: Agile Development fixes this]

DEVELOPMENT: want speed
• Implement changes
• Pressure to deliver features quickly

[WALL OF CONFLICT: DevOps fixes this]

OPERATIONS: want stability
• Monitor and respond to events
• Enhance services

[WALL OF CONFLICT: DevSecOps fixes this]

SECURITY: want security
• Reduce vulnerabilities
• Protect customers and the enterprise

Page 5:

Presenting Workgroup

5

Business Innovation & Emerging Technologies Workgroup

SECURITY IN THE PRODUCT DEVELOPMENT LIFECYCLE

(Slide diagram: People, Process and Technology surround the lifecycle stages below.)

Scoping & Requirements

Security in Design: Threat Modeling

Security Testing in Build: Static Code Analysis

Security in Test: Dynamic Code Analysis

Security in Deploy: Penetration Testing

Security in Operations: SecOps

Page 6:

Presenting Workgroup

6

Business Innovation & Emerging Technologies Workgroup

DEVSECOPS IN ACTION

Page 7:

Presenting Workgroup

7

Business Innovation & Emerging Technologies Workgroup

DEVSECOPS TRANSFORMATION MODEL

Page 8:

Presenting Workgroup

8

Business Innovation & Emerging Technologies Workgroup

Page 9:

Susan Kaufman

Accenture Security

Senior Manager, Application Security

+1.617.584.6647

[email protected]

9

Business Innovation & Emerging Technologies Workgroup


Page 10:

DevSecOps: Make Shift Happen

Business Innovation & Emerging Technologies Workgroup

10

Johnny Wong, Director of Veracode Presales Consultants

CA Technologies, a Broadcom Company

Page 11:

Agenda

1 Security Breaches

2 History of DevOps

3 Benefits of DevSecOps

4 How to Implement DevSecOps

5 Summary / Questions

Page 12:

Security Breaches

Page 13:

Page 14:

Breaches Through the App Layer

Financial Institution

How: Vulnerability on a website built and maintained by a third-party vendor in support of a charity.

Result: Usernames and passwords for 76 million households and 7 million businesses were stolen.

Financial Institution

How: Hackers exploited a known vulnerability in an open source component.

Result: Social Security Numbers and personal data for more than 143 million Americans stolen. Three executives lost their jobs.

Retailer

How: Sophisticated kill chain including exploitation of a vulnerable web application.

Result: Hackers stole names, mailing addresses, phone numbers and email addresses for more than 70 million shoppers.

Page 15:

History of DevOps

Page 16:

Benefits of DevSecOps

Page 17:

The Goal?

Page 18:

Cost to fix

Page 19:

When do we test?

Page 20:

Fitting into Agile and DevOps

Copyright 2005, Mountain Goat Software

Page 21:

The real cost of a bug?

(Slide diagram: with no bug the cycle is simply Develop, Develop, Develop; when a bug is found late it becomes Find, Track, Develop Fix, Re-test before development resumes.)

Page 22:

The Goal?

Page 23:

How to Implement DevSecOps

Page 24:

Strategy

Page 25:

What’s a DevOps Team?

DevOps Team

Page 26:

DevOps – Process: Where is security?

Security

Page 27:

The First Way: Systems Thinking

Page 28:

Relationships

Page 29:

Mutual Accountability

Page 30:

The Second Way: Amplify Feedback Loops

Page 31:

Measurement is Key

Page 32:

Training and Awareness

Page 33:

Train Yourself on the Process

Page 34:

Help them fix what they find

Page 35:

The Third Way: Experimentation and Learning

Page 36:

Security Champions

Page 37:

Summary

• DevOps is inevitable – learn it

• Rethink the goal of your AppSec program

• Relationships and shared accountability are key to securing apps

• Train developers and help them fix what they find

• Adjust to the speed of DevOps and right-size your security requirements

Page 38:

Questions?

Page 39:

Thank you.

Johnny Wong, Director of Veracode Presales Consultants

CA Technologies, a Broadcom Company

[email protected]

Page 40:

DevSecOps: The Big Picture

Business Innovation & Emerging Technologies Workgroup

43

John Boebinger, Senior Principal Consultant

CA Technologies, a Broadcom Company

Page 41:

Agenda

1 The Old Way

2 Agile is better, but…

3 Component Testing

4 Negative Testing

5 A Walk Through the Continuous Delivery Process

Page 42:

In the Old Days…

• Very long development cycles (many months or even years)

• Waterfall Methodology

• Code in isolation

• Finally assemble the entire stack and test

• Send long bug list to developers

• Mass firefighting to figure out whose module has the bug

• Rinse and repeat…

Page 43:

Problems

• Quality and Security cannot be tested in by QA

• Quality and Security must be a part of the complete Continuous Delivery process

• If you don’t, worst case, you end up here…

Page 44:

Agile is better, but…

• Still a disconnect between requirements and testing
  • Not always testing thoroughly
  • Over testing some areas, not testing others sufficiently

• Tests need to be created directly from the requirements
  • User Stories need to be translated into tests

• Are the requirements adequate?
  • Frequently, they are not
  • Part of the iterative process of learning how to create complete requirements

Page 45:

Traditional Testing – The Entire Stack

48

(Slide diagram: a test engine exercises the Web UI; the UI calls through an ESB over MQ, JDBC, HTTP and SOAP to the Mainframe, Data, Legacy and External back ends, so every test needs the whole stack up.)

Page 46:

Component Testing

49

(Slide diagram, left: the same full stack as the previous slide, with the test now exercising the System Under Test (SUT) directly. Right: Service Virtualization. An API test sends a request to the SUT and checks its response; the SUT's calls through the ESB over MQ, JDBC, HTTP and SOAP to the Mainframe, Data, Legacy and External systems are answered by virtual services rather than the real back ends.)

Page 47:

Component Testing

• Need to be able to completely test each component in isolation
  • Especially if other components aren’t yet available

• Ideally the developer can completely test at their desktop

• All levels of testing
  • Functional Testing
  • Regression Testing
  • Performance Testing
  • Negative Testing

• Advantage – They will never know…

Page 48:

Component Testing – The How

• How do they test a new car engine design?
  • Hint – not in a car
  • They use an engine test bed

• Create a test bed for software components

• Automated UI or API tests for the front end
  • In agile methodology the first thing a developer is supposed to do is write tests…

• Simulated back ends
  • Can be done with stubs and mocks
  • But best done with Service Virtualization

Page 49:

Negative Testing

• Not good enough to say it works once in a row in a perfect environment

• Need to stress test the component with unusual conditions

• Creating a good negative testing environment is not easy
  • Requires experience in what kinds of things can go wrong

• One of the largest banks says 80% of their testing is negative testing
  • “People just have no sense of humor when it comes to their own money…”

Page 50:

Negative Testing - Speed

• Number to remember – 3.6
  • That’s how many seconds a user will wait at an hourglass…

• Need to create backends that are slow
  • Normally a back end may respond in 300 milliseconds
  • How does the System Under Test handle a 10 second response?
  • Does it inform the user that things are slow and they should be patient?
  • Or does it just sit there like it has hung?

• Need to create a fast backend
  • Not as much of a problem, but too fast a response can be an issue
  • There can be timing problems

Page 51:

Negative Testing – Bad Data

• We have been testing bad data from users for decades
  • Input a birthdate where they are supposed to put an SSN, for example

• How will the system under test handle bad data from the back end?
  • Expect a number and instead get alphabetic characters
  • For example, expecting an amount and instead getting a name
  • Does the SUT handle it gracefully?
  • Or does the end user see an “Illegal Exception” error
    • And think the police are on their way…

Page 52:

Negative Testing – Data out of Order

• Sometimes assumptions are made about how data will appear

• For example:
  • A person record is transmitted followed by transaction records
  • Person1 -- Xaction1 -- Xaction2 -- Person2 -- Xaction3 -- Xaction4

• What if a record goes missing?
  • Person1 -- Xaction1 -- Xaction2 -- {missing record} -- Xaction3 -- Xaction4
  • Do those last two transactions get charged to person 1’s account?
  • Or does the System Under Test do sufficient checking?
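The three negative-testing cases above (a slow backend, bad data from the backend, a record missing from an ordered feed), together with the simulated back end from the Component Testing slides, as one added example that is not part of the presentation. The record layout, the `seq` and `person` fields the backend is assumed to emit, the 3.6 second figure reused as the client's time budget, and the fault-injecting `virtual_backend` standing in for a service-virtualization tool are all assumptions. `attribute_naive` is the client that trusts order and content; `attribute_checked` is the one that does the checking the slide asks for.

```python
"""Negative-testing harness: a virtual backend that replays a feed while
injecting slow, bad and out-of-order responses, and a client that must survive
them. Added example; record format and field names are assumptions."""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed feed (not from the slides): a person record followed by the
# transactions that belong to it. "seq" and "person" are hypothetical
# integrity fields assumed to be present in every record.
FEED = [
    {"seq": 1, "type": "person", "id": "P1"},
    {"seq": 2, "type": "xaction", "id": "X1", "person": "P1", "amount": "12.50"},
    {"seq": 3, "type": "xaction", "id": "X2", "person": "P1", "amount": "3.25"},
    {"seq": 4, "type": "person", "id": "P2"},
    {"seq": 5, "type": "xaction", "id": "X3", "person": "P2", "amount": "99.00"},
    {"seq": 6, "type": "xaction", "id": "X4", "person": "P2", "amount": "1.00"},
]


class FakeClock:
    """Simulated time, so the 10 second backend case runs without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def virtual_backend(feed, clock, *, drop=(), corrupt=None, delay_s=0.3):
    """Stand-in for service virtualization: replays the feed, optionally
    dropping records by id, overwriting fields, or answering slowly."""
    corrupt = corrupt or {}
    for rec in feed:
        if rec["id"] in drop:
            continue
        clock.sleep(delay_s)
        yield {**rec, **corrupt.get(rec["id"], {})}


def attribute_naive(records):
    """The assumption the slide warns about: charge every transaction to the
    most recently seen person, trusting both order and content."""
    ledger, current = {}, None
    for rec in records:
        if rec["type"] == "person":
            current = rec["id"]
            ledger[current] = Decimal("0")
        else:
            ledger[current] += Decimal(rec["amount"])  # raises on bad data
    return ledger


@dataclass
class Outcome:
    ledger: dict = field(default_factory=dict)
    errors: list = field(default_factory=list)  # user-safe messages, not stack traces


def attribute_checked(records, clock, budget_s=3.6):
    """Hardened client: enforces sequence continuity, ownership, numeric
    amounts and a response-time budget, and reports instead of guessing."""
    out, current, expected_seq, start = Outcome(), None, 1, clock()
    for rec in records:
        if clock() - start > budget_s:
            out.errors.append("backend slow: user told to wait, processing halted")
            break
        if rec.get("seq") != expected_seq:
            out.errors.append(f"record gap: expected seq {expected_seq}, got {rec.get('seq')}")
            break  # after a gap, ownership of later records cannot be trusted
        expected_seq += 1
        if rec["type"] == "person":
            current = rec["id"]
            out.ledger.setdefault(current, Decimal("0"))
        elif rec["type"] == "xaction":
            if current is None or rec.get("person") != current:
                out.errors.append(f"{rec['id']}: owner {rec.get('person')!r} != current {current!r}")
                continue
            try:
                amount = Decimal(str(rec.get("amount")))
            except InvalidOperation:
                out.errors.append(f"{rec['id']}: non-numeric amount {rec.get('amount')!r}")
                continue
            out.ledger[current] += amount
        else:
            out.errors.append(f"{rec.get('id')}: unknown record type {rec['type']!r}")
    return out
```

With `drop=("P2",)` the naive client silently charges X3 and X4 to P1, which is exactly the failure the slide describes; the checked client stops at the sequence gap with P1's two transactions intact and a message the UI can show. The same harness covers the slow-backend case (`delay_s=10` trips the budget before the first record is processed) and the bad-data case (`corrupt={"X3": {"amount": "ACME Corp"}}` is rejected per record rather than crashing the whole run).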

Page 53:

A Walk Through the DevSecOps Continuous Delivery Process

Page 54:

(Slide diagram: the continuous delivery pipeline, Plan, Code, Build, Test, Deploy, Run, with automation at each hand-off, a single view across all stages, and measurement feeding back to the plan.)

Plan
- Intake
- Requirements, User Stories, Release Plan
- Model: import user stories to automatically create, visualize and optimize test cases; determine data requirements

Code
- Develop and commit code, version control, continuous integration
- Build and initiate release, vulnerability scan

Build / Test
- Data Preparation: subset/mask test data; create/reserve test data
- Testing: unit and full stack testing; test automation library; load testing; API testing
- Testing Integration: remove constraints with virtual services; simulate unavailable components; simulate backend load; negative testing of the backend

Deploy
- Config/Deploy: provision entire stack; confirm configurations; approve changes; successfully deploy; internal or cloud
- Validate: test deployed code for security vulnerabilities

Run
- Measure/Feedback: customer experience; service level; application tier; infrastructure tier; dynamic capacity; performance feedback to PO/PM
- Control Access: provide scalable access to APIs; control access to APIs; switch between environments; create virtual services

Page 55:

Summary

• Quality and Security cannot be just tested in at the end

• Requirements need to be translated into tests

• Testing needs to be done thoroughly at the component level

• Negative testing is critical

• Step back and look at the complete process

Page 56:

Questions?

Page 57:

Thank you.

John Boebinger

Senior Principal Consultant, CA Technologies, a Broadcom Company

[email protected]

Page 58:

The NYS Forum, Inc.

DevSecOps Overview, November 14, 2018

Business Innovation & Emerging Technologies Workgroup

61

Business Innovation & Emerging Technology: First Thursday of every month

Next: Dec 6, 2018 @ 4PM, Right Here!