DevSecOps Overview - NYS Forum Home · 11/14/2018
The NYS Forum, Inc.
DevSecOps Overview, November 14, 2018
Business Innovation & Emerging Technologies Workgroup
Business Innovation & Emerging Technology First Thursday of every month
Next: Dec 6, 2018 @ 4PM, Right Here!
Susan Kaufman, Accenture Security
Senior Manager, Application Security
SECURITY IN A DEVOPS AND AGILE WORLD
DevOps
CULTURE: Tighter communication and integration between system engineering and development teams
PROCESSES: Automated deployment pipeline integrated with security reviews and testing, with a strong feedback loop to operations and development teams
TECHNOLOGIES: Advanced combination of open source and commercial tools assessing various aspects of the application (requirements, code, deployment, etc.)
Agile Development
SHORTER RELEASE CYCLES: Shift work "to the left" as much as possible, so that no major issues or defects are found late in the release cycle
SMALLER BATCH SIZES: Reviews and tests should be able to evaluate small portions of the application while ensuring all dependencies are also covered
CROSS-FUNCTIONAL TEAMS: Cross-functional teams are the norm, ensuring up-to-date information on project milestones and activities in agile development
What does it mean for Security?
Security needs to evolve and become a supporter and partner in the equation, leveraging everything DevOps has to offer, to:
• Build on existing people, processes and tools to successfully drive security requirements into solutions
• Enable development teams to succeed in creating secure applications
• Secure applications from the plan and design phases through on-going operations and retirement
• Embrace new technologies
WHY DEVSECOPS?
[Figure: "Wall of Conflict" diagram. Four groups stand side by side, each separated from the next by a wall of conflict; AGILE DEVELOPMENT, DEVOPS and DEVSECOPS are each labelled "Fixes This" against one of the three walls.]
CUSTOMERS want flexibility:
• New features
• Safety
• Faster time to market
DEVELOPMENT wants speed:
• Implement changes
• Pressure to deliver features quickly
OPERATIONS wants stability:
• Monitor and respond to events
• Enhance services
SECURITY wants security:
• Reduce vulnerabilities
• Protect customers and the enterprise
SECURITY IN THE PRODUCT DEVELOPMENT LIFECYCLE
[Figure: lifecycle diagram spanning Process, Technology and People, with a security activity at each phase:]
• Scoping & Requirements
• Security in Design: Threat Modeling
• Security Testing in Build: Static Code Analysis
• Security in Test: Dynamic Code Analysis
• Security in Deploy: Penetration Testing
• Security in Operations: SecOps
DEVSECOPS IN ACTION
DEVSECOPS TRANSFORMATION MODEL
Susan Kaufman
Accenture Security
Senior Manager, Application Security
+1.617.584.6647
Accenture Security
DevSecOps: Make Shift Happen
Johnny Wong, Director of Veracode Presales Consultants
CA Technologies, a Broadcom Company
Agenda
1 Security Breaches
2 History of DevOps
3 Benefits of DevSecOps
4 How to Implement DevSecOps
5 Summary / Questions
Security Breaches
Breaches Through the App Layer
Financial Institution
How: Vulnerability on a website built and maintained by a third-party vendor in support of a charity.
Result: Usernames and passwords for 76 million households and 7 million businesses were stolen.
Financial Institution
How: Hackers exploited a known vulnerability in an open source component.
Result: Social Security Numbers and personal data for more than 143 million Americans stolen. Three executives lost their jobs.
Retailer
How: Sophisticated kill chain including exploitation of a vulnerable web application.
Result: Hackers stole names, mailing addresses, phone numbers and email addresses for more than 70 million shoppers.
History of DevOps
Benefits of DevSecOps
The Goal?
Cost to fix
When do we test?
Fitting into Agile and DevOps
Copyright 2005, Mountain Goat Software
The real cost of a bug?
[Figure: two development timelines. With a bug: Develop, Find, Track, Develop Fix, Re-test. Without a bug: Develop, Develop, Develop.]
The Goal?
How to Implement DevSecOps
Strategy
What’s a DevOps Team?
DevOps Team
DevOps – Process: Where is security?
Security
The First Way: Systems Thinking
Relationships
Mutual Accountability
The Second Way: Amplify Feedback Loops
Measurement is Key
Training and Awareness
Train Yourself on the Process
Help them fix what they find
The Third Way: Experimentation and Learning
Security Champions
Summary
• DevOps is inevitable – learn it
• Rethink the goal of your AppSec program
• Relationships and shared accountability are key to securing apps
• Train developers and help them fix what they find
• Adjust to the speed of DevOps and right-size your security requirements
Questions?
Thank you.
Johnny Wong, Director of Veracode Presales Consultants
CA Technologies, a Broadcom Company, [email protected]
DevSecOps: The Big Picture
John Boebinger, Senior Principal Consultant
CA Technologies, a Broadcom Company
Agenda
1 The Old Way
2 Agile is better, but…
3 Component Testing
4 Negative Testing
5 A Walk Through the Continuous Delivery Process
In the Old Days…
• Very long development cycles (many months or even years)
• Waterfall Methodology
• Code in isolation
• Finally assemble the entire stack and test
• Send long bug list to developers
• Mass firefighting to figure out whose module has the bug
• Rinse and repeat…
Problems
• Quality and Security cannot be tested in by QA
• Quality and Security must be a part of the complete Continuous Delivery process
• If you don’t, worst case, you end up here…
Agile is better, but…
• Still a disconnect between requirements and testing
  • Not always testing thoroughly
  • Over testing some areas, not testing others sufficiently
• Tests need to be created directly from the requirements
  • User Stories need to be translated into tests
• Are the requirements adequate?
  • Frequently, they are not
  • Part of the iterative process of learning how to create complete requirements
Traditional Testing – The Entire Stack
[Figure: the full stack under test. A Test Engine exercises the Web UI; behind it an ESB connects over MQ, JDBC, HTTP and SOAP to Mainframe, Data, Legacy and External systems.]
Component Testing
[Figure: the same stack, but one component (the Mainframe in the diagram) is the System Under Test (SUT) and is exercised directly rather than through the Web UI.]
Service Virtualization
[Figure: an API Test sends a Request to the SUT and checks the Response; the ESB and its MQ, JDBC, HTTP and SOAP connections to the Mainframe, Data, Legacy and External systems are stood in for by virtual services.]
Component Testing
• Need to be able to completely test each component in isolation
  • Especially if other components aren't yet available
• Ideally the developer can completely test at their desktop
• All levels of testing
  • Functional Testing
  • Regression Testing
  • Performance Testing
  • Negative Testing
• Advantage – They will never know…
Component Testing – The How
• How do they test a new car engine design?
  • Hint – not in a car
  • They use an engine test bed
• Create a test bed for software components
• Automated UI or API tests for the front end
  • In agile methodology the first thing a developer is supposed to do is write tests…
• Simulated back ends
  • Can be done with stubs and mocks
  • But best done with Service Virtualization
Negative Testing
• Not good enough to say it works once in a row in a perfect environment
• Need to stress test the component with unusual conditions
• Creating a good negative testing environment is not easy
  • Requires experience in what kinds of things can go wrong
• One of the largest banks says 80% of their testing is negative testing
  • "People just have no sense of humor when it comes to their own money…"
Negative Testing - Speed
• Number to remember – 3.6
  • That's how many seconds a user will wait at an hourglass…
• Need to create backends that are slow
  • Normally a back end may respond in 300 milliseconds
  • How does the System Under Test handle a 10 second response?
  • Does it inform the user that things are slow and they should be patient?
  • Or does it just sit there like it has hung?
• Need to create a fast backend
  • Not as much of a problem, but too fast a response can be an issue
  • There can be timing problems
Negative Testing – Bad Data
• We have been testing bad data from users for decades
  • Input a birthdate where they are supposed to put a SSN, for example
• How will the system under test handle bad data from the back end?
  • Expect a number and instead get an alphabetic
  • For example, expecting an amount and instead get a name
  • Does the SUT handle it gracefully?
  • Or does the end user see an "Illegal Exception" error
    • And think the police are on their way…
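As an added illustration of the two negative tests just described (slow back end and bad data from the back end), and of the "simulated back end" idea from the Component Testing slides, here is a small Python test bed. It is not code from the presentation or from any vendor product; the virtual balance service, the Outcome class and the fetch_balance client are all hypothetical. The client bounds how long the user waits and refuses to trust a reply whose amount field is not a finite number, so the user sees a plain message rather than a hang or an "Illegal Exception" screen.

```python
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Any, Callable, Dict, Optional


# Constructed virtual service (hypothetical): a stand-in for a balance back end.
# Delay and payload are configurable so the same test bed can play the
# "normal", "stalled" and "returns garbage" roles the negative tests need.
def make_virtual_backend(delay_s: float, payload: Dict[str, Any]) -> Callable[[str], Dict[str, Any]]:
    def backend(account_id: str) -> Dict[str, Any]:
        time.sleep(delay_s)                      # simulate back-end latency
        return dict(payload, account=account_id)
    return backend


@dataclass
class Outcome:
    status: str                       # "ok", "slow" or "bad_data"
    message: str                      # what the end user is shown
    amount: Optional[Decimal] = None  # parsed balance when status == "ok"


def fetch_balance(backend: Callable[[str], Dict[str, Any]],
                  account_id: str, timeout_s: float) -> Outcome:
    """Call the back end with a hard wait limit, then validate its reply."""
    pool = ThreadPoolExecutor(max_workers=1)
    future = pool.submit(backend, account_id)
    try:
        resp = future.result(timeout=timeout_s)
    except FutureTimeout:
        # Slow back end: tell the user instead of leaving them at an hourglass.
        return Outcome("slow", "The account service is taking longer than usual. "
                               "Please try again in a moment.")
    finally:
        # Never block on a stalled worker; let it finish in the background.
        pool.shutdown(wait=False)

    raw = resp.get("balance")
    try:
        amount = Decimal(str(raw))          # "John Smith" or None both fail here
        if not amount.is_finite():          # reject NaN / Infinity as well
            raise InvalidOperation
    except (InvalidOperation, ValueError, TypeError):
        # Bad data from the back end (a name where an amount belongs):
        # handle it gracefully rather than surfacing a stack trace.
        return Outcome("bad_data", "We could not retrieve your balance right now.")
    return Outcome("ok", f"Your balance is {amount:.2f}", amount)


if __name__ == "__main__":
    # Constructed scenarios: a 300 ms back end is "normal"; 10 s would be the
    # slide's stall. The stall is scaled down here so the demo runs quickly.
    normal = make_virtual_backend(0.0, {"balance": "1250.75"})
    stalled = make_virtual_backend(0.3, {"balance": "1250.75"})
    garbage = make_virtual_backend(0.0, {"balance": "John Smith"})
    for name, svc in [("normal", normal), ("stalled", stalled), ("garbage", garbage)]:
        print(name, fetch_balance(svc, "acct-42", timeout_s=0.05))
```

The same test bed covers the "fast back end" case by setting delay_s to 0, which is useful for shaking out code that assumed a reply could never arrive before some other step completed.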
Negative Testing – Data out of Order
• Sometimes assumptions are made about how data will appear
• For example:
  • A person record is transmitted followed by transaction records
  • Person1 -- Xaction1 -- Xaction2 -- Person2 -- Xaction3 -- Xaction4
• What if a record goes missing?
  • Person1 -- Xaction1 -- Xaction2 -- {missing record} -- Xaction3 -- Xaction4
  • Do those last two transactions get charged to person 1's account?
  • Or does the System Under Test do sufficient checking?
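The missing-record scenario above, worked through as an added Python example (not code from the presentation). Two processors consume the same constructed record stream: charge_naive does what the slide warns about and books Xaction3 and Xaction4 to Person1, while charge_checked shows the "sufficient checking" the slide asks for. The checks go a little beyond the slide's wording: each record carries a sequence number so a gap can be detected, and each transaction carries the id of the person it belongs to so a mismatch can be caught even without a gap. The Record layout and both function names are assumptions for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    seq: int          # position in the feed; lets the consumer notice gaps
    kind: str         # "Person" or "Xaction"
    owner: str        # person id the record belongs to
    amount: float = 0.0


@dataclass
class Result:
    ledger: Dict[str, List[float]] = field(default_factory=dict)
    rejected: List[Tuple[int, str]] = field(default_factory=list)  # (seq, reason)
    gaps: List[Tuple[int, int]] = field(default_factory=list)      # (expected, got)


def charge_naive(stream: List[Record]) -> Dict[str, List[float]]:
    """The assumption the slide warns about: every transaction belongs to
    whichever Person record was seen most recently."""
    ledger: Dict[str, List[float]] = {}
    current: Optional[str] = None
    for rec in stream:
        if rec.kind == "Person":
            current = rec.owner
            ledger.setdefault(current, [])
        elif rec.kind == "Xaction":
            ledger.setdefault(current, []).append(rec.amount)
    return ledger


def charge_checked(stream: List[Record]) -> Result:
    """Defensive version: a sequence gap invalidates the current person
    context, and a transaction is booked only when its owner matches it."""
    result = Result()
    current: Optional[str] = None
    expected_seq: Optional[int] = None
    for rec in stream:
        if expected_seq is not None and rec.seq != expected_seq:
            # Something between expected_seq and rec.seq never arrived. We no
            # longer know whose transactions follow, so drop the context.
            result.gaps.append((expected_seq, rec.seq))
            current = None
        expected_seq = rec.seq + 1

        if rec.kind == "Person":
            current = rec.owner
            result.ledger.setdefault(current, [])
        elif rec.kind == "Xaction":
            if current is None:
                result.rejected.append((rec.seq, "no person record in context"))
            elif rec.owner != current:
                result.rejected.append(
                    (rec.seq, f"owner {rec.owner} does not match current person {current}"))
            else:
                result.ledger[current].append(rec.amount)
        else:
            result.rejected.append((rec.seq, f"unknown record kind {rec.kind!r}"))
    return result


# Constructed feed matching the slide: Person2 (seq 4) has gone missing.
SAMPLE_STREAM = [
    Record(1, "Person", "Person1"),
    Record(2, "Xaction", "Person1", 10.0),
    Record(3, "Xaction", "Person1", 20.0),
    # Record(4, "Person", "Person2") is the missing record
    Record(5, "Xaction", "Person2", 30.0),
    Record(6, "Xaction", "Person2", 40.0),
]

if __name__ == "__main__":
    print("naive  :", charge_naive(SAMPLE_STREAM))   # Person1 gets all four
    print("checked:", charge_checked(SAMPLE_STREAM))  # Person1 gets two; two rejected
```

Rejected records and detected gaps are returned rather than silently dropped, so the test harness (or, in production, an operator alert) can see that the feed was incomplete instead of discovering it from a customer complaint.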
A Walk Through the DevSecOps Continuous Delivery Process
[Figure: continuous delivery pipeline with stages Plan, Code, Build, Test, Deploy and Run, each backed by automation, and a feedback loop (Intake, Validate, Measure/Feedback, Single View, performance feedback). Activity groups shown on the diagram:]
• Requirements, User Stories, Release Plan: import User Stories to automatically create, visualize and optimize test cases; determine data requirements; Model
• Code: develop and commit code, version control, continuous integration; build and initiate release; vulnerability scan
• Data Preparation: subset/mask test data; create/reserve test data
• Testing: unit and full stack testing; test automation library; load testing; API testing
• Testing Integration: remove constraints with virtual services; simulate unavailable components; simulate backend load; negative testing backend
• Control Access: provide scalable access to APIs; control access to APIs; switch between environments; create virtual services
• Config/Deploy: provision entire stack; confirm configurations; approve changes; successfully deploy; internal or cloud
• Test deployed code for security vulnerabilities
• Measure/Feedback: customer experience; service level; application tier; infrastructure tier; dynamic capacity; feedback to PO/PM
Summary
• Quality and Security cannot be just tested in at the end
• Requirements need to be translated into tests
• Testing needs to be done thoroughly at the component level
• Negative testing is critical
• Step back and look at the complete process
Questions?
Thank you. John Boebinger
Senior Principal Consultant, CA Technologies, a Broadcom Company