DevSecOps – Shift Left Security

Prioritizing Incident Response using Security Posture

Assessment and Attack Surface Analysis

Themes

Vulnerabilities are Low Hanging Fruit

Why so many breaches that Anti-Virus missed…?

2015 largest disclosed breaches

Known Critical Vulnerabilities are Increasing

0

1,000

2,000

3,000

4,000

5,000

6,000

7,000

8,000

9,000

2011 2012 2013 2014 2015 2016

Vulnerabilities

Total High (CVSS 7-10)

WannaCry

Retrospective

WannaCry Timeline and Remediation

0

100

200

300

400

500

600

700

THO

USA

ND

S

EternalBlue Exploit WannaCry MS17-010 Patch Release

Authenticated / Agent Detection

Continued + Unauthenticated Detection

Endpoint Breach Prevention by Reducing

Attack Surfaces

Discover

and

Know your

Assets

1

Detect

and

Measure

Vulnerabilities

2

Prioritize

Remediation

3

Identify

and

Deploy

Patches

4

Exercise: “I already know all my assets…”

Auto-Deploy Qualys Cloud Agent (Vuln)

Vulnerability Results

Exploitability Posture

Get Proactive – Reduce the Attack Surface!

Get Visibility

into your Public

Clouds

Common AWS Misconfigurations

Continuous

Security

Monitoring

Actionable Responses – Reduce Attack Surface

Can Security Teams do

better?

Digital Transformation – Priorities

Source: https://news.microsoft.com/apac/2017/02/20/80-of-business-leaders-believe-they-need-to-be-a-digital-business-to-succeed-microsoft-study/microsoft-digital-transformation-infographic-asia

Digital Transformation – Barriers

Source: https://news.microsoft.com/apac/2017/02/20/80-of-business-leaders-believe-they-need-to-be-a-digital-business-to-succeed-microsoft-study/microsoft-digital-transformation-infographic-asia

DevSecOps = / DevOps + Security

False Approach ~ False Start ~ Failure

Plan Code Test Package Release Deploy Monitor Operate

Dev Ops

Secu

rity

Secu

rity

Secu

rity

Secu

rity

Secu

rity

Secu

rity

Secu

rity

wait! wait! wait! wait! wait! wait!

Security + DevOps = a Revolt or Left Out?

Source: https://theclumpany.wordpress.com/2015/08/09/pitchforks-and-flaming-torches/

Food Safety is a Security Problem

Source: http://www.foodengineeringmag.com/articles/88990-tech-update-metal-detection-xray-inspection-

DevSecOps – Shift in Thinking

Shift Time

Case Study: Financial Services Mobile Wallet

Before: Lack of Security Automation Delays Release

At least two weeks until the AMI is certified for production

Vulnerability Management Teams

Machine Builders VM Scan/Report

48 Hours

VM Scan/Report 48 Hours

Security

Born in the Cloud: New builds in AWS every 60 days

Automated Regression & Test-Driven Development

Docker containers abstracts applications from OS

DevOps

Commercial/Open Source vulnerabilities are detected & fixed on same release cadence

Automated regression finds patch issues faster

OS vulnerabilities are patched separate from Applications

1

2

3

After: Security at the Source in DevOps Pipeline

APPROVE and

PUBLISH

QUALYS ASSESS

ON DEV

INSTANCES

OS

Qualys

Scanner

AUTOMATICALY

ADD QUALYS

CLOUD AGENT

OS

Qualys

Agent

AMAZON MACHINE

IMAGE (AMI)

Qualys

Agent

Vulnerability Metric Benefits

Shift Techniques

Case Study: One of Largest Ecommerce Companies

Prevent Software Check-Ins that use Vulnerable Libraries

Apply Technique

Tag Vulnerable Libraries in Source Control

1

Shift Technique

Automatically open tickets for Developers on security issues

Apply Technique

Vulnerabilities in Production are Treated as Defects

Shift Technique

2

Excessive Remediation Times are escalated to CEO

Apply Technique

Open Vulnerabilities Reported to Business Unit VPs

Shift Technique

3

Shift Tools

Find/Implement the right tools for the DevOps Processes…

... But: You may not need to procure new tools

APIs, Integrations, Self-Service UIs Collaborate with current vendors on your DevOps plans

Case Study: Financial Investment Services

Solution Challenge

400+ Web Apps in production

Web Security Assessment found they had a lot of “easily” mitigated app vulnerabilities

Integrated the production Web Security Assessment tool into DevOps processes via API

Automatically create Jira bugs for App Development to fix XSS and SQL Injection issues

Continuously assess Web Apps in the dev process so issues are not re-introduced

Hard for developers to fix security issues in production

1

2

3

Integrate Production Security Tools into DevOps

Selenium

Qualys WAS

Jira Issues

Selenium

Qualys WAS

Jira Issues

DevSecOps: Practical Steps to Get Started

•

•

•

•

•

•

•

•

•

•

•

•

•

Open Q &A