DevSecOps – Why Aren’t You Doing It? (Chapters Site Annual IIAISACA)

Brian Liceaga, CISSP


Agenda

• State of DevOps
• Value of DevOps
• Benefitting from DevOps
• DevSecOps
• What you can do as InfoSec


The State of DevOps - 2017

• Automation is a huge boon to organizations.
• DevOps applies to all organizations.
• Lean product management drives higher organizational performance.
• High performers vs. low performers:
  • 46 times more frequent code deployments.
  • 440 times faster lead time from commit to deploy.
  • 96 times faster mean time to recover from downtime.
  • 5 times lower change failure rate (changes are 1/5 as likely to fail).


Problems that continue to affect InfoSec teams

• Slow patching processes (all systems… not just external servers!)
• Lack of visibility into the changes being made in applications and systems
• Lack of, or slow, BC/DR execution abilities
• Disconnect between Infra/App Dev and Security
  • Security being left behind in Agile
  • Infra is making security decisions every day without the Security team
• Security policies, processes and procedures seen as red tape
• Organizations adopting new technologies without Security input
• Traditional on-prem tooling not compatible with cloud

Are any of these issues affecting your company?


The Value of DevOps

• Infrastructure as Code - Defining and managing system configuration through code that can be versioned and tested in advance, rather than using a manual process.

• Continuous Delivery - Using Continuous Integration and test automation to build pipelines from development to test and then to production provides an engine to drive change.

• Continuous monitoring and measurement - Creating feedback loops from production back to engineering, collecting metrics, and making them visible to everyone to understand how the system is actually used and using this data to learn and improve.

• Learning from failure – Since failure will happen, use it as a learning opportunity to improve through constructive postmortems.


Wait, this stuff sounds pretty good… maybe security benefits too!


Benefitting from DevOps!

• Infrastructure as Code
  • Fewer humans clicking around in the IaaS management console!
  • Automatically enforce security policies at runtime
  • BC/DR dream come true
• Continuous Delivery
  • Code flaws are detected and patched sooner
• Continuous monitoring and measurement
  • Testing which security controls work best in your environment
  • Insight into security threats, enabling “Attack-Driven Defense”
• Learning from failure
  • Continuous red teaming (constant state of compromise)
  • More resilient systems and more resilient organizations


“Immutable” Infrastructure

• Destroy virtual servers with each deploy so updated code goes onto new, patched servers.
• Don’t give malware a habitat to thrive in.
• Remove access to production servers/containers.

Cattle vs. Kittens


Environment Evolution

• Physical Servers -> Virtual Machines
• Monolithic Apps -> Service Oriented Architectures -> Microservices
• On-prem -> Cloud (XaaS offerings)
• Servers -> Containers -> Serverless?


Keeping Up With Velocity

• MVPs should have security too
• Establish “approved” code committers
• Ensure all activity is being centrally logged
  • VCS, IaaS API calls, flow logs, correlate server logs with metadata tags, etc.
  • No sensitive data should be logged!
• Bring knowledge/credibility to the table
• Befriend the Product Managers!
• Security awareness

DevOps and Agile move fast


Shifting Security to the Left

1. Culture of Collaboration
2. Translate Paper into Code
3. Fanatical Testing and Instrumentation
4. Provide Intuitive Security Measurement
5. Continuous Science

Built-in vs Bolt-on

Source: Shannon Lietz, DevSecOps Foundation


The Art of DevSecOps

• SecOps? DevOps? TechOps? DevSecOps? DevOpsSec?... Krav Maga?

Names don’t matter... actions do!

Source: DevSecOps Foundation


The Security Funnel

Source: DevSecOps Foundation


Continuous Science

Source: DevSecOps Foundation


Security as Code

1. Pre-commit
  • Threat modeling
  • IDE checks / secure coding
  • Peer review
2. Commit / CI
  • SAST
  • Software composition analysis
  • Abuse/misuse cases
  • Git-secrets
3. QA and Acceptance
  • DAST
  • Automated security attacks (e.g. Fuzzing, Gauntlt)
  • Configuration management
4. Prod Deploy / Post-Deploy
  • Configuration management
  • Continuous vulnerability scanning
  • Automated runtime defense


Compliance as Code

• Compliance as Code tries to minimize paperwork and overhead (but yes, you still need an IS policy!)
• Assess the infrastructure’s adherence to compliance requirements and monitor it on an ongoing basis
• Policies and rules are enforced and tracked through automated controls

AWS Inspector


Automating Corrective Action – Working Smarter

• More prevention… less investigation
• Adopting DevSecOps
  • 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident

Our Approach: corrective action to contain the incident. AWS Lambda is triggered based on security policy violations.


Automating Corrective Action - Use Case

MFA is Removed – https://github.com/evolvesecurity/lambdolf

1. User removes MFA
2. Triggers Lambda
3. Lambda revokes all IAM access for the account in violation
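The use case above as an added example (my code, not the lambdolf project's): a Lambda handler that consumes the CloudTrail record EventBridge delivers for DeactivateMFADevice or DeleteVirtualMFADevice and quarantines that IAM user. The boto3 calls are real IAM API methods; the deny-all inline policy, the handler structure and the sample event are this example's own assumptions.

```python
import json

# CloudTrail event names that mean an MFA device was removed from an IAM user.
MFA_REMOVAL_EVENTS = {"DeactivateMFADevice", "DeleteVirtualMFADevice"}

# Inline deny-all policy applied until a human reviews the account (this
# example's own quarantine choice, not something taken from lambdolf).
QUARANTINE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*"}]}

# Constructed sample of a CloudTrail record as EventBridge delivers it.
SAMPLE_EVENT = {"detail": {
    "eventSource": "iam.amazonaws.com", "eventName": "DeactivateMFADevice",
    "userIdentity": {"type": "IAMUser", "userName": "alice"},
    "requestParameters": {"userName": "alice",
                          "serialNumber": "arn:aws:iam::123456789012:mfa/alice"}}}

def user_in_violation(event):
    """Return the IAM user name if the event is an MFA removal, else None."""
    detail = event.get("detail", {})
    if detail.get("eventSource") != "iam.amazonaws.com":
        return None
    if detail.get("eventName") not in MFA_REMOVAL_EVENTS:
        return None
    # DeactivateMFADevice names the target user; DeleteVirtualMFADevice only
    # carries the device ARN, so fall back to the calling IAM user.
    user = (detail.get("requestParameters") or {}).get("userName")
    if not user and detail.get("userIdentity", {}).get("type") == "IAMUser":
        user = detail["userIdentity"].get("userName")
    return user

def quarantine_user(iam, user):
    """Attach the deny-all policy and deactivate every access key of the user."""
    iam.put_user_policy(UserName=user, PolicyName="MfaRemovedQuarantine",
                        PolicyDocument=json.dumps(QUARANTINE_POLICY))
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    for key in keys:
        iam.update_access_key(UserName=user, AccessKeyId=key["AccessKeyId"],
                              Status="Inactive")
    return {"user": user, "keys_deactivated": len(keys)}

def lambda_handler(event, context=None, iam=None):
    user = user_in_violation(event)
    if user is None:
        return {"action": "ignored"}
    if iam is None:  # injectable client so the logic can be unit-tested offline
        import boto3  # only needed when actually running inside Lambda
        iam = boto3.client("iam")
    result = quarantine_user(iam, user)
    result["action"] = "quarantined"
    return result
```

Wire it to an EventBridge rule matching `source: aws.iam` with those two event names; the Lambda role needs only iam:PutUserPolicy, iam:ListAccessKeys and iam:UpdateAccessKey.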


DevSecOps Manifesto

1. Leaning in over Always Saying “No”
2. Data & Security Science over Fear, Uncertainty and Doubt
3. Open Contribution & Collaboration over Security-Only Requirements
4. Consumable Security Services with APIs over Mandated Security Controls & Paperwork
5. Business Driven Security Scores over Rubber Stamp Security
6. Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
7. 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
8. Shared Threat Intelligence over Keeping Info to Ourselves
9. Compliance Operations over Clipboards & Checklists


What can you do as InfoSec?

• Adopt a DevOps mindset (if your org isn’t doing it, then push for it or lead it within InfoSec)
• Redefine your role and relationships with the company
• Enabling DevSecOps requires a team of engineers instead of analysts
• Train existing analysts in DevOps and automation
• Operate in a constant state of compromise
• Fail fast and adapt quickly

A New and Improved Security Team


Contact: Brian Liceaga, CISSP
Email: [email protected]
Evolvesecurity.io

THANK YOU!


References

• DevSecOps.org
• DevOpsSec by Jim Bird. O'Reilly Media, Inc., 2016
• Flaticon