What, Why and How DevSecOps - Black Hat Briefings · 2019-04-01
DevSecOps: What, Why and How
Anant Shrivastava
NotSoSecure Global Services
@anantshri
About
Anant Shrivastava
• Director NotSoSecure Global Services
• Sysadmin / Development / Security
• Project Owner: AndroidTamer, Codevigilant
• Contributor: OWASP, null, G4H and more
• https://anantshri.info (@anantshri on social platforms)
NotSoSecure Global Services (a Claranet group company)
• Boutique Consulting firm specialized in training and consulting
Agenda
● What is DevSecOps
● Why do we need DevSecOps
● How do we do DevSecOps
● Integrate Security in Pipeline
● Tools of Trade
● Sample Implementation
● Case Studies
Disclaimer
● I will be listing a lot of tools; it's not an exhaustive list.
● I don't endorse or recommend any specific tool / vendor
● Every environment is different: test and validate before implementing any ideas.
What is DevSecOps
Effort to strive for “Secure by Default”
● Integrate Security in tools
● Create Security as Code culture
● Promote cross skilling
Why do we need DevSecOps
● DevOps moves at a rapid pace; traditional security just can't keep up
● Security as part of the process is the only way to ensure safety
Shifting Left saves cost & time
Pipeline stages shown: Developer → Source Code Repository → Build (CI/CD Server) → Staging/QA → Production → Monitoring → Penetration Testing
Shifting Left saves cost & time (annotated)
Same pipeline with an Automated Source Code Review step added early: 1 SQL Injection found there means fewer man-days of effort and no new deployments.
How do we do DevSecOps
• DevSecOps is Automation + Cultural Changes
• Integrate security into your DevOps Pipeline
• Enable cultural changes to embrace DevSecOps
Injecting Sec in DevOps
• Developer: Pre-Commit Hooks, IDE Plugins
• Code Repository: Secrets Management
• CI/CD Server
  • Pre-Build: Static Application Security Testing (SAST), Source Composition Analysis (SCA)
  • Post-Build: Dynamic Application Security Testing (DAST)
• Artifact Repository: Build artifacts versioned against code commits
• QA/Staging: Manual Web Application Pentesting, Business Logic Flaws
• Production: Security in Infrastructure as Code (IaC), Compliance as Code, Alerting and Monitoring
• Vulnerability Management
Sample Implementation
A simplistic flow of DevSecOps Pipeline using some of the tools mentioned earlier
Tools of trade
• Pre-Commit Hooks: Git Hound, truffleHog
• Software Composition Analysis: Retire.js
• Static Analysis Security Testing (SAST): CAT.net
• Secret Management: Keywhiz
• Threat Modelling Tools: ThreatSpec, Microsoft Threat Modeling Tool
• IDE Plugins
Preference given to open source tools; we don't endorse any tool
Tools of trade
• Dynamic Security Analysis
• Infrastructure Scan: Docker Bench for Security
• Compliance as Code
• WAF
• Vulnerability Management: Jackhammer
Preference given to open source tools; we don't endorse any tool
To be or not to be in Pipeline
● API / command line access
● Execution start to final output should be 15 minutes max
● Containerized / scriptable
● Minimal licensing limitations (parallel scans or threads)
● Output format parsable / machine readable (no stdout, yes to json / xml)
● Configurable to counter false negatives / false positives
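As an added example (not from the talk) of the machine-readable-output and configurable false-positive criteria above: a Python build gate that parses a hypothetical scanner's JSON report, honours a documented accepted-risk list, and fails the build above a severity threshold. The report schema, finding ids and acceptance entries are constructed.

```python
"""Build gate for a scanner that emits machine-readable output.
Added example, not from the talk. Assumes a hypothetical scanner whose JSON
report is a list of findings with "id", "severity" and "title" fields.
"""
import json

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report standing in for the tool's JSON output.
SAMPLE_REPORT = json.dumps([
    {"id": "sqli-001", "severity": "high", "title": "SQL injection in /login"},
    {"id": "hdr-004", "severity": "low", "title": "Missing X-Content-Type-Options"},
    {"id": "xss-017", "severity": "medium", "title": "Reflected XSS in search"},
])

# Accepted risks / confirmed false positives, kept in the repo alongside the
# risk acceptance documentation so every suppression has an owner and a reason.
ACCEPTED = {"xss-017": "FP: output is HTML-escaped by the template layer"}


def parse_report(raw):
    """Parse the tool's JSON output (never scrape stdout) into finding dicts."""
    findings = json.loads(raw)
    if not isinstance(findings, list):
        raise ValueError("expected a JSON array of findings")
    return findings


def gate(findings, fail_on="high", accepted=ACCEPTED):
    """Return (passed, blocking, suppressed).

    blocking: findings at or above fail_on with no recorded acceptance.
    suppressed: findings skipped because an explicit acceptance exists.
    """
    threshold = SEVERITY_RANK[fail_on]
    blocking, suppressed = [], []
    for f in findings:
        if f["id"] in accepted:
            suppressed.append(f)
        elif SEVERITY_RANK.get(f["severity"], 0) >= threshold:
            blocking.append(f)
    return (not blocking, blocking, suppressed)


if __name__ == "__main__":  # exit status is what the CI/CD server acts on
    ok, blocking, _ = gate(parse_report(SAMPLE_REPORT))
    for f in blocking:
        print(f"BLOCK {f['id']} [{f['severity']}] {f['title']}")
    raise SystemExit(0 if ok else 1)
```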
What about Cloud
• The Threat Landscape changes
  • Identity and Access Management
  • Billing Attacks
• Infrastructure as Code allows quick audit / linting
• Focus more on:
  • Security groups
  • Permissions to resources
  • Rogue / shadow admins
  • Forgotten resources (compromises / billing)
Cultural Aspect
● Automation alone will not solve the problems
● Focus on collaboration and an inclusive culture
● Encourage a security mindset, especially outside the sec team
● Build allies (security champions) in the company
● Avoid the blame game
This is just the tip of the iceberg (details out of scope for this session)
Security Champion
• Bridge between Dev, Sec and Ops teams
• Build Security Champions
  • Single person per team
  • Everyone provided with similar cross-skilling opportunities
• Incentivize other teams to collaborate with the Sec team
  • Internal bug bounties
  • Sponsor interactions (parties / get-togethers)
  • Sponsor cross-skilling trainings for other teams
Generic Case Study
Case Study
Unaccounted and unmonitored assets
Prevention: Recurring asset inventory and automated assessments
Case Study
Auth token accidentally exposed
Prevention: Pre-commit hook and continuous repository monitoring
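An added example, not from the talk, of the pre-commit hook this case study recommends: a Python hook that scans only the added lines of the staged diff for secret-shaped strings and blocks the commit when one is found. The patterns, entropy threshold and sample diff are illustrative; the AKIA value is the documented AWS example key.

```python
"""Pre-commit secret check: refuse a commit whose staged diff adds a token.
Added example, not from the talk. The AWS key shape is publicly documented; the
generic rule catches long high-entropy strings assigned to secret-like names."""
import math
import re
import subprocess

# (rule name, regex). Only added lines ("+...") of the staged diff are checked.
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("assigned-secret", re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{16,})['\"]")),
]
ENTROPY_MIN = 3.5  # bits per char; raise to cut false positives, lower to cut misses

def shannon_entropy(s):  # random-looking tokens score high, words score low
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_secrets(diff_text):
    """Return [(diff line no, rule, matched value)] for suspicious added lines."""
    hits = []
    for no, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # context, removed lines and file headers are not new secrets
        for rule, rx in PATTERNS:
            m = rx.search(line)
            if m is None:
                continue
            value = m.group(m.lastindex or 0)
            # Entropy filter for the generic rule only, so obvious placeholders pass.
            if rule != "assigned-secret" or shannon_entropy(value) >= ENTROPY_MIN:
                hits.append((no, rule, value))
    return hits

# Constructed staged diff; the AKIA value is the example key from AWS documentation.
SAMPLE_DIFF = """\
+++ b/config.py
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+API_TOKEN = "q8Zx2LpR7vT1mK9sW4hN3bY6cJ0dF5gA"
+password = "placeholder-placeholder"
"""
if __name__ == "__main__":  # as .git/hooks/pre-commit: non-zero exit blocks the commit
    staged = subprocess.run(["git", "diff", "--cached", "-U0"],
                            capture_output=True, text=True, check=True).stdout
    hits = find_secrets(staged)
    for no, rule, _ in hits:
        print(f"blocked: diff line {no} matched {rule}")
    raise SystemExit(1 if hits else 0)
```

Pair the hook with continuous repository monitoring, as the slide says: a hook only runs on machines where it is installed.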
More Case Studies
Cloud Assets Misconfiguration
Prevention: Continuous monitoring and review of cloud assets and config
Case Study: Last one I promise
Misconfiguration leading to code disclosure
Prevention: Patching and continuous monitoring of assets
Is it Enough?
• Rite of passage: periodic pen tests and a continuous bug bounty
• It's not just important to get feedback but also to act on it
• Risk Acceptance Documentation should be the worst-case scenario, not your first bet
Key Takeaways
• Security is everyone's responsibility
• Embrace security as an integral part of the process; use feedback to refine the process
• DevSecOps is not one-size-fits-all: your mileage will vary