DevSecOps Automating Security in DevOps
A presentation at IPExpo Manchester 2019 in in Manchester, UK by Anant Shrivastava
DevSecOps: What, Why and How Anant Shrivastava, NotSoSecure (Claranet Cyber Security)
About: Anant Shrivastava
Agenda ● What is DevSecOps? ● Why do we need DevSecOps? ● How do we do DevSecOps? ● Integrate Security in Pipeline ● Tools of Trade ● Sample Implementation ● Case Studies
Disclaimer ● I will be listing a lot of tools, It’s not an exhaustive list ● I don’t endorse or recommend any specific tool / vendor ● Every environment is different: Test and validate before implementing any ideas
What is DevSecOps? Effort to strive for “Secure by Default” ● Integrate Security in tools ● Create Security as Code culture ● Promote cross skilling
Why do we need DevSecOps? ● DevOps moves at rapid pace, traditional security just can’t keep up ● Security as part of process is the only way to ensure safety
Shifting Left saves cost & time Developer /QA Penetration Testing
Shifting Left saves cost & time Developer /QA Automated Source Code Review 1 SQL Injection Fewer Man Day Effort No New Deployments Penetration Testing
How do we do DevSecOps? ● DevSecOps is Automation + Cultural Changes ● Integrate security into your DevOps Pipeline ● Enable cultural changes to embrace DevSecOps
Injecting Sec in DevOps
Sample Implementation
Tools of the trade
Tools of the trade
To be or not to be in Pipeline ● API / command line access ● Execution start to final output should be 15 minutes max ● Containerized / scriptable ● Minimal licensing limitations (parallel scans or threads) ● Output format parsable / machine readable (no stdout, yes to json /xml) ● Configurable to counter false negatives / false positives
What about Cloud • The Threat Landscape changes - Identity and Access Management - Billing Attacks • Infrastructure as Code allows quick audit / linting • Focus more on: - Security groups - Permissions to resources - Rouge /shadow admins - Forgotten resources (compromises / billing)
Cultural Aspect ● Automation alone will not solve the problems ● Focus on collaboration and inclusive culture ● Encourage security mindset specially if it’s outside sec team ● Build allies (security champions) in company ● Avoid Blame Game
Security Champion ● Bridge between Dev, Sec and Ops teams ● Build Security Champions ● Single Person per team ● Everyone provided with similar cross skilling opportunities ● Incentivize other teams to collaborate with Sec team ● Internal Bug bounties ● Sponsor Interactions (Parties / get-togethers) ● Sponsor cross skilling trainings for other teams
Security Enablers
Generic Case Study
Case Study
Case Study
More Case Studies
Case Study: Last one I promise Prevention: Patching and Continuous monitoring of Assets
Is it Enough? ● Rite of passage by periodic pen test and continuous bug bounty ● It’s not just important to get feedback but to also action on them ● Risk Acceptance Documentation should be the worst case scenario not your first bet
References • https://www.blackhat.com/docs/us-17/thursday/us-17-Lackey-Practical%20Tips-for-Defendin g-Web-Applications-in-the-Age-of-DevOps.pdf • https://www.sonatype.com/hubfs/2018%20State%20of%20the%20Software%20Supply%20 Chain%20Report.pdf • https://snyk.io/opensourcesecurity-2019/ • https://www.veracode.com/state-of-software-security-report
Key Takeaways ● Security is everyone responsibility ● Embrace security as an integral part of the process, use feedback to refine the process ● DevSecOps is not a one size fit all: your mileage will vary
In this talk, we shall focus on how a DevOps pipeline can easily be metamorphosed into a DevSecOps and the benefits which can be achieved with this. The talk will discuss a number of open source tools and also the cultural changes needed to implement DevSecOps. The talk will also present various case studies on how critical bugs and security breaches affecting popular software and applications could have been prevented using a simple DevSecOps approach.
What you will takeaway from this session:
- Create a security culture amongst the already integrated “DevOps” team.
- Find and fix security bugs as early as possible in the SDLC .
- Promote the philosophy “security is everyone’s problem” by creating Security champions within the organisation.
- Integrate all security software centrally and utilize the results more effectively.
- Measure and shrink the attack surface.
Resources
The following resources were mentioned during the presentation or are useful additional information.
Buzz and feedback
Here’s what was said about this presentation on social media.
