Presenting a framework for building an AppSec program in a DevOps environment; specifically one that is moving towards CI/CD. Abstract: Pentesters are tired of breaking things, writing a report, and walking away. Security teams are caught in a backlog that prevents them from ever staying ahead. Developers curse security for slowing them down. How can we address these seemingly incompatible and insurmountable issues in an organization, especially at scale? The answer to this may be found in a practice called "DevSecOps" that has been gaining momentum in large organizations that need to move fast and ensure a high level of security across their applications and operations. It is a practice that attempts to address all of these issues through two core principles- automation and education. Using experience gained from working with several large fortune 500 companies, this talk will cover the basics of DevSecOps, and dive into specific tools and processes that organizations of any size can implement to immediately improve their speed of delivery while maintaining a strong and measurable security baseline.

1. How To Move Mountains
Aaron Hnatiw
aaron@securitycompass.com
Twitter: @insp3ctre
www.securitycompass.com

2. Senior Security Researcher, Security Compass
Aaron Hnatiw
• College professor of application security
• Developer
• System administrator
• Security consultant
• Network security engineer
Twitter: @insp3ctre

3. What is this talk about?

4. DevOps: the solution is the
problem (for security)

5. DevOps: The solution

6. Speed of business

7. Developers == QA, operations,
security

8. Waterfall SDLC > agile > CI/CD

11. DevOps: The problem

12. Security as gatekeepers

13. 100:10:1

16. DevOps && Security

17. Gatekeepers

18. Implementation

19. Education

20. Belt Program

21. Security Champions

22. Centre of Excellence

23. Continuous Learning

24. 1. Threat modelling

25. 2. Regular check-ins

26. 3. Open office

27. 4. Maintain interest

28. Continuous Learning
1.Threat modelling
2.Regular check-ins
3.Open office
4.Maintain interest

29. Automation

30. Build custom tooling

32. +
Application Security Engineer

33. Start small

34. Modular tools

35. Fool me twice...

36. Unit tests

37. Infrastructure as code

38. Pentests++

40. Tuning

41. API

42. WHERE DO I START?

43. WHERE TO START
▸ SD Elements
▸ OWASP Top 10 Cheat Sheet
▸ CWE/SANS Top 25 Most Dangerous Software Errors
▸ Again- old findings and mistakes

44. WHERE TO START (OTHER TOOLS)
▸ Lemur (Netflix): https://github.com/Netflix/lemur
▸ Repokid (Netflix): https://github.com/Netflix/repokid
▸ Simian Army (Netflix): https://github.com/Netflix/SimianArmy
▸ Phan (Etsy): https://github.com/etsy/phan
▸ Elastalert (Yelp): https://github.com/Yelp/elastalert
▸ Brakeman: http://brakemanscanner.org/
▸ Twitter uses this and hired the developer

45. WHERE TO START (AWS)
▸ AWS CodePipeline
▸ AWS Inspector
▸ CloudFormation
▸ AWS Config
▸ AWS CloudWatch Events
▸ Action with Lambda

46. ▸ Education
▸ Developers are being asked to write code securely. Enable this through
Continuous Learning (CI/CD... CL!)
▸ Automation
▸ Build an integrated system that finds security issues easily and
automatically, with actionable results
▸ Remediation
▸ CI/CD allows us to push out security fixes faster than ever before
Education + Automation = Remediation
Aaron Hnatiw
aaron@securitycompass.com
Twitter: @insp3ctre
www.securitycompass.com