This talk by Stefan Streichsbier, Co-Founder of GuardRails.io, provides a brief history of how development, operations and security testing have become highly complex. It continues to outline the key problems with traditional security solutions and why in 2020 companies around the world are still figuring out a good way to manage security as part of rapid development cycles. Specifically, the big challenge of introducing and fixing new security issues versus tackling the existing security dept of existing applications.
To quote Bishop Desmond Tutu, “There comes a point where we need to stop just pulling people out of the river. We need to go upstream and find out why they’re falling in.”
After setting the stage, the remainder of the talk will focus on the paradigm shift that security solutions have to incorporate in order to solve the problem of sustainably secure applications on all layers. This will explore how the elements of Speed, Just in time training, and Data science have to be leveraged to empower development teams around the globe to get ahead for once and finally become able to move fast and be safe at the same time.
The 3 core takeaways for the audience are:
1.) Where security practices have gone wrong so far.
2.) What new technologies will cause a paradigm shift in how security is applied at scale.
3.) How security will look like in 5-10 years.
2. Stefan Streichsbier
@s_streichsbier
Actively involved in building
the Dev(Sec)Ops community
(Events/Author)
Identified severe shortcomings
in security processes and
technologies
Background
Previously professional
white-hat hacker
Founder of GuardRails.io
3. The Present
Do not dwell in the past, do not dream of the future,
concentrate the mind on the present moment. - Buddha
4. The talk is split into three segments:
1. The past: Ride down memory lane
2. The present: Where things are at today
3. The future: Take a look into the crystal ball
Agenda
6. 1760-1830
1870-1914
1947-1989
1990-2020
2021-...
Revolution #1
● New manufacturing processes
● Hand production to machines
● Use of steam and water power
● Rise of population and cities
Revolution #2
● New steel making processes
● Mass production/assembly lines
● Electrical grid systems
● Telephones
Revolution #3/1
● Use of digital logic (MOS transistors)
● 1985: Waterfall methodology
● 1989: Invention of the Internet
● Rise of home computers (15%)
Revolution #3/2
● 1990: First web browser (pictures)
● 1994: First online banking
● 2001: Agile, 2009: DevOps
● 60% access to Internet
Revolution #4
● Merging physical, digital,
and biological worlds
● Quantum Computing
● Robotics
● Artificial Intelligence
The industrial revolutions
7. Focus on Applications
● DevOps
● Containers
● Smart Everything (IoT)
● Rust, Kotlin, Elixir, Swift
1990-1999
● Waterfall
● Public access to the Internet
● Personal computers
● Java, Python, Ruby, JavaScript1990-1999
● 1991: First version of AntiVirus
● 1994: Hack $10 million from Citibank
● 1995: Arrest of Kevin Mitnick
● 1996: Smashing the stack for fun and profit
● 1999: Hundreds of advisories for Windows
2000-2009
● Agile
● Cloud Computing
● Smart phones
● C#, Scala, PowerShell, Go
2010-2020
2000-2009
● 2001: Code Red Worm
● 2003: First Static Analysis Tools
● 2004: Microsoft SDL Version 1
● 2006/8: Building Security In/BSIMM
● 2009: Conficker Worm
2010-2020
● 2010: Operation Aurora/Stuxnet
● 2013: 65M records hacked from Tumblr
● 2016: $101M stolen from Bangladesh Bank
● 2017+: Data breaches Equifax, LinkedIn, ...
01
02
03
04
05
06
Security vs. Software
Focus on Operating System
Focus on Network Services
8. Present State: Software Engineering
A lot has happened in the past and software development has evolved by leveraging the principles of lean
manufacturing and iterative & incremental software processes.
● Slow release cycles (quarters)
● Manual Deployments
● Only code is version controlled
● Strict separation of teams (dev/ops/sec)
● Monolithic Architecture
● Lack of visibility
● Fast release cycles (<days)
● Automatic CI/CD Pipelines
● Everything is version controlled (IaC, etc)
● Cross functional teams (dev/ops/sec)
● Microservice Architecture
● Full Stack Visibility
9. Present State: Security Engineering
Security has evolved a lot as well from existing security testing techniques, to the required skills, to the
mindset of how security can support the business.
● Department of No
● One-off security scans
● Security test at the end
● Waiting for issue reports
● Pentesting mindset
● Business Enabler
● Continuous security scanning
● Upfront security analysis
● Proactive vulnerability detection
● Security Engineering mindset
10. Present State: Challenges
Feedback Time
Many existing security tools take a long time to
scan and as such can’t easily be implemented
in CI/CD pipelines. Nightly scans are still a
thing.
Find vs Fix
The main problem is that most applications
(especially legacy ones), have many security
vulnerabilities when they first get tested.
Knowing that there are vulns is good, but fixing
them would take a lot of time.
Fragmentation
Many solutions out there only provide part of
the picture, which results in needing different
dashboards and unify different data sources to
get actionable visibility. Which is a pain for
managers, security engineers, and developers.
Security Noise
Security tools are traditionally designed for
security engineers and as such aim to provide
a lot of results to catch anything that’s possibly
a vulnerability. Which causes a lot of noise and
tends to result in outputs being ignored.
Integration
Many existing tools work stand alone and
don’t integrate well into the development
workflows. Dropping tools into a CI/CD
pipeline, takes a lot of effort to maintain and
rollout org-wide and is typically not enough.
Testing Techniques
There are a lot of security testing techniques
available these days. SAST. SCA, CCA, DAST,
IAST, RASP, VA, Cloud it is very difficult for
organizations to understand what these do
and how to use them.
11. There are several tools out
there now completely
open source, that in some
cases even outperform
some existing enterprise
security solutions. It is
easier to develop tools
now than 15 years ago.
Harder to justify the price.
Many of the “leading”
software security tools
have been founded over
15 years ago, and a lot of
intellectual property has
been created for a
different era.
Legacy IP
Present State: Inconvenient Truths
Acquisition Grown Increased Pressure Wrong Audience
Most security companies
have started with one
scanning technique and
then with success
acquired more companies
with more techniques,
which have been patched
together.
The traditional software
security tools have been
developed for security
experts, are difficult to
use, very noisy and often
hard to use in CI/CD
pipelines.
12. Present State: A Ray of Hope?
https://twitter.com/dcuthbert/status/1286226224172404738?s=20
13. The promise
● Simple, customizable, and fast static analysis tool
for finding bugs
● Runs offline on uncompiled code in CI, at
pre-commit, or in the editor
● Company and community backed
The idea is indeed interesting, create a kind of smart
grep that allows you to create rules in an easy way,
then open it up for the community, et voila. SAST for
everyone. Suddenly much of the IP of these
“dinosaurs” has lost a lot of value, because now
there is a good solution that’s available for free.
Present State: CodeQL & SemGrep
A Silver Bullet?
● Many concerns not addressed by this
○ Other security testing techniques
○ Curation of rules
○ Rollout and Orchestration
Let’s say a perfect SAST solution is available for
everyone, would that solve all problems?
One of the main issues remains:
Find vs. Fix
14. The Future
There comes a point where we need to stop just pulling
people out of the river. We need to go upstream and find
out why they’re falling in. - Bishop Desmond Tutu
15. Goals that need to be achieved
● Smart Security Scanning
● Unify all security testing techniques
● Native Integration
● Continuous Verification
● Auto-fixing of issues
● Security for developers
● Security available for all
16. Smart Security Scanning
Data science is eating the world
● Rules are a great foundation
○ Leverage crowd to mark issues
● Findings data-set has to be verified
○ Leverage crowd to verify issues
● Identify issues by “understanding code”
○ With high levels of accuracy
17. All in One
Stand on the shoulders of giants
● Adding a layer of abstraction
○ True tight unification of all solutions
● Ability to cross reference issues
○ Based on different scanning techniques
● Central Storage of all data
○ Used for data science
18. Native integration
DevSecOps Native
● Tools should understand all events
○ Code, Runtime, Infrastructure
● No more pipelines that do different things
○ Standardized and fully managed
● Vulnerability lifecycle has to be clear
○ Created, changed, fixed, re-introduced
19. Continuous verification
Scanning is not enough
● Continuously ensure a known safe state
○ Covering all security aspects
● Continuous verification against standards
○ PCI, HIPAA, ASVS, etc
● Provide instant security feedback
○ Whenever anything fails
20. Auto-Fixing Vulnerabilities
Finding is not enough
● Even finding and fixing all new issues
○ Doesn’t really reduce the risk
● Real labor is fixing all issues
○ For each vulnerability class
● Implement controls to prevent it in the future
○ Thus sustainably eradicating issues
Auto-fixing at scale
● Provide just in time training on the issue
○ Leverage gamification to fix more issues
● Leverage data science to fix issues
○ Can be a hybrid approach
● Rely on secure by default frameworks
○ Over others that are less opinionated
21. Empower Developers
Focus on the right audience
● Standardize security issues
○ Which ones are important and why
● Focus on the right risk context
○ Security risk is not equal for every app
● Make it easy to understand and fix issues
○ Shouldn’t take a security PhD to get it
22. Security For All
Make Security Accessible
● There is no security training in schools
○ Should take civil engineering approach
● Security is not affordable to everyone
○ Open source software vulnerabilities
23. The 3 Core Takeaways
01
02
03
Security Practices
Security practices have evolved a lot, but overall there has not been a
clear downward trend in vulnerabilities being fixed.
Data Science
Data science will completely change the way security is going to look in
the future resulting in a paradigm shift.
The Future of DevSecOps
Will be a very bright one. Smart, all-in-one security testing technologies,
that are tightly integrated into developer workflows will provide
continuous verification, auto-fixing and be available to everyone.
24. Who wants a virtual goody bag?
Consisting of:
• GuardRails coupon code
• Links to awesome security lists
• Developer trainings
• List of great security tools
• Security Page templates
• Free digital copy of my book
• … and more
Then send an email to:
iwant@guardrails.io