Más contenido relacionado

Presentaciones para ti(20)

Similar a Webinar – Risk-based adaptive DevSecOps (20)


Más de Synopsys Software Integrity Group(20)


Webinar – Risk-based adaptive DevSecOps

  1. CONFIDENTIAL© 2019 Synopsys, Inc.1 Risk-Based Adaptive DevSecOps Build Secure, High-Quality Software Faster Meera Rao DevSecOps Practice Director Synopsys Software Integrity Group
  2. CONFIDENTIAL© 2019 Synopsys, Inc.2 Agenda DevSecOps challenges Previous solutions Risk-based adaptive DevSecOps (RAD) framework 4 risk-based adaptive models
  3. CONFIDENTIAL© 2019 Synopsys, Inc.3 DevSecOps challenges
  4. CONFIDENTIAL© 2019 Synopsys, Inc.4 DevSecOps challenges • Barrier to velocity and innovation • Causes deadlines to slip • Time-consuming and doesn’t support hourly deployments • Needs a lot of customization • No uniform way to provide continuous feedback • Scaling remains a challenge • Finally, no risk-based approach Software security is often viewed as an impediment to DevOps
  5. CONFIDENTIAL© 2019 Synopsys, Inc.5 Current solutions
  6. © 2019 Synopsys, Inc.6 Application security touchpoints The use of security analysis techniques on a specified (i.e., designed) or functional (i.e., running) instance of a software application to identify potential vulnerabilities or other risk Plan </> Code commit • Security requirements • Threat models • Risk analysis • IDE integration • Static analysis • Pre-commit Build DeployRelease Operate and Monitor • SAST and SCA • Manual code review • DAST/IAST • SAST • Fuzz testing Test • Secure configuration • Packaging for deployment • Operational protections • Penetration testing • Continuous scanning • Bug bounty • Red teaming • RASP
  7. © 2019 Synopsys, Inc.7 3-tiered SAST solution Solution: Centralized SSG service bureau (out-of-band) When in SDLC—SAST or manual code review on demand Frequency—Ad hoc basis, nightly or weekly Purpose Comprehensive review Achieve deeper coverage Solution: Hybrid model (commit, build, and test time) When in SDLC—check-in builds Frequency—As developers check in code Purpose Reduce risk, inline with pipeline Capture real-time metrics Solution: Self-service (pre-commit) When in SDLC—Just in time within developers' IDEs Frequency—As code is being developed Purpose Developer enablement Just-in-time security expert Assurance Reduce risk, ongoing detection Prevent and enable Manual code review with SAST tools SAST in the pipeline SAST in IDE pre-commit hooks
  8. CONFIDENTIAL© 2019 Synopsys, Inc.8 SAST integration in pipeline SAST01 The SAST tool runs in the IDE as developers write code. The tool is configured to detect vulnerabilities that have zero false positives, including issues such as SQL injection and XSS. The scan should take seconds. SAST02 The SAST tool is automated on the CI server. The tool is configured for the client’s top 10 issues, such as command injection and hard-coded keys. The tool also uses rules from SAST01. The scan should take 4–5 minutes so developers get feedback fast. SAST03 The SAST tool uses rules for the OWASP Top 10 and any customized rulesets written for client-specific APIs. The scan can be run in parallel with other activities and should take 10–15 minutes. SAST04 The SAST tool uses comprehensive rulesets. All previous rulesets are excluded. The goal is to find issues before the code goes to production. The scan should take anywhere from an hour to 3–4 hours, depending on production velocity.
  9. CONFIDENTIAL© 2019 Synopsys, Inc.9 Major and minor pipelines Pre-commit • IDE SAST check • Git hooks • Threat modeling • Risk analysis Commit • Clean and compile • Lightweight SAST • Gather metrics • Create bug tickets Build • Package and publish artifact • Build and scan container images • SCA • Comprehensive SAST • Gather metrics • Create bug tickets Test • QA testing • DAST/IAST • Gather metrics • Create bug tickets Pre-commit • IDE SAST check • Git hooks Commit • Clean and compile • Lightweight SAST • Gather metrics • Create bug tickets Build • Package and publish artifact • Build and scan container images • Gather metrics • Create bug tickets Test • QA testing • Lightweight DAST • Gather metrics • Create bug tickets CI/CD minor pipeline CI/CD major pipeline
  10. CONFIDENTIAL© 2019 Synopsys, Inc.10 Risk-based adaptive DevSecOps (RAD) framework
  11. CONFIDENTIAL© 2019 Synopsys, Inc.11 Why risk-based adaptive DevSecOps? • Closes the gap between DevOps and security teams • Helps DevOps teams accelerate deployment without compromising security. • Implements intelligence within the pipeline by: ØMatching the team’s velocity ØProviding intelligent feedback ØSupporting organizations at scale ØHelping align people, process, and technology Development Security Operations
  12. CONFIDENTIAL© 2019 Synopsys, Inc.12 Risk-based adaptive DevSecOps (RAD) models AST Model Dynamic Model GRC Model Assurance Model The RAD framework is a fully automated, risk-based, dynamic, adaptable engine that intakes information from various systems to make real-time security activity decisions.
  13. CONFIDENTIAL© 2019 Synopsys, Inc.13 AST Model Tool Description Static analysis security testing (SAST) Analyzes an application’s source code to identify vulnerabilities without execution Dynamic analysis security testing (DAST) Performed specifically to find security defects, usually in web applications Software composition analysis (SCA) Finds reported vulnerabilities in third-party software components Interactive application security testing (IAST) Typically encompasses the use of software test harnesses (i.e., agents) to monitor an application being tested using DAST, as well as corresponding SAST output to further fine-tune testing— enhancing overall testing coverage, speed, and accuracy Infrastructure testing Finds vulnerabilities in provisioned infrastructure that expose the attack surface Runtime application self-protection (RASP) Integrates with an application to prevent attacks at runtime by monitoring and analyzing traffic and user behavior
  14. CONFIDENTIAL© 2019 Synopsys, Inc.14 Dynamic Model Retrieve bill of materials from version control repository. • Understand what code has changed • Quantify how much code has changed • Evaluate significance of code that has changed • Understand whether any open source has changed • Consider the nature of the release (major, minor, or a release candidate) The model uses all the above information and information from other models to trigger appropriate security activities.
  15. CONFIDENTIAL© 2019 Synopsys, Inc.15 GRC Model Is the application internet- facing? Does the applicationcollect, process, orpresent sensitive data(e.g., PII, HCI)? Is this application subject to any security requirements due to government or industry regulations? Some common questions this model uses:
  16. CONFIDENTIAL© 2019 Synopsys, Inc.16 Assurance Model Run lightweight IDE-based SAST tool C: Run pre-commit checks Checks passed? Code check-in successful CI/CD pipeline activities kicked off Commit code to SCM Trigger out-of-band activities Penetration testing Manual code review ARA Threat modeling
  17. CONFIDENTIAL© 2019 Synopsys, Inc.17 Bringing it all together API RAD framework DevSecOps pipeline activities GRC ModelAST Model SAST SCA IAST DAST IAC CS/CC Dynamic Model Assurance Model
  18. CONFIDENTIAL© 2019 Synopsys, Inc.18 Summing it up • No matter what AST tools you’re using, ensure that they support the technologies your organization uses and the applications you’re building in your pipeline. • The results of AST tools and security activities should be pushed to various systems for appropriate data gathering and analysis (GRC tool, defect tracking tool, metrics dashboard). • Out-of-band activities are determined by the RAD framework for assurance, but not part of the automated pipeline. • Reinforce company security standards and provide real-time feedback and guidance so development can address application security goals proactively. • Incentivize teams to make their modules fail the build on security issues. • Improve time to production without compromising your security profile/posture by using the RAD framework.
  19. CONFIDENTIAL© 2019 Synopsys, Inc.19 Questions?
  20. Thank You