Webinar – Risk-based adaptive DevSecOps

  1. CONFIDENTIAL © 2019 Synopsys, Inc. Risk-Based Adaptive DevSecOps: Build Secure, High-Quality Software Faster. Meera Rao, DevSecOps Practice Director, Synopsys Software Integrity Group
  2. Agenda
     • DevSecOps challenges
     • Previous solutions
     • Risk-based adaptive DevSecOps (RAD) framework
     • 4 risk-based adaptive models
  3. DevSecOps challenges
  4. DevSecOps challenges: software security is often viewed as an impediment to DevOps
     • Barrier to velocity and innovation
     • Causes deadlines to slip
     • Time-consuming and doesn’t support hourly deployments
     • Needs a lot of customization
     • No uniform way to provide continuous feedback
     • Scaling remains a challenge
     • Finally, no risk-based approach
  5. Current solutions
  6. Application security touchpoints: the use of security analysis techniques on a specified (i.e., designed) or functional (i.e., running) instance of a software application to identify potential vulnerabilities or other risk. Pipeline phases: Plan, Code commit, Build, Test, Release, Deploy, Operate and Monitor. Activities across those phases:
     • Security requirements
     • Threat models
     • Risk analysis
     • IDE integration
     • Static analysis
     • Pre-commit
     • SAST and SCA
     • Manual code review
     • DAST/IAST
     • SAST
     • Fuzz testing
     • Secure configuration
     • Packaging for deployment
     • Operational protections
     • Penetration testing
     • Continuous scanning
     • Bug bounty
     • Red teaming
     • RASP
  7. 3-tiered SAST solution
     • Tier 1, self-service (pre-commit): SAST in IDE pre-commit hooks. When in SDLC: just in time within developers' IDEs. Frequency: as code is being developed. Purpose: developer enablement, just-in-time security expert. Goal: prevent and enable.
     • Tier 2, hybrid model (commit, build, and test time): SAST in the pipeline. When in SDLC: check-in builds. Frequency: as developers check in code. Purpose: reduce risk inline with the pipeline, capture real-time metrics. Goal: reduce risk, ongoing detection.
     • Tier 3, centralized SSG service bureau (out-of-band): manual code review with SAST tools. When in SDLC: SAST or manual code review on demand. Frequency: ad hoc, nightly, or weekly. Purpose: comprehensive review, deeper coverage. Goal: assurance.
  8. SAST integration in pipeline
     • SAST01: The SAST tool runs in the IDE as developers write code. The tool is configured to detect vulnerabilities that have zero false positives, including issues such as SQL injection and XSS. The scan should take seconds.
     • SAST02: The SAST tool is automated on the CI server. The tool is configured for the client’s top 10 issues, such as command injection and hard-coded keys. The tool also uses the rules from SAST01. The scan should take 4–5 minutes so developers get feedback fast.
     • SAST03: The SAST tool uses rules for the OWASP Top 10 and any customized rulesets written for client-specific APIs. The scan can run in parallel with other activities and should take 10–15 minutes.
     • SAST04: The SAST tool uses comprehensive rulesets; all previous rulesets are excluded. The goal is to find issues before the code goes to production. The scan should take anywhere from an hour to 3–4 hours, depending on production velocity.
  9. Major and minor pipelines
     CI/CD major pipeline:
     • Pre-commit: IDE SAST check, Git hooks, threat modeling, risk analysis
     • Commit: clean and compile, lightweight SAST, gather metrics, create bug tickets
     • Build: package and publish artifact, build and scan container images, SCA, comprehensive SAST, gather metrics, create bug tickets
     • Test: QA testing, DAST/IAST, gather metrics, create bug tickets
     CI/CD minor pipeline:
     • Pre-commit: IDE SAST check, Git hooks
     • Commit: clean and compile, lightweight SAST, gather metrics, create bug tickets
     • Build: package and publish artifact, build and scan container images, gather metrics, create bug tickets
     • Test: QA testing, lightweight DAST, gather metrics, create bug tickets
  10. Risk-based adaptive DevSecOps (RAD) framework
  11. Why risk-based adaptive DevSecOps?
     • Closes the gap between DevOps and security teams
     • Helps DevOps teams accelerate deployment without compromising security
     • Implements intelligence within the pipeline by:
       • Matching the team’s velocity
       • Providing intelligent feedback
       • Supporting organizations at scale
       • Helping align people, process, and technology
     Diagram: intersection of Development, Security, and Operations
  12. Risk-based adaptive DevSecOps (RAD) models: AST Model, Dynamic Model, GRC Model, Assurance Model. The RAD framework is a fully automated, risk-based, dynamic, adaptable engine that takes in information from various systems to make real-time security activity decisions.
  13. AST Model
     • Static analysis security testing (SAST): analyzes an application’s source code to identify vulnerabilities without execution
     • Dynamic analysis security testing (DAST): performed specifically to find security defects, usually in web applications
     • Software composition analysis (SCA): finds reported vulnerabilities in third-party software components
     • Interactive application security testing (IAST): typically encompasses the use of software test harnesses (i.e., agents) to monitor an application being tested using DAST, as well as corresponding SAST output, to further fine-tune testing, enhancing overall testing coverage, speed, and accuracy
     • Infrastructure testing: finds vulnerabilities in provisioned infrastructure that expose the attack surface
     • Runtime application self-protection (RASP): integrates with an application to prevent attacks at runtime by monitoring and analyzing traffic and user behavior
  14. Dynamic Model: retrieve the bill of materials from the version control repository.
     • Understand what code has changed
     • Quantify how much code has changed
     • Evaluate the significance of the code that has changed
     • Understand whether any open source has changed
     • Consider the nature of the release (major, minor, or a release candidate)
     The model uses all of the above, plus information from the other models, to trigger the appropriate security activities.
  15. GRC Model. Some common questions this model uses:
     • Is the application internet-facing?
     • Does the application collect, process, or present sensitive data (e.g., PII, HCI)?
     • Is this application subject to any security requirements due to government or industry regulations?
  16. Assurance Model (flow): Run lightweight IDE-based SAST tool → Run pre-commit checks → Checks passed? → Commit code to SCM → Code check-in successful → CI/CD pipeline activities kicked off. In parallel, trigger out-of-band activities: penetration testing, manual code review, ARA, threat modeling.
  17. Bringing it all together: the RAD framework (GRC Model, AST Model, Dynamic Model, Assurance Model) is connected through an API to the DevSecOps pipeline activities: SAST, SCA, IAST, DAST, IAC, CS/CC.
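The Dynamic, GRC and Assurance models (slides 14 to 16) and the major/minor pipeline split (slide 9) describe a decision engine but show no code. The following is an added example written for this page, not Synopsys code and not the RAD framework's actual implementation: it takes a change summary from version control and the GRC answers, and returns which pipeline, which SAST tiers (the SAST01–SAST04 stages of slide 8), and which out-of-band assurance activities to run. The dependency-manifest list, the "significant path" hints, the 500-line threshold and the rule-to-activity mapping are all assumptions chosen for illustration.

```python
"""Toy RAD-style decision engine (added illustration, not Synopsys code).

Inputs mirror the deck: a bill of materials for the change (Dynamic Model),
answers to the GRC questions (GRC Model). Output: pipeline choice, SAST tiers,
SCA/DAST activities, and out-of-band activities (Assurance Model).
Thresholds and heuristics below are assumptions for the example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class ReleaseType(Enum):
    MAJOR = "major"
    MINOR = "minor"
    RELEASE_CANDIDATE = "rc"


@dataclass
class ChangeSummary:
    """Bill of materials for one change, as retrieved from version control."""
    files_changed: List[str]
    lines_changed: int
    release: ReleaseType


@dataclass
class GrcProfile:
    """Answers to the GRC model's three questions."""
    internet_facing: bool
    sensitive_data: bool   # PII, health data, ...
    regulated: bool        # government or industry regulation applies


# Assumed heuristics (not from the deck): a change to one of these manifests
# means open source changed; these path fragments mark security-significant code.
DEPENDENCY_MANIFESTS = ("pom.xml", "package.json", "package-lock.json",
                        "requirements.txt", "go.mod", "Gemfile.lock")
SIGNIFICANT_PATH_HINTS = ("auth", "session", "crypto", "payment", "login")
LARGE_CHANGE_LINES = 500  # assumed threshold separating a small from a large change


def open_source_changed(change: ChangeSummary) -> bool:
    """Dynamic Model: did any dependency manifest change?"""
    return any(path.rsplit("/", 1)[-1] in DEPENDENCY_MANIFESTS
               for path in change.files_changed)


def significant_files(change: ChangeSummary) -> List[str]:
    """Dynamic Model: which changed files look security-significant?"""
    return [p for p in change.files_changed
            if any(hint in p.lower() for hint in SIGNIFICANT_PATH_HINTS)]


def choose_pipeline(change: ChangeSummary, grc: GrcProfile) -> str:
    """Pick the major or minor CI/CD pipeline from release type, change size and GRC risk."""
    high_risk_app = grc.internet_facing or grc.sensitive_data or grc.regulated
    if change.release is not ReleaseType.MINOR:
        return "major"          # major releases and release candidates always get the full pipeline
    if change.lines_changed >= LARGE_CHANGE_LINES or open_source_changed(change):
        return "major"          # large change or new open source: comprehensive SAST plus SCA
    if significant_files(change) and high_risk_app:
        return "major"          # small but sensitive change in a high-risk application
    return "minor"


def select_activities(change: ChangeSummary, grc: GrcProfile) -> Dict[str, object]:
    """Combine the models into a concrete set of pipeline and out-of-band activities."""
    pipeline = choose_pipeline(change, grc)
    pre_prod = change.release in (ReleaseType.MAJOR, ReleaseType.RELEASE_CANDIDATE)
    sig = significant_files(change)

    if pipeline == "major":
        # SAST04 (comprehensive, hours-long) only when the build is headed for production
        sast = ["SAST01", "SAST02", "SAST03"] + (["SAST04"] if pre_prod else [])
        dast = "DAST/IAST"
    else:
        sast = ["SAST01", "SAST02"]   # IDE check plus the fast CI scan
        dast = "lightweight DAST"

    # Assurance Model: out-of-band activities are decided here but run outside the pipeline
    out_of_band: List[str] = []
    if sig and (grc.internet_facing or grc.sensitive_data):
        out_of_band.append("threat modeling")
    if sig and grc.sensitive_data:
        out_of_band.append("manual code review")
    if pre_prod and grc.internet_facing:
        out_of_band.append("penetration testing")
    if pre_prod and grc.regulated:
        out_of_band.append("ARA")

    return {
        "pipeline": pipeline,
        "sast": sast,
        "sca": pipeline == "major" or open_source_changed(change),
        "dast": dast,
        "significant_files": sig,
        "out_of_band": out_of_band,
    }


if __name__ == "__main__":
    # Constructed sample: a release candidate touching login code and a dependency manifest
    change = ChangeSummary(["src/auth/login_handler.py", "requirements.txt"], 240,
                           ReleaseType.RELEASE_CANDIDATE)
    grc = GrcProfile(internet_facing=True, sensitive_data=True, regulated=True)
    print(select_activities(change, grc))
```

The useful property to notice is that the same commit can land in different pipelines depending on the GRC answers: a 40-line change to session-handling code is a minor-pipeline event for an internal tool with no sensitive data, but routes to the major pipeline with threat modeling and manual review for an application that processes PII.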
  18. Summing it up
     • No matter which AST tools you’re using, ensure that they support the technologies your organization uses and the applications you’re building in your pipeline.
     • The results of AST tools and security activities should be pushed to various systems for appropriate data gathering and analysis (GRC tool, defect tracking tool, metrics dashboard).
     • Out-of-band activities are determined by the RAD framework for assurance, but are not part of the automated pipeline.
     • Reinforce company security standards and provide real-time feedback and guidance so development can address application security goals proactively.
     • Incentivize teams to make their modules fail the build on security issues.
     • Improve time to production without compromising your security profile/posture by using the RAD framework.
  19. Questions?
  20. Thank You