Leveraging Black Duck Hub to maximize focus
Entersekt’s approach to empowering development teams
By Philip Botha
Making the online world safer
From the Windy City…
…to the Cape Winelands
Our problem: A global authentication pandemic
• Phishing attacks cost global organizations billions every year
• One out of 5 fraudulent transactions originates in the mobile channel
• More than 90% of mobile apps contain basic vulnerabilities
Headlines:
• LinkedIn suffers data breach
• Zeus Botnet Eurograbber Steals $47 Million
• Don’t bank on your phone – it could be hacked by Zeus ‘trojan horse’
New vulnerabilities reported on a weekly basis
Successful attacks not even making headlines anymore
A solution: Entersekt’s story
• Founded in 2008 by 5 engineering students
• One of the founders’ mother had been defrauded
• They wanted to do something that matters
• Not daunted by the current failings of security solutions
• A novel approach with existing tech
Going live in 2012: Nedbank as a case study
[Chart: phishing attempts vs. fraud per day, 30-Jan to 30-Jun 2012, y-axis 0 to 80; series “Attempts” and “Fraud”; the Entersekt go-live date is marked]
Nedbank does not even appear on the SARS e-filing phishing site!!
A growing global footprint
Johannesburg, Mauritius, Atlanta, Beirut, Dubai, Lagos, Minneapolis, Sydney, Amsterdam, Cape Town, Zurich, Palo Alto
How we solved the problem
The 4 pillars of the Entersekt approach
How phishing defeats the one-time password
Out-of-band authentication beats phishing
Product: The Transakt model
Gartner prediction about Entersekt tech
How Black Duck Hub makes us better
Our open source challenges
1. Risk management
• Is the open source component approved?
• How secure is it?
• Can we be both diligent and agile?
2. Ability to identify open source licenses
3. Scaling
• Manual vulnerability assessment process
• Falling behind on updates
The obvious choice was...
“Black Duck met Entersekt’s checklist of what we needed in an open source vulnerability management solution better than any other vendor.”
Black Duck Hub checks the boxes
1. Seamless integration and ease of use
2. Relevant feedback
3. Earlier in the SDLC
4. Real-time and continuous monitoring
5. Automated notifications
6. Easy-to-digest reports with minimal false positives
7. Jenkins support and secure scanning
8. Code doesn’t leave the intranet
9. Identify open source licenses
Getting the best out of the Hub
Lessons learned
1. Urgent vs. important
2. Build pipeline challenges
• Jenkins jobs differ in each team/project
• Black Duck sometimes executed manually
3. No best practice/standard
4. Maintenance owner
Empowering the development teams
Empowering the development teams (cont.)
Roles: Architect Evangelist, Security Evangelist, Toolsmith
Empowering the development teams (cont.)
1. Phased roll-out in teams
• Phase 1: Education
• Phase 2: Implement a standard pipeline framework
• Phase 3: Hardening cycle
• Phase 4: Policy management and Jira integration
2. Team agreements
Pipeline framework template
CI/CD stages (Pull Request, then Merge Master):
• COMMIT (Tool: Git)
• BUILD (Tool: Docker/Maven)
• TEST: JUnit, automated tests (Tool: Docker)
• OS (open source) SECURITY (Tool: Black Duck Hub)
• STATIC CODE ANALYSIS (Tool: SonarQube)
• DEPLOY: DEV, QA, INT, LT (Tool: Docker)
• Release? then RELEASE: PROD, release repos
• DASHBOARD (Tool: Docker)
• ALERTS (Tools: Slack/email)
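A declarative Jenkinsfile that encodes the stages of the pipeline template above, added here as an example and not Entersekt’s own framework. It assumes a multibranch job (so pull requests and master are distinguished), the SonarQube Scanner and Slack Notification plugins, a Jenkins credential id `blackduck-api-token`, a SonarQube server named `sonar`, and two hypothetical wrapper scripts `ci/blackduck-scan.sh` and `ci/deploy.sh`.

```groovy
// Added example (not the project's own pipeline). Stage names follow the slide:
// COMMIT -> BUILD -> TEST -> OS SECURITY -> STATIC CODE ANALYSIS -> DEPLOY -> Release? -> RELEASE.
pipeline {
    // BUILD and TEST run inside a container, so every team gets the same toolchain.
    agent { docker { image 'maven:3-jdk-8' } }   // assumption: image name
    options { timestamps(); disableConcurrentBuilds() }
    environment {
        // The Hub is on the intranet and the code is scanned in place; credentials come
        // from the Jenkins credential store, never from the repository.
        BLACKDUCK_URL   = 'https://blackduck.intranet.example'   // placeholder URL
        BLACKDUCK_TOKEN = credentials('blackduck-api-token')     // assumed credential id
    }
    stages {
        stage('Build') {
            steps { sh 'mvn -B -DskipTests package' }
        }
        stage('Test') {
            steps { sh 'mvn -B test' }
            post { always { junit 'target/surefire-reports/*.xml' } }
        }
        stage('OS security') {
            // Black Duck Hub scan on every build, so it is never "executed manually";
            // the assumed wrapper exits non-zero on a Hub policy violation and fails the build.
            steps { sh './ci/blackduck-scan.sh' }
        }
        stage('Static code analysis') {
            steps {
                withSonarQubeEnv('sonar') { sh 'mvn -B sonar:sonar' }
                // Block until SonarQube reports the quality gate; abort on failure.
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
        stage('Deploy DEV/QA/INT/LT') {
            // Pull-request builds stop after the gates; only master is deployed.
            when { branch 'master' }
            steps { sh './ci/deploy.sh dev qa int lt' }
        }
        stage('Release?') {
            when { branch 'master' }
            steps { input message: 'Release to PROD?', ok: 'Release' }
        }
        stage('Release') {
            when { branch 'master' }
            steps { sh './ci/deploy.sh prod' }
        }
    }
    post {
        // ALERTS: Slack and email on failure, so a failed security gate is seen immediately.
        failure {
            slackSend channel: '#build-alerts',
                      message: "FAILED ${env.JOB_NAME} #${env.BUILD_NUMBER}: ${env.BUILD_URL}"
            mail to: 'team@example.com',   // placeholder address
                 subject: "FAILED ${env.JOB_NAME} #${env.BUILD_NUMBER}",
                 body: env.BUILD_URL
        }
    }
}
```

Each team keeps this file in its own repository, so the stages, gates and alert channels are identical across projects and only the deploy targets differ.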
A winning team
1. Trust
2. Support
3. Ownership
4. Clarity
A tool is only as good as the team
Questions and answers
Philip Botha
Engineering Excellence Manager
philip@entersekt.com
www.entersekt.com
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 

Kürzlich hochgeladen (20)

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 

Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empowering Development Teams

  • 1. Leveraging Black Duck Hub to maximize focus Entersekt’s approach to empowering development teams By Philip Botha
  • 2. Making the online world safer
  • 3. From the Windy City…
  • 4. …to the Cape Winelands
  • 5. • Phishing attacks cost global organizations billions every year • One out of 5 fraudulent transactions originate in the mobile channel • More than 90% of mobile apps contain basic vulnerabilities Our problem: A global authentication pandemic LinkedIn suffers data breach NEWS Zeus Botnet Eurograbber Steals $47 Million Don’t bank on your phone – it could be hacked by Zeus ‘trojan horse’ New vulnerabilities reported on a weekly basis Successful attacks not even making headlines anymore
  • 6. • Founded in 2008 by 5 engineering students • One of the founders’ mother defrauded • They wanted to do something that matters • Not daunted by current failings of security solutions • A novel approach with existing tech A solution: Entersekt’s story
  • 7. Going live in 2012: Nedbank as a case study [chart: daily counts of Attempts and Fraud, 30-Jan to 30-Jun, with the Entersekt go-live marked] Nedbank does not even appear on SARS e-filing phishing site!!
  • 8. A growing global footprint: Johannesburg, Mauritius, Atlanta, Beirut, Dubai, Lagos, Minneapolis, Sydney, Amsterdam, Cape Town, Zurich, Palo Alto
  • 9. How we solved the problem
  • 10. The 4 pillars of the Entersekt approach
  • 11. How phishing defeats the one time password
  • 12. Out of band authentication beats phishing
  • 14. Gartner prediction about Entersekt tech
  • 15. How Black Duck Hub makes us better
  • 16. 1. Risk management • Approved open source? • How secure? • Can we be diligent and agile? 2. Ability to identify open source licenses 3. Scaling • Manual vulnerability assessment process • Getting behind with updates Our open source challenges
  • 17. “Black Duck met Entersekt’s checklist of what we needed in an open source vulnerability management solution better than any other vendor.” The obvious choice was...
  • 18. 1. Seamless integration and ease of use 2. Relevant feedback 3. Earlier in the SDLC 4. Real-time and continuous monitoring 5. Automated notifications Black Duck Hub checks the boxes
  • 19. 6. Easy-to-digest reports with minimal false positives 7. Jenkins support and secure scanning 8. Code doesn’t leave intranet 9. Identify open source licenses Black Duck Hub checks the boxes (cont.)
  • 20. Getting the best out of the Hub
  • 21. 1. Urgent vs important 2. Build pipeline challenges • Jenkins jobs differ in each team/project • Black Duck sometimes executed manually 3. No best practice/standard 4. Maintenance owner Lessons learned
  • 23. Empowering the development teams (cont.) Architect Evangelist Security Evangelist Toolsmith
  • 24. 1. Phased roll-out in teams • Phase 1: Education • Phase 2: Implement a standard pipeline framework • Phase 3: Hardening cycle • Phase 4: Policy Management and Jira integration 2. Team agreements Empowering the development teams (cont.)
  • 25. CI/CD [pipeline diagram with stages: COMMIT (Tool: Git); BUILD (Tool: Docker/Maven); OS SECURITY (Tool: Black Duck Hub); STATIC CODE ANALYSIS (Tool: SonarQube); DEPLOY to DEV, QA, INT, LT (Tool: Docker); TEST with JUnit and automated tests (Tool: Docker); Release? decision; RELEASE to PROD and release repos; DASHBOARD (Tool: Docker); ALERTS (Tools: Slack/email); triggers: Pull Request, Merge Master]
  • 26. Pipeline framework template [same pipeline diagram: COMMIT (Tool: Git); BUILD (Tool: Docker/Maven); OS SECURITY (Tool: Black Duck Hub); STATIC CODE ANALYSIS (Tool: SonarQube); DEPLOY to DEV, QA, INT, LT (Tool: Docker); TEST with JUnit and automated tests (Tool: Docker); Release? decision; RELEASE to PROD and release repos; DASHBOARD (Tool: Docker); ALERTS (Tools: Slack/email); triggers: Pull Request, Merge Master]
  • 29. 1. Trust 2. Support 3. Ownership 4. Clarity A tool is only as good as the team
  • 30. Questions and answers Philip Botha Engineering Excellence Manager philip@entersekt.com www.entersekt.com

Editor's Notes

  1. Description: Learn how fast-growing authentication and mobile security solutions provider Entersekt leverages Black Duck Hub for competitive advantage by empowering teams and automating open source security risk management throughout the Software Development Lifecycle (SDLC)
  2. Key Takeaway (s): Who, why and what Who am I: Philip - I work for a company called Entersekt - a software product company and our mission is to make the internet a safer place Presented at Flight Amsterdam – shared some of the challenges we had and lessons we learned as a fast growing organization. Why am I talking about Black Duck Hub: Since our mission is to make the internet a safer place and we leverage Open Source technologies it would be quite unfortunate if we introduce vulnerabilities into a customer’s operations. What will I tell people: I believe that tools are only as valuable to the organization as the people that use them and how they use them. At Entersekt we trust and entrust our people with a lot of responsibility and it has resulted in a highly engaged and high performing culture. Our Software Engineering team haven’t had a single resignation in 26 months and counting and clients only report 1 bug for every 10 releases (and we do about 20 releases a month). I’d like to share some of our ideas with everyone here on how we organize and empower our teams in an agile environment, especially with a powerful tool like the Black Duck Hub, and my hope is that you may take home some thoughts or ideas on how to get the most out of the Hub and your people OR even give me some thoughts or ideas. But before I do I just want to set the stage by telling you a little bit about myself and the company that I work for.
  3. Key takeaway: Studied & worked in Chicago Originally from South Africa, but lived in Chicago for 10 years where I studied Computer Engineering & Business, then worked for CSC, a large consulting firm, for 4 years. Baseball quiz - Scott Podsednik – walk-off home run in 9th inning of Game 2 of the 2005 World Series (White Sox vs Houston Astros) There was also a grand slam home run by Paul Konerko in the 7th Reference: https://en.wikipedia.org/wiki/2005_World_Series#Game_4 **Houston Astros won 2017
  4. Key takeaway: Moved back to South Africa in 2010 Joined Entersekt in 2014 (Situated in Stellenbosch – heart of the Cape Winelands) As the Engineering Excellence Manager my responsibilities include software quality, hiring the right people, making sure they are trained and equipped to build excellent software. [joke] Hopefully the origins of my somewhat confused accent make sense.
  5. Key takeaway: Phishing is a global problem – results in lack of trust in mobile channel Phishing is still a huge problem today costing companies billions every year 20% of transaction fraud occurs in the mobile channel Most mobile apps are compromised (making app, esp banking app security crucial) NET: This results in a lot of fear from bank customers to adopt the online and mobile banking channels. Many still prefer to go into a branch or just limit the type of services References: http://www.techrepublic.com/article/report-90-of-mobile-health-and-finance-apps-vulnerable-to-critical-security-risks/ http://bgr.com/2014/01/14/mobile-banking-apps-security-vulnerabilities/ https://www.mobilepaymentstoday.com/articles/the-merchants-role-in-mobile-fraud/ http://blogs.rsa.com/2017-global-fraud-cybercrime-forecast/
  6. Key takeaway: Entersekt’s journey started with family falling for a phishing scam Founded by 5 Engineering students from Stellenbosch University Desired to start their own company and make an impact in the world Christiaan’s mother lost money due to online fraud (or phishing) They realized that current online security solutions were failing and decided to solve the problem They created a solution that creates a fully encrypted channel between end user and bank using their mobile phone & digital certificates **Christiaan now Product Manager of Identity & Security at Google
  7. Key takeaway: This is how effective OOB2FA is with end-to-end encryption Our first customer went live in 2012 Immediately saw a 99% reduction in fraud caused by phishing Nedbank not even listed on the warning page of South Africa’s tax collection agency Nedbank had to repurpose an entire department
  8. Key takeaway: The demand for our solution is growing 5 years on from our first live customer we are in over 40 countries Include our strategic partners & resellers Lots of opportunity in the gray areas Not bad for a company with just over a hundred employees
  9. Note: Run through this kinda quickly
  10. Key takeaway: This is what makes our product really cool Use the mobile phone because we always have it with us User experience must not be cumbersome Secure all attack vectors from mobile app integrity (Jailbreak and keystore compromise detection, code obfuscation) We don’t store any sensitive user data so we are PCI-DSS and GDPR compliant
  11. Key takeaway: OTPs do not provide adequate second factor authentication Examples of OTP: SMS, email & hardware token Walk-thru steps 1 thru 7
  12. Key takeaway: Out-of-band authentication allows user to authenticate each transaction Instead of entering OTP in the compromised channel, user responds back directly to bank. The mobile app is enrolled with bank and identified with a unique digital certificate Authentication can be set for sensitive transactions such as adding beneficiaries, doing transfers, payments, etc
  13. Key takeaway: The components necessary to make this end-to-end encrypted channel possible Mention mobile SDKs, EMR & TSG Lots of open source libraries (e.g. openSSL, ZeroMQ, Docker, Tomcat, node.js, Cassandra, etc) combined with proprietary cryptography protocol stack From a code and technology perspective these are our risk areas
  14. Key takeaway: Entersekt ahead of its time The solution we came up with in 2008 will 12 years later become a standard/best practice We are about 2 years ahead of our competition per Gartner
  15. Key takeaway: Why we need a tool to automate open source risk management In an Agile environment I ask my team: Does the build contain only approved open source components? How secure is the build? Does it have any security vulnerabilities? Can we add diligence and remain agile? Ability to identify open source licenses (Need to make sure what we are using is legal because as a small company we are dependent on funding. Black Duck gives us the power to know what we are using and if it is exposing us.) As a small but fast growing company our success is based on working smarter not harder Keeping an eye out for news on big vulnerabilities is not going to scale We are on three platforms, need to support our banks who don’t upgrade a lot, we have to keep clients working. Maintain backward compatibility when you don’t have control over upgrades - you will break upgrade paths. Need long enough support. So we choose our versions more intentionally because we will have to support them and can’t just change to new tech.
  16. Key takeaway: Why we need a tool to automate open source risk management Completed two trials with two SAST vendors. We didn’t feel either had an adequate solution for open source security management Our research identified Black Duck as a market leader in that field, and we had Black Duck provide us with a trial of their solution.
  17. Key takeaway: What we need from Black Duck Hub The set-up process was straightforward, and the feedback from Black Duck demonstrably helped improve our product’s quality. The report output was clear and provided solutions on how to mitigate the risks discovered. The responsiveness and support from both its customer success and technical support teams also led us to make the business decision to select Black Duck
  18. Key takeaway: What we need from Black Duck Hub
  19. Key takeaway: Initially we struggled to get the most out of the tool Everything is urgent in a fast growing company Symptoms of capacity challenges: Build pipeline challenges: Engineering teams all implementing CI pipelines a bit differently because they range from mobile, cloud to server architecture Black Duck is part of build phase and sometimes executed manually Everyone used the tool differently in terms of how often to run scans, how and when to do triage when issues were found, who was involved. Getting to update and maintain the server was often a pain or an afterthought
  20. Key takeaway: We don’t want silos in our development organization How do we support and empower our development teams without creating silos? How do we not suffocate our high performing and highly engaged culture by too much bureaucracy? We haven’t had a single resignation in 26 months now The law is based on the reasoning that in order for a software module to function, multiple authors must communicate frequently with each other. Therefore, the software interface structure of a system will reflect the social boundaries of the organization(s) that produced it, across which communication is more difficult. https://en.wikipedia.org/wiki/Conway%27s_law
  21. Key takeaway: We created cross functional and agile teams (w/ Automation Engineer) Our Software Engineering structure is based on the Spotify model - Cross functional & agile teams We have 7 teams (between 4 to 6 team members) all in one city Have the right skills and knowledge in each team → Avoid silos or dependencies on other departments or teams Empowered through tools and privileges (Example roles in the Hub) Automation Engineer in each team Part DevOps, part test automation, 100% developer In-house test automation framework built on open source tech (node.js, cucumber, gherkin, appium, etc) Have a passion for software quality and efficiency Their mandate is to serve their team – implement build pipelines that will kick off Black Duck Scans Architect Evangelist position (part of the tribe) Sits in planning and grooming meetings Coach teams on technical design decisions Bridge gap in-between dev teams and also between dev teams and Product Owners Security Evangelist → not DevSecOps (https://www.entersekt.com/all-careers/software-security-evangelist) A lot like Architect evangelist Coach/support teams on secure design & implementation Will do pen testing & keen interest in Black Duck reports Lead general education and mindshares of security issues & topics Toolsmith → Maintains & updates Portus, Jenkins, ESXi resources A bit like an in-house infrastructure/sys admin person but one that can also code if needed. Not needed in every team https://www.entersekt.com/all-careers/toolsmith
  22. Key takeaway: How we got back on track Tools are only as valuable to the organization as the people that use them and how they use them. Thus it is important to support and empower teams as much as possible. Phased roll-out: Black Duck Academy & Security Evangelist Automation Engineers implement a standard pipeline framework. This includes a CI/pipeline template and shared tools, workers and dashboard. Pipeline template version controlled in Git for new projects. Saves weeks of effort. Teams had to plan and dedicate time to review all existing projects and clean/fix all issues found by Black Duck. Once projects were in a good state, we enabled policy management to fail builds and create tickets via Jira Team agrees on a standard This is not an internal compliance policy enforced by Security or Risk Officers but rather self imposed by teams When to fail builds (will inform Policy Management rules) How to triage results (comments & ignore) Do reporting, etc
  23. Key takeaway: Automation Engineers are responsible for this process in each of the teams The Jenkins phases (in yellow) occur twice: Pull request --> automated once reviews complete Merge to Master → Manual
  24. Key takeaway: Explain concept of build pipeline template The Jenkins phases (in yellow) occur twice: Pull request --> automated once reviews complete Merge to Master → Manual Infrastructure as code
  25. Key takeaway: Explain concept of build pipeline template
  26. Key takeaway: Key ingredients Trust your people to do the right thing Support them with the necessary resources and tools They need to weigh in before they buy in and that is how they will demonstrate ownership Clarity of expectations and what success looks like (i.e. security and due diligence) CLOSING: I sincerely hope the story of our journey so far was informative and perhaps gave you some good ideas for your own context. I thank you for your time and listening to me and I’m happy to answer any questions if you have any. Thanks. References: https://blackducksoftware.atlassian.net/wiki/spaces/INTDOCS/pages/49843511/Hub+SonarQube https://blackducksoftware.wistia.com/medias/dbpsb3xszr
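As an added example (not Entersekt's or Black Duck's code), here is the kind of team-agreed policy gate that notes 22 to 24 describe, applied in Python to a constructed scan result: findings at or above an agreed severity fail the build unless a triage entry with a comment and an owner waives them, critical findings cannot be waived, components with unapproved licenses also block, and every finding becomes an issue-tracker payload. The report shape, severity names, vulnerability ids and ticket fields are assumptions made for the example, not the Hub's or Jira's formats.

```python
"""Added example: a build-gate applying a team-agreed open source policy.
Not Entersekt's or Black Duck's code; the scan format below is constructed."""
from dataclasses import dataclass, field

# Severity ordering used by the gate (assumed bucket names).
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str        # placeholder ids in sample_scan(), not real advisories
    severity: str
    fixed_in: str = ""  # remediating version, if the report knows one


@dataclass
class Component:
    name: str
    version: str
    license: str
    vulns: list = field(default_factory=list)


@dataclass(frozen=True)
class Triage:
    """An 'ignore' decision recorded by the team. Without a comment and an
    owner the gate refuses to honour it, which keeps triage auditable."""
    vuln_id: str
    comment: str
    owner: str


@dataclass(frozen=True)
class Policy:
    fail_on: str = "HIGH"           # fail the build at this severity and above
    never_ignore: str = "CRITICAL"  # triage cannot waive this level or above
    approved_licenses: frozenset = frozenset({"Apache-2.0", "MIT", "BSD-3-Clause"})


@dataclass
class GateResult:
    passed: bool
    blocking: list   # reasons the build failed
    tickets: list    # issue-tracker payloads (constructed shape)


def evaluate(components, triages, policy=Policy()):
    """Apply the policy to one scan and return what the build should do."""
    waivers = {t.vuln_id: t for t in triages if t.comment.strip() and t.owner.strip()}
    blocking, tickets = [], []
    for comp in components:
        label = f"{comp.name}@{comp.version}"
        if comp.license not in policy.approved_licenses:
            blocking.append(f"{label}: license {comp.license} is not on the approved list")
            tickets.append({"summary": f"Review license {comp.license} for {label}",
                            "priority": "High", "component": label})
        for v in comp.vulns:
            rank = SEVERITY_RANK.get(v.severity.upper(), 0)
            if rank < SEVERITY_RANK[policy.fail_on]:
                # Below the agreed threshold: track it, do not block the build.
                tickets.append({"summary": f"{v.vuln_id} ({v.severity}) in {label}",
                                "priority": "Low", "component": label})
                continue
            waiver = waivers.get(v.vuln_id)
            if waiver and rank < SEVERITY_RANK[policy.never_ignore]:
                # Waived by a documented triage decision; keep a ticket for the audit trail.
                tickets.append({"summary": f"Waived {v.vuln_id} in {label}: {waiver.comment}",
                                "priority": "Medium", "component": label, "owner": waiver.owner})
                continue
            fix = f", fixed in {v.fixed_in}" if v.fixed_in else ""
            blocking.append(f"{label}: {v.vuln_id} is {v.severity}{fix}")
            tickets.append({"summary": f"Fix {v.vuln_id} ({v.severity}) in {label}",
                            "priority": "Highest", "component": label})
    return GateResult(passed=not blocking, blocking=blocking, tickets=tickets)


def sample_scan():
    """Constructed scan output; component names, versions and ids are placeholders."""
    return [
        Component("libexample-ssl", "1.0.1", "Apache-2.0",
                  [Vulnerability("VULN-0001", "CRITICAL", "1.0.2")]),
        Component("messaging-lib", "4.1.0", "MIT",
                  [Vulnerability("VULN-0002", "HIGH"), Vulnerability("VULN-0003", "LOW")]),
        Component("logging-util", "2.3.0", "GPL-3.0-only", []),
    ]


def sample_triage():
    """Constructed triage decisions; the second one lacks a comment and is not honoured."""
    return [
        Triage("VULN-0002", "Vulnerable code path not reachable; server side only", "team-green"),
        Triage("VULN-0001", "", "team-green"),
    ]


if __name__ == "__main__":
    result = evaluate(sample_scan(), sample_triage())
    print("BUILD", "PASSED" if result.passed else "FAILED")
    for reason in result.blocking:
        print(" -", reason)
    for t in result.tickets:
        print(f"   ticket [{t['priority']}] {t['summary']}")
```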