1. The document discusses strategies around automating security processes to keep pace with rapid software development cycles. It notes problems that arise when security cannot keep up, such as lack of business agility.
2. Automating security checks and integrating them into continuous integration/delivery pipelines is proposed as a solution. This includes running automated vulnerability scans on code check-ins and having security bugs break the build.
3. A cultural shift is needed where security is a shared responsibility and developers/operations staff understand security outputs. Continuous learning and improving processes will also help security scale effectively.
2. Misys
BFL
Helping companies turn towards their intelligence and otherwise.
Consultant with companies to help them in their agile, business transformation and digital transformation journeys
Training and mentoring Architects and Technology leaders
Enterprise Architecture Expert with the Digital India Initiative
Ex-Vice Chair TOGAF® Standing Committee
Governing Board Member CCICI
WHAT DO I DO?
5. BUILD
Compiling source files
Packaging compiled files into compressed formats (such as jar, zip)
Producing installers
Creating or updating of database schema or data
Reduce errors
Testing is time consuming and expensive
Does not require human intervention
AUTOMATE
TEST
Too many test cases
Every other day there are new devices and scenarios proliferating
Leave no stone unturned
6. DEVS CHURN CODE
CheckIn
Continuous Testing
Continuous Deployment
Continuous Monitoring
Configuration Management
Containerization
Continuous Integration
BATMAN – ALL OVER THE PLACE
GIT
JENKINS
SE
PUPPET DOCKER
JENKINS
AUTOMATE ACROSS ENVIRONMENTS
Mostly Test Env
Docker 1.9 can be used in prod
NAGIOS
7. PLAN DEV SVS BUILD TEST DEPLOY
CHECKIN
TRIGGER PULL
TEST FAILS: FEEDBACK
CHECKIN
FEEDBACK
PUSH TO PRODUCTION
TEST PASS
IT IS ABOUT AUTOMATING THIS LOOP
USER STORIES
FEATURES
EPICS
JIRA IDE
GIT JENKINS PULSE PUPPET
10. The list of things that can go wrong for an autonomous vehicle “is almost infinite,” says Luc Vincent, who heads R&D for Lyft’s self-driving car unit.
11. If you went down a narrow one-way street that was blocked off by construction, is it okay to break the law and back down the one-way street?
Could the car handle teenagers pranking it and yelling conflicting commands?
Can the car understand hand signals from police or road-side workers?
Can the car recognize a fake street sign that someone put up, or a damaged one?
https://www.linkedin.com/pulse/ais-phoenix-project-moment-daniel-jeffries/
EDGE CASES THAT ARE EDGY
13. “We have machines that learn in a very narrow way,” said Bengio. “They need much more data to learn a task than human examples of intelligence, and they still make stupid mistakes.”
Yoshua Bengio, director of Mila (AI institute in Montreal)
14. TEST CASES WERE MINIMAL WHEN THINGS WERE WATERFALL AND THE APPLICATION WAS USED WITHIN A FIREWALL.
WITH AN APPLICATION NOW USED BY MILLIONS OF USERS THE EDGE CASES ARE MIND BOGGLING
15. WHAT ARE WE MISSING HERE?
Courtesy: Henrik Kniberg
17. Browsers
Devices
Operating Systems
Rapid rate of new code being pushed
Machines do not show fatigue or human errors
Leave no stone unturned
Catch defects before they are shipped
WHY AUTOMATE?
UNIT TESTING
INTEGRATION TESTING
END TO END TESTING
20. ENTER ROBOT, EXIT HUMAN – IT DOES NOT WORK THAT WAY
Picture : pixabay
21. Reduce errors
Testing is time consuming and expensive
Difficult to set up multi-lingual sites
Does not require human intervention
Speed and extensive coverage
Machines do not fatigue
Repetitive tests
Time consuming and difficult to do manually
Time intensive
Mission critical business test cases
When are automated test cases needed?
WHY AUTOMATE AND WHEN TO?
22. WHERE MANUAL TESTING EXCELS?
New test cases not even tested once manually
Requirements Changing frequently
Need cognitive thinking to make sense of the use cases
29. In 2017, the Equifax credit reporting agency used Struts in an online portal, and due to Equifax not identifying and patching a vulnerable version of Struts, attackers were able to capture personal consumer information such as names, Social Security numbers, birth dates and addresses of over 148 million US consumers, nearly 700,000 UK residents, and more than 19,000 Canadian customers.
33. ENTER DEV SEC OPS / SEC DEV / RUGGED DEV OPS = SECURITY AUTOMATION AT SCALE
34. IMPACT OF SECURITY ON BUSINESS
Proliferation of Shadow IT
Business Agility impacted due to slow security cycles.
Security unable to keep pace with Business
Ad hoc projects and rogue development
True DevOps requires maturity
Slow threat assessments
Not enough patching
Reactive security posture of the company
SECURITY OPERATIONS
37. 1. We need to discover a solution that is valuable, usable, feasible and viable.
2. We need to deliver a solution that is reliable, scalable, performant and maintainable.
& of course SECURE
WHAT WE ARE NOT CAPTURING ARE THE UNDERLYING ISSUES
38. Value Risk - will they use/buy it?
Usability Risk - can they use it?
Feasibility Risk - can we build it?
Business Viability Risk - will this work for our business?
Security Risk – Is our solution vulnerable?
SOLVE OR BRAINSTORM ON THESE RISKS BEFORE YOU WRITE A LINE OF CODE
39. Gartner predicted that 25 percent of top global 2000 organizations would have adopted DevOps as a mainstream strategy
40. A CI / CD solution is one of the important tools for DEVSECOPS
41. DEV SEC OPS – WHY
Pace of innovation meets pace of security automation
Scalable architectures need scalable security
Vulnerabilities need to be fixed at the rate at which software is being churned out.
Risk identification and remediation at the speed of delivery
42. Slow threat assessments
Can't patch fast enough
Reactive security posture
Lack of business agility
Slow to onboard new customers
Slow turnaround time
Trailblazer dev projects gone wrong
Lack of SecOps agility
PROBLEMS AS THEY STAND
44. WHAT WE NEED?
MONITORING & SECURITY TO BE ADDED TO MAKE IT CONTINUOUS
45. CLOUD ADDS TO THE COMPLEXITY
MOVING TO THE CLOUD: BABY STEPS
MORE THAN ONE CLOUD: MULTI CLOUD SCENARIO
SECURITY RESOURCES & CHECKLISTS
COMPLIANCE AND REGULATIONS
OPEX
47. WHAT DEVELOPERS WANT?
Ease of checking in and checking out
Able to play and experiment with emerging technologies
Ability to push code regardless of the platform
ABOVE ALL A GOOD NIGHT'S SLEEP
48. DEVS
DEV
ITIL COMPLIANCE
REDUCE CARBON FOOTPRINT
TEST
GO GREEN
SUPPORT DIFF ENVS
TICKETING
SECURITY
VIRTUALIZE
CMRB
PCI DSS
KEEP THE LIGHTS ON
WRITE CODE, TEST SOME AND RELEASE
HOW OPERATIONS FOLKS SEE DEVELOPERS
NETWORKS
OS
ACCESS CONTROL
49. WHAT MAKES SECURITY FOLKS RELAX
ALL VULNERABILITIES ARE DISCOVERED AND FIXED IN TIME
ALL COMPLIANCES AND REGULATIONS ARE MET
ALL ATTACKS HAVE A PLANNED STRATEGY AND NO SURPRISES
ABLE TO KEEP PACE WITH THE SPEED OF DEVELOPMENT
AUTOMATED PROCESSES FOR STATIC AND DYNAMIC TESTS (SAST, DAST, IAST)
50. WHAT WE NEED IS TOOLS AND PROCESS?
MONITORING & SECURITY TO BE ADDED TO MAKE IT CONTINUOUS
[Pipeline diagram: each stage marked CHECKS PRESENT or NEEDS ACTION]
Static application security testing (SAST)
52. DO NOT LET SECURITY BREAK YOUR BUILD
When CI breaks (and it breaks) it impacts everyone and everything in the process, creating a significant delay in the release cycle.
Start implementing security before the continuous integration stage.
If you have 365 developers and each developer breaks only a single build once a year (usually much more), you have an average of one build break per day.
54. SECURITY WISH LIST
OPERATIONAL CHECKS
AUTOMATIC FAULT DETECTION AND CORRECTION
AUTOMATED REMEDIATION
AUTOMATIC AUDITING & FORENSICS
CODE LEVEL CHECKS
SECURE CODING PRACTICES
PROACTIVE CONTROLS IN THE CODE
BUILD LEVEL CHECKS
VULNERABILITY CHECKS
CONFIGURATION SCRUBBING
DEPLOY CHECKS
CONTINUOUS VULNERABILITY SCANS
PICK ONLY AUTHENTIC IMAGES
GRANT JUST ENOUGH SERVER ACCESS
66. AUTOMATE, AUTOMATE, AUTOMATE AS MUCH AS POSSIBLE
GET THE DEVS AND THE OPS TO READ AND INTERPRET THE RESULTS
ADD REQUIREMENTS IN THE VERY BEGINNING AT DESIGN AND REQUIREMENTS
BUILD BREAKS IF VULNERABILITIES NOTICED IN THE CHECKIN
68. Positive testing determines that your application works as expected. If an error is encountered during positive testing, the test fails.
Negative testing ensures that your application can gracefully handle invalid input or unexpected user behavior.
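An added example, not from the presentation, of the positive/negative split for one hypothetical input validator: each positive case is mutated into negative cases that must be rejected with a clean ValueError, which is also a mechanical way to produce the "negative unit tests from existing positive unit tests" that the deck's next steps ask for. The validator, its rules and all test inputs are constructed for this example.

```python
import re
import unittest
from io import StringIO

MAX_LEN = 16
# Hypothetical rule: 3..16 chars, a letter first, then only [a-z0-9_].
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")
# Constructed positive cases: (raw input, expected normalised result).
POSITIVE_CASES = [("alice", "alice"), ("Bob_42", "bob_42"), ("  carol  ", "carol")]

def validate_username(raw) -> str:
    """Normalise and validate; invalid input -> ValueError. That clean error is
    the 'graceful' outcome negative tests look for, not acceptance or a crash."""
    if not isinstance(raw, str):
        raise ValueError("username must be a string")
    name = raw.strip().lower()
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("username must be 3-16 chars of [a-z0-9_], letter first")
    return name

def derive_negative_cases(valid: str):
    """Derive invalid inputs from one valid input; each mutation breaks one rule."""
    base = valid.strip()
    return [
        ("empty", ""),
        ("too short", base[:2]),
        ("too long", base + "x" * MAX_LEN),
        ("leading digit", "1" + base),
        ("embedded space", base[:1] + " " + base[1:]),
        ("embedded newline", base[:1] + "\n" + base[1:]),
        ("non-ascii letter", base + "\u00e9"),
        ("wrong type: int", 12345),
        ("wrong type: None", None),
    ]

class UsernameTests(unittest.TestCase):
    def test_positive(self):  # expected behaviour on valid input
        for raw, expected in POSITIVE_CASES:
            self.assertEqual(validate_username(raw), expected, raw)
    def test_negative(self):  # one negative check per derived mutation
        for raw, _ in POSITIVE_CASES:
            for label, bad in derive_negative_cases(raw):
                with self.subTest(label=label, source=raw), self.assertRaises(ValueError):
                    validate_username(bad)

def run_suite():
    """Run the suite quietly; returns (tests_run, failures_plus_errors)."""
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(UsernameTests)
    result = unittest.TextTestRunner(stream=StringIO(), verbosity=0).run(suite)
    return result.testsRun, len(result.failures) + len(result.errors)
```

Running `run_suite()` in CI turns the derived cases into a gate: a validator that silently accepts any mutated input, or raises anything other than ValueError, fails the job.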
69. Invite both sides of the table, DEV and OPS, to the meeting
Incidents
Threat Modelling
Security Sprints etc.
72. CREATE A CULTURE WHICH IS HIGH ON THE SECURITY DNA
Make it public when you fix things and update the internal wiki
SharePoint or CMDB for all security fixes
Do not make it personal: fix the issue, not the person
Arrange tech talks to spread the know-how of the fixes
Educate DEV and OPS to read security tool analysis well
Shadow resources who could build capabilities
73. The further right the project is on the DevOps scale, the further left it should start implementing security checks.
74. COST OF NOT FIXING AT THE RIGHT TIME
SHIFT LEFT TO GAIN
Courtesy: Tanya Janca, Senior Cloud Developer Advocate, Microsoft
75. MOVE SECURITY UP THE CHAIN IN REVERSE ORDER
Courtesy: Tanya Janca, Senior Cloud Developer Advocate, Microsoft
78. Add security verification to CI/CD pipelines
Critical security bugs break the build
In the first three months following this presentation you should:
Create negative unit tests from existing positive unit tests
Lessons on top 3 security bugs
High security bugs break the build
Within six months you should:
Regular lessons on AppSec, including a security exercise or simulation
Improvements of security processes for speed and removal of obstacles
Creation of a parallel security pipeline
Medium security bugs break the build
NEXT STEPS FOR YOU
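An added example, not from the presentation, of the build gate that the next steps above and the earlier slides ("security bugs break the build", "build breaks if vulnerabilities noticed in the checkin") call for: it reads scanner output, prints every finding so devs and ops can read it, and fails the CI step only for findings at or above a severity threshold that the pipeline tightens over time (critical, then high, then medium). The JSON report shape, file paths and findings are constructed placeholders, not any real tool's format.

```python
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scanner output; the JSON shape is a simplified stand-in,
# not any particular tool's report format, and the findings are not real.
SAMPLE_SCAN_OUTPUT = json.dumps({"findings": [
    {"id": "F-1", "severity": "high", "rule": "sql-injection", "file": "app/db.py", "line": 42},
    {"id": "F-2", "severity": "medium", "rule": "weak-hash", "file": "app/auth.py", "line": 17},
    {"id": "F-3", "severity": "low", "rule": "debug-enabled", "file": "app/settings.py", "line": 3},
]})

def severity_rank(label) -> int:
    """Rank a severity label; unknown labels rank highest so a scanner that
    introduces a new label fails closed instead of slipping past the gate."""
    return SEVERITY_RANK.get(str(label).lower(), max(SEVERITY_RANK.values()) + 1)

def blocking_findings(scan_json: str, threshold: str) -> list:
    """Findings at or above `threshold` ('critical', 'high', 'medium', 'low')."""
    if threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown threshold: {threshold}")
    floor = SEVERITY_RANK[threshold]
    return [f for f in json.loads(scan_json).get("findings", [])
            if severity_rank(f.get("severity")) >= floor]

def gate_build(scan_json: str, threshold: str) -> int:
    """Exit code for the CI step: 0 = pass, 1 = break the build.
    Every finding is printed so devs and ops can read the result; only those
    at or above the threshold fail the job. Tighten the threshold over time:
    critical first, then high, then medium, as the roadmap suggests."""
    blockers = blocking_findings(scan_json, threshold)
    for f in json.loads(scan_json).get("findings", []):
        tag = "BLOCK" if f in blockers else "info"
        print(f"[{tag:<5}] {str(f.get('severity')):<8} {f.get('rule')} at {f.get('file')}:{f.get('line')}")
    if blockers:
        print(f"build broken: {len(blockers)} finding(s) at or above '{threshold}'")
        return 1
    print(f"build passed: no findings at or above '{threshold}'")
    return 0

if __name__ == "__main__":
    # Usage: gate.py <scan.json> <threshold>; the threshold comes from a CI
    # variable so it can be tightened without editing the script.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN_OUTPUT
    sys.exit(gate_build(src, sys.argv[2] if len(sys.argv) > 2 else "critical"))
```

With the sample report the gate passes at "critical", and breaks the build once the threshold is lowered to "high" or "medium".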