DevSecOps
Deliver value faster safer
Peter Bink – September 2020

The DevXXXOps explosion
DataOps
DevSecOps
MLOps
GitOps
AIOps
DevDataOps
DesignOps
CloudOps
NoOps
WinOps
=
DevOps 2
DevTestOps

• Advanced Persistent Threat
Also lone wolves:
Gary McKinnon – “Your security is crap”
Source: https://www.varonis.com/blog/apt-groups/
Iran’s nuclear program
(Stuxnet) 2010
2014 – Sony
2016 – Bangladesh Bank
2017 - WannaCry
2016 – Hilary
Clinton
2019 –
Venezuelan
military
Cybercrime – who are they?
2019 – Toyota
data breach
FIG (fun, ideology, and grudge)
Other (errors, glitches, etc.)
And why do they do it?

Security Incidents – New Zealand
• NZX / Metservice / Mt Ruapehu parking / …?
• Lion brewery (AU) – website was changed so clients could order milk at a Sydney based consultancy firm. Lion
shut down their IT systems to stop the attack which impacted their supply.
• Blackbaud – US based provider of SaaS for a lot of universities worldwide, such as Auckland university. Data has
been stolen, ransom has been paid and data has been ‘destroyed’.
• The website of LPM Property Management - showed passports, drivers licenses, and other identity documents, of
New Zealanders and other nationalities.
• Contact details of people who have been in contact with New Zealand Police may have been breached.
• A KiwiSaver provider, Generate, has had its computer systems breached and the personal information of 26,000 of
its customers has been taken.
• …
• NZ Firearms register from NZ Police
• Tu Ora Compass health - Up to 1 million New Zealand patients' data breached in criminal cyber hack
2019
2020

“Applications are the weakest links”
53% of all breaches are caused by vulnerabilities in Applications
Source: 2020 State of application security, Forrester
Source: 2019 Data Breach Investigations Report, Verizon
‘Fun’ facts around data
breaches
Source: 2019 State of the software supply chain report, Sonatype
Source: 2020 State of application security, Forrester
Source: 2020 - 107 Must-Know Data Breach Statistics, Varonis
Source: 2019 Cost of a data breach report, IBM
Source: 2020 Top 5 cyber security stats, Cybersecurity ventures
“Open source continues to infect everything”
85% of your code is sourced from external suppliers
The average time to identify and contain a breach is 279 days
The average total cost of a data breach is $USD 3.92 Million
Cybercrime damage costs are predicted to hit US$ 6 trillion annually

Source: https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Attack Example – 2017 Equifax data breach
US DOJ Indictment: https://www.justice.gov/opa/press-release/file/1246891/download
• In September 2017, credit reporting giant Equifax reported it had been hacked.
• 147.9 million people were affected (40% of US population).
• Names, date of births, drivers license numbers, and social security numbers
were stolen plus 200k credit card numbers.
• Cost Equifax 1.4 Billion.
• Attributed to the People’s Liberation Army (PLA),
the armed forces of the Peoples Republic of China.
• Specifically, the PLA’s 54th Research Institute, also
known as APT10.

• Apache struts vulnerability was not identified on the online dispute portal
• Attacker set up a web shell for persistence “Jquery1.3.2.min.jsp”
• Attacker was not detected immediately
• Individual databases were not segmented from each other
• Databases contained credentials for other servers/databases
US GAO Report: https://www.gao.gov/assets/700/694158.pdf
Attack Example – 2017 Equifax data breach
(CVE-2017-5638)

Attempts to exploit this vulnerability on your servers occur every day
(CVE-2017-5638)
Attack Example – 2017 Equifax data breach

‘Old’ way of working
Penetration testing provides assurance that a solution is secure in its
current state, at the current time, however:
• Any code change has the potential to introduce new vulnerabilities.
• Over time new vulnerabilities will be discovered in
libraries/frameworks.
• A security tester has a limited budget and limited time.
• It is expensive to fix issues or make design changes at the end of the
SDLC.
Finding & fixing security defects at the end of the SDLC
How to move security earlier in the SDLC??????

DevOps and security -
Challenges
• Continuous delivery / often deployments
o and the need for continuous security attention not always match
o and security architecture support for waterfall projects is not similar
• DevOps teams (autonomous) may lack security knowledge
• Use a lot of tooling, libraries and cloud may increase the security risks
• DevOps teams need the freedom to experiment to keep improving
• Empowered and autonomous team have a lot of rights

How this data breach could have been prevented:
Detecting Apache Struts CVE-2017-5638
• Library/Framework Vulnerability Scanning
• Container Vulnerability Scanning
• Static Application Security Testing
• Dynamic Application Security Testing
Designing systems that would be resilient to the Equifax attack
• Web Application Firewall & Virtual Patching
• Input Validation
• Restricting internet access on servers (Firewall/Proxy)
• OS/container Hardening
• Network Segmentation
• Secure Credential Storage (no passwords in databases)
• Ephemeral Environments
https://github.com/OWASP/ASVS
(CVE-2017-5638)
Attack Example – 2017 Equifax data breach

DevOps and security together:
DevSecOps
• Automated security checks can be built into the pipeline
• A lot of tools are available to address security concerns
• Sonarcube - SAST
• OWASP ZAP - DAST
• Whitesource Bolt - SCA
• Microsoft Security Code
• Codacy, Sonarcube, Snyk, Acunetix, logz.io, Contrast security, ….
• Organisations that have mature DevOps practices are 338% more likely
to integrate security across the SDLC (source: Sonatype DevSecOps community
survey 2018)
• Security patches and updates can be applied promptly
• Transparency and continuous improvement
• Long lived product teams: Security is everybody's responsibility

DevSecOps manifesto
Value things on the left over things on the right
Leaning in over Always Saying “No”
Data & Security Science over Fear, Uncertainty and Doubt
Open Contribution & Collaboration over Security-Only Requirements
Consumable Security Services with APIs over Mandated Security Controls & Paperwork
Business Driven Security Scores over Rubber Stamp Security
Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
Shared Threat Intelligence over Keeping Info to Ourselves
Compliance Operations over Clipboards & Checklists
Source: https://www.devsecops.org/

What can be done in the
SDLC?
Shift left and right
Delivery
team
Version
control
Build Test Release Prod
Security training
Security requirements
Threat modelling
Architecture review
Code examples
OWASP Top 10
IDE plugins
Fail the build
SAST/DAST/IAST
Configuration analysis
Application module scanning
Threat modelling as unit test
Automated Pen testing
Static code analysis
Security policy testing
Configuration analysis
Security monitoring
Configuration monitoring

1. We are all responsible
So what is DevSecOps? ????
Questions
2. Engage InfoSec early and often
3. Use the right security tools right
‘Just’ DevOps….. with focus on

Stay safe!
We’re here to put our experience and know-how to work for
you and provide you with guidance. With us it’s about
collaboration and shared success.
Aotearoa is our home and we’ve been supporting enterprise
organisations for more than 15 years. We deliver advice and
solutions that work locally.
It’s critically important to us that you deliver successful
outcomes because there’s a great deal riding on it!
Deliver Value Faster Safer
• DevOps
• DevSecOps
• Site Reliability Engineering
Peter Bink
DevOps / DevSecOps
Grant Reid
DevOps / SRE
linkedin.com/in/grantreid/linkedin.com/in/peter-bink/
peter.bink@solnet.co.nz grant.reid@solnet.co.nz