Más contenido relacionado

Presentaciones para ti(20)

Similar a Solnet dev secops meetup(20)


Solnet dev secops meetup

  1. DevSecOps Deliver value faster safer Peter Bink – September 2020
  2. The DevXXXOps explosion DataOps DevSecOps MLOps GitOps AIOps DevDataOps DesignOps CloudOps NoOps WinOps = DevOps 2 DevTestOps
  3. • Advanced Persistent Threat Also lone wolves: Gary McKinnon – “Your security is crap” Source: Iran’s nuclear program (Stuxnet) 2010 2014 – Sony 2016 – Bangladesh Bank 2017 - WannaCry 2016 – Hilary Clinton 2019 – Venezuelan military Cybercrime – who are they? 2019 – Toyota data breach FIG (fun, ideology, and grudge) Other (errors, glitches, etc.) And why do they do it?
  4. Security Incidents – New Zealand • NZX / Metservice / Mt Ruapehu parking / …? • Lion brewery (AU) – website was changed so clients could order milk at a Sydney based consultancy firm. Lion shut down their IT systems to stop the attack which impacted their supply. • Blackbaud – US based provider of SaaS for a lot of universities worldwide, such as Auckland university. Data has been stolen, ransom has been paid and data has been ‘destroyed’. • The website of LPM Property Management - showed passports, drivers licenses, and other identity documents, of New Zealanders and other nationalities. • Contact details of people who have been in contact with New Zealand Police may have been breached. • A KiwiSaver provider, Generate, has had its computer systems breached and the personal information of 26,000 of its customers has been taken. • … • NZ Firearms register from NZ Police • Tu Ora Compass health - Up to 1 million New Zealand patients' data breached in criminal cyber hack 2019 2020
  5. “Applications are the weakest links” 53% of all breaches are caused by vulnerabilities in Applications Source: 2020 State of application security, Forrester Source: 2019 Data Breach Investigations Report, Verizon ‘Fun’ facts around data breaches Source: 2019 State of the software supply chain report, Sonatype Source: 2020 State of application security, Forrester Source: 2020 - 107 Must-Know Data Breach Statistics, Varonis Source: 2019 Cost of a data breach report, IBM Source: 2020 Top 5 cyber security stats, Cybersecurity ventures “Open source continues to infect everything” 85% of your code is sourced from external suppliers The average time to identify and contain a breach is 279 days The average total cost of a data breach is $USD 3.92 Million Cybercrime damage costs are predicted to hit US$ 6 trillion annually
  6. Source:
  7. Attack Example – 2017 Equifax data breach US DOJ Indictment: • In September 2017, credit reporting giant Equifax reported it had been hacked. • 147.9 million people were affected (40% of US population). • Names, date of births, drivers license numbers, and social security numbers were stolen plus 200k credit card numbers. • Cost Equifax 1.4 Billion. • Attributed to the People’s Liberation Army (PLA), the armed forces of the Peoples Republic of China. • Specifically, the PLA’s 54th Research Institute, also known as APT10.
  8. • Apache struts vulnerability was not identified on the online dispute portal • Attacker set up a web shell for persistence “Jquery1.3.2.min.jsp” • Attacker was not detected immediately • Individual databases were not segmented from each other • Databases contained credentials for other servers/databases US GAO Report: Attack Example – 2017 Equifax data breach (CVE-2017-5638)
  9. Attempts to exploit this vulnerability on your servers occur every day (CVE-2017-5638) Attack Example – 2017 Equifax data breach
  10. ‘Old’ way of working Penetration testing provides assurance that a solution is secure in its current state, at the current time, however: • Any code change has the potential to introduce new vulnerabilities. • Over time new vulnerabilities will be discovered in libraries/frameworks. • A security tester has a limited budget and limited time. • It is expensive to fix issues or make design changes at the end of the SDLC. Finding & fixing security defects at the end of the SDLC How to move security earlier in the SDLC??????
  11. DevOps and security - Challenges • Continuous delivery / often deployments o and the need for continuous security attention not always match o and security architecture support for waterfall projects is not similar • DevOps teams (autonomous) may lack security knowledge • Use a lot of tooling, libraries and cloud may increase the security risks • DevOps teams need the freedom to experiment to keep improving • Empowered and autonomous team have a lot of rights
  12. How this data breach could have been prevented: Detecting Apache Struts CVE-2017-5638 • Library/Framework Vulnerability Scanning • Container Vulnerability Scanning • Static Application Security Testing • Dynamic Application Security Testing Designing systems that would be resilient to the Equifax attack • Web Application Firewall & Virtual Patching • Input Validation • Restricting internet access on servers (Firewall/Proxy) • OS/container Hardening • Network Segmentation • Secure Credential Storage (no passwords in databases) • Ephemeral Environments (CVE-2017-5638) Attack Example – 2017 Equifax data breach
  13. DevOps and security together: DevSecOps • Automated security checks can be built into the pipeline • A lot of tools are available to address security concerns • Sonarcube - SAST • OWASP ZAP - DAST • Whitesource Bolt - SCA • Microsoft Security Code • Codacy, Sonarcube, Snyk, Acunetix,, Contrast security, …. • Organisations that have mature DevOps practices are 338% more likely to integrate security across the SDLC (source: Sonatype DevSecOps community survey 2018) • Security patches and updates can be applied promptly • Transparency and continuous improvement • Long lived product teams: Security is everybody's responsibility
  14. DevSecOps manifesto Value things on the left over things on the right Leaning in over Always Saying “No” Data & Security Science over Fear, Uncertainty and Doubt Open Contribution & Collaboration over Security-Only Requirements Consumable Security Services with APIs over Mandated Security Controls & Paperwork Business Driven Security Scores over Rubber Stamp Security Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident Shared Threat Intelligence over Keeping Info to Ourselves Compliance Operations over Clipboards & Checklists Source:
  15. What can be done in the SDLC? Shift left and right Delivery team Version control Build Test Release Prod Security training Security requirements Threat modelling Architecture review Code examples OWASP Top 10 IDE plugins Fail the build SAST/DAST/IAST Configuration analysis Application module scanning Threat modelling as unit test Automated Pen testing Static code analysis Security policy testing Configuration analysis Security monitoring Configuration monitoring
  16. 1. We are all responsible So what is DevSecOps? ???? Questions 2. Engage InfoSec early and often 3. Use the right security tools right ‘Just’ DevOps….. with focus on
  17. Stay safe! We’re here to put our experience and know-how to work for you and provide you with guidance. With us it’s about collaboration and shared success. Aotearoa is our home and we’ve been supporting enterprise organisations for more than 15 years. We deliver advice and solutions that work locally. It’s critically important to us that you deliver successful outcomes because there’s a great deal riding on it! Deliver Value Faster Safer • DevOps • DevSecOps • Site Reliability Engineering Peter Bink DevOps / DevSecOps Grant Reid DevOps / SRE

Hinweis der Redaktion

  1. Japan (top 3 on the list of GDP) has a GDP of US$ 5 trillion. NZ GDP $US 205 billion
  2. Security tools in periodic table Xenialabs: OWASP ZAP Sonatype Nexus IQ CyberAk conjur Veracode App Protection Aqua security HashiCorp vault SonarCube Micro Focus Fortify SCA Synopsis Black Duck Checkmarx SAST Snort PortSwigger Burp suite