Rajiv Kadayam
© 2016 eGlobalTech. All rights reserved.
Succeeding in the Marriage of
Cybersecurity and DevOps
2
About Rajiv & eGT
 Executive Technologist
 Product Owner
 Agile Manager/Coach
 Solutions Architect
 Sr. Director, Technology
Strategy
 Dad / Hubby
• Established in 2004
• Agile Development & DevOps
• Cloud Migration & Enablement
• Cybersecurity & Information
Assurance
• eGT Labs – skunk works !
• 30+ federal agencies
Best of times… and worst of times…
3
Businesses need to deliver faster and be more responsive
Align organizational units to rally behind one common goal
Continuously assess, monitor, prevent, and counter security risks and issues
Leverage technology, automation and agile practices to achieve all of the above
• E-Commerce Transactions to pass $1.5 Trillion/year
• Era of Digital & Connected Lives – mobile, cloud, wearables, social
• B2B ecommerce predicted to hit $6.7T/year by 2020
• 47% of American adults had their personal information stolen by hackers
• Cyber crime costs businesses $400+ Billion/year - McAfee, 2014
Stone Age IT
4
Development | Operations | Cybersecurity | QA and Testing | Enterprise Architecture
 Messages lost in translation
 Slow & unwieldy
 Too much finger pointing
 Ultimately business suffers and people too…
SDLC phases: Initiation & Planning → Requirements Definition → Design → Development → Testing → Implementation → Operations & Maintenance
Enter Agile Development Methodology
5
Agile delivery loop (diagram): Product / Release Backlog → Sprint Backlog → Iterative Development & Testing (Test Driven Development, Automated Code Review, Continuous Integration, Automated Deployment) → System Releases → Production
Environments: Development, Testing/Demo, Production, with a continuous feedback loop
 Scrum
 Kanban
 Lean
 SAFe
SDLC phases: Initiation & Planning → Requirements Definition → Design → Development → Testing → Implementation → Operations & Maintenance
Agile as a means to develop solutions faster, release frequently and incorporate feedback continuously
Gradual Agile Transformation
6
Teams in the trust circle: Development, Operations, Cybersecurity, QA and Testing, Enterprise Architecture, Other Stakeholders
Centre of the circle: Agile Software Development & DevOps
More and more federal agencies are adopting agile. Some agencies have adopted DevOps. Very few agencies are truly performing blue-green deployments.
Need to break walls and build a tighter trust circle
Agencies are plagued with security concerns, preventing DevOps transformation
DevOps + Cybersecurity → DevOpsSec
 Yes, but what about Testing, Users, Requirements, EA ?
 ReqEADevTestingSecOps ?
 DevOps => More than just “Development” and
“Operations”
 Philosophy , Culture, Process, Automation, Tools &
Continuous Learning
 By Practitioners - For Practitioners
7
DevOps & Cybersecurity – Flipping Resistance → Results
8
Challenges
• Organizational hierarchies
• Lack of domain understanding
• RMF, NIST Controls
• Emerging / Open Source Tech
• Different tools and processes
• Different objectives – DevOps: Deliver Faster vs Security: Protect Information
Opportunities
• Secure Designs, Robust Solutions, Reduced $Costs$
• Integrate and automate delivery pipeline – Accelerate time to Market
• Respond faster to business
• Enhanced Transparency, Visibility and Accountability
Keys to a Successful Marriage of DevOps & Cybersecurity
9
#1 – Come together - Establish Common Process Framework
• Integrate and Align SDLC and RMF
• Concurrently execute lifecycle phases
• Peer review and validate work products
• Reinforce security mindset in every step of the process.
• Universal visibility, transparency, and accountability
10
NIST Risk Management Framework + Software Development Lifecycle
RMF steps: Categorize Information System → Select Security Controls → Implement Security Controls → Assess Security Controls → Authorize Information System → Monitor Security Controls
SDLC phases: Initiation & Planning → Requirements → Design → Development → Testing → Implementation → Operations & Maintenance
DevOps Factory
11
Machine-enforced governance and compliance established by a fully automated CI/CD process expressed in code
#2 – Be kind to your partner - Commit to Collaborate
12
DevOps ↔ Cybersecurity
• Truly bring disparate teams together to work towards common goals and objectives
• Learn, understand and appreciate each other’s concerns
• Instead of “No, not possible” – explore and provide alternate approaches
• Leverage effective collaboration tools
Callouts in the diagram: “Target solution must properly address all required NIST security controls!” / “Here is how and what needs to be done to certify new technologies for secure acceptable use” / “I want to adopt the latest and greatest open source technology” / “Is this implementation approach secure and compliant?”
Shared ground: Common Goals, Invested in Shared Success, Continuous Communication
#3 – Build Trust Early - Design for Security From Inception
13
• Detect basic security issues early and prevent downstream friction
• Include security issues (POAMS, etc.) as part of the product backlog and prioritize collectively
• Keep pace with new technology insertion and refreshes
• Address security controls early in the architecture and design phase
Diagram: Develop System & Software Architecture and Design → Test for compliance with required NIST controls
#4 – Simplify Life - Strive to Automate
14
Diagram labels: Security Docs; Security Testing, Monitoring & Compliance; Automation & Orchestration; SaaS / PaaS / IaaS; SDLC Activities
• Aggressively exploit opportunities to automate security processes
• Automate:
  • FISMA / FedRAMP documentation
  • Security Penetration/Vulnerability Testing
  • Security Compliance and Monitoring
  • Intrusion Detection & Data Breaches
  • Threat Management
Security Policy and Compliance “as code”
15
• Replace opinionated human compliance checkers with machines – Compliant or Non-Compliant
  # Declarative port checks in an InSpec/Serverspec-style test DSL
  describe port(80) do
    it { should_not be_listening }
  end

  describe port(443) do
    it { should be_listening }
    its('protocol') { should eq 'tcp' }
  end
• BDD-Security, Gauntlt – security test code expressed in plain English
• Treat like any other code – source control, versions, peer review
• Provides a time-machine view into security evolution
• Produces valuable raw data for historical and trend analytics
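As an added example (not from the slides): the same Compliant / Non-Compliant decision as the DSL snippet above, written in plain Ruby with no test framework, so that the verdict and the per-control records can be stored as the raw data for the trend analytics the slide mentions. The `ss`-style socket listing, the check list and the mapping of each check to NIST SP 800-53 control IDs (CM-7, SC-7) are constructed assumptions.

```ruby
require 'json'
require 'time'

# Constructed sample in the style of `ss -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = <<~SS
  State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
  LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
  LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
  LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*
SS

# Checks are data, not opinion: expected state per port plus the control it evidences.
# Control mapping (CM-7 least functionality, SC-7 boundary protection) is an assumption.
CHECKS = [
  { port: 80,  listening: false, control: 'CM-7' },
  { port: 443, listening: true,  control: 'SC-7' },
  { port: 22,  listening: true,  control: 'SC-7' },
].freeze

# Extract the listening TCP ports from ss-style output; works for 0.0.0.0:port and [::]:port.
def listening_ports(ss_output)
  ss_output.each_line
           .select { |line| line.start_with?('LISTEN') }
           .map { |line| line.split[3].split(':').last.to_i }
           .sort.uniq
end

# Evaluate every check and return one record per check plus an overall verdict.
# Each record is timestamped so a series of runs gives the "time-machine" view.
def evaluate(ss_output, checks = CHECKS, now = Time.now.utc)
  open_ports = listening_ports(ss_output)
  results = checks.map do |c|
    actual = open_ports.include?(c[:port])
    { control: c[:control], port: c[:port], expected: c[:listening], actual: actual,
      status: actual == c[:listening] ? 'Compliant' : 'Non-Compliant',
      checked_at: now.iso8601 }
  end
  verdict = results.all? { |r| r[:status] == 'Compliant' } ? 'Compliant' : 'Non-Compliant'
  { verdict: verdict, results: results }
end

if __FILE__ == $PROGRAM_NAME
  report = evaluate(SAMPLE_SS_OUTPUT)
  puts JSON.pretty_generate(report)   # append each run to a log store for trend analysis
  # in a pipeline step: exit 1 unless report[:verdict] == 'Compliant'
end
```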
Short detour for a specific use case / demo…
Web Application Security Vulnerabilities Survey Results
16
86% of websites and web-apps contain at least one serious vulnerability
Make vulnerability remediation process faster and easier
Visibility, Accountability and Empowerment
More secure software, NOT more security software
What is OWASP ?
17
Make software security visible, so that individuals and
organizations are able to make informed decisions
100s of projects…
OWASP Top 10 security flaws
Agile Development & OWASP Testing is Disconnected
18
Pipeline (diagram): Source Control → Build → Testing (Unit, Functional, Static Code Scan, Performance, etc.) → Release Candidate → Staging / Production
Iterative / Agile Development – multiple daily/weekly iterations
Security Penetration Testing → Backlog
Push security testing left of the process
 Web App Penetration testing conducted very late in the process
 Developers have limited visibility and less time to remediate issues
 Security vulnerabilities leak through into production
Espial – Automate & Integrate Penetration Testing
19
Pipeline (diagram): Jenkins orchestrates Source Control → Automated Build → Automated Testing (Unit, Functional, etc., Espial Plugin) → Automated Deployment
Deploy: Vagrant / Docker image to the Dev/Test Env and Prod Env apps; execute tests & collect results
Output: Build Quality Report – Code Quality, Test Execution Results, Espial Security Vulnerabilities, Metrics
A mechanism that automates and integrates security vulnerability tests as part of your existing Jenkins-based CI/CD process
Continuous Detection → Faster Remediation
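As an added example (not Espial's own code, and not its output format, which the slides do not show): the build-gate step a Jenkins job can run after the security scan, so that findings are turned into a pass/fail decision and into the "Security Vulnerabilities" section of the build quality report. The JSON schema of the findings, the severity ranking and the gate thresholds are constructed assumptions.

```ruby
require 'json'

# Constructed scan result (hypothetical schema; a real scanner's output differs).
# Categories are labelled per the OWASP Top 10 (2013) the talk refers to.
SAMPLE_FINDINGS_JSON = <<~JSON
  [
    {"id": "f1", "category": "A1 Injection", "severity": "high", "url": "/login", "param": "user"},
    {"id": "f2", "category": "A3 Cross-Site Scripting", "severity": "medium", "url": "/search", "param": "q"},
    {"id": "f3", "category": "A5 Security Misconfiguration", "severity": "low", "url": "/", "param": null},
    {"id": "f4", "category": "A1 Injection", "severity": "high", "url": "/login", "param": "user"}
  ]
JSON

SEVERITY_RANK = { 'critical' => 4, 'high' => 3, 'medium' => 2, 'low' => 1, 'info' => 0 }.freeze

# Gate policy (assumption): any finding at or above fail_at, or more than max_medium
# medium-severity findings, fails the build.
DEFAULT_POLICY = { fail_at: 'high', max_medium: 3 }.freeze

# Parse the scan output and drop duplicates: a crawler reaches the same endpoint and
# parameter via several paths and reports the same issue more than once.
def load_findings(json)
  JSON.parse(json).uniq { |f| [f['category'], f['url'], f['param']] }
end

# Decide pass/fail and summarise counts per severity and per OWASP category.
def gate(findings, policy = DEFAULT_POLICY)
  threshold = SEVERITY_RANK.fetch(policy[:fail_at])
  by_severity = findings.group_by { |f| f['severity'] }.transform_values(&:size)
  by_category = findings.group_by { |f| f['category'] }.transform_values(&:size)
  blocking = findings.select { |f| SEVERITY_RANK.fetch(f['severity'], 0) >= threshold }
  too_many_medium = by_severity.fetch('medium', 0) > policy[:max_medium]
  { passed: blocking.empty? && !too_many_medium,
    blocking: blocking.map { |f| f['id'] },
    by_severity: by_severity, by_category: by_category }
end

# The security section of the Build Quality Report: developers see which finding
# blocked the build, not just a red build light.
def report_section(result)
  lines = ["Security vulnerabilities: gate #{result[:passed] ? 'PASSED' : 'FAILED'}"]
  result[:by_category].sort.each { |category, n| lines << "  #{category}: #{n}" }
  lines << "  blocking findings: #{result[:blocking].join(', ')}" unless result[:blocking].empty?
  lines.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  result = gate(load_findings(SAMPLE_FINDINGS_JSON))
  puts report_section(result)
  # in the Jenkins job: exit 1 unless result[:passed]  (a non-zero exit fails the build)
end
```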
Espial Video
20
https://vimeo.com/170149154
Espial – Key Benefits
21
• Platform and programming language agnostic – any web-app
• Out of the box integration with Jenkins
• Developers have clear visibility of security vulnerabilities
• Comprehensive – crawls all end-points automatically
• Eliminates risk of vulnerabilities creeping in
#5 – Keep the spark alive - Continuously Learn & Innovate
22
• Evaluate emerging tools & technologies for adoption
• Identify opportunities to innovate and evolve
  • Threat Management
  • Security Data Analytics
  • Interactive Application Security Testing
• Promote industry and community relationships
• Cultivate Labs – Ideas to Reality
  • Promote innovation
  • Experiment and Prototype
  • Productize
  • Rinse and Repeat
Questions ?
Rajiv Kadayam
Senior Director, Technology Strategy
rajiv.kadayam@eglobaltech.com
https://www.linkedin.com/in/rajivkadayam
http://www.eglobaltech.com
http://www.cloudamatic.com
23
Thank You !
Keep Innovating…
