Secure DevOPS Implementation Guidance

1. Secure DevOps Awareness & a Guide to Practical Implementation BSides 2018 01 June 30, 2019 Merlin International, Inc.

2. Merlin International June 30, 2019 2 Tej Luthra VP Engineering CyberSecurity and Security Analytics At Merlin International, Tej Luthra is building and leading a development team responsible for the integration of existing technologies and the development of new solutions that address organizations’ most pressing cybersecurity challenges. Devesh Arora Dir. Engineering Software Development & Web Services At Merlin International, Devesh Arora is leading a team responsible for development of front-end & microservices along with the secure DevOps strategy and implementation.

3. June 30, 2019 3 Agenda

4. Opportunity June 30, 2019 4 Secure DevOps Continuous Information Assurance Cloud native and rapid adoption of cloud platforms Use of CI/CD - Continuous Integration/Continuous Deployment Deliver secure code by integrating security practices into the pipeline Benefits Protect your systems, data and business Reputation, brand, profits Reduce Risk Customer Confidence Reduce Costs By 2019 only 10% of DevOps initiatives will have achieved the level of security automation required to be considered fully DevSecOps, up from less than 5% in 2017. By 2019, more than 70% of enterprise DevSecOps initiatives will have incorporated automated security vulnerability and configuration scanning for open-source components and commercial packages, up from less than 10% in 2016. By 2021, DevSecOps practices will be embedded in 80% of rapid development teams, up from 15% in 2017.Opportunity January 16, 2019 4 Secure DevOps Continuous Information Assurance Cloud native and rapid adoption of cloud platforms Use of CI/CD - Continuous Integration/Continuous Deployment Deliver secure code by integrating security practices into the pipeline Benefits Protect your systems, data and business Reputation, brand, profits Reduce Risk Customer Confidence Reduce Costs By 2019 only 10% of DevOps initiatives will have achieved the level of security automation required to be considered fully DevSecOps, up from less than 5% in 2017. By 2019, more than 70% of enterprise DevSecOps initiatives will have incorporated automated security vulnerability and configuration scanning for open-source components and commercial packages, up from less than 10% in 2016. By 2021, DevSecOps practices will be embedded in 80% of rapid development teams, up from 15% in 2017.

5. What is DevOPS June 30, 2019 5 Secure DevOps DevOps is agile on steroids As a methodology to build software fast Accelerates the velocity with which products are deployed to customers DevOps begins with all things continuous • Continuous Integration (CI) is the principle that code changes are checked into the source code repository in small batches • Continuous delivery and deployment are principles for how the results of testing are reviewed, and system automatically makes decision as to what to do with the build • Continuous Testing, Quality, Security, Governance, and so on …

6. Why DevOPS June 30, 2019 6 Secure DevOps Businesses need to accelerate the delivery of applications Focuses on quickly moving new features out to the customers Give Dev teams capability to deploy quickly and continuously … and the responsibility to support code in production Tear down the traditional silos of IT, namely between development and operations Puppet Labs 200x increase in speed from code commit to deploy 30x more frequent deployments 60% fewer production failures Bank of America 6x reduction in production defects Ticket Master Reduced Mean Time to Repair by 90% Source: https://www.slideshare.net/AndersLundsgrd/the-devops-journey-in-an-enterprise-scania-swisscom-software-day-2016

7. The Ying and the Yang June 30, 2019 7 Secure DevOps Challenges organizations face • Adoption of DevOps practices introduces complications • Auditing standardized security controls • Constantly changing assets with CD • Segregation of duties • Tracking cloud assets, extreme virtualization • DHCP logging or NAC/802,1x • Especially when controlled by 3rd party And there are opportunities • Focus on fast deployment, continual improvement, and automation • Naturally forces collaboration with teams • Avoids last-minute manual audits • Continuously TVM Shift Left • Security teams engaged early • Design, Deploy, Security Reviews • Ability to influence future heartburns • Deploy small changes • With reduced risk • Enforces standardized configurations • Logging, alerting and security metrics

8. The full end-to-end product lifecycle June 30, 2019 8 Secure DevOps

9. Build & Unit Tests Containerize Package Code Commit Code quality Scan Continuous Integration Frequent Code Check-ins Focus on Code Quality Automated Tests Find & Fix Bugs/Issues Soon Continuous Integration Secure DevOps June 30, 2019

10. Build & Unit Tests Container Package Code Commit Code quality Scan Continuous Integration git Artifact Repository Tests Functional | Integration | Performance | UAT | Smoke D e p l o y m e n t Test Staging Prod C o d e P r o m o t i o n Manual Continuous Delivery Release Management Logging & Monitoring Secure DevOps June 30, 2019

11. Build & Unit Tests Container Package Code Commit Code quality Scan Continuous Integration git Artifact Repository Tests Functional | Integration | Performance | UAT | Smoke D e p l o y m e n t Test Staging Prod A u t o m a t e d C o d e P r o m o t i o n Continuous Deployment Release Management Logging & Monitoring Secure DevOps June 30, 2019

12. Route to Secure DevOPS 6/30/2019 12 Secure DevOps Why • Criminals & hackers focus on weakness • A part of your security strategy • Constantly Evaluate Business Risks • Federal, State, Local, Regulatory Challenges • Believed too costly • Split between Functionality and Speed • Private / Behind a firewall • Find and Fix • Tools and Resources Considerations • Risk Assessments • Policy – Procedures – Processes • Regulatory – PCI, HIPAA, FISMA • Physical Infrastructure • Methodology • Data Strategy • Threat Modeling • Testing Source: https://www.cisecurity.org/webinar/foundations-of-an-application-security-program/

13. Security lifecycle in DevOPS June 30, 2019 14 Common action items including static & dynamic code analysis, vulnerability scanning, antivirus scans, and other similar integrity functions The results from the security scans are provided to project management and the Chief Information Security Officer (CISO) within the organization Secure DevOps NIST 800-115: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf

14. Common Requirements June 30, 2019 15 Access Control Audit and Accountability Configuration Management Identification and Authentication Incident Response Maintenance Media Protection Personnel Security Physical Protection Security Assessment System & Comm. Protection System & Information Integrity Secure DevOps

15. Guidance June 30, 2019 16 Secure DevOps Refine information security objectives for adoption Integrate continuous security assurance seamlessly into CI/CD toolchain Perfect security is impossible. Zero risk is impossible The entire DevOps life cycle needs to be secured Address Risk with continuous run time assessment, augment with existing cybersecurity framework

16. June 30, 2019 17 Secure DevOps Identify known vulnerabilities Use of reusable libraries and frameworks The amount of custom code is reducing considerably Open-source software (OSS) presents a unique challenge

17. Secure Configurations for HW & SW June 30, 2019 18 Known vulnerabilities Use custom hardened system images Center for Internet Security (CIS) CICD Tools simplify process of rolling out Secure DevOps

18. Automated Deployment of Infrastructure and Software June 30, 2019 19 Use blue-green deployment scenario Same principles apply to “infrastructure as code” Early adopter scenarios Secure DevOps

19. Continuous Vulnerability Assessment and Remediation June 30, 2019 20 Secure DevOps Keep up with new Vulnerabilities Reuse of Automation Framework AB Testing and Blue Green Deployment Scanning during Development 37 Vulnerabilities Return time 15 ms # errros/1000: 300 Visits / user 50 2 Vulnerabil ities Return time 25 ms # errros/1000 : 100 Visits / user 150 Patch Set A: Patch Set B:

20. Application Software Security June 30, 2019 21 Vulnerabilities found in 98% of apps Security assessments CICD Tools Advantages Run Additional Test in Staging in parallel Secure DevOps Trustwave Global Security Report

21. Controlled Use of Administrative Privileges June 30, 2019 22 The DevOps model Controlling administrative credentials becomes even more important In an “infrastructure as code” environment, the code itself acts as a privileged user Other systems provide ways to manage their own secrets Lack more advanced features Secure DevOps

22. OWASP Top 10 Project Guidelines June 30, 2019 23 Secure DevOps •Threat modeling scenarios SQL injection Cross-site scripting Cross-site request forgery Broken authentication and session management Unsecure direct object references Security misconfiguration Foundational security hygiene Embedded keys or credentials in the application System patching Target high value assets

23. Tooling that can help June 30, 2019 24 Identify actual and potential coding issues, including those identified in OWASP YASCA, HP Fortify, IBM AppScan, VisualCodeGrepper, Nessus, OpenSCAP, Black Duck, SonarQube …. Secure DevOps BlackDuck • scans and manages opensource software • supports mixed LDAP/DB auth, • good UI LAPSE • OWASP Security Scanner • Java EE Nessus • system vulnerabilities • missing patches • non- compliant system configurations OpenScap • utilizes XCCDF • system configurations for the operating system against an established checklist profile ClamAV • antivirus scanner for Linux operating systems Windows Defender • antivirus scanner for Windows operating systems Note: This is not an endorsement of any tools. The reader is encouraged to evaluate each tool independently.

24. Recommendations June 30, 2019 25 Adopt an immutable Infrastructure Mindset Integrate security and compliance testing seamlessly into DevSecOps Scan for and remove known vulnerabilities and misconfigurations Scale your information security team into DevOps Treat all automation scripts, templates, images and blueprints with the same level of assurance Train individuals and establish good communication Identify and report on Business Risks Create a culture of Security, incorporate Static and Dynamic Testing Secure DevOps

25. Conclusion June 30, 2019 26 Security is not an afterthought Integrating security into DevOps requires changing mindsets Information security must adapt to development processes and tools Regulated environment, DevOPS needs to evolve quickly Host of new security tools adapted for DevOps environments There is need for Best Practices Secure DevOps

26. Thank You tluthra@merlin-intl.com darora@merlin-intl.com

Secure DevOPS Implementation Guidance

Secure DevOPS Implementation Guidance

Recomendados

Más contenido relacionado

Was ist angesagt?

Was ist angesagt?(20)

Similar a Secure DevOPS Implementation Guidance

Similar a Secure DevOPS Implementation Guidance(20)

Último

Último(20)

Secure DevOPS Implementation Guidance

Hinweis der Redaktion