Devops: Security's big opportunity by Peter Chestna
1 like•272 views
This document discusses how DevOps presents both opportunities and challenges for application security. It describes how release timelines and team sizes have changed from waterfall to agile to DevOps approaches. It advocates for security teams to build relationships with developers, share accountability for security, provide training and remediation coaching. It also recommends strategies like appointing security champions, integrating right-sized security practices into the DevOps pipeline through techniques like static analysis, and adjusting security programs to the faster pace of DevOps.
Devops: Security's big opportunity by Peter Chestna
- 1. © 2016 VERACODE INC. 1© 2016 VERACODE INC. DevOps – Security’s Big Opportunity Peter Chestna, Director of Developer Engagement Veracode/CA
- 2. © 2016 VERACODE INC. 2 Who am I? • 25+ Years Software Development Experience • 10+ Years Application Security Experience • Certified Agile Product Owner and Scrum Master • At Veracode since 2006 • From Waterfall to Agile to DevOps • From Monolith to MicroService • Consultant on DevSecOps best practices • Fun Fact: I love whiskey! • Tell me where to drink local whiskey @PeteChestna
- 3. © 2016 VERACODE INC. 3 Lack of App Security is Damaging Companies
- 4. © 2016 VERACODE INC. 4 High Profile Breaches All attacked through the app layer
- 5. © 2016 VERACODE INC. 5 Is this your current AppSec program? @PeteChestna
- 6. © 2016 VERACODE INC. 6 Which outcome do you see? @PeteChestna
- 7. © 2016 VERACODE INC. 7© 2016 VERACODE INC. Times have changed
- 8. © 2016 VERACODE INC. 8 Release Timelines & Team Sizes Waterfall Agile DevOps 1-4 Releases Per Year 12-24 Releases Per Year 100+ Releases Per Year 50+ people 6-12 people 6-12 people @PeteChestna
- 9. © 2016 VERACODE INC. 9© 2016 VERACODE INC. DevOps Plan Dev QA Ops Business Intent App Knowledge Ops Knowledge Business Intent App Knowledge Ops Knowledge Continuity Waterfall ! ! ! ! = Handoff Agile ! @PeteChestna
- 10. © 2016 VERACODE INC. 10 Waterfall Technology Agile DevOps @PeteChestna
- 11. © 2016 VERACODE INC. 11 Agile - Process Copyright 2005, Mountain Goat Software @PeteChestna
- 12. © 2016 VERACODE INC. 12© 2016 VERACODE INC. What is DevOps?
- 13. © 2016 VERACODE INC. 13 Definition of DevOps @PeteChestna
- 14. © 2016 VERACODE INC. 14 What’s a DevOps Team? DevOps Team @PeteChestna
- 15. © 2016 VERACODE INC. 15 DevOps – Process: Where is security? Security @PeteChestna
- 16. © 2016 VERACODE INC. 16 Strategy • Relationship & Accountability • Training & Remediation Coaching • Security Champions & Right-sized testing @PeteChestna
- 17. © 2016 VERACODE INC. 17 Strategy - Relationships • Who is your peer in development? • Do you understand how they are goaled? • What are their struggles? • How often do you meet with them? • Are they sympathetic to your goals and struggles? @PeteChestna
- 18. © 2016 VERACODE INC. 18 Strategy - Accountability • Shared between development and security • Part of annual goals for both teams • Measured and reported regularly @PeteChestna
- 19. © 2016 VERACODE INC. 19 Strategy - Training • Security teams can help developers by providing training, either through eLearning or in-person instructor-led training • Think about targeted training based on policy violations @PeteChestna
- 20. © 2016 VERACODE INC. 20 Strategy - Training
- 21. © 2016 VERACODE INC. 21 Strategy - Remediation Coaching For applications that used remediation coaching, development teams fixed more than 2.5x the average # of flaws per megabyte @PeteChestna
- 22. © 2016 VERACODE INC. 22 • Eyes and ears of security • Specialized training • Basic security concepts • Threat modeling • Grooming guidelines • Secure code review training • Security controls • CTF Exercises • Escalate when necessary Strategy – Security Champions @PeteChestna
- 23. © 2016 VERACODE INC. 23 Training (eLearning, instructor led, metadata driven) Static Application Security Testing + 3rd Party Risk Analysis Remediation and Mitigation Guidance Secure Code Reviews Manual Penetration Testing Red Team Activities Runtime Application Self Protection Dynamic Application Security Testing Plan Code Build Test Stage Deploy Monitor Threat Modeling Security Grooming Secure Design Strategy – Right-sized Security @PeteChestna
- 24. © 2016 VERACODE INC. 24 CI CD 1 Develop 4 Check in Static Analysis 3 Build & Test 2 Backlog Strategy – Right-sized testing: protect the pipeline Pass? 7 Synchronize No Yes 7 Deploy to QA/Stage 6 Static Analysis 6 Unit Tests 8 Dynamic Analysis 8 Regression Testing Pass? Yes Stage then Prod Per Check-in 5 Build CI/CD Pipeline 3a Manual Testing* @PeteChestna
- 25. © 2016 VERACODE INC. 25 Conclusions • DevOps is inevitable – learn it • Relationships and shared accountability is key to securing apps • Train developers and help them fix what they find • Adjust to the speed of DevOps and right-size your security requirements @PeteChestna
- 26. © 2016 VERACODE INC. 26 Questions? @PeteChestna