Scale security for a dollar or less
2 likes702 views
The document discusses the importance of integrating security into DevOps through a practice called DevSecOps, highlighting the need for organizations to adapt quickly to changing technologies while maintaining reliability and compliance. It emphasizes core values such as collaboration, automating security, and embedding security early in the development process, as well as utilizing open-source tools for implementation. The conclusion reinforces that significant investments are not necessary for implementing DevSecOps, as it can be achieved with free and open-source tools.
Scale security for a dollar or less
- 1. Scale security in a dollar or less @secfigoɂ www.teachera.io secfi[email protected] DevSecOps London Meetup
- 2. 2 Mohammed A. Imran Senior Security Engineer # whoami Author, Speaker and Community Leader. Trainer at Blackhat, AppSec EU, Pycon, Nullcon etc., Organizer of DevSecOps Track in OSS 2018. Project Leader for OWASP DevSecOps Studio, DevSlop, Integra and Awesome-Fuzzing projects. Organised around 100 monthly security meetings and about 50 workshops. SCJP, OSCP, OSCE. Reachable on @secfigo
- 3. Agile and DevOps 1
- 4. Long Long time ago Trivia: how is this related to Singapore ?
- 5. 5 Traditional SDLC Requirements Gather Requirements from the client/customer Implementation Implement the design agreed upon Maintain Maintain of the software in production Deploy Deploy the software to the production Design Design the software according to the requirements
- 7. 7 Enter the change Agile Everything changed after agile, much shorter development cycles and faster deploys to production. Speed with which changes are being made is beyond security’s (operations) 🚨 reach. Then Agile Happened
- 8. Developers Operations Wall of confusion
- 9. 9 DevOps is a set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality - Bass, Weber, and Zhu DevOps Development (Software Engineering) Operations (Quality Assurance) DevOps
- 10. D 10 Plan & Create Plan and implement the code using source code management (SCM) A Monitor Create Verify Package Release Configure DevOps Verify Test and verify the code does, what business wants. B Package Package the code in a deployable artifact & test it in staging environment C Release Release the artefact as production ready after change/release approvals Configure Configure the application/ stack using configuration management E Monitor Monitor the application for its performance, security and compliance F DevOps Cycle
- 12. DevOps Security Wall of compliance
- 13. DevOps Security Wall of compliance
- 15. 15 Security is Outnumbered! Dev / Ops / Security 100 / 10 / 1
- 16. 16 DevOps is a set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality - Bass, Weber, and Zhu By definition, security is part of DevOps. DevSecOps Development (Software Engineering) Security (Quality Assurance) Operations DevSecOps
- 17. 17 Flexibility With ever changing technology, businesses have to be flexible and fast to deliver value to their customers otherwise they risk losing the business. Reliability Customers need more reliable & available systems. DevOps reduces failure rates and provides faster feedback Resilience DevOps helps organisations in designing and implementing resilient systems. Automation Automation helps to reduce complexity of modern systems and can scale as per needs Speed Speed is competitive advantage and DevOps helps to go to market faster. Development Security (Quality Assurance) Operations DevSecOps DevSecOps Benefits
- 18. 18 Culture DevOps is about breaking down barriers between teams; without culture other practices fail C A M S Measurement Measuring activities in CI/CD helps in informed decision making among teams Automation Often mistaken as DevOps itself but a very important aspect of the initiative. Sharing Sharing tools, best practices etc., among the teams/organization improves confidence for collaboration. How to DevSecOps ? Core Values of DevOps
- 19. Build bridges, not walls!
- 20. Build guard rails, not gates! Embed security early and often
- 21. Conway’s Law Any organization that designs a system (defined broadly) will produce a design whose structure is a copy of the organization's communication structure. “
- 23. 23 CI/CD CODEPLAN BUILD TEST RELEASE Deploy OPERATE Requirements Code Repository CI Server Integration Testing CD Orchestration MonitorArtefact Repository Functional req. Non Functional req. Design Code Branching Third party components Hooks Compile Basic tests Lint(analyze) Package Security Integration Performance Security Test on staging Release Schedule Configuration Inventory Infrastructure Metrics Monitoring Alerting
- 24. Agile Development Continuous Integration Continuous Delivery Continuous Deployment DevOps/DevSecOps CODEPLAN BUILD TEST RELEASE Deploy OPERATE Requirements Code Repository CI Server Integration Testing CD Orchestration MonitorArtefact Repository
- 25. Scale security with DevOps 3
- 26. 26 DevSecOps Implementation So far we have looked at Principles and Ideas behind DevSecOps but how do we start implementing DevSecOps ? We can use the techniques ( see towards your right hand side) discussed in this course to implement a full blown security pipeline. Everything as Code(EAC Compliance as Code and hardening via configuration management systems Secure by Default Use secure by default frameworks and services Shift Security Left Use CI/CD pipeline to embed security Self Service Gives developers and operations visibility into security activities Security Champions Encourage security champions to pick security tasks. Use maturity models Use DevSecOps Maturity Models to improve further
- 27. 1. Shift Security left Use CI/CD pipeline to embed security early on
- 28. CODEPLAN BUILD TEST RELEASE Deploy OPERATE Requirements Code Repository CI Server Integration Testing CD Orchestration MonitorArtefact Repository Functional req. Non Functional req. Design Code Branching Third party components Hooks Compile Basic tests Lint(Analyze) Package Security Integration Performance Security Test on staging Release Schedule Configuration Inventory Infrastructure Metrics Monitoring Alerting DevOps: Typical Activities
- 29. Threat Modelling ASVS Git secrets Dependency Scanning Dependency Scanning Code Analysis(SAST) Security Unit Tests Docker security Testing Git secrets scanning Component scanning ZAP testing - baseline Container Scanning Modsecurity CRS Docker/Third Party SSL scanning Nikto/dirbuster WPScan/JoomScan ZAP + selenium + python Component scanning Docker Benchmark System Hardening Application Hardening Compliance as code SOC with ELK Verify Controls CODEPLAN BUILD TEST RELEASE Deploy OPERATE Requirements Code Repository CI Server Integration Testing CD Orchestration MonitoringArtefact Repository DevOps: Typical Security Activities
- 30. 2. Self Service Gives developers and operations visibility into security activities
- 33. 3. Security as Code (EaC) Compliance as Code and hardening via configuration management systems
- 34. 4. Secure by default Use secure by default frameworks and services
- 35. DevSecOps Maturity Model 4
- 36. DevSecOps Maturity Model (DSOMM) Source: https://www.slideshare.net/cschneider4711/hackpra-2015-security-devops-free-pentesters-time-to-focus-on-highhanging-fruits
- 37. DevSecOps Maturity Model (DSOMM) Static Depth: How deep is static code analysis ? Dynamic Depth: How deep are dynamic scans executed ? Intensity: How intense are the majority of the executed attacks ? Consolidation: How complete is the process of handling findings ? Source: https://www.slideshare.net/cschneider4711/hackpra-2015-security-devops-free-pentesters-time-to-focus-on-highhanging-fruits
- 38. 38 Security Tools in CI/CD 1. Anything which takes more than 10 minutes (me being optimistic), isn’t fit for CI/CD 2. SAST/DAST without creating custom rules/tweaks is of not huge benefit down the line. 3. Create separate jobs for easy debugging later. 4. Roll out tools in phases. 5. Fail builds when critical/high severity issues are found (after you have given devs/ops enough time to learn and get used to the security tools) 6. Link wiki in the scan outputs if someone needs some answers. 7. Tools which provide APIs are huge wins but make sure you at least have a CLI 8. See if your tools does incremental/baseline scans. 9. Some Ability to control the scope and false positives locally is nice (see brakeman/zap/dependency checker). 10. When in doubt ask Developers/QA for the help. 11. Everything as Code (EaC). Auditable, measurable and secure
- 39. ≈ç Let’s see DevSecOps pipeline in Action DEMO
- 40. 40 DevSecOps Studio is a virtual environment to learn and teach DevSecOps concepts. Its easy to get started and is mostly automatic. It takes lots of efforts to setup a DevSecOps environment for training/demos and more often, its error prone when done manually. OWASP DevSecOps Studio https://github.com/teacheraio/DevSecOps-Studio/
- 41. 41 Easy to setup Takes only few mins to setup and start using with just one command A Reproducible The aim of this project is to setup reproducible DevSecOps Lab environment for learning and testing different tools. B Free & Open Source Software This project is a free and open software to help more people learn about DevSecOps C DevSecOps Studio Benefits
- 42. 42 Our Setup for On-Premise GITLABDeveloper(s) > > >Gitlab CI/CD RUNNER PROD SERVER > Push Code to git repo Triggers Build Run tests Deploys to Production
- 43. 43 Our Setup for On-Premise Developer(s) > > >JEnkins CI/CD JENKINS SLAVE PROD SERVER > Push Code to git repo Triggers Build Run tests Deploys to Production GITLAB
- 44. 44 Python security tools Security Test Tool SAST Bandit DAST ZAP Baseline Hardening Ansible Compliance Inspec Git Secrets Trufflehog
- 45. 45 Conclusion In conclusion, we don't need large sums of money to implement DevSecOps. We can use free and open source tools to showcase the benefits and value DevSecOps provides to the organization(s). Go on, embed security as part of CI/CD Everything as Code(EAC Use Configuration management (IaC) to implement Security as Code Secure by Default Use secure by default frameworks and services Shift Security Left Use CI/CD pipeline to embed security early on Self Service Give developers and operations visibility into security activities/tools Security Champions Encourage security champions to pick security tasks. Use maturity models Use DevSecOps Maturity Models to improve further
- 46. Thank you! You folks are awesome. @secfigoɂ www.teachera.io secfi[email protected]