
Post on 22-May-2020


APPSEC BEHAVIORS FOR DEVOPS BREED SECURITY CULTURE CHANGE

Copyright © Security Journey, 2017

About Chris Romeo

• CEO / Co-Founder / Security Culture Hacker @ Security Journey

• Experience

  • 20 years in the security world, CISSP, CSSLP

  • 10 years at Cisco, leading the Cisco Security Ninja program & CSDL

  • Speaker at RSA, AppSec USA, AppSec EU, & ISC2 Security Congress

  • Co-host of the #AppSec Podcast

  • Owner of a DevOps build pipeline; consulting with companies trying to figure out AppSec + DevOps @edgeroute


Behaviors → mindset, skills → skillsets

Agenda

• The State of DevOps and Security
• DevOps Culture
• Security Components for DevOps
• Creating a DevOps + Security Culture
• Security Behaviors and Habits
• Conclusion and Key Takeaways

A DevOps

DevOps according to DevOps Borat

All things continuous

Continuous: Integration, Delivery, Deployment, Security?, Security Test?

So What?

Why does PSIRT care?

5 things people HATE about DevOps

1. Everyone thinks it's all about Automation.

2. "True" DevOps apparently have no processes, because DevOps takes care of that.

3. The emergence of the "DevOps' DevOp", a pseudo-intellectual loudly spewing theories about distantly unrelated fields that are entirely irrelevant and speaking at conferences.

4. People constantly pointing to Etsy, Facebook & Netflix as DevOps. Let's promote the stories of companies that better represent the market at large.

5. Lack of fit for anyone who is not in a Dev or Ops role.

A DevOps culture

1. Things move fast

2. Small pieces of work checked in often

3. Autonomous teams with transparency; no silos

4. Building quality into the development process

5. Feedback / eliminate blame / embrace failure

6. Automation

Naming rights

Security components to go fast

Security best practices · Threat modeling · Static analysis · Security code review · Dynamic analysis · Vulnerability scanning · 3rd party SW / dependency checker · Red teaming · PSIRT

A DevOps + Security

Security best practices · Threat modeling · Static analysis · Security code review · Dynamic analysis · Vulnerability scanning · 3rd party SW / dependency checker · PSIRT · Red teaming

Security culture

"What happens {with security} when people are left to their own devices." -- Tim Ferriss

1. Application security is about the people.

2. The people introduce the vulnerabilities.

3. Security in DevOps must change the people.

Defining features of a sustainable DevOps security culture

Deliberate and disruptive

Eliminate security blame

Building quality AND security in

Security transparency

No security silo

Culture hacking · Community · Automation

How do we embed a culture of security?

Lightweight

Well defined

Clear start and finish point

Why and ROI

Easily repeatable

Security behavior

Security Behavior – a manner of behaving that decreases danger, risk, or threat

Security behavior vs. security process

(process: Step 1 → Step 2 → Step 3)

Security habits

Routine · Reward · Reminder

Build security in

Security best practices

Desired Outcome

• A widespread attitude / culture change

• Consideration of security best practices early

Habit Generation

• Explain WHY they should care

• Demonstrate how best practices are done

• Understand the negative case of not doing them

Uncover design security problems

Threat modeling

Desired Outcome

• Choose the design decision that protects the confidentiality and integrity of customer data

Habit Generation

• Show developers how to create a threat model

• Quickly move to threat modeling an active design on which they are working

• Enable the security lightbulb

React to automated security bugs

Static analysis · Dynamic analysis · Vulnerability scanning

Desired Outcome

• Interpret automated security notifications as a gift and not a curse

Habit Generation

• Position the interruption as close to the dev as possible (IDE-based static analysis)

• Aggressively limit false positives – do not scan for everything in the beginning
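An added example, not from the original slides: a deliberately small, high-precision static analysis pass in Python, in the spirit of "do not scan for everything in the beginning". It implements three rules whose AST shape is rarely benign (a literal `shell=True` on a subprocess call, a literal `verify=False` on a requests call, and any call to `eval`/`exec`) and honours an inline suppression marker so a reviewed finding stops interrupting the developer. The rule names, the `# sast: ignore` marker and the sample source are constructed for this illustration; the point is the shape of a starter rule set that can sit in the IDE or a pre-commit hook, which is the "close to the dev" placement the slide asks for.

```python
"""Added example (not from the original slides): a small, high-precision static
analysis pass that flags three unambiguous patterns and honours an inline
suppression marker.  Rule names, the marker and SAMPLE_SOURCE are constructed."""
import ast
from dataclasses import dataclass
from typing import List, Optional

SUPPRESS_MARKER = "# sast: ignore"  # constructed convention: a reviewed line stays quiet


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


def _callee(node: ast.Call) -> str:
    """Dotted name of the called function: 'eval', 'subprocess.run', 'requests.get'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def _has_literal_kwarg(node: ast.Call, name: str, value: object) -> bool:
    """True only when the keyword is spelled out with that literal value.

    A variable (shell=flag) is deliberately not flagged: trading recall for
    precision keeps early findings credible."""
    return any(
        kw.arg == name and isinstance(kw.value, ast.Constant) and kw.value.value is value
        for kw in node.keywords
    )


def _check_call(node: ast.Call) -> Optional[Finding]:
    """The starter rule set: each rule keys on an AST shape that is rarely benign."""
    name = _callee(node)
    if name in ("eval", "exec"):
        return Finding("CODE_EXEC", node.lineno, f"{name}() executes arbitrary code")
    if name.startswith("subprocess.") and _has_literal_kwarg(node, "shell", True):
        return Finding("SHELL_TRUE", node.lineno, f"{name}(shell=True) enables command injection")
    if name.startswith("requests.") and _has_literal_kwarg(node, "verify", False):
        return Finding("TLS_VERIFY_OFF", node.lineno, f"{name}(verify=False) disables certificate checks")
    return None


def scan_source(source: str) -> List[Finding]:
    """Walk the AST once; drop findings on lines carrying SUPPRESS_MARKER."""
    lines = source.splitlines()
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        finding = _check_call(node)
        if finding is not None and SUPPRESS_MARKER not in lines[finding.line - 1]:
            findings.append(finding)
    return sorted(findings, key=lambda f: f.line)


# Constructed input: what a developer might have open in the IDE.
SAMPLE_SOURCE = """\
import subprocess, requests
def run(cmd, url):
    subprocess.run(cmd, shell=True)
    subprocess.run(["ls", "-l"], shell=False)
    requests.get(url, verify=False)
    eval("1+1")  # sast: ignore
    return eval(cmd)
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: [{f.rule}] {f.message}")
```

Running the block reports three findings (lines 3, 5 and 7 of the sample) and stays silent on the `shell=False` call and on the suppressed `eval`. Growing the rule set one rule at a time, each with a known false-positive rate, is how the "gift, not a curse" outcome survives contact with a busy team.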

Detect security flaws in others' code

Security code review

Desired Outcome

• Find the errors in the code that could be exploited if they reach production (those missed by automated scans)

Habit Generation

• Force a security code review into the code commit process

• Require a security +1 for each check-in

• Teach your developers the fundamental security lessons of their languages, and how to find those issues in code
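One way to wire the "security +1 for each check-in" rule into a merge gate, as an added example that is not the slides' own material: it reads the reviews recorded on a change and refuses the merge unless someone from the security reviewer group approved it, ignoring self-approval and non-approving review states. The reviewer roster, the path patterns and the review tuples are constructed; the `every_change=False` variant goes slightly beyond the slide by scoping the rule to security-sensitive paths, which is a common way to phase the habit in before applying it to every check-in.

```python
"""Added example (not from the original slides): a merge gate that enforces a
security +1 on a change.  Reviewer roster, path patterns and the review data in
the demo are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Iterable, List, Tuple

SECURITY_REVIEWERS = {"sec-alice", "sec-bob"}  # constructed: the people whose +1 counts
# Constructed patterns for the path-scoped variant; fnmatch's '*' also matches '/'.
SENSITIVE_PATHS = ["auth/*", "crypto/*", "*/secrets*", "deploy/*", "Dockerfile"]


@dataclass(frozen=True)
class GateResult:
    allowed: bool
    reason: str


def touches_sensitive_path(changed_files: Iterable[str]) -> List[str]:
    """Files in the change that match any SENSITIVE_PATHS pattern."""
    return [f for f in changed_files if any(fnmatch(f, p) for p in SENSITIVE_PATHS)]


def security_plus_one(
    author: str,
    reviews: Iterable[Tuple[str, str]],
    changed_files: Iterable[str],
    every_change: bool = True,
) -> GateResult:
    """Decide whether the change may merge.

    reviews: (reviewer, state) pairs as a code host would report them, e.g.
    ("sec-alice", "APPROVED").  Only APPROVED counts, and the author cannot
    approve their own change.  With every_change=True (the slide's rule) any
    check-in needs a security +1; with every_change=False only changes that
    touch SENSITIVE_PATHS do.
    """
    changed_files = list(changed_files)
    approvers = {user for user, state in reviews if state == "APPROVED" and user != author}
    security_approvers = approvers & SECURITY_REVIEWERS
    sensitive = touches_sensitive_path(changed_files)

    if not every_change and not sensitive:
        return GateResult(True, "no security-sensitive paths changed; ordinary review suffices")
    if security_approvers:
        return GateResult(True, f"security +1 from {sorted(security_approvers)[0]}")
    scope = "every check-in" if every_change else "changes under " + ", ".join(sensitive)
    return GateResult(False, f"missing security +1 ({scope} requires one)")


if __name__ == "__main__":
    demo = security_plus_one(
        author="dev-carol",
        reviews=[("dev-dan", "APPROVED"), ("sec-alice", "APPROVED")],
        changed_files=["auth/login.py", "docs/README.md"],
    )
    print("merge" if demo.allowed else "block", "-", demo.reason)
```

The gate returns a reason string with every decision so the developer sees why the merge is blocked; pairing that message with the "teach the fundamental lessons" bullet (a link to the relevant guidance) is what turns the block from a toll gate into a habit.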

Eradicate 3rd party software vulns

3rd party SW / dependency checking

Desired Outcome

• Eliminate known vulnerable components at deploy time

Habit Generation

• Break the build on a dependency checker failure
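The "break the build on a dependency checker failure" habit as an added Python example (not from the original deck): it parses a pinned requirements file, compares each pin against an advisory list, and returns a non-zero exit status when a known-vulnerable version is present so the CI job fails. Package names, versions and advisory identifiers here are constructed for the illustration; version comparison is numeric-only, and a real checker would use a PEP 440 parser and a live advisory feed.

```python
"""Added example (not from the original slides): a dependency gate that fails
the build when a pinned dependency is below the fixed version in an advisory.
Package names, versions and advisory ids below are constructed."""
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: str      # first safe version; anything lower is affected
    advisory_id: str   # constructed id, not a real CVE


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric dotted versions only; a real checker would use a PEP 440 parser."""
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Read 'name==version' lines.  Unpinned lines are an error: the gate can
    only reason about what is actually deployed."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency {line!r}; pin it with ==")
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = version.strip()
    return deps


def find_vulnerable(deps: Dict[str, str], advisories: List[Advisory]) -> List[Tuple[str, str, Advisory]]:
    """(package, installed_version, advisory) for every pin below its fix."""
    hits = []
    for adv in advisories:
        installed = deps.get(adv.package.lower())
        if installed is not None and parse_version(installed) < parse_version(adv.fixed_in):
            hits.append((adv.package, installed, adv))
    return hits


def gate(requirements_text: str, advisories: List[Advisory]) -> int:
    """Exit status for the CI step: 0 clean, 1 vulnerable component, 2 unusable input."""
    try:
        deps = parse_requirements(requirements_text)
    except ValueError as err:
        print(f"dependency check error: {err}")
        return 2
    hits = find_vulnerable(deps, advisories)
    for package, installed, adv in hits:
        print(f"BLOCK {package}=={installed}: {adv.advisory_id}, upgrade to >= {adv.fixed_in}")
    return 1 if hits else 0


# Constructed lock file and advisory feed for the demonstration.
REQUIREMENTS = """\
# pinned by the build
widgetlib==1.4.2
parsekit==0.9.0
cleanpkg==3.1.0
"""
ADVISORIES = [
    Advisory("widgetlib", "1.5.0", "EXAMPLE-ADV-0001"),
    Advisory("parsekit", "0.8.0", "EXAMPLE-ADV-0002"),   # already fixed in 0.9.0
    Advisory("nothere", "9.9.9", "EXAMPLE-ADV-0003"),    # not a dependency here
]

if __name__ == "__main__":
    sys.exit(gate(REQUIREMENTS, ADVISORIES))   # non-zero status breaks the build
```

Two design choices carry the habit: an unpinned dependency is treated as a failure of its own (status 2) rather than silently skipped, and the message names the advisory and the first fixed version so the fix is a one-line bump rather than a research task.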

Be mean to your code

Red teaming

Desired Outcome

• Uncover flaws using active testing, fix those flaws, and push the fixes to production as fast as possible.

Habit Generation

• Instill the idea that your code will be attacked

• Provide the time and tools for everyone to spend time attacking

Respond in a timely and organized fashion

PSIRT

Desired Outcome

• Partnership between dev and PSIRT to alleviate any security bugs in the shortest amount of time possible

Habit Generation

• Talk to and educate developers about the PSIRT mission

Summary

Security Behaviors for DevOps

Build Security In

Uncover design security problems

React to automated security bugs

Detect security flaws in others' code

Eradicate 3rd party software vulns

Be mean to your code

Respond in a timely and organized fashion

Security behaviors through security community

People · Monthly Training · Security Days · Internal Capture the Flag · Conferences

Build a security [advocate, guild, champion] program

Apply What You Have Learned Today

■ Next week:
– Assess your organizational DevOps and security culture
– Survey the DevOps population to gauge its response to security

■ In the first three months:
– Prioritize security behaviors and form a plan
– Focus on the security behavior that is your top priority and invest in making it successful

■ Within six months:
– Branch out to your top three security behaviors and focus in

■ Within one year:
– Roll out all the security behaviors

Key takeaways

1. Just call it DevOps and focus on making security a natural part of building stuff.

2. Security behaviors embed security without all the overhead.

3. Security community bolsters security behavior.

Resources to learn more

https://techbeacon.com/contributors/chris-romeo

Q+A and Thank you!

Chris Romeo, CEO/Co-Founder

chris_romeo@securityjourney.com

www.securityjourney.com

@edgeroute, @SecurityJourney