Post on 22-May-2020
APPSEC BEHAVIORS FOR DEVOPS BREED SECURITY CULTURE CHANGE
Copyright © Security Journey, 2017
About Chris Romeo
• CEO / Co-Founder / Security Culture Hacker @ Security Journey
• Experience
• 20 years in the security world, CISSP, CSSLP
• 10 years at Cisco, leading the Cisco Security Ninja program & CSDL
• Speaker at RSA, AppSec USA, AppSec EU, & ISC2 Security Congress
• Co-host of the #AppSec PodCast
• Owner of a DevOps build pipeline; consulting with companies trying to figure out AppSec + DevOps @edgeroute
Behaviors → mindset, skills → skillsets
Agenda
• The State of DevOps and Security
• DevOps Culture
• Security Components for DevOps
• Creating a DevOps + Security Culture
• Security Behaviors and Habits
• Conclusion and Key Takeaways
A DevOps
DevOps according to DevOps Borat
All things continuous
Continuous: Integration, Delivery, Deployment, Security? Security Test?
So What?
Why does PSIRT care?
5 things people HATE about DevOps
1. Everyone thinks it's all about Automation.
2. "True" DevOps apparently have no processes - because DevOps takes care of that.
3. The emergence of the "DevOps' DevOp", a pseudo-intellectual loudly spewing theories about distantly unrelated fields that are entirely irrelevant and speaking at conferences.
4. People constantly pointing to Etsy, Facebook & Netflix as DevOps. Let's promote the stories of companies that better represent the market at large.
5. Lack of fit for anyone who is not in a Dev or Ops role.
A DevOps culture
1. Things move fast
2. Small pieces of work checked in often
3. Autonomous teams with transparency; no silos
4. Building quality into the development process
5. Feedback / eliminate blame / embrace failure
6. Automation
Naming rights
Security components to go fast
• Security best practices
• Threat modeling
• Static analysis
• Security code review
• Dynamic analysis
• Vulnerability scanning
• 3rd Party SW / Dependency checker
• Red Teaming
• PSIRT
A DevOps + Security
• Security best practices
• Threat modeling
• Static analysis
• Security code review
• Dynamic analysis
• Vulnerability scanning
• 3rd Party SW / Dependency checker
• PSIRT
• Red Teaming
Security culture
“What happens {with security} when people are left to their own devices.” -- Tim Ferriss
1. Application security is about the people.
2. The people introduce the vulnerabilities.
3. Security in DevOps must change the people.
Defining features of a sustainable DevOps security culture
• Deliberate and disruptive
• Eliminate Security Blame
• Building Quality AND Security In
• Security Transparency
• No security silo
• Culture Hacking
• Community
• Automation
How do we embed a culture of security?
• Lightweight
• Well defined
• Clear start and finish point
• Why and ROI
• Easily repeatable
Security behavior
Security Behavior – a manner of behaving that decreases danger, risk, or threat
Security behavior vs. security process
[Diagram: a process shown as Step 1 → Step 2 → Step 3]
Security habits
• Routine
• Reward
• Reminder
Build security in
Security best practices
Desired Outcome:
• A widespread attitude / culture change
• Consideration of security best practices early
Habit Generation:
• Explain WHY they should care
• Demonstrate how best practices are done
• Understand the negative case, or not doing them
Uncover design security problems
Threat modeling
Desired Outcome:
• Choose the design decision that protects the confidentiality and integrity of customer data
Habit Generation:
• Show developers how to create a threat model
• Quickly move to threat modeling an active design on which they are working
• Enable the security light bulb
React to automated security bugs
Dynamic analysis, Static analysis, Vulnerability scanning
Desired Outcome:
• Interpret automated security notifications as a gift and not a curse
Habit Generation:
• Position the interruption as close to the dev as possible (IDE-based SA)
• Aggressively limit false positives – do not scan for everything in the beginning
Detect security flaws in others’ code
Security code review
Desired Outcome:
• Find the errors in the code that could be exploited if they reach production (those missed by automated scans)
Habit Generation:
• Force a security code review in the code commit process
• Require a security +1 for each check-in
• Teach your developers the fundamental security lessons of their languages, and how to find those issues in code
Eradicate 3rd party software vuln’s
3rd Party SW / Dependency Checking
Desired Outcome:
• Eliminate known vulnerable components at deploy time
Habit Generation:
• Break the build on a dependency checker failure
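The two habits above that a pipeline can enforce directly are "break the build on a dependency checker failure" and, from the automated-scanning slide, "aggressively limit false positives – do not scan for everything in the beginning". The following is an added example, not code from the talk or from Security Journey: a CI gate that reads a dependency-checker report, fails the build only for findings at or above a configurable severity floor, and honours a time-boxed accepted-risk list so that a waiver has to be revisited instead of silently living forever. The JSON report shape, the component names and the `ADV-PLACEHOLDER-*` advisory ids are all constructed for the example; a real pipeline would point `parse_report` at whatever format its checker actually emits.

```python
"""Break-the-build gate for a dependency-checker report.

Added example (not from the talk or Security Journey). Assumes a
tool-neutral JSON report (constructed below) with one entry per dependency
and a list of vulnerabilities per entry.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass
from datetime import date

# Ordering used for the "fail only at or above this level" severity floor.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    advisory: str   # advisory id as reported by the checker (placeholders here)
    severity: str   # one of SEVERITY_RANK's keys


@dataclass
class GateResult:
    blocking: list[Finding]      # findings that fail the build
    waived: list[Finding]        # covered by an unexpired accepted risk
    below_floor: list[Finding]   # reported, but under the severity floor

    @property
    def passed(self) -> bool:
        return not self.blocking


def parse_report(text: str) -> list[Finding]:
    """Flatten the per-dependency report into one Finding per vulnerability."""
    data = json.loads(text)
    findings: list[Finding] = []
    for dep in data["dependencies"]:
        for vuln in dep.get("vulnerabilities", []):
            sev = vuln["severity"].upper()
            if sev not in SEVERITY_RANK:
                raise ValueError(f"unknown severity {sev!r} for {dep['component']}")
            findings.append(Finding(dep["component"], dep["version"], vuln["id"], sev))
    return findings


def evaluate(findings, floor="HIGH", accepted_risks=None, today=None) -> GateResult:
    """Decide pass/fail.

    floor: lowest severity that breaks the build. Start high and lower it as
           the team gets used to the signal; this is what keeps early noise down.
    accepted_risks: {advisory id: "YYYY-MM-DD" expiry}. A waiver only counts
           while unexpired, so accepted risk is re-examined, not forgotten.
    """
    accepted_risks = accepted_risks or {}
    today = today or date.today()
    result = GateResult([], [], [])
    for f in findings:
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[floor]:
            result.below_floor.append(f)
            continue
        expiry = accepted_risks.get(f.advisory)
        if expiry is not None and date.fromisoformat(expiry) >= today:
            result.waived.append(f)
        else:
            result.blocking.append(f)
    return result


# Constructed sample report; advisory ids are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"component": "example-http-lib", "version": "2.1.0",
     "vulnerabilities": [{"id": "ADV-PLACEHOLDER-001", "severity": "CRITICAL"}]},
    {"component": "example-yaml-parser", "version": "0.9.4",
     "vulnerabilities": [{"id": "ADV-PLACEHOLDER-002", "severity": "HIGH"},
                         {"id": "ADV-PLACEHOLDER-003", "severity": "LOW"}]},
    {"component": "example-logging", "version": "5.0.1", "vulnerabilities": []},
]})

# Constructed accepted-risk list: the HIGH finding has a waiver with an expiry date.
SAMPLE_ACCEPTED = {"ADV-PLACEHOLDER-002": "2099-01-01"}


def run_gate(report_text: str, accepted_risks, floor="HIGH", today=None) -> GateResult:
    """Evaluate the report and print a human-readable verdict for the CI log."""
    result = evaluate(parse_report(report_text), floor, accepted_risks, today)
    for f in result.blocking:
        print(f"BLOCK  {f.component}@{f.version} {f.advisory} ({f.severity})")
    for f in result.waived:
        print(f"WAIVED {f.component}@{f.version} {f.advisory} until {accepted_risks[f.advisory]}")
    print("PASS" if result.passed else "FAIL: fix or upgrade the blocking dependencies")
    return result


if __name__ == "__main__":
    # With a path argument, gate a real report; otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(0 if run_gate(text, SAMPLE_ACCEPTED).passed else 1)
```

Run as a pipeline step, a non-zero exit code is what "breaks the build"; the severity floor and the expiring waiver list are the two knobs that keep the first weeks of the gate from drowning developers in findings they cannot act on.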
Be mean to your code
Red Teaming
Desired Outcome:
• Uncover flaws using active testing, fix those flaws, and push the fixes to production as fast as possible.
Habit Generation:
• Instill the idea that your code will be attacked
• Provide the time and tools for everyone to spend time attacking
Respond in a timely and organized fashion
PSIRT
Desired Outcome:
• Partnership between dev and PSIRT to alleviate any security bugs in the shortest amount of time possible
Habit Generation:
• Talk to and educate developers about the PSIRT mission
Summary
Security Behaviors for DevOps
Build Security In
Uncover design security problems
React to automated security bugs
Detect security flaws in others’ code
Eradicate 3rd party software vuln’s
Be mean to your code
Respond in a timely and organized fashion
Security behaviors through security community
• People
• Monthly Training
• Security Days
• Internal Capture the Flag
• Conferences
Build a security [advocate, guild, champion] program
Apply What You Have Learned Today
■ Next week:
– Assess your organizational DevOps and security culture
– Survey the DevOps population to gauge response to security
■ In the first three months:
– Prioritize security behaviors and form a plan
– Focus on the security behavior that is your top priority and invest in making it successful
■ Within six months:
– Branch out to your top three security behaviors and focus in
■ Within one year:
– Roll out all the security behaviors
Key takeaways
1. Just call it DevOps and focus on making security a natural part of building stuff.
2. Security behaviors embed security without all the overhead.
3. Security community bolsters security behavior.
Resources to learn more
https://techbeacon.com/contributors/chris-romeo
Q+A and Thank you!
Chris Romeo, CEO / Co-Founder
chris_romeo@securityjourney.com
www.securityjourney.com
@edgeroute, @SecurityJourney