Devops security-An Insight into Secure-SDLC

Post on 15-Aug-2015


DevOps Security - Part 1: An insight into S-SDLC

SUMAN SOURAV

Agenda

DevOps Security - Introduction

Software Security Toll Gates in DevOps

An inside story of continuous security testing implementation

Challenges

Disclaimer

Not endorsing any tools

About me: Software Security Professional with 10+ years of experience

Specialize in Secure SDLC implementation

Threat Modeling/Secure Code Review/Penetration Testing/DevOps Security

Secure Coding Trainer, SecurityQA Testing Trainer, Speaker

What next for me?

IoT Security

SmartCity Security

DevOps-Introduction

Faster Release Cycle

Shortened Delivery Time

Unified Tools and Process

Integration between different teams

Secure-SDLC

• Requirements: Security Requirements

• Design: Threat Modeling

• Development: Secure Code Review

• Deployment: Vulnerability Scanning/PT

• Operation: Monitoring

Time to complete these activities?

DevOps Security: Pre-Staging

Source: Kaspersky

Continuous Integration

Security Automation

Right Process, People, Tools

Collaboration & Sharing

Metrics and Data Analytics

Security Failures in DevOps

[Pipeline diagram: stages Requirements, Design, Development, Build and Deploy, Staging, Production, with "Dev Risk" marked. Security controls shown along the pipeline: Threat Modeling, SCM Tools, SCA Tools/IDE Plugins, Security Test Automation, VS/PT/IAST, Components Monitoring, Third Party Libraries - Security Report, Production Monitoring. Repositories: External Repositories, Common Components Repository. Collaboration: Products 1 to 9 with Security Champions.]

Requirements

Security Questionnaire

Automated Score Calculation

Provide guidance for component selection

Design

Threat Modeling (Demo) - Automated Approach

Development

Source Code Management

1. Branching

2. Ownerships

Secure Code Review - IDE Plugins (Demo)

Develop and Test

Takes a couple of minutes to generate a vulnerability report

Vulnerability Coverage

• Detect the most obvious vulnerabilities

• Quickly provide the security posture of the applications

Merging Reports

• Keep an eye on new issues and fixed issues

• Less time spent in false positive analysis

Build & Deployment

CI Tools

Jenkins

Hudson

TeamCity etc

CI Tools Integration

Third Party libraries analysis

Static Analysis

Security Unit test Cases

Dynamic Analysis
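The "Merging Reports" and "CI Tools Integration" slides describe diffing successive static-analysis reports so that only new and fixed issues need attention and earlier false-positive verdicts are not re-analysed. The following is an added example, not code from the talk or any scanner: findings are keyed by rule, file and normalised source line (a constructed scheme), and a CI toll gate blocks the build on open high-severity findings.

```python
"""Merge two successive static-analysis reports: new issues, fixed issues, and
persisting findings with their earlier triage verdict. Sample data is constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

@dataclass(frozen=True)
class Finding:
    rule: str      # scanner rule id, e.g. "sql-injection"
    path: str      # source file the finding points at
    snippet: str   # offending line; keyed on this instead of a line number so
                   # unrelated edits above it do not make the finding look "new"
    severity: str  # "high", "medium" or "low"

    def fingerprint(self) -> Tuple[str, str, str]:
        return (self.rule, self.path, " ".join(self.snippet.split()))

def merge_reports(previous: Iterable[Finding], current: Iterable[Finding],
                  triage: Dict[Tuple[str, str, str], str]):
    """Return (new, fixed, carried); `triage` maps fingerprints a reviewer
    has already judged to a verdict such as "false_positive"."""
    prev = {f.fingerprint(): f for f in previous}
    curr = {f.fingerprint(): f for f in current}
    new = [f for fp, f in curr.items() if fp not in prev]
    fixed = [f for fp, f in prev.items() if fp not in curr]
    carried = {f: triage.get(fp) for fp, f in curr.items() if fp in prev}
    return new, fixed, carried

def gate_passes(new, carried: Dict[Finding, Optional[str]],
                fail_on=("high",)) -> bool:
    """CI toll gate: fail the build on any open (untriaged) finding whose
    severity is in fail_on, whether it is new or carried without a verdict."""
    open_findings = list(new) + [f for f, v in carried.items() if v is None]
    return not any(f.severity in fail_on for f in open_findings)

# Constructed reports for two successive builds of the same application.
PREVIOUS = [
    Finding("sql-injection", "app/orders.py", 'cur.execute("... WHERE id=" + oid)', "high"),
    Finding("weak-hash", "app/cache.py", "hashlib.md5(key.encode())", "medium"),
]
CURRENT = [
    Finding("weak-hash", "app/cache.py", "hashlib.md5(key.encode())", "medium"),
    Finding("path-traversal", "app/files.py", "open(base + name)", "high"),
]
# Verdict recorded against the earlier build: md5 here only derives a cache
# key, so the reviewer marked it a false positive; it need not be re-read.
TRIAGE = {PREVIOUS[1].fingerprint(): "false_positive"}

def run_example():
    new, fixed, carried = merge_reports(PREVIOUS, CURRENT, TRIAGE)
    return new, fixed, carried, gate_passes(new, carried)
```

Running `run_example()` reports the SQL injection as fixed, the path traversal as new, carries the md5 finding forward with its false-positive verdict, and fails the gate because of the new high-severity issue.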

QA Role in DevOps Security

Security Review of Requirements & Design Documents

Security Static Code Analysis Results Review

Dynamic Security Analysis

Penetration Testing including Fuzz Testing

Third Party Components Review

Security Unit Test Cases (Demo)

CI Integration - DAST

Flow: Unit Test Cases -> Browsers -> Scanners -> Reports

Reference: http://www.hindsightsoftware.com/blog/security-testing-with-selenium-and-the-zed-attack-proxy-zap

Static Analysis Integration

[Flow diagram: Build Environment integrates with the build, executes the SA (static analysis) scan and generates a report, which is uploaded to the Reporting Server; Developers log in, audit the findings, re-upload, and fix vulnerabilities.]

Interactive Application Security Testing (IAST)

Accuracy without false positives

Testing is fast

Indifferent to the underlying framework

Vulnerability Management & Hybrid Analysis

Inputs: Static Analysis, Dynamic Analysis, SecurityQA, VA/PT/IAST -> Priority Fix

Security Metrics & Data Analytics

[Chart: Training Index and Bug Index per release, Release 1 to Release 4, y-axis 0 to 120]

Bug Tracking System

Keep track of issue remediation

Workflow to automate issue creation & assigning ownership

Automated email alert to respective product owners

Limitations & Challenges

All manual tests can't be automated

Test automations are not sequenced

Stay tuned...

DevOps Security - Part 2: An insight into Security Operation

Suman Sourav, @SumanS0urav

https://sg.linkedin.com/in/sumansourav