DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases

Post on 19-Mar-2017


Transcript of DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases

Join the conversation #devseccon

AppSec DevOps Automation

Real World Cases

Ofer Maor, Director of Security Strategy

@OferMaor

linkedin.com/in/ofermaor

ofer.maor@gmail.com

Speaker

• Security Strategy at Synopsys
• Over 20 Years in Cybersecurity
• Hacker at Heart
• Longtime OWASPer
• Pioneer of IAST
• Avid Photographer

Sunset over Hamnøy, Lofoten Islands, Norway

The Agile Security Challenge

• Too Much Data
• Security by Developers
• Short Cycles
• Rapid Delivery
• Prioritizing Risk
• Understanding the Pain

• Automation: Automated, Continuous, Practical Testing
• People: Getting People Involved (DevOps, Sec, R&D)
• Process: Adapting to Existing Process (CI, Issue, etc.)
• Technology: The Right Technology (IAST)

Case I

Insurance Company Starting Out DevOps

Case I: The Challenge

Insurance Company
Agile Maturity: In Transition
DevOps Maturity: Starting
AppSec Maturity: Medium

• Insurance Company. Home grown apps
• ~15 different systems (Customer/Agent/Internal)
• Varying level of DevOps maturity & Agile transformation
• Focus on “Agile Transformation” – new systems
• Limited security background for developers
• Limited security resources
• Insufficient test automation (coverage)

Case I: The Solution

Insurance Company
Agile Maturity: In Transition
DevOps Maturity: Starting
AppSec Maturity: Medium

• R&D/DevOps/Sec cooperation & committee
• Security visibility into R&D bugs
• R&D Training (Basic!)
• Fully integrated into CI (Jenkins)
• Fully integrated with manual/automated testing
• Risk Policy (adapting risks, only “High” blocks)
• Multiple output channels (tickets, reports, etc.)

Case II

Retailer, Established Agile Shop

Case II: The Challenge

Retailer
Agile Maturity: High
DevOps Maturity: High
AppSec Maturity: Low

• eCommerce Platform (with “flavors”)
• Response to an incident (minimal existing security)
• Very small security team
• No security background for developers
• No existing process between security and R&D
• “Run of the mill” Agile/DevOps shop (with very strict enforcement)
• Dynamic environments orchestration

Case II: The Solution

Retailer
Agile Maturity: High
DevOps Maturity: High
AppSec Maturity: Low

• Process driven by R&D & DevOps, with security supervision
• Automatic orchestration of dedicated security testing environment
• Integration with Jenkins, Selenium & JIRA
• Security “workflow” created, testing once a week over 3 weeks sprint
• Tests on weeks 1 & 2 for fixing, week 3 for verification
• Breaking (medium or higher) on verification - Feature Removed
• HTML & PDF reports for auditing and integration
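The risk policies in both cases come down to the same CI building block: a severity-threshold gate that decides whether a security test stage merely reports findings or fails the build. Case I blocks only on “High”; Case II reports in weeks 1 and 2 so developers can fix, then breaks on “Medium” or higher at week-3 verification. The following is an added example written for this transcript, not code from the talk, from Synopsys, or from any IAST product or Jenkins plugin; the Finding/Policy structures, the severity scale, the fail-closed handling of unknown severity labels and the sample findings are all assumptions constructed here.

```python
"""Constructed example: a severity-threshold gate for a CI security stage.

Encodes the two risk policies from the talk:
  - Case I:  only "High" (or worse) findings block the build.
  - Case II: weekly security testing over a 3-week sprint; weeks 1 and 2
             are report-only (fixing), week 3 ("verification") blocks on
             "Medium" or higher.
The findings format is an assumption for this example, not the output of
any particular IAST tool.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Ordered severity scale; the gate compares ranks, not strings.
SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class Finding:
    rule: str        # what was detected (e.g. "sql-injection")
    severity: str    # expected to be one of SEVERITY_RANK's keys
    location: str    # where in the application it was observed


@dataclass(frozen=True)
class Policy:
    name: str
    block_at: Optional[str]   # lowest severity that fails the gate; None = report only


@dataclass
class GateResult:
    policy: str
    passed: bool
    blocking: List[Finding]
    reported: List[Finding]

    def summary(self) -> str:
        """Human-readable summary suitable for a CI console log."""
        status = "PASS" if self.passed else "FAIL"
        lines = [f"[{self.policy}] {status}: {len(self.blocking)} blocking, "
                 f"{len(self.reported)} reported"]
        for f in self.blocking:
            lines.append(f"  BLOCK {f.severity:<8} {f.rule} @ {f.location}")
        return "\n".join(lines)


# Case I policy: adapt risk, only "High" (and above) breaks the build.
CASE_I_POLICY = Policy("case-i-high-blocks", block_at="High")


def case_ii_policy(sprint_week: int) -> Policy:
    """Map the week of a 3-week sprint to the Case II workflow policy."""
    if sprint_week in (1, 2):
        return Policy(f"case-ii-week{sprint_week}-fixing", block_at=None)
    if sprint_week == 3:
        return Policy("case-ii-week3-verification", block_at="Medium")
    raise ValueError(f"sprint week must be 1..3, got {sprint_week}")


def evaluate(findings: Iterable[Finding], policy: Policy) -> GateResult:
    """Split findings into blocking and report-only according to the policy.

    Fails closed: under a blocking policy, a finding whose severity label is
    not on the scale is treated as blocking rather than silently passing.
    """
    blocking: List[Finding] = []
    reported: List[Finding] = []
    threshold = SEVERITY_RANK[policy.block_at] if policy.block_at else None
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity)
        if threshold is None:
            reported.append(f)            # report-only phase
        elif rank is None or rank >= threshold:
            blocking.append(f)            # unknown label or at/above threshold
        else:
            reported.append(f)
    return GateResult(policy.name, passed=not blocking,
                      blocking=blocking, reported=reported)


# Constructed sample findings, as a security test stage might hand them over.
SAMPLE_FINDINGS = [
    Finding("sql-injection", "High", "POST /quotes/search"),
    Finding("reflected-xss", "Medium", "GET /agents?name="),
    Finding("missing-csrf-token", "Medium", "POST /policy/renew"),
    Finding("verbose-error-page", "Low", "GET /internal/status"),
    Finding("hardcoded-secret", "Severe", "config/app.yaml"),  # label not on the scale
]


if __name__ == "__main__":
    for policy in (CASE_I_POLICY, case_ii_policy(1), case_ii_policy(3)):
        print(evaluate(SAMPLE_FINDINGS, policy).summary())
```

In a Jenkins job the stage would run `evaluate` over the tool's exported findings and exit non-zero when `passed` is false; the `reported` list is what goes out through the other output channels (tickets, HTML/PDF reports) without stopping the pipeline. Keeping the threshold in a `Policy` object rather than hard-coding it is what lets the same stage serve the Case I rule and the week-dependent Case II rule.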


Thank You!

Questions?

@OferMaor

linkedin.com/in/ofermaor

ofer.maor@gmail.com