AppSec in a DevOps World - OWASP · 20/04/2017 · Static Application Security Testing + 3rd Party...
© 2016 VERACODE INC.
AppSec in a DevOps World
Peter Chestna, Director of Developer Engagement
Who am I?
• 25 Years Software Development Experience
• 10+ Years Application Security Experience
• Certified Agile Product Owner and Scrum Master
• At Veracode since 2006
• From Waterfall to Agile to DevOps
• From Monolith to MicroService
• Consultant on DevSecOps best practices
• Fun Fact: I love whiskey!
@PeteChestna
Goals
• Why is AppSec important?
• How is DevOps changing application development?
• How is AppSec traditionally done?
• What needs to change?
– What to build
– What to measure
– How to help
Applications are as risky as ever
• ...of all applications used some kind of hard-coded password
• ...of all applications use broken or risky cryptographic algorithms
• ...of all applications were vulnerable to open redirect attacks
• ...of all applications mix trusted and untrusted data in the same data structure or message
Majority of internally developed applications fail OWASP
Lack of App Security is Damaging Companies
High Profile Breaches
All attacked through the app layer
Business Mandate
Compressed Timelines
• Waterfall: 1-4 releases per year
• Agile: 12-24 releases per year
• DevOps: 100+ releases per year
Definition of DevOps
Basic development cycle
Not so different after all
(Diagram: the same phases, Requirements → Analysis → Design → Coding → Testing → Acceptance, laid out over time for Waterfall, Agile, and DevOps at scale.)
DevOps
(Diagram: Plan → Dev → QA → Ops.)
• DevOps: Business Intent, App Knowledge and Ops Knowledge carried through every stage (continuity)
• Waterfall: a handoff (!) at every stage boundary
• Agile: a single handoff (!)
Agile - Process
Copyright 2005, Mountain Goat Software
Transformation - Technology
Waterfall → Agile → DevOps
Is this your current AppSec program?
They/We know it’s coming…
Which outcome do you see?
DevOps – Process: Where is security?
Strategy
• Integration & Automation
• 3-legged barstool:
– Training
– Remediation Coaching
– Scan early & often
Strategy – Integration & Automation
(Diagram: CI/CD pipeline.)
CI: Backlog → Develop → Build & Test (static analysis per check-in) → Check in → Build → Static Analysis + Unit Tests → Pass?
• No → Synchronize (back to Develop)
• Yes → Deploy to QA/Stage
CD: Dynamic Analysis + Regression Testing → Pass?
• Yes → Stage, then Prod
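The "Pass?" decision in the pipeline above is where security either blocks or lets a build through. The following is an added example, not code from the slides or from Veracode: a small policy gate that compares a fresh static-analysis scan against the last accepted baseline, fails the per-check-in build only on new findings that violate policy, and tallies unmitigated weakness types so training can be targeted at the violations actually seen (the slide on training suggests exactly that). The findings, the severity scale, the `sink` field and the CWE-to-training mapping are all constructed for the example; real scanners expose different fields.

```python
"""Pipeline policy gate over SAST findings (constructed sample data)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable

# Severity scale used by the sample policy (assumption; scanners differ).
SEVERITY_RANK = {"very high": 5, "high": 4, "medium": 3, "low": 2, "very low": 1}


@dataclass(frozen=True)
class Finding:
    cwe: int            # CWE id, e.g. 89 = SQL injection
    severity: str       # a key of SEVERITY_RANK
    file: str           # file the flaw is reported in
    sink: str           # call that makes it exploitable (assumed scanner field)
    line: int           # reported line; deliberately not part of the identity
    mitigated: bool = False  # accepted via review; never blocks

    @property
    def fingerprint(self) -> tuple:
        # Identity across scans: same weakness, same file, same sink.
        # Line numbers move on every commit, so a shifted file is not a new flaw.
        return (self.cwe, self.file, self.sink)


@dataclass
class Policy:
    block_at_or_above: str = "high"
    # Weakness classes blocked regardless of severity: OS command injection,
    # SQL injection, hard-coded credentials.
    always_block_cwes: frozenset = frozenset({78, 89, 798})
    new_only: bool = True   # per-check-in: judge only findings absent from baseline


@dataclass
class GateResult:
    passed: bool
    blocking: list
    new_findings: list
    training_hints: dict = field(default_factory=dict)


# Constructed mapping from weakness class to the training module to recommend.
TRAINING_BY_CWE = {
    79: "Output encoding & XSS",
    89: "Parameterised queries & SQL injection",
    78: "OS command injection",
    798: "Secrets management (no hard-coded credentials)",
    327: "Approved cryptography",
}


def violates(f: Finding, policy: Policy) -> bool:
    """True if an unmitigated finding breaks the policy."""
    if f.mitigated:
        return False
    if f.cwe in policy.always_block_cwes:
        return True
    return SEVERITY_RANK[f.severity] >= SEVERITY_RANK[policy.block_at_or_above]


def gate(baseline: Iterable[Finding], current: Iterable[Finding], policy: Policy) -> GateResult:
    """Decide Pass/Fail for a scan and return what blocked it and what to train on."""
    known = {f.fingerprint for f in baseline}
    current = list(current)
    new = [f for f in current if f.fingerprint not in known]
    candidates = new if policy.new_only else current
    blocking = sorted((f for f in candidates if violates(f, policy)),
                      key=lambda f: -SEVERITY_RANK[f.severity])
    # Count unmitigated weakness types across the whole scan, most frequent first.
    counts = Counter(f.cwe for f in current if not f.mitigated)
    hints = {TRAINING_BY_CWE.get(cwe, f"CWE-{cwe}"): n for cwe, n in counts.most_common()}
    return GateResult(passed=not blocking, blocking=blocking, new_findings=new, training_hints=hints)


# Constructed sample scans: the XSS finding moved four lines, one SQLi and one
# low-severity input-validation finding are new since the baseline.
BASELINE = [
    Finding(79, "medium", "views/profile.py", "render_template_string", 41),
    Finding(798, "high", "config/db.py", "connect", 12),
]
CURRENT = [
    Finding(79, "medium", "views/profile.py", "render_template_string", 45),
    Finding(798, "high", "config/db.py", "connect", 12),
    Finding(89, "high", "views/search.py", "cursor.execute", 88),
    Finding(20, "low", "views/search.py", "int", 80),
]


def run_per_checkin() -> GateResult:
    """Fast gate on each check-in: only new policy-violating flaws block."""
    return gate(BASELINE, CURRENT, Policy())


def run_release() -> GateResult:
    """Release gate: everything still open counts, including baseline debt."""
    return gate(BASELINE, CURRENT, Policy(new_only=False))


if __name__ == "__main__":
    for name, r in (("per-check-in", run_per_checkin()), ("release", run_release())):
        print(name, "PASS" if r.passed else "FAIL", [(f.cwe, f.file) for f in r.blocking])
        print("  train on:", r.training_hints)
```

The per-check-in run fails only on the new SQL injection, so developers are not blocked by pre-existing debt while still being stopped from adding to it; the release run also surfaces the baseline hard-coded credential, which is the "synchronize" loop closing before Stage and Prod. Marking a finding `mitigated` after review is the only way past an always-block CWE, which keeps the exception visible in the scan data rather than in someone's head.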
Strategy - Training
• Security teams can help developers by providing training, either through eLearning or in-person Instructor Led Training
• Think about targeted training based on policy violations
Get smart on DevOps
Train beyond your walls
Strategy - Remediation Coaching
For applications that used remediation coaching, development teams fixed more than 2.5x the average number of flaws per megabyte
Strategy – Measurement (Scan early, scan often)
Applications that used sandbox had an average fix rate of 59%, or a 2x improvement in fix rate
DevOps – Pervasive Security
(Diagram: security activities spread across the pipeline phases Plan → Code → Build → Test → Stage → Deploy → Monitor.)
• Training (eLearning, instructor led, metadata driven)
• Threat Modeling / Security Grooming
• Secure Design
• Static Application Security Testing + 3rd Party Risk Analysis
• Remediation and Mitigation Guidance
• Secure Code Reviews
• Dynamic Application Security Testing
• Manual Penetration Testing
• Red Team Activities
• Runtime Application Self Protection
Thank You!