DELIVERING SECURITY IN CONTINUOUS DELIVERY ENVIRONMENT


84% OF BREACHES OCCUR AT THE APPLICATION LAYER

HARDWARE / OS

INFRASTRUCTURE / NETWORKS

APPLICATION

CYBER ATTACKS

75% of mobile applications fail basic security tests

It is 30x more expensive to fix issues in production than during the project phase

43% of companies had a data breach in the past 2 years


Security cannot be seen simply as an add-on


Do you have a holistic approach to SDLC?

Copyright © 2017 Accenture Security. All rights reserved. 5

CONTINUOUS SECURITY IS A BUSINESS NEED

DEVELOPMENT: BUILD IT FASTER

OPERATIONS: KEEP IT STABLE

SECURITY: PROTECT IT

Protect | Detect | Respond | Recover

• 84% of breaches occur at the application layer

• It is up to 30x more expensive to fix issues in production than during the project phase

• Efficient DevSecOps increases development speed by up to 30% while improving quality and reducing risk

With more and more code being built, secure development is a must

• 43% of companies identified a data breach in the past 2 years

• It takes companies on average 230 days to identify a successful attack

• Companies with mature DevSecOps benefit from faster and more reliable security delivery with up to 40% less security staff

Efficient security operations protect assets wherever they are and lower the impact of security incidents

DevOps

CULTURE: Tighter communication and integration between system engineering and development teams

PROCESSES: Automated deployment pipeline integrated with security reviews and testing, with a strong feedback loop to operations and development teams

TECHNOLOGIES: Advanced combination of open source and commercial tools assessing various aspects of the application (requirements, code, deployment, etc.)

Agile Development

SHORTER RELEASE CYCLES: Shift work “to the left” as much as possible, to ensure no major issues or defects are found late in the release cycle

SMALLER BATCH SIZES: Reviews and tests should be able to evaluate small portions of the application while ensuring all dependencies are also covered

CROSS-FUNCTIONAL TEAMS: Cross-functional teams are the norm, to ensure up-to-date information on project milestones and activities in agile developments

SECURITY IN AN AGILE WORLD

What does it mean for Security?

Security needs to evolve, and become a support and partner in the equation – leveraging everything DevOps has to offer – to:

• Build on existing people, processes and tools to successfully drive security requirements in solutions

• Enable development teams to succeed in creating secure applications

• Secure applications from plan and design phases to on-going operations and retirement

• Embrace new technologies


ENTER DEVSECOPS

Enable developers to use security tools. Ensure that developers have direct access to selected self-service security tools, results and knowledge.

Provide IDEs integration to make security actionable. This helps developers quickly analyze results and drive remediation.

Build security champions in development teams. Make sure these champions are trained, and that they have ownership over parts of the security process.

Make security visible. Ensure a security contact is visible and accessible, and that security results are communicated transparently.

Engage Red Teams to work in combination with the DevOps team. This includes testing applications during development and in production, and using the results as a basis for training.

Security should be a driving force of the cultural change required to make DevSecOps a reality

DEVSECOPS FROM THE SECURITY POINT OF VIEW

Configuration management and infrastructure as code. Understand what is available to automate and scale, (ab)use it.

Limit compliance pass/fail enforcement, focus on building early control mechanisms owned by the application development teams.

Be pragmatic about toolset and requirements, changing people, processes and technology is a complex undertaking.

Secure the CI/CD pipeline, and apply the right level of security testing where required.

Equip developers, share knowledge and lean in, rather than be perceived as blocking the process.

Secure the supply chain, to avoid deploying known vulnerabilities.

As security, follow these basic principles to implement DevSecOps – EVEN IF DEVOPS AND AGILE ARE NOT IN PLACE.

DEVSECOPS OPERATING MODEL – ACHIEVING SECURITY AT SPEED AND SCALE

A well-defined DevSecOps operating model supports the optimization of processes and tools, which is critical to make embedding security easier, faster, measurable, and more reliable.

PROGRAM MANAGEMENT, STRATEGY, AND GOVERNANCE

ANALYTICS & STRATEGY
• KPIs
• Roadmap
• Risk Approach

ORG AND DEV ENABLEMENT
• Education & Support
• Change Management & Innovation
• Communities & Evangelists

COMPLIANCE
• Regulatory & Internal
• Compliance models
• Measurement

FOUNDATIONAL ENABLERS

• Automation
• Security frameworks & trusted libraries
• On demand security services
• Job relevant security enablement and self-service tools
• Secure CI/CT/CD

Focus on building enabling assets that will allow for DevSecOps at scale and speed

PRODUCT DEVELOPMENT

• Threat Modelling
• Vulnerability Scanning
• Static Testing
• Dynamic Testing
• Penetration Testing
• Security Remediation

Focuses on integrating security requirements into the SDLC, with intentional testing & remediation

OPERATIONS

• Security Validation
• Environment Hardening
• I&AM
• SecOps Enablement
• Red Teaming
• Threat Intelligence
• Security use cases

Focuses on securing ongoing operations


RESPONSIBLE DISCLOSURE

Have a method to handle vulnerability disclosures

Automating Security Testing in DevSecOps Pipelines

DEMO

TOOLS USED

• Sample node.js project (OWASP NodeGoat)
• Jenkins
• Git
• SonarQube
• OWASP Dependency Check (Jenkins plugin)
• SonarQube Scanner (Jenkins plugin)
• Zed Attack Proxy (Jenkins plugin)

SCENARIO

1. Developer pushes code to version control (Git)
2. A Jenkins build is triggered from a Git hook
3. OWASP Dependency Check and ZAP are run. Both reports are generated in the source folder.
4. Project source code is pushed and analyzed with SonarQube
5. Code quality and security results can be viewed from SonarQube itself
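The five scenario steps above, written out as a declarative Jenkinsfile. This is an added example, not the deck's demo configuration. It assumes a SonarQube server registered in Jenkins under the name "SonarQube", a Dependency-Check tool installation named "dependency-check", a SonarScanner tool installation named "SonarScanner", Docker on a Linux agent, and NodeGoat listening on port 4000 after `npm start`; the ZAP Jenkins plugin used in the demo is replaced by the ZAP baseline-scan container, and the `sonar.dependencyCheck.xmlReportPath` / `sonar.zaproxy.reportPath` properties rely on the community Dependency-Check and ZAP SonarQube plugins (all of these are assumptions, not taken from the slides).

```groovy
// Added example: Jenkins declarative pipeline for the NodeGoat demo scenario.
// Names in quotes (SonarQube, dependency-check, SonarScanner) are assumed
// Jenkins configuration names; port 4000 is the assumed NodeGoat port.
pipeline {
  agent any

  // Step 2: the Git hook triggers this job. Polling is only a fallback
  // in case the hook is missing or misconfigured.
  triggers { pollSCM('H/15 * * * *') }

  environment {
    TARGET_URL = 'http://localhost:4000'   // assumption: NodeGoat default port
    REPORT_DIR = 'security-reports'        // step 3: reports stay in the source tree
  }

  stages {
    stage('Checkout') {
      steps { checkout scm }               // step 1: the pushed commit
    }

    stage('Install') {
      steps { sh 'npm ci' }
    }

    stage('Dependency Check') {
      steps {
        // OWASP Dependency-Check plugin step. XML is what SonarQube imports,
        // HTML is for people reading the build page.
        dependencyCheck additionalArguments: "--scan . --format XML --format HTML --out ${env.REPORT_DIR}",
                        odcInstallation: 'dependency-check'
        dependencyCheckPublisher pattern: "${env.REPORT_DIR}/dependency-check-report.xml"
      }
    }

    stage('ZAP Baseline Scan') {
      steps {
        // Substitutes the ZAP baseline container for the ZAP Jenkins plugin.
        // The app is started in the background for the duration of this step
        // only; -I stops WARN-level findings from failing the step so the
        // report still reaches SonarQube, where the team triages it.
        sh '''
          mkdir -p "${REPORT_DIR}"
          npm start &
          APP_PID=$!
          sleep 15
          docker run --rm --network host -v "$PWD/${REPORT_DIR}":/zap/wrk/:rw \
            ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
            -t "${TARGET_URL}" -x zap-report.xml -r zap-report.html -I
          kill "$APP_PID" || true
        '''
      }
    }

    stage('SonarQube Analysis') {
      steps {
        // Step 4: SonarQube Scanner plugin. withSonarQubeEnv injects the
        // server URL and token; the report paths feed the (assumed) community
        // Dependency-Check and ZAP SonarQube plugins.
        withSonarQubeEnv('SonarQube') {
          sh """
            ${tool 'SonarScanner'}/bin/sonar-scanner \
              -Dsonar.projectKey=nodegoat \
              -Dsonar.sources=. \
              -Dsonar.exclusions=node_modules/**,${env.REPORT_DIR}/** \
              -Dsonar.dependencyCheck.xmlReportPath=${env.REPORT_DIR}/dependency-check-report.xml \
              -Dsonar.zaproxy.reportPath=${env.REPORT_DIR}/zap-report.xml
          """
        }
      }
    }

    stage('Quality Gate') {
      steps {
        // Step 5 made enforceable: the build goes red when the server-side
        // quality gate fails, instead of relying on someone opening the UI.
        timeout(time: 10, unit: 'MINUTES') {
          waitForQualityGate abortPipeline: true
        }
      }
    }
  }

  post {
    always {
      // Keep the raw reports with the build even if a later stage failed.
      archiveArtifacts artifacts: "${env.REPORT_DIR}/*", allowEmptyArchive: true
    }
  }
}
```

The quality gate stage is the piece worth keeping even if the rest is swapped out: it turns "results can be viewed in SonarQube" into a build that fails when the agreed thresholds are crossed, which is the early feedback the slide set is arguing for.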

THE BIG PICTURE

Easy setup: everything is automated, minimal effort for the developers

Instant feedback: critical bugs are found in an early phase

Better code quality over time from a security perspective

Develop → Push / Trigger → Start automated security tests → Reporting → Continuous development

• Security in a continuous delivery environment is usually considered difficult and time-consuming. This is why it is important to integrate security with the development and operations as early in the delivery as possible.

• By following this principle, you’ll end up with a delivery including fewer bugs and much better code quality over time.

• Integrating security as part of DevOps raises security awareness not only amongst the developers, but the whole project.

• We used only a couple of open source tools as an example for this demo, this stack might or might not fit in your environment. A wrong approach might lead to many false positives, which is a big burden for the whole project.

• Automating security testing does not, however, replace manual work. A human brain cannot be replaced.

• Think about your current processes and SDLC workflow; without proper planning, security testing might become overwhelming.

FURTHER THOUGHTS

Security testing in a continuous delivery environment shouldn’t require too much effort – it should be educational and work as a guideline for all developers.