Lean Security
Transcript of Lean Security
#LEANSECURITY
@WICKETT // @ERNESTMUELLER // RSA 2016
@WICKETT // @ERNESTMUELLER // #LEANSECURITY
JAMES WICKETT @wickett
ERNEST MUELLER @ernestmueller
THEAGILEADMIN.COM
THE PRESENTATION THAT JUST MIGHT CHANGE YOUR LIFE…
“COMPANIES ARE SPENDING A GREAT DEAL ON SECURITY, BUT WE READ OF MASSIVE COMPUTER-RELATED ATTACKS. CLEARLY SOMETHING IS WRONG. THE ROOT OF THE PROBLEM IS TWOFOLD: WE’RE PROTECTING (AND SPENDING MONEY ON PROTECTING) THE WRONG THINGS, AND WE’RE HURTING PRODUCTIVITY IN THE PROCESS.”
Thinking Security, Steven M. Bellovin 2015
AGILE
WHAT IS AGILE?
• INDIVIDUALS AND INTERACTIONS OVER PROCESSES AND TOOLS
• WORKING SOFTWARE OVER COMPREHENSIVE DOCUMENTATION
• CUSTOMER COLLABORATION OVER CONTRACT NEGOTIATION
• RESPONDING TO CHANGE OVER FOLLOWING A PLAN
SOURCE: THE AGILE MANIFESTO (HTTP://WWW.AGILEMANIFESTO.ORG/)
WHY AGILE?
• 45% OF ORGANIZATIONS ARE USING AGILE ON A MAJORITY OF THEIR TEAMS; ONLY 5% ARE NOT USING IT AT ALL
• AGILE RESULTS:
  • ACCELERATE PRODUCT DELIVERY - 59%
  • ENHANCE ABILITY TO MANAGE CHANGING PRIORITIES - 56%
  • INCREASE PRODUCTIVITY - 53%
  • ENHANCE SOFTWARE QUALITY - 46%
  • ENHANCE DELIVERY PREDICTABILITY - 44%
SOURCE: VERSIONONE NINTH ANNUAL STATE OF AGILE SURVEY (HTTPS://WWW.VERSIONONE.COM/PDF/STATE-OF-AGILE-DEVELOPMENT-SURVEY-NINTH.PDF)
WHAT IS DEVOPS?
DEVOPS IS THE PRACTICE OF OPERATIONS AND DEVELOPMENT ENGINEERS PARTICIPATING TOGETHER IN THE ENTIRE SERVICE LIFECYCLE, FROM DESIGN THROUGH THE DEVELOPMENT PROCESS TO PRODUCTION SUPPORT.
DEVOPS IS ALSO CHARACTERIZED BY OPERATIONS STAFF MAKING USE OF MANY OF THE SAME TECHNIQUES AS DEVELOPERS FOR THEIR SYSTEMS WORK.
SOURCE: THE AGILE ADMIN: WHAT IS DEVOPS? HTTP://THEAGILEADMIN.COM/WHAT-IS-DEVOPS/
WHY DEVOPS?
• BY 2016 “DEVOPS WILL EVOLVE FROM A NICHE TO A MAINSTREAM STRATEGY EMPLOYED BY 25% OF GLOBAL 2000 ORGANIZATIONS” - GARTNER, MARCH 2015
• BENEFITS OF DEVOPS:
  • NEW SOFTWARE/SERVICES THAT WOULD OTHERWISE NOT BE POSSIBLE - 21%
  • A REDUCTION IN TIME SPENT FIXING AND MAINTAINING APPLICATIONS - 21%
  • INCREASED COLLABORATION BETWEEN DEPARTMENTS - 21%
  • AN INCREASE IN REVENUE - 19%
  • IMPROVED QUALITY AND PERFORMANCE OF OUR DEPLOYED APPLICATIONS - 19%
SOURCE: CA RESEARCH REPORT—DEVOPS: THE WORST-KEPT SECRET TO WINNING IN THE APPLICATION ECONOMY (HTTP://REWRITE.CA.COM/US/ARTICLES/DEVOPS/RESEARCH-REPORT--DEVOPS-THE-WORST-KEPT-SECRET-TO-WINNING-IN-THE-APPLICATION-ECONOMY.HTML)
HIGH-PERFORMING IT ORGANIZATIONS EXPERIENCE 60X FEWER FAILURES AND RECOVER FROM FAILURE 168X FASTER THAN THEIR LOWER-PERFORMING PEERS. THEY ALSO DEPLOY 30X MORE FREQUENTLY WITH 200X SHORTER LEAD TIMES.
LEAN
LEAN SOFTWARE DEVELOPMENT
SEVEN PRINCIPLES:
• ELIMINATE WASTE
• AMPLIFY LEARNING
• DECIDE AS LATE AS POSSIBLE
• DELIVER AS FAST AS POSSIBLE
• EMPOWER THE TEAM
• BUILD INTEGRITY IN
• SEE THE WHOLE
SOURCE: LEAN SOFTWARE DEVELOPMENT: AN AGILE TOOLKIT (2003), MARY AND TOM POPPENDIECK
LEAN PRODUCT DEVELOPMENT
• BUILD-MEASURE-LEARN
  • BUILD – MINIMUM VIABLE PRODUCT
  • MEASURE – THE OUTCOME AND INTERNAL METRICS
  • LEARN – ABOUT YOUR PROBLEM AND YOUR SOLUTION
  • REPEAT – GO DEEPER WHERE IT’S NEEDED
SOURCE: LEAN STARTUP (2011), ERIC RIES
WHY LEAN?
• “BOTH DEVOPS AND AGILE BORROW KEY CONCEPTS FROM LEAN MANUFACTURING, SO IT'S ALL ABOUT COMMUNICATION AND OPENNESS.” - INFORMATIONWEEK
WHAT ARE THE CHALLENGES THAT AGILE / DEVOPS / LEAN POSE TO INFOSEC?
WRONG QUESTION!
INSTEAD, EXAMINE HOW ADOPTING THESE STRATEGIES CAN HELP YOU WIN
LEAN SECURITY IS FOR WINNERS
THE SIX-FOLD PATH OF LEAN SECURITY (AND HOW TO WIN)
#1 SECURITY IS JUST BEAN COUNTING
WE TRADED ENGINEERING FOR ACTUARIAL DUTIES
“[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK”
A SECURITY MANAGEMENT SYSTEM PROVIDES OPTIMAL VALUE TO THE ORGANIZATION IF IT:
• ACTIVELY SUPPORTS ACHIEVING THE BUSINESS AND COMPLIANCE OBJECTIVES OF THE ORGANIZATION (THE VARIABLE PART)
• IS AN EFFICIENT, AGILE AND INTEGRATED PROCESS, CAPABLE OF DEALING WITH A DYNAMIC THREAT ENVIRONMENT
• CONSUMES MINIMAL TIME AND RESOURCES
• RESULTS IN ADEQUATELY MANAGED SECURITY RISK, IN LINE WITH THE RISK APPETITE OF THE ORGANIZATION
• PROVIDES ONLY THE NECESSARY, YET ADEQUATE, USER-FRIENDLY, EFFICIENT AND MEASURABLE SECURITY CONTROLS
SOURCE: JOHAN BAKKER, LEAN SECURITY MANAGEMENT WHITE PAPER
UNDERSTAND THE VALUE YOUR ORGANIZATION WANTS FROM YOU
#2 SECURITY IS A BOTTLENECK
THE AVERAGE TIME TO DELIVER CORPORATE IT PROJECTS HAS INCREASED FROM ~8.5 MONTHS TO OVER 10 MONTHS IN THE LAST 5 YEARS
Revving up your Corporate RPMs, Fortune Magazine, Feb 1, 2016
WHY ARE COMPANIES SO SLOW?
THE GROWTH OF CONTROL AND RISK MANAGEMENT FUNCTIONS WHICH IS TOO OFTEN POORLY COORDINATED… [RESULTING IN] A PROLIFERATION OF NEW TASKS IN THE AREAS OF COMPLIANCE, PRIVACY AND DATA PROTECTION.
Revving up your Corporate RPMs, Fortune Magazine, Feb 1, 2016
THE THREE WASTES
• MUDA - WORK WHICH ABSORBS RESOURCES BUT ADDS NO VALUE
• MURI - UNREASONABLE WORK THAT IS IMPOSED ON WORKERS AND MACHINES
• MURA - WORK COMING IN DRIBS AND DRABS WITH SUDDEN PERIODS OF RUSH RATHER THAN A CONSTANT OR REGULAR FLOW; UNEVENNESS
SECURITY WASTE
MUDA COMES IN SEVEN FORMS:
• EXCESS INVENTORY - DUMPING YOUR THOUSAND-PAGE PDF OF VULNERABILITIES ON A BUSY TEAM. PRIORITIZE AND LIMIT WORK IN PROGRESS (WIP)
• OVERPRODUCTION - SECURITY CONTROLS STEMMING FROM FUD OR MISALIGNMENT WITH BUSINESS NEEDS (NOT DEMANDED BY ACTUAL CUSTOMERS) - CF. PHOENIX PROJECT
• EXTRA PROCESSING - FOR EXAMPLE, RELYING ON COMPLIANCE TESTING RATHER THAN DESIGNING THE PROCESS TO ELIMINATE PROBLEMS - HELP IT GET BUILT RIGHT FIRST
SECURITY WASTE
• HANDOFFS - LEVERAGE THE KNOWLEDGE OF THE TEAMS DOING THE WORK AND COLLABORATE WITH THEM TO BUILD SECURITY IN, INSTEAD OF THAT BEING SOME OTHER TEAM’S JOB
• WAITING - LAG BETWEEN VALUE STEPS WAITING FOR APPROVALS OR ANALYSES OR TICKET HANDLING - USE SELF SERVICE AUTOMATION INSTEAD
• TASK SWITCHING - THE THOUSAND PAGE PDF AGAIN - WORK WITH THEIR WORK INTAKE PROCESS NOT AGAINST IT
• DEFECTS - FALSE POSITIVES, FALSE NEGATIVES AND JUST PLAIN UNIMPORTANT FINDINGS YOU REPORT, CAUSING ZERO-VALUE REWORK
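A worked example of the excess-inventory, task-switching and defects wastes above, added here and not from the talk: it takes a constructed set of scanner findings (the raw material of the thousand-page PDF), collapses the same finding across hosts into one work item, sets aside confirmed false positives and below-threshold noise, ranks what is left, and hands the team only a WIP-limited slice. The finding fields, the severity ranking and the limit values are assumptions for the example.

```python
from collections import defaultdict

# Constructed scanner output, the kind that ends up in a thousand-page PDF.
# Hypothetical data for this example, not from any real scan or from the talk.
FINDINGS = [
    {"id": 1, "host": "web-01", "title": "Reflected XSS in search parameter", "severity": "high", "exploitable": True, "false_positive": False},
    {"id": 2, "host": "web-02", "title": "Reflected XSS in search parameter", "severity": "high", "exploitable": True, "false_positive": False},
    {"id": 3, "host": "web-01", "title": "Server banner reveals version", "severity": "info", "exploitable": False, "false_positive": False},
    {"id": 4, "host": "api-01", "title": "SQL injection in /orders filter", "severity": "critical", "exploitable": True, "false_positive": False},
    {"id": 5, "host": "web-01", "title": "Missing HttpOnly flag on session cookie", "severity": "medium", "exploitable": False, "false_positive": False},
    {"id": 6, "host": "db-01", "title": "TLS 1.0 enabled", "severity": "medium", "exploitable": False, "false_positive": False},
    {"id": 7, "host": "web-01", "title": "Outdated jQuery detected by version string", "severity": "high", "exploitable": False, "false_positive": True},
    {"id": 8, "host": "web-02", "title": "Outdated jQuery detected by version string", "severity": "high", "exploitable": False, "false_positive": True},
    {"id": 9, "host": "web-02", "title": "Missing HttpOnly flag on session cookie", "severity": "medium", "exploitable": False, "false_positive": False},
    {"id": 10, "host": "api-01", "title": "Directory listing enabled on /static", "severity": "low", "exploitable": False, "false_positive": False},
]

# Assumed ranking; adjust to the organization's own risk appetite.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def dedupe(findings):
    """Collapse the same finding on many hosts into one work item (cuts inventory)."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["title"]].append(f)
    items = []
    for title, group in groups.items():
        items.append({
            "title": title,
            "severity": max((g["severity"] for g in group), key=SEVERITY_RANK.__getitem__),
            "exploitable": any(g["exploitable"] for g in group),
            "hosts": sorted({g["host"] for g in group}),
            "finding_ids": sorted(g["id"] for g in group),
            # Only suppress when every instance has been confirmed as a false positive.
            "suppressed": all(g["false_positive"] for g in group),
        })
    return items


def prioritize(items):
    """Highest severity first, exploitable before theoretical, widest blast radius next."""
    return sorted(items, key=lambda i: (-SEVERITY_RANK[i["severity"]], not i["exploitable"], -len(i["hosts"]), i["title"]))


def triage(findings, wip_limit=3, min_severity="medium"):
    """Turn raw findings into a short, ordered backlog that respects a WIP limit."""
    suppressed, below, actionable = [], [], []
    for item in dedupe(findings):
        if item["suppressed"]:
            suppressed.append(item)
        elif SEVERITY_RANK[item["severity"]] < SEVERITY_RANK[min_severity]:
            below.append(item)
        else:
            actionable.append(item)
    ranked = prioritize(actionable)
    return {
        "now": ranked[:wip_limit],          # what goes into the team's intake this iteration
        "later": ranked[wip_limit:],        # queued, not dumped on them
        "suppressed": suppressed,           # confirmed false positives, kept for audit
        "below_threshold": below,           # noise the team never needs to see
    }


if __name__ == "__main__":
    result = triage(FINDINGS)
    print(f"{len(FINDINGS)} raw findings -> {len(result['now'])} items for the team now")
    for item in result["now"]:
        print(f"  [{item['severity']}] {item['title']} on {', '.join(item['hosts'])}")
    print(f"deferred: {len(result['later'])}, suppressed: {len(result['suppressed'])}, "
          f"below threshold: {len(result['below_threshold'])}")
```

The design choice worth noting is that suppression requires every instance of a finding to be a confirmed false positive, so one stale exception cannot hide a real occurrence on another host, and the suppressed and below-threshold lists are returned rather than discarded so the decision stays auditable.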
UNDERSTAND THE WASTE THAT YOU GENERATE
#3 SECURITY IS INVISIBLE
SECURITY PROFESSIONALS ARE QUICK TO SAY SECURITY IS EVERYONE’S JOB
SECURITY COULD LEARN FROM WEB PERFORMANCE CIRCA 2008
PERFORMANCE
• BROWSER EXTENSIONS FOR DEVS TO UNDERSTAND PERFORMANCE PROBLEMS
• RESEARCH SHOWING PERFORMANCE TO REVENUE CORRELATION
• SEARCHABLE LOGS EMITTING STATSD METRICS
• CONFERENCES COMBINING FRONT END DEVS AND SYS ADMINS
• COMMITMENT TO INSTRUMENT AND GRAPH ALL THE THINGS
SECURITY
• BROWSER EXTENSIONS FOR DEVS TO UNDERSTAND SECURITY PROBLEMS
• RESEARCH SHOWING SECURITY TO REVENUE CORRELATION
• SEARCHABLE LOGS EMITTING STATSD METRICS
• CONFERENCES COMBINING DEVS, OPS AND SECURITY
• COMMITMENT TO INSTRUMENT AND GRAPH ALL THE THINGS
SEE THE WHOLE
• KEEP MEANINGFUL METRICS, MAKE THOSE METRICS VISIBLE - IN THE CONTEXT OF WORKERS’ TOOLCHAIN
• “LEAST PRIVILEGE” NEEDS TO BE UNLEARNED SOMEWHAT IN MODERN ORGANIZATIONS TO ALLOW EFFECTIVE INFORMATION SHARING
• GET IN THE BUSINESS OF SHARING AND ADDING VISIBILITY TO DEV AND TO OPS.
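Both the performance and the security lists above name “searchable logs emitting statsd metrics”, and this slide asks for metrics that are meaningful and visible. The Python below is an added example, not from the talk: it reads a few constructed log lines, turns each security-relevant event into a statsd datagram in the plain name:value|type wire format, aggregates them the way a dashboard would, and can ship them over UDP to a statsd listener. The log format, the metric names and the listener address are assumptions for the example.

```python
import re
import socket
from collections import Counter

# Constructed log lines as they might land in a searchable log store.
# Hypothetical data for this example, not from the talk.
LOG_LINES = [
    "2016-02-29T10:00:01Z web-01 auth: login failed user=alice src=10.0.0.5",
    "2016-02-29T10:00:03Z web-01 auth: login ok user=bob src=10.0.0.7",
    "2016-02-29T10:00:04Z web-01 waf: blocked rule=xss path=/search src=203.0.113.9",
    "2016-02-29T10:00:05Z web-02 auth: login failed user=alice src=10.0.0.5",
    "2016-02-29T10:00:06Z web-02 waf: blocked rule=sqli path=/orders src=203.0.113.9",
    "2016-02-29T10:00:07Z web-01 auth: login failed user=alice src=10.0.0.5",
    "2016-02-29T10:00:09Z web-01 deploy: release=1.4.2 duration_ms=8400",
]

# Assumed log formats for the three event types we care about.
AUTH_RE = re.compile(r"auth: login (?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)")
WAF_RE = re.compile(r"waf: blocked rule=(?P<rule>\S+) path=(?P<path>\S+)")
DEPLOY_RE = re.compile(r"deploy: release=(?P<release>\S+) duration_ms=(?P<ms>\d+)")


def metrics_for(line):
    """Map one log line to statsd datagrams ("name:value|type"); unknown lines yield none."""
    if m := AUTH_RE.search(line):
        return [f"security.auth.{m['result']}:1|c"]            # counter
    if m := WAF_RE.search(line):
        return [f"security.waf.blocked.{m['rule']}:1|c"]       # counter per rule class
    if m := DEPLOY_RE.search(line):
        return ["deploy.count:1|c", f"deploy.duration_ms:{m['ms']}|ms"]  # counter + timer
    return []


def aggregate(lines):
    """What a dashboard would show: counter totals plus timer samples, keyed by metric name."""
    counters, timers = Counter(), {}
    for line in lines:
        for datagram in metrics_for(line):
            name, rest = datagram.split(":", 1)
            value, kind = rest.split("|")
            if kind == "c":
                counters[name] += int(value)
            else:
                timers.setdefault(name, []).append(int(value))
    return counters, timers


def failed_logins_by_user(lines):
    """A rollup worth graphing next to the app's own metrics: repeated failures per account."""
    counts = Counter()
    for line in lines:
        m = AUTH_RE.search(line)
        if m and m["result"] == "failed":
            counts[m["user"]] += 1
    return counts


def send(lines, host="127.0.0.1", port=8125):
    """Ship the datagrams to a statsd listener over UDP, several per packet, newline separated."""
    datagrams = [d for line in lines for d in metrics_for(line)]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for i in range(0, len(datagrams), 20):
            sock.sendto("\n".join(datagrams[i:i + 20]).encode(), (host, port))
    return len(datagrams)


if __name__ == "__main__":
    counters, timers = aggregate(LOG_LINES)
    for name, total in sorted(counters.items()):
        print(f"{name} = {total}")
    print("timers:", dict(timers))
    print("failed logins by user:", dict(failed_logins_by_user(LOG_LINES)))
```

Security events and the deploy timer land in the same metric namespace on purpose: a spike in security.waf.blocked.* lining up with a deploy.count tick is visible on the same graph developers and operators already watch, which is the "in context of the workers' toolchain" point of the slide.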
VISUALIZE SECURITY SO EVERYONE CAN SEE
#4 SECURITY IS ALWAYS TOO LATE
BUILD INTEGRITY IN
• “CEASE DEPENDENCE ON MASS INSPECTION TO ACHIEVE QUALITY. IMPROVE THE PROCESS AND BUILD QUALITY INTO THE PRODUCT IN THE FIRST PLACE.” — W. EDWARDS DEMING
• INTEGRATE INTO CONTINUOUS INTEGRATION AND USE TEST-DRIVEN DEVELOPMENT (TDD) TO RECTIFY ISSUES AT THE LOWEST-WASTE POINT
SOURCE: THE THREE WAYS OF DEVOPS, GENE KIM
NEEDED A WAY TO BE MEAN TO YOUR CODE EARLIER IN THE DEVELOPMENT PROCESS
ENTER GAUNTLT…
```gherkin
@slow @final
Feature: Look for cross site scripting (xss) using arachni against a URL

  Scenario: Using arachni, look for cross site scripting and verify no issues are found
    Given "arachni" is installed
    And the following profile:
      | name | value                 |
      | url  | http://localhost:8008 |
    When I launch an "arachni" attack with:
      """
      arachni --check=xss* <url>
      """
    Then the output should contain "0 issues were detected."
```
GIVEN, WHEN, THEN… WHAT?
AN ATTACK LANGUAGE FOR DEVOPS
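To show what the Given/When/Then steps above actually do when an attack file runs, here is a small Gauntlt-style step runner as an added example. It is not Gauntlt's own code (Gauntlt is a Ruby tool built on Cucumber) and it supports only the four step types used in the arachni feature: the installed-tool check, the profile table, the command docstring with <name> substitution, and the output assertion. The attack file it runs is a constructed stand-in that calls echo instead of arachni so the example works offline; the step wording follows the feature above.

```python
import re
import shlex
import shutil
import subprocess
from dataclasses import dataclass, field

# Constructed attack file in the shape of the Gauntlt feature above. The real
# one shells out to arachni; this stand-in uses `echo` so it runs offline.
# Hypothetical content for this example, not from the talk or the Gauntlt project.
ATTACK_FILE = '''
@slow
Feature: Verify the scanner reports no XSS (stand-in for arachni)

  Scenario: Run the scanner and verify no issues are found
    Given "echo" is installed
    And the following profile:
      | name | value                 |
      | url  | http://localhost:8008 |
    When I launch an "echo" attack with:
      """
      echo "<url> scanned, 0 issues were detected."
      """
    Then the output should contain "0 issues were detected."
'''


@dataclass
class Scenario:
    tool: str = ""
    profile: dict = field(default_factory=dict)
    command: str = ""
    expectations: list = field(default_factory=list)


def parse(text):
    """Read the handful of Gauntlt step types used in the feature above."""
    sc = Scenario()
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if m := re.match(r'Given "([^"]+)" is installed', line):
            sc.tool = m.group(1)
        elif line.startswith("|"):  # profile table rows; skip the header row
            cells = [c.strip() for c in line.strip("|").split("|")]
            if cells[0] != "name":
                sc.profile[cells[0]] = cells[1]
        elif line.startswith("When I launch"):  # the docstring that follows is the command
            i += 2  # step past the opening """
            parts = []
            while lines[i].strip() != '"""':
                parts.append(lines[i].strip())
                i += 1
            sc.command = " ".join(parts)
        elif m := re.match(r'Then the output should contain "([^"]+)"', line):
            sc.expectations.append(m.group(1))
        i += 1
    return sc


def substitute(command, profile):
    """Fill <name> placeholders from the profile table, as Gauntlt does for <url>."""
    for name, value in profile.items():
        command = command.replace(f"<{name}>", value)
    return command


def run(sc):
    """Given the tool exists, When the command runs, Then check its output."""
    if shutil.which(sc.tool) is None:
        return {"passed": False, "output": "", "failures": [f'"{sc.tool}" is not installed']}
    cmd = substitute(sc.command, sc.profile)
    # No shell=True: the command is split into argv so profile values cannot inject shell syntax.
    proc = subprocess.run(shlex.split(cmd), capture_output=True, text=True, timeout=120)
    output = proc.stdout + proc.stderr
    failures = [f'output does not contain "{e}"' for e in sc.expectations if e not in output]
    return {"passed": not failures, "output": output, "failures": failures}


def check(text):
    """Parse and run an attack file; returns the result dict a CI step would inspect."""
    return run(parse(text))


if __name__ == "__main__":
    result = check(ATTACK_FILE)
    print("PASS" if result["passed"] else "FAIL", result["failures"] or result["output"].strip())
    raise SystemExit(0 if result["passed"] else 1)
```

Run as a script it exits non-zero when any Then step fails, which is all a CI job needs to turn the attack file into a build-breaking test; the same structure carries over to the real arachni feature once the tool is installed on the build agent.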
http://theagileadmin.com/2015/06/09/pragmatic-security-and-rugged-devops/
GENERATE SECURITY FEEDBACK IN EACH VALUE STEP
#5 SECURITY IS ALWAYS IN THE WAY
ARE YOU “THAT GUY”?
• YOU ALREADY KNOW YOU CAN’T MAKE THINGS SECURE BY YOURSELF
• YOU NEED EVERYONE ELSE TO PITCH IN - BUT IT SEEMS LIKE THE THINGS YOU DO JUST ANGER THEM
EMPOWER THE TEAM
• UNDERSTAND HUMAN MOTIVATION
• NETFLIX AUTOMATION CREATED SAFE PATHS AS THE DEFAULT
• REMOVES EMOTIONAL CHARGE
SELF-SERVICE AUTOMATION
#6 SECURITY IS PERFECTIONIST AND IS THEREFORE UNREALISTIC
SECURITY IS YOUR PRODUCT
BUILD-MEASURE-LEARN
• DELIVER MINIMAL VIABLE SECURITY ACROSS EVERYTHING
• FOCUS ON DETECTION/METRIC GATHERING
• ITERATE FROM THERE
• REMEMBER THE WEAKEST LINK WINS
• OVERLAP SMALLER SOLUTIONS - SEE JOSH MORE’S OWASP 2012 “LEAN SECURITY 101” PRESENTATION
MANAGE YOUR PRODUCT
WE’VE BEEN THERE
JAMES WICKETT @wickett
ERNEST MUELLER @ernestmueller
THEAGILEADMIN.COM