Shift Left Building Security into the Application Development Lifecycle · 2019-03-19 · testing...

Shift Left – Building Security into the Application Development Lifecycle
Rob Aragao, CISSP, Chief Security Strategist


Page 1:


Page 2:

Source: IDC – Worldwide CISO Influence Survey 2018, n=1003

Page 3:

The world is feeling the economic pressures


Rising cyber dependency due to increasing digital interconnection of people, things and organizations

2015 – Attack on Ukraine’s power grid shut down 30 substations, interrupting power to 230,000 people

2016 – SWIFT attack led to the theft of US$81 million from the central bank of Bangladesh

Today – European Aviation Safety Agency has stated their systems are subject to an average of 1,000 attacks each month

Global interconnections continue to increase the attack surface

Top 10 risks in terms of likelihood

#3 – Cyber attacks

Source: World Economic Forum – The Global Risks Report 2018, 13th Edition

Page 4:

Aligning Cyber Oriented Risk to Business

• Enterprise Risk

• Brand

• Revenue Impact

• Consumer Confidence (B2B / B2C)

• Litigation Costs (Due to Breaches)

• Regulatory Compliance

• Privacy Concerns

• Investor Confidence

Page 5:


Key Elements to consider as part of an Enterprise Cyber Risk Program

CYBER RISK PROGRAM ELEMENTS

• Understanding & Protecting your Data

• Ensuring Appropriate Access

• Securing your Applications

• Identifying & Responding to Incidents

Page 6:

FORTIFY

Why Application Security

Page 7:


Businesses today need faster innovation…and faster innovation increases risk

[Chart, 2010 to 2020+: Release Frequency, Number of Applications, and Releases with Critical Vulnerabilities plotted over time]

Source: 2017 Micro Focus Application Security Research Update

Page 8:


Application security is more important than ever
The majority of security breaches today are from application vulnerabilities

Source: 1. U.S. Department of Homeland Security’s U.S. Computer Emergency Response Team (US-CERT); 2. “2017 Application Security Research Update” by the Fortify Software Security Research team, 2017

90% of security incidents from exploits against defects in the design or code of software.1

[Diagram: defense layers labelled Data, Network, Perimeter, Endpoint, Application]

Page 9:


Web & mobile applications are vulnerable

79% of mobile applications had at least one critical or high-severity issue (vs. 66% last year)

89% of web applications had at least one critical or high-severity issue (vs. 80% last year)

Source: 2018 Application Security Research Update, Micro Focus® Fortify Software Security Research Team

Page 10:


Regulatory compliance is a good start, but is not enough
Standards leave out critical vulnerabilities

[Chart: % of tested applications with issues NOT covered by regulatory mapping, per standard (OWASP Top 10, NIST, PCI DSS, GDPR - logical); two series: “at least one issue” and “critical or high severity issues”; values shown: 90%, 58%, 74%, 63%, 49%, 20%, 21%, 25%]

20% to 50% of apps have critical or high vulnerabilities not covered by the regulatory mapping of top standards (OWASP Top 10, NIST, PCI DSS, or GDPR).

Source: 2018 Application Security Research Update, Micro Focus® Fortify Software Security Research Team

Page 11:


Developers have traditionally resisted security for a reason


Security is Pulled in late in the SDLC… if at all

▪ Traditionally, static or dynamic scans are run before releasing the app.

▪ …so developers get issues to fix in a very short time, or release the app with these issues.

▪ Development teams are growing at an 80:1 ratio to security teams.

Scans Take Too Much Time

▪ When scans are initiated, developers don’t get results for days, or in some cases, weeks.

▪ Scanning the entire code base and auditing can take time.

▪ Developers get security issues way later than they would like.

Audit Process Slows us Down

▪ Auditing is still the #1 bottleneck for application security efforts.

▪ Even if scans are completed in minutes, human auditors work using FIFO queues and they’re outnumbered.

▪ Audit results are challenged by developers and cause friction/time loss.

Page 12:


Companies are adopting DevOps for rapid development… but security is often outside of the process

Source: Micro Focus 2017 Application Security Research Update

Security teams can’t keep up as development teams are growing at an 80:1 ratio

[Diagram: DevOps pipeline, labels in reading order: Business Demand, Planning, App Development, App Testing, App release, Release decision, Deployed App; “Security?” shown outside the process]

Increase Automation · Reduce Latency · Increase Visibility

Page 13:


The only way to keep up is to “build it in”

Source: “10 Things to Get Right for Successful DevSecOps,” Gartner, Inc., 2017

[Diagram: DevSecOps loop. Dev/Ops labels in reading order: Create, Plan, Verify, Preprod, Prevent, Detect, Predict, Respond, Continuous Integration, Continuous Monitoring, Monitoring and Analytics, Continuous Improvement, Continuous Deployment, Continuous Configuration, Continuous Learning, Continuous Delivery. Sec: Static Code Analysis, Dynamic Application Security Testing, Real-Time Application Self Protection]

Page 14:


Application Security needs to be seamless to keep up with the pace of development


1. Secure Development – Provide continuous feedback on the developer’s desktop at DevOps speed

2. Security Testing – Embed scalable security testing into the development tool chain

3. Run-time Protection – Protect software running in production

4. Continuous Monitoring – Continuously monitor applications

Application Security Testing Glossary:

– Static (SAST) – analyzes the code

– Dynamic (DAST) – tests a functional (pre-production) app

– Mobile (MAST) – tests a mobile app

– Realtime Application Self-Protection (RASP) – detects vulnerabilities and protects from execution

– CAM – continuous application monitoring

Page 15:


Achieve speed AND accuracy


Faster development of applications with fewer production risks

Pipeline stages: Automated Scans, Scan Results, Triaging, Remediation

• 95% reduction in false positives reported

• 40% improvement in repeat code vulnerabilities

• 2x more vulnerabilities identified

• Up to 25% savings in development time

Note: survey of Fortify customers comparing to competing solutions

Sources: 1 “Continuous Delivery of Business Value with Fortify” – June 2017; 2 Fortify Internal Assessments – June 2017

Page 16:

Establishing an AppSec Program

Page 17:

Goals & Benefits of an Application Security Program

The mitigation of application security risks is not a one-time exercise; rather, it is an ongoing activity that requires paying close attention to emerging threats and planning ahead for the deployment of new security measures to mitigate them. This includes planning for the adoption of new application security activities, processes, controls and training.

A successful application security program needs to:

▪ Map security priorities to business priorities

▪ Assess the current state and target state using a maturity model

▪ Seamlessly integrate into development processes and tool chains


Source: “Application Security Guide for CISOs,” OWASP, 2013

Page 18:

Evolution of Capability for Application Security (axis: Basic → Advanced; labels in reading order)

Adaptive Protection

• Continuous Monitoring

• Runtime Protection

• Service Orchestration

• Adaptive Response

• Active Engagement (Proactive and Reactive)

Policy Compliance

• Custom Reports

• Security Defect Prioritization

• Critical Defect Remediation

• Data Summary Reporting

• Initial Metrics

Risk Mitigation

• Continuous Delivery Integration

• Secure SDLC Monitoring

• Historical Correlation

• Custom Report Enhancement

• Security Defect Trending

• Release Management Integration

• Best Practices & Actionable Controls

Risk Identification

• Dynamic Security Testing

• Static Security Testing

• Regulatory Compliance

Risk Prevention

• Education

• Awareness campaigns

• Continuous Testing

• Analysis in Depth

• Operational Metrics and KPIs

• Compliance enforcement

• Security Defect Eradication

• Secure Reusable Components

• Secure Repositories

Page 19:

Measure to demonstrate success

– % of security defects identified by sprint/phase

– % of security defects whose risk has been accepted vs. % fixed

– % of security defects per project over time (quarter over quarter)

– Vulnerability density (security defects/LOC)

– Average time required to fix/close security defects during design, coding, and testing

– Average time to fix security defects by defect type

– Average time to fix security defects by application size/code complexity
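The metrics above are straightforward to compute from a defect-tracker export. The following is an added example, not part of the original deck: it computes the share of defects per sprint, fixed vs. risk-accepted percentages, vulnerability density per KLOC, and mean days to close grouped by phase and by defect type. The defect records and the code-base size are constructed sample data, and the field names (sprint, phase, type, status, opened, closed) are assumptions about what a tracker would export.

```python
"""Security-defect metrics of the kind listed on the 'Measure to demonstrate success' slide.

Added example, not part of the original deck. DEFECTS and LINES_OF_CODE are constructed
sample data; the record fields are assumed names, not any particular tracker's schema.
"""
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample export: one record per security defect.
DEFECTS = [
    {"id": 1, "sprint": "S1", "phase": "coding", "type": "SQL Injection", "status": "fixed",
     "opened": date(2019, 1, 7), "closed": date(2019, 1, 9)},
    {"id": 2, "sprint": "S1", "phase": "design", "type": "Missing Authz", "status": "fixed",
     "opened": date(2019, 1, 3), "closed": date(2019, 1, 15)},
    {"id": 3, "sprint": "S2", "phase": "testing", "type": "XSS", "status": "risk_accepted",
     "opened": date(2019, 1, 21), "closed": date(2019, 1, 22)},
    {"id": 4, "sprint": "S2", "phase": "coding", "type": "SQL Injection", "status": "fixed",
     "opened": date(2019, 1, 22), "closed": date(2019, 1, 26)},
    {"id": 5, "sprint": "S3", "phase": "coding", "type": "XSS", "status": "open",
     "opened": date(2019, 2, 4), "closed": None},
]
LINES_OF_CODE = 25_000  # constructed size of the scanned code base


def pct_by_sprint(defects):
    """% of security defects identified in each sprint."""
    counts = defaultdict(int)
    for d in defects:
        counts[d["sprint"]] += 1
    total = len(defects)
    return {s: round(100 * n / total, 1) for s, n in sorted(counts.items())}


def pct_fixed_vs_accepted(defects):
    """% of security defects fixed vs. % whose risk was accepted (open defects are neither)."""
    total = len(defects)
    fixed = sum(1 for d in defects if d["status"] == "fixed")
    accepted = sum(1 for d in defects if d["status"] == "risk_accepted")
    return {"fixed": round(100 * fixed / total, 1),
            "risk_accepted": round(100 * accepted / total, 1)}


def vulnerability_density(defects, loc, per=1000):
    """Security defects per `per` lines of code (per KLOC by default)."""
    return round(len(defects) / loc * per, 3)


def mean_days_to_close(defects, key):
    """Average days from open to close, grouped by `key` ('phase' or 'type').

    Risk-accepted defects count as closed; defects still open have no close
    date and are excluded rather than skewing the average.
    """
    days = defaultdict(list)
    for d in defects:
        if d["closed"] is not None:
            days[d[key]].append((d["closed"] - d["opened"]).days)
    return {k: round(mean(v), 1) for k, v in sorted(days.items())}


if __name__ == "__main__":
    print("by sprint:", pct_by_sprint(DEFECTS))
    print("fixed vs accepted:", pct_fixed_vs_accepted(DEFECTS))
    print("density per KLOC:", vulnerability_density(DEFECTS, LINES_OF_CODE))
    print("days to close by phase:", mean_days_to_close(DEFECTS, "phase"))
    print("days to close by type:", mean_days_to_close(DEFECTS, "type"))
```

Grouping by phase is what makes the "design, coding, and testing" metric on this slide useful: in the sample data the one design-phase defect took 12 days to close against 3 for coding-phase defects, which is the kind of signal that justifies moving review earlier.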

Page 20:

Best practices for integrating security w/DevOps
Security should be part of the DNA of DevOps

• Make security part of the value stream

• Identify skilled early adopters

• Work in small consumable steps

• Standardize on toolset

• Early visible wins

• Focus more on the process than defect totals

• Begin with a loose security policy and tighten as process matures

• Mark builds as unstable but don’t fail builds until process is mature
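The last two practices (a loose policy that tightens as the process matures, and marking builds unstable rather than failing them early on) are easiest to see as a build gate with a maturity setting. The following is an added example, not part of the original deck and not any Fortify product's behaviour: the same constructed scan output is judged under three policies, and only the most mature one fails the build. The finding fields (category, severity, new) and the stage names pilot/adopt/mature are assumptions; real scanners export their own schemas.

```python
"""Scan-result build gate with a maturity ladder.

Added example, not part of the original deck. FINDINGS is constructed sample scanner
output; the severity names, the 'new' flag and the policy stage names are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Policy:
    name: str
    fail_at: Optional[str]  # severity at/above which the build fails (None: never fail)
    unstable_at: str        # severity at/above which the build is marked unstable
    new_only: bool          # only judge findings introduced by this change


# Maturity ladder: each stage tightens the previous one. The pilot stage never fails a
# build and only looks at newly introduced findings, so the backlog does not block teams.
POLICIES = {
    "pilot":  Policy("pilot",  fail_at=None,       unstable_at="critical", new_only=True),
    "adopt":  Policy("adopt",  fail_at="critical", unstable_at="high",     new_only=True),
    "mature": Policy("mature", fail_at="high",     unstable_at="medium",   new_only=False),
}


def evaluate(findings, policy):
    """Return 'SUCCESS', 'UNSTABLE' or 'FAILURE' for a list of findings under a policy."""
    considered = [f for f in findings if f["new"] or not policy.new_only]
    if not considered:
        return "SUCCESS"
    worst = max(SEVERITY_RANK[f["severity"]] for f in considered)
    if policy.fail_at is not None and worst >= SEVERITY_RANK[policy.fail_at]:
        return "FAILURE"
    if worst >= SEVERITY_RANK[policy.unstable_at]:
        return "UNSTABLE"
    return "SUCCESS"


# Constructed scan output for one build: one new high, one pre-existing critical, one new medium.
FINDINGS = [
    {"category": "SQL Injection", "severity": "high", "new": True},
    {"category": "Hardcoded Password", "severity": "critical", "new": False},
    {"category": "Weak Hash", "severity": "medium", "new": True},
]


def gate_results(findings=FINDINGS):
    """Verdict for the same scan under every policy stage."""
    return {name: evaluate(findings, p) for name, p in POLICIES.items()}


if __name__ == "__main__":
    for stage, verdict in gate_results().items():
        print(f"{stage:7s} -> {verdict}")
```

Under the pilot policy the build succeeds, under adopt it is marked unstable because of the new high-severity finding, and only the mature policy fails it, since it also counts the pre-existing critical. Promoting a team from one stage to the next is a one-line configuration change, which is what lets the policy tighten without a tooling change.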


Page 21:

Thank You.