We DevOps’d – Experience and Lessons Learned Securing the SDLC
Sherly Abraham, PhD, Excelsior College
Din Cox, PhD, CISSP, ISSAP, ISSMP, CSSLP, CISA, CISM, CRISC, CEH, etc.,
Medical Science and Computing, LLC
Sherly Abraham, Ph.D.
• Excelsior College
• Program Director for Cybersecurity
• Research Interests
  • Software Security
  • Information Security Training
  • Corporate Governance
Software Security
Presentation Objectives
• Challenges in enterprise software security
• What is DevOps
• DevOps Foundations
• Relevance of DevOps to Security
• Lessons learned from application of DevOps
• Recommendations and Resources
2014-2015 Software Bugs
• Heartbleed
• Shellshock
• POODLE
• goto fail
Growth of Software Vulnerabilities
[Chart: Number of Vulnerabilities caused by Software Flaws]
Source: National Vulnerability Database
Software Security Issues
• Defects
  • Bugs
    • E.g. buffer overflow
  • Design Flaws
    • Inconsistent error handling
• Maintenance Hooks
  • Backdoors
Software Development Security
• Requires a “holistic” and “proactive” approach
[Diagram: Software Security at the centre, supported by Educating Developers and Users, Design Secure, Build Secure, and Testing for Security]
Software Development Life Cycle
Reference: WikiCommons, commons.wikimedia.org/wiki/File:SDLC_-_Software_Development_Life_Cycle.jpg
Software Development Models
• Linear Sequential
  • Waterfall model
• Incremental
  • Prototyping
  • RAD
• Iterative
  • Spiral
• Agile
  • Teamwork, Iterative and Incremental
Challenges: Enterprise Software Security
• Security not built-in
• Disconnect between developers, business owners, end users and quality assurance
• Configuration Management
• No established metrics and continuous improvement
• Complexity and diversity of development tools, programming languages, and platforms
What is DevOps
• Lean and Agile methods
• Narrow the disconnect between development and business drivers
• Strong collaboration between developers, operations, business, security, and quality assurance teams
• Continuously incorporate feedback from customers and business owners
Foundations of DevOps
• Shift Left Concept
  • Address operational issues earlier
  • Test with systems that behave like production
• Agile and Iterative Approach
  • Continuous, automated deployment and testing
• Metrics and evaluation of quality
  • Measure and test effectiveness earlier in the development cycle
• Facilitate feedback from all stakeholders
  • Enable all stakeholders to communicate and provide feedback
DevOps Focus
• Rapid incorporation of customer feedback
• Faster Delivery Process
• Collaboration between disparate teams
• Continuous release and deployment
• Continuous testing
• Ongoing evaluation
DevOps Architecture
[Diagram: Development → Testing → Production]
• Ongoing integration
• Ongoing testing
• Ongoing monitoring
Shift Left – Operational, Security and End-user input
What DevOps is not
• Another software development model
• Everything runs and is tested in production
• Blurs the line between developers, system administrators, security
• Tool specific
• A specific job title for DevOps
Relevance of DevOps to Security
• Integration of security in the early stages of development
• Security testing in early stages of development
• Strong cross-functional integration
• Configuration management
Din Cox, Ph.D.
• Medical Science and Computing, LLC
  • Application Security Focus
• Research Interests
  • Mobile and Application Security
  • Biometrics
  • Machine Learning
• Synack Red Team Security Researcher
  • Bug hunter
State of Affairs
https://puppetlabs.com/sites/default/files/2014-state-of-devops-report.pdf
Results
Key Findings
• Companies with high-performing IT organizations are twice as likely to exceed their profitability, market share and productivity goals.
• IT performance improves with DevOps maturity, and strongly correlates with well-known DevOps practices.
• Culture matters. The cultural practices of DevOps are predictive of organizational performance.
• Job satisfaction is the No. 1 predictor of performance against organizational goals.
Source: puppetlabs.com/2014-devops-report
www.s-sa.co.uk
Organizational Context
• Current Project – Rugged DevOps
• Integrate and promote secure coding practices in the SDLC across the organization – Agile, Waterfall
• 700+ developers – geographically dispersed
• Multiple languages and frameworks (Java, PHP, Django, Python, Angular, ColdFusion, Ruby, etc.) + Mobile (iOS, Android)
• Training and Education
Success Factors
• Cultural change – i.e. view of software security
• Clear repeatable processes
• Software must be scanned before going to production
• Policy alignment – remediation timeframe
• Fault detection automation
• Continuous integration – automating unit testing and deployment of software
Success Factors
• Security standard adoption for software development
• Ability to balance security risks with software development agility
• Improve effectiveness of public-facing applications
  • Usage patterns, break/fix
DevOps Tools
Secure SDLC
• Security requirements need to be defined as early as possible during the SDLC
Accomplishments
• Agile Testing (security)
• Secure Coding + Operations + Collaboration
• Developer training and education
• Rapid communication on vulnerability intelligence
• Quicker patch cycles/remediation of vulnerabilities
• Collaboration between Development and Operations
Security Automation
• SAST (Static Application Security Testing)
  • Analyzes source code, byte code or application binaries for conditions indicative of a security vulnerability
  • Leverage tools – static analysis, etc.
• DAST (Dynamic Application Security Testing)
  • Black-box (functional and non-functional), white-box, and defect-based tests
  • Examines the application at runtime to identify vulnerabilities
  • Robustness testing (i.e. fuzz testing) or fault injection
• Integrate with build and code repositories
  • Git, Bamboo, Jenkins, etc.
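The slides above call for SAST/DAST results to feed the build, for software to be scanned before production, and for policy alignment on remediation timeframes. The following is an added example of such a scan gate, not the presenters' or their organization's code; the findings format, the remediation windows and the sample findings are all assumed or constructed.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy (hypothetical numbers, not the presenters'): how many days
# an unsuppressed finding of each severity may stay open before it blocks
# a release. This is the "scanned before production" rule combined with a
# "remediation timeframe" policy so the two stay aligned.
REMEDIATION_DAYS = {"critical": 0, "high": 7, "medium": 30, "low": 90}


@dataclass
class Finding:
    tool: str          # "sast" or "dast"
    rule: str          # scanner rule id (constructed values below)
    severity: str      # critical / high / medium / low
    opened: str        # ISO date on which the finding was first reported
    suppressed: bool = False   # risk accepted after security review


def evaluate_gate(findings, today):
    """Return (passed, reasons): the build passes only when no unsuppressed
    finding has been open longer than its severity's remediation window."""
    now = date.fromisoformat(today)
    reasons = []
    for f in findings:
        if f.suppressed:
            continue
        limit = REMEDIATION_DAYS.get(f.severity.lower())
        if limit is None:   # unknown severity is a policy gap: fail closed
            reasons.append(f"{f.tool}:{f.rule} unknown severity {f.severity!r}")
            continue
        age = (now - date.fromisoformat(f.opened)).days
        if age > limit:
            reasons.append(f"{f.tool}:{f.rule} {f.severity} open {age}d, limit {limit}d")
    return (not reasons, reasons)


# Constructed sample scanner output, not real results.
SAMPLE = [
    Finding("sast", "SQLI-001", "high", "2015-03-01"),
    Finding("dast", "XSS-REFLECTED", "medium", "2015-03-20"),
    Finding("sast", "HARDCODED-KEY", "critical", "2015-03-30", suppressed=True),
    Finding("dast", "MISSING-HSTS", "low", "2015-02-01"),
]

if __name__ == "__main__":
    passed, why = evaluate_gate(SAMPLE, "2015-04-01")
    print("PASS" if passed else "BLOCK")
    for r in why:
        print(" -", r)
    raise SystemExit(0 if passed else 1)   # non-zero exit fails the CI stage
```

Run as a CI step (Jenkins, Bamboo, etc.) after the scanners, the non-zero exit stops the deployment stage, and the printed reasons tell the developer which finding breached which window.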
Realized Benefits
• Identify problems early
• Continuous integration
• Infrastructure automation
• System stability and uptime
  • Monitoring
  • Deployment
• Continuous delivery – testing
Challenges
• Misaligned tools and processes
• Competing interests (development vs operations)
• Infighting – who’s at fault when something happens
• Documentation
• Varying views of security and roles
Lessons Learned
• Requires resources – people
• Cannot be done in a vacuum; it is dynamic
• Align IT with the business
• Leverage internal talent
• Visibility of applications – customer experience, including components (server, DB, etc.)
• Training and education
Recommendations
• Start at the top
  • Organization buy-in and support
• Measure success – metrics
  • Deployment frequency
  • Mean time to recover (MTTR)
  • Identify system failures / waste
• Automate where possible (Puppet, etc.)
• Decompose system components into modules
• Identify a champion in each department
• Establish a center of excellence
Resources
• www.rackspace.com/blog/enterprise-cloud-forum-recap-prepare-for-devops-success/
• www.isaca.org/knowledge-center/research/researchdeliverables/pages/devops-overview.aspx
• puppetlabs.com/2013-state-of-devops-infographic
• puppetlabs.com/sites/default/files/2014-state-of-devops-report.pdf