Delivering security in a continuous delivery environment · tools used • sample node.js project...
Post on 04-Jun-2018
84% OF BREACHES OCCUR AT THE APPLICATION LAYER
[Diagram: layered stack of HARDWARE / OS, INFRASTRUCTURE / NETWORKS and APPLICATION, labelled CYBER ATTACKS; 84% of breaches occur at the application layer]
75% of mobile applications fail basic security tests
It is 30x more expensive to fix issues in production than while in project phase
43% of companies had a data breach in the past 2 years
Copyright © 2017 Accenture Security. All rights reserved. 5
CONTINUOUS SECURITY IS A BUSINESS NEED
Business
DEVELOPMENT: Build it faster
OPERATIONS: Keep it stable
SECURITY: Protect it
Protect | Detect | Respond | Recover
• 84% of breaches occur at the application layer
• It is up to 30x more expensive to fix issues in production than while in project phase
• Efficient DevSecOps increases development speed by up to 30% while improving quality and reducing risk
With more and more code being built, secure development is a must
• 43% of companies identified a data breach in the past 2 years
• It takes companies on average 230 days to identify a successful attack
• Companies with mature DevSecOps benefit from faster and more reliable security delivery with up to 40% less security staff
Efficient security operations protect assets wherever they are and lower the impact of security incidents
DevOps
CULTURE: Tighter communication and integration between system engineering and development teams
PROCESSES: Automated deployment pipeline integrated with security reviews and testing, with a strong feedback loop to operations and development teams
TECHNOLOGIES: Advanced combination of open source and commercial tools assessing various aspects of the application (requirements, code, deployment, etc.)
Agile Development
SHORTER RELEASE CYCLES: Shift work “to the left” as much as possible, to ensure no major issues or defects are found late in the release cycle
SMALLER BATCH SIZES: Reviews and tests should be able to evaluate small portions of the application while ensuring all dependencies are also covered
CROSS-FUNCTIONAL TEAMS: Cross-functional teams are the norm, to ensure up-to-date information on project milestones and activities in agile developments
SECURITY IN AN AGILE WORLD
What does it mean for Security?
Security needs to evolve, and become a support and partner in the equation – leveraging everything DevOps has to offer – to:
• Build on existing people, processes and tools to successfully drive security requirements in solutions
• Enable development teams to succeed in creating secure applications
• Secure applications from the plan and design phases to ongoing operations and retirement
• Embrace new technologies
ENTER DEVSECOPS
Enable developers to use security tools. Ensure that developers have direct access to selected self-service security tools, results and knowledge.
Provide IDEs integration to make security actionable. This helps developers quickly analyze results and drive remediation.
Build security champions in development teams. Make sure these champions are trained, and that they have ownership over parts of the security process.
Make security visible. Ensure a security contact is visible and accessible, and that security results are communicated transparently.
Engage Red Teams to work in combination with the DevOps team, including testing applications during development and in production, and using the results as a basis for training.
Security should be a driving force of the cultural change required to make DevSecOps a reality
DEVSECOPS FROM THE SECURITY POINT OF VIEW
Configuration management and infrastructure as code. Understand what is available to automate and scale, (ab)use it.
Limit compliance pass/fail enforcement, focus on building early control mechanisms owned by the application development teams.
Be pragmatic about toolset and requirements, changing people, processes and technology is a complex undertaking.
Secure the CI/CD pipeline, and apply the right level of security testing where required.
Equip developers, share knowledge and lean in, rather than be perceived as blocking the process.
Secure the supply chain, to avoid deploying known vulnerabilities.
As security, follow these basic principles to implement DevSecOps – EVEN IF DEVOPS AND AGILE ARE NOT IN PLACE.
DEVSECOPS OPERATING MODEL – ACHIEVING SECURITY AT SPEED AND SCALE
A well-defined DevSecOps operating model supports the optimization of processes and tools, which is critical to make embedding security easier, faster, measurable, and more reliable.
PROGRAM MANAGEMENT, STRATEGY, AND GOVERNANCE
ANALYTICS & STRATEGY
• KPIs
• Roadmap
• Risk Approach
ORG AND DEV ENABLEMENT
• Education & Support
• Change Management & Innovation
• Communities & Evangelists
COMPLIANCE
• Regulatory & Internal
• Compliance models
• Measurement
FOUNDATIONAL ENABLERS
• Automation
• Security frameworks & trusted libraries
• On demand security services
• Job relevant security enablement and self-service tools
• Secure CI/CT/CD
Focus on building enabling assets that will allow for DevSecOps at scale and speed
PRODUCT DEVELOPMENT
• Threat Modelling
• Vulnerability Scanning
• Static Testing
• Dynamic Testing
• Penetration Testing
• Security Remediation
Focuses on integrating security requirements into the SDLC, with intentional testing & remediation
OPERATIONS
• Security Validation
• Environment Hardening
• I&AM
• SecOps Enablement
• Red Teaming
• Threat Intelligence
• Security use cases
Focuses on securing ongoing operations
RESPONSIBLE DISCLOSURE
Have a method to handle vulnerability disclosures
TOOLS USED
• Sample node.js project (OWASP NodeGoat)
• Jenkins
• Git
• SonarQube
• OWASP Dependency Check (Jenkins plugin)
• SonarQube Scanner (Jenkins plugin)
• Zed Attack Proxy (Jenkins plugin)
SCENARIO
1. Developer pushes code to version control (Git)
2. A Jenkins build is triggered from a Git hook
3. OWASP Dependency Check and ZAP are run. Both reports are generated in the source folder.
4. Project source code is pushed to and analyzed with SonarQube
5. Code quality and security results can be viewed from SonarQube itself
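One way to wire these five steps into a Jenkins job is a declarative Jenkinsfile; the one below is an added example, not the demo's own configuration. The tool and server names, the NodeGoat URL, the Docker-based ZAP baseline scan standing in for the ZAP plugin step, and the sonar.dependencyCheck properties are all assumptions.

```groovy
// Declarative Jenkinsfile for the NodeGoat demo pipeline. Assumed (not from the slides):
// an agent with Docker; a Dependency-Check tool installation named 'dependency-check';
// a SonarQube server registered in Jenkins as 'SonarQube' plus a scanner tool named
// 'SonarQube Scanner'; NodeGoat reachable at http://nodegoat:4000. The job itself is
// started by the Git hook / webhook configured on the repository.
pipeline {
  agent any
  stages {
    stage('Checkout') { steps { checkout scm } }
    stage('Dependency Check') {
      steps {
        // Supply-chain check of package.json / node_modules against known-vulnerability
        // data; XML/JSON/HTML reports land in the workspace, as the scenario describes.
        dependencyCheck additionalArguments: '--scan . --project nodegoat --format ALL',
                        odcInstallation: 'dependency-check'
        dependencyCheckPublisher pattern: 'dependency-check-report.xml'
      }
    }
    stage('ZAP baseline scan') {
      steps {
        // The slides use the ZAP Jenkins plugin; this example runs the baseline script
        // from the official ZAP container instead (passive scan of the running app).
        // -I: report warnings without failing the build, so they reach the dashboards.
        sh '''docker run --rm -v "$PWD:/zap/wrk:rw" owasp/zap2docker-stable \
                zap-baseline.py -t http://nodegoat:4000 -r zap-report.html -J zap-report.json -I'''
      }
    }
    stage('SonarQube analysis') {
      steps {
        script {
          def scannerHome = tool 'SonarQube Scanner'
          withSonarQubeEnv('SonarQube') {
            // sonar.dependencyCheck.* assumes the community Dependency-Check SonarQube
            // plugin, so dependency findings show up next to the code issues.
            sh """${scannerHome}/bin/sonar-scanner -Dsonar.projectKey=nodegoat -Dsonar.sources=. \
                  -Dsonar.exclusions=node_modules/**,dependency-check-report.*,zap-report.* \
                  -Dsonar.dependencyCheck.jsonReportPath=dependency-check-report.json \
                  -Dsonar.dependencyCheck.htmlReportPath=dependency-check-report.html"""
          }
          // Block the delivery when the quality gate is red; never wait indefinitely.
          timeout(time: 10, unit: 'MINUTES') { waitForQualityGate abortPipeline: true }
        }
      }
    }
  }
  post {
    always { archiveArtifacts artifacts: 'dependency-check-report.*,zap-report.*', allowEmptyArchive: true }
  }
}
```

The quality gate step needs the SonarQube webhook pointed back at Jenkins; without it, waitForQualityGate times out rather than failing the build.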
THE BIG PICTURE
Easy setup: everything is automated, minimal effort for the developers
Instant feedback: critical bugs are found in an early phase
Better code quality over time from a security perspective
[Pipeline diagram: Develop → Push → Trigger → Start automated security tests → Reporting → Continuous development]
• Security in a continuous delivery environment is usually considered difficult and time-consuming. This is why it is important to integrate security with the development and operations as early in the delivery as possible.
• By following this principle, you’ll end up with a delivery including fewer bugs and much better code quality over time.
• Integrating security as part of DevOps raises security awareness not only amongst the developers, but the whole project.
• We used only a couple of open source tools as an example for this demo; this stack might or might not fit your environment. A wrong approach might lead to many false positives, which is a big burden for the whole project.
• Automating security testing does not, however, compensate for manual work. A human brain cannot be replaced.
• Think about your current processes and SDLC workflow; without proper planning, security testing might become overwhelming.
FURTHER THOUGHTS
Security testing in a continuous delivery environment shouldn’t require too much effort – it should be educational and work as a guideline for all developers.