devops and security: it’s happening. right now

Post on 23-Feb-2016


DESCRIPTION

DevOps and Security: It's Happening. Right Now. Helen Bravo, Director of Product Management at Checkmarx (Helen.bravo@checkmarx.com). PowerPoint PPT presentation.

TRANSCRIPT

DevOps and Security: It’s Happening. Right Now.

Helen Bravo
Director of Product Management at Checkmarx
Helen.bravo@checkmarx.com

Agenda

• Intro to DevOps

• Integrating security within DevOps

– Problems with traditional controls

– Steps to DevOps security

What is DevOps About?

An unstoppable deployment process… in small chunks of time

DevOps is Happening

Companies that have adopted DevOps

Can TRADITIONAL web application security controls fit in…

… a DevOps environment?!

Traditional Web Application Security Controls

• Penetration Testing

• WAF (Web Application Firewall)

• Code Analysis

Penetration Testing - Takes Time!

Penetration Testing

– 300-page report

– 3 weeks of assessment time

– 2 weeks to get the results into development

Web Application Firewall (WAF)

Thinking Continuous Deployment? Think Continuous Configuration!

Code Analysis

• Setup time

• Running time

• Analysis time

… just too slow!

… Do Nothing?

Required: A New Secure SDLC Approach

Step by Step

Step 1: Plan for Security

• Identify unsecured APIs and frameworks

• Map security-sensitive code portions, e.g. the password change mechanism and the user authentication mechanism.

• Anticipate regulatory problems and plan for them.

Step 2: Engage the Developers. And Be Engaged

• Connect developers to security

– Going to OWASP? Bring a developer with you!

• Is your house on fire? Share the details with your developers.

• Have an open-door approach

• Set up an online collaboration platform, e.g. Jive, Confluence, etc.

Step 3: Arm the Developers

• Secure frameworks:

– Use a secure framework such as Spring Security, JAAS, Apache Shiro, Symfony2

– ESAPI is a very useful OWASP security framework

• SCA tools that provide security feedback at the pre-commit stage.

– Rapid response

– Small chunks

Step 3: Automate the Process

• Integrate within your build (Jenkins, Bamboo, TeamCity, etc.)

– SAST

– DAST

• Fail the build if security does not pass the bar.

Continuous Deployment

[Diagram: Continuous Deployment pipeline. Stages shown: Develop, Code Commit, Source Control, Build Trigger, Unit Tests, Deploy to Test Env, Deploy to Production, Report & Notify, Publish to release repository.]

Security within Continuous Deployment

[Diagram: the same pipeline (Develop, Code Commit, Source Control, Build Trigger, Tests, Deploy to Test Env, Deploy to Production, Report & Notify, Publish to release repository) with an added stage: Automatic security test (SCA Test).]
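One way to implement the "fail the build if security does not pass the bar" step shown in the pipeline above, as an added example (not code from the talk or from Checkmarx). It assumes the SAST/SCA scanner's findings can be loaded into dicts with rule, severity and location keys; the sample findings are constructed. Only findings that are new relative to the last accepted scan count against the bar, which is how a team can start small without the legacy backlog blocking every commit.

```python
"""Security gate for the automated build: fail the CI step when the scan
does not pass the bar. Added example, not the talk's or any vendor's code.
Assumes scanner findings load into dicts with "rule", "severity" and
"location" keys; the sample findings below are constructed."""
import sys

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# The bar: maximum number of NEW findings at or above each severity.
# Start small (block only new Highs) and tighten as the backlog shrinks.
DEFAULT_POLICY = {"High": 0, "Medium": 5}

# Constructed sample data: last accepted scan (baseline) and the current scan.
BASELINE = [
    {"rule": "SQL_Injection", "severity": "High", "location": "UserDao.java:88"},
    {"rule": "Weak_Hash", "severity": "Medium", "location": "PasswordChange.java:40"},
]
CURRENT = BASELINE + [
    {"rule": "XSS_Reflected", "severity": "High", "location": "Login.java:120"},
]


def finding_key(finding):
    """Identity used to match a finding against the baseline."""
    return (finding["rule"], finding["location"])


def evaluate_gate(findings, baseline, policy=DEFAULT_POLICY):
    """Return (passed, reasons). Only findings absent from the baseline count,
    so the legacy backlog does not block every commit; newly added debt does."""
    known = {finding_key(f) for f in baseline}
    new = [f for f in findings if finding_key(f) not in known]
    reasons = []
    for level, limit in policy.items():
        count = sum(1 for f in new if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[level])
        if count > limit:
            reasons.append(f"{count} new finding(s) at severity >= {level}, limit {limit}")
    return (not reasons, reasons)


def main():
    """Non-zero exit status marks the CI step (Jenkins, Bamboo, TeamCity) as failed."""
    passed, reasons = evaluate_gate(CURRENT, BASELINE)
    for reason in reasons:
        print("SECURITY GATE:", reason)
    print("SECURITY GATE:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as the security test step after the build; the new High finding in the sample makes the gate fail while the two baseline findings do not.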


Step 5: Use Old Tools Wisely

• Periodic pen testing

• WAF on main functions

• Code review for security sensitive code portions.

Summary

• DevOps is happening. Right Now.

– During the time of this talk, Amazon has released 75 features and bug fixes.

• Security should not be compromised

• Don’t be overwhelmed. Start small


The 3 Takeaways

1. Plan from the ground up

2. Engage with your developers

3. Integrate security into automatic build process.

Questions?

Thank you

Helen.bravo@checkmarx.com
