© 2016 VERACODE INC.

AppSec in a DevOps World - OWASP

Peter Chestna, Director of Developer Engagement


Who am I?

• 25 Years Software Development Experience

• 10+ Years Application Security Experience

• Certified Agile Product Owner and Scrum Master

• At Veracode since 2006

• From Waterfall to Agile to DevOps

• From Monolith to MicroService

• Consultant on DevSecOps best practices

• Fun Fact: I love whiskey!

@PeteChestna


Goals

• Why is AppSec important?

• How is DevOps changing application development?

• How is AppSec traditionally done?

• What needs to change?

– What to build

– What to measure

– How to help


Applications are as risky as ever

• of all applications used some kind of hard-coded password

• of all applications use broken or risky cryptographic algorithms

• of all applications were vulnerable to open redirect attacks

• of all applications mix trusted and untrusted data in the same data structure or message


Majority of internally developed applications fail OWASP


Lack of App Security is Damaging Companies


High Profile Breaches

All attacked through the app layer


Business Mandate


Compressed Timelines

• Waterfall: 1-4 releases per year

• Agile: 12-24 releases per year

• DevOps: 100+ releases per year


Definition of DevOps


Basic development cycle


The same phases appear in every model: Requirements, Analysis, Design, Coding, Testing, Acceptance. What changes is the time scale on which the cycle runs: Waterfall, Agile, DevOps (at scale).

Not so different after all


DevOps – Process: handoffs

Plan -> Dev -> QA -> Ops

• Waterfall: a handoff (!) at each boundary between Plan, Dev, QA and Ops

• Agile: one handoff (!), between the development team and Ops

• DevOps: continuity; business intent, app knowledge and ops knowledge are carried across Plan, Dev, QA and Ops instead of being handed off


Agile - Process

Copyright 2005, Mountain Goat Software


Transformation - Technology

Waterfall -> Agile -> DevOps


Is this your current AppSec program?


They/We know it’s coming…


Which outcome do you see?


DevOps – Process: Where is security?

Security


Strategy

• Integration & Automation

• 3-legged barstool:

– Training

– Remediation Coaching

– Scan early & often


Strategy – Integration & Automation

CI/CD pipeline (a flow diagram on the slide, reconstructed here as a sequence):

1. Backlog

2. Develop

3. Build & Test, with Static Analysis before check-in

4. Check in

5. Build (CI, per check-in)

6. Unit Tests + Static Analysis

7. Pass? No: Synchronize, fix, and return to Develop. Yes: Deploy to QA/Stage

8. Regression Testing + Dynamic Analysis. Pass? Yes: Stage, then Prod

CI covers the per-check-in build, unit tests and static analysis; CD covers deployment to QA/Stage, regression testing and dynamic analysis.


Strategy - Training

• Security teams can help developers by providing training, either through eLearning or in-person Instructor Led Training

• Think about targeted training based on policy violations
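The "Pass?" gate of the pipeline slide above, and this slide's suggestion to aim training at policy violations, as an added worked example (not code from the slides or from Veracode): a Python policy gate that reads SARIF output from a static analyzer, diffs it against the baseline from the last passing build so only new findings are judged, fails the build when the new findings exceed a per-level budget, and tallies the new findings per rule so training can be targeted at them. The two SARIF documents, the policy budgets and the `parse_sarif`/`evaluate` helpers are all constructed for illustration; a real scanner sets its own rule identifiers and levels.

```python
import hashlib
import json
from collections import Counter

# Constructed sample scanner output in SARIF 2.1.0 shape (not real scanner
# output). One error-level finding already existed in the last passing build;
# one error and two warnings are new in this check-in.
BASELINE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "example-sast"}}, "results": [
        {"ruleId": "CWE-327", "level": "error",
         "message": {"text": "Use of broken cryptographic algorithm: MD5"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/auth/token.py"},
             "region": {"startLine": 41}}}]},
    ]}],
})

CURRENT_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "example-sast"}}, "results": [
        {"ruleId": "CWE-327", "level": "error",   # same flaw, line shifted
         "message": {"text": "Use of broken cryptographic algorithm: MD5"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/auth/token.py"},
             "region": {"startLine": 44}}}]},
        {"ruleId": "CWE-798", "level": "error",
         "message": {"text": "Hard-coded database password"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/db/conn.py"},
             "region": {"startLine": 12}}}]},
        {"ruleId": "CWE-601", "level": "warning",
         "message": {"text": "Open redirect via 'next' parameter"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/web/login.py"},
             "region": {"startLine": 88}}}]},
        {"ruleId": "CWE-601", "level": "warning",
         "message": {"text": "Open redirect via 'return_to' parameter"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/web/logout.py"},
             "region": {"startLine": 23}}}]},
    ]}],
})

# Hypothetical policy: how many *new* findings per SARIF level a build may
# carry and still pass. Errors block outright; a small warning budget keeps
# the per-check-in gate from stalling on noise. Levels absent from the policy
# (e.g. "note") get a budget of 0, which is the conservative default.
POLICY = {"error": 0, "warning": 3}


def parse_sarif(text):
    """Flatten SARIF results into plain dicts the gate can reason about."""
    findings = []
    for run in json.loads(text).get("runs", []):
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": r.get("ruleId", "unknown"),
                "level": r.get("level", "warning"),  # SARIF's default level
                "file": loc.get("artifactLocation", {}).get("uri", ""),
                "line": loc.get("region", {}).get("startLine", 0),
                "message": r.get("message", {}).get("text", ""),
            })
    return findings


def fingerprint(f):
    """Stable identity for a finding that ignores the line number, so an
    unchanged flaw that moved a few lines is still recognised as known."""
    key = f"{f['rule']}|{f['file']}|{f['message']}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def new_findings(current, baseline):
    """Findings in this build that were not in the last passing build."""
    known = {fingerprint(f) for f in baseline}
    return [f for f in current if fingerprint(f) not in known]


def violations_by_rule(findings):
    """Count findings per rule: the input for targeting training."""
    return Counter(f["rule"] for f in findings)


def evaluate(current_text, baseline_text, policy=POLICY):
    """Return (passed, report). Mirrors the pipeline's 'Pass?' decision:
    No -> synchronize and fix, Yes -> deploy to QA/stage."""
    current = parse_sarif(current_text)
    fresh = new_findings(current, parse_sarif(baseline_text))
    per_level = Counter(f["level"] for f in fresh)
    breaches = {lvl: n for lvl, n in per_level.items() if n > policy.get(lvl, 0)}
    report = {
        "total": len(current),            # all findings, including known debt
        "new": len(fresh),
        "new_by_level": dict(per_level),
        "breaches": breaches,
        "training_targets": dict(violations_by_rule(fresh)),
    }
    return (not breaches), report


if __name__ == "__main__":
    ok, rep = evaluate(CURRENT_SARIF, BASELINE_SARIF)
    print("PASS" if ok else "FAIL", json.dumps(rep, indent=2))
    raise SystemExit(0 if ok else 1)
```

Run it in the per-check-in build step; a non-zero exit is the "No: Synchronize" branch. The baseline must be the SARIF from the last build that actually passed, otherwise known flaws silently grow the accepted debt; the `total` count is reported separately so that debt stays visible to the security team even while the gate only blocks on what the current check-in introduced.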


Get smart on DevOps

Train beyond your walls


Strategy - Remediation Coaching

For applications that used remediation coaching, development teams fixed more than 2.5x the average number of flaws per megabyte


Strategy – Measurement (Scan early, scan often)

Applications that used sandbox scanning had an average fix rate of 59%, a 2x improvement in fix rate


DevOps – Pervasive Security

Pipeline stages: Plan, Code, Build, Test, Stage, Deploy, Monitor

Security activities layered across those stages:

• Threat Modeling, Security Grooming, Secure Design

• Training (eLearning, instructor led, metadata driven)

• Static Application Security Testing + 3rd Party Risk Analysis

• Remediation and Mitigation Guidance, Secure Code Reviews

• Dynamic Application Security Testing

• Manual Penetration Testing, Red Team Activities

• Runtime Application Self Protection


Thank You!
