Continuous security Kim van Wilgen | Schuberg Philis nl.linkedin.com/kimvanwilgen [email protected] www.kimvanwilgen.com @kimvanwilgen

Post on 29-May-2020


Page 1: Continuous security nl.linkedin.com/kimvanwilgen · DevOps Microservices and serverless architectures Self-organization War for talent Exploration and rapid ... running state security

Continuous security

Kim van Wilgen | Schuberg Philis

nl.linkedin.com/kimvanwilgen

[email protected]

www.kimvanwilgen.com

@kimvanwilgen

Page 2

2018: Customer director, Schuberg Philis

2017: Head of software development, ANVA

2014: Head of IT, Klaverblad Verzekeringen

1980: Hello world

Page 3

Schuberg Philis

Mission critical digital transformations

Financially independent

Started in 2001

300 team members (Dec 2018)

EUR 60m revenue

Market quality leader in Business Critical IT Outsourcing

Single KPI: 100% customer satisfaction

Page 4

Our customers

Page 6

Why focus on security?

Page 7

• Agile

• Continuous delivery

• Containers

• Immutable infrastructures

• Pipelines

• Test automation

• T-shaped people

• You build it, you run it

• DevOps

• Microservices and serverless architectures

• Self-organization

• War for talent

• Exploration and rapid prototyping

• Emerging architectures

Page 8

Focus shifted to speed… and nothing else

Page 9

Shifting panels

Page 10

Autonomy, self-organization and key-shaped people

Page 11

Source: State of the cybersecurity report 2017

Page 12

Security roleplay

Page 13

Security all-in

Page 14

Security should support delivery of value

Page 15

“I never once spoke with the security team at Google. Not because they weren’t doing their job, but exactly because they were doing their job. They encoded their expertise into self-service tools and libraries, and we just used them ourselves.”

Randy Shoup, WeWork

Page 16

Continuous Delivery (CD) is a set of practices and principles in software engineering aimed at building, testing and releasing software faster and more frequently. They help reduce the cost, time and risk of delivering changes, and ultimately value, to customers by allowing for more incremental changes to applications in production.

Wikipedia, 2017

Page 17

Continuous Security (CS) is a set of practices and principles in software engineering aimed at designing, developing, testing and running software more securely. They help reduce the cost, time and risk of delivering integrity, availability and confidentiality to applications in production. Continuous security is essential for delivering Continuous Delivery.

Page 18

Let’s play!

Page 19

Gartner DevSecOps Top 10

1. Have security champions

2. Don’t eliminate all risk

3. Driven by DevOps teams

4. Identify and remove first

5. Context adaptation

6. Eliminate known vulnerabilities

7. Immutable infrastructure

8. Detection of changes

9. Security tests are source code

10. Train for the basics

Page 20

#1: Have security champions

Page 21

SecLeads and SecBuddies

Source: Rooske Eerden (de Tekenaar)

Page 22

Security Satellite team

5 dev (1 architect, 2 devs, 2 testers)

3 ops

Page 23

#2: Don’t eliminate all risk

Page 24

Risk and cost based security

Security is Confidentiality, Integrity and Availability

Page 25

Alignment of security and business value

Page 26

#3: DevOps driven

Integration in the pipeline

Page 28

Shift left on security

Page 29

DevSecOps, SecDevOps, DevOpS

Page 30

Automate first

• SAST

• DAST

• Proxy tools

• Dependency checks

• Custom scripts

Integration in the pipelines

Page 31

SAST: Static Application Security Testing

SAST: source code testing for security vulnerabilities

Leaders: Checkmarx, Veracode, AppScan, Fortify, PT Application Inspector, Coverity

We use SonarQube and JFrog Xray

+ Finds problems early in the lifecycle, detailed feedback, scalable

- Limited scope, configuration out of scope, false positives and negatives

Page 32

DAST: Dynamic Application Security Testing

DAST: running-state security testing that simulates attacks against an application or system (typically web-enabled applications and services), analyzes the results and thus determines whether it is vulnerable.

Leaders: Fortify, AppScan, ZAP, Qualys, Rapid7

We use ZAP

+ Tests the application at runtime, realistic view

- More complex, harder to track, needs a running instance (late feedback, limited scalability, slow)

Page 33

Security by design

Page 34

#4: Identify and remove: start small

Page 35

I’ve added over 100 security rules in SonarQube and sent the top X screwups to the team. They are more aware and will solve their own issues.

Dominik, member of the ANVA security satellite team

Page 36

I enabled the dependency check. We had hundreds of vulnerabilities. We solved them within a day with critical upgrades and the removal of obsolete dependencies.

Dominik, member of the ANVA security satellite team

Page 37

I ran Docker Bench. We found privileges were too high and corrected them.

Dominik, member of the ANVA security satellite team

Page 38

I’ve set up our internal learning platform with WebGoat. We can now practice attacks and grow awareness and knowledge of defences.

Michiel, member of the ANVA security satellite team

Page 39

#5: Context adaptation

Page 40

Learn and adapt first before you break the build

Page 41

Application Security Verification Standard

Irrelevant / SAST / DAST / RAST / other

Train for risks we can’t automate

Page 42

Evil user stories

As a Malicious Hacker, I want to gain access to this web application’s Cloud Hosting account so that I can lock out the legitimate owners and delete the servers and their backups, to destroy their entire business.

Page 43

#6: Fix your vulnerabilities

Page 44

Eliminate known vulnerabilities: OWASP dependency check

62

550 vulnerabilities
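As an added example (not code from the talk, nor from OWASP dependency check or any other tool named in it), the gate below shows one way to put #2, #5, #6 and #9 together in a pipeline step: a dependency-check style report is parsed, findings on a reviewed risk-acceptance list are tolerated, and the gate first runs in a learn mode that only reports before it is switched to break the build. The report schema, the mode names and the acceptance mapping are assumptions of this example, and the CVE ids are placeholders.

```python
"""Pipeline gate for dependency-check findings: learn, then adapt, then enforce.

Added example, not from the talk. The report shape is a simplified, constructed
version of an OWASP dependency-check JSON report, and the mode names and the
risk-acceptance mapping are conventions of this example.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Ranks let a threshold such as "HIGH" be compared numerically.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report; the CVE ids are placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "libfoo-1.2.jar", "vulnerabilities": [
        {"name": "CVE-PLACEHOLDER-1", "severity": "CRITICAL"},
        {"name": "CVE-PLACEHOLDER-2", "severity": "LOW"}]},
    {"fileName": "libbar-0.9.jar", "vulnerabilities": [
        {"name": "CVE-PLACEHOLDER-3", "severity": "HIGH"}]},
    {"fileName": "libbaz-3.0.jar", "vulnerabilities": []},
]})

# Risk acceptance lives next to the code (#9): findings the team knowingly
# carries for now (#2), each with an owner and an expiry date.
SAMPLE_ACCEPTED = {"CVE-PLACEHOLDER-3": {"owner": "satellite-team",
                                          "expires": "2019-06-30"}}


@dataclass
class Finding:
    dependency: str
    cve: str
    severity: str


def parse_report(report_json: str) -> list[Finding]:
    """Flatten the report into one Finding per (dependency, CVE) pair."""
    findings = []
    for dep in json.loads(report_json).get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            findings.append(Finding(dep["fileName"], vuln["name"],
                                    vuln.get("severity", "LOW").upper()))
    return findings


def gate(findings: list[Finding], mode: str, threshold: str,
         accepted: dict, today: str) -> tuple[bool, list[Finding], list[Finding]]:
    """Return (passed, blocking, warnings).

    learn:   never fail; everything is reported so the team can adapt first (#5).
    adapt:   fail on findings at or above the threshold unless accepted.
    enforce: like adapt, but an expired acceptance no longer counts.
    Dates are ISO strings, so plain string comparison orders them correctly.
    """
    blocking, warnings = [], []
    for f in findings:
        acceptance = accepted.get(f.cve)
        still_accepted = acceptance is not None and (
            mode != "enforce" or acceptance["expires"] >= today)
        if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold] and not still_accepted:
            blocking.append(f)
        else:
            warnings.append(f)
    if mode == "learn":
        return True, [], blocking + warnings
    return not blocking, blocking, warnings


if __name__ == "__main__":
    passed, blocking, _ = gate(parse_report(SAMPLE_REPORT), "adapt", "HIGH",
                               SAMPLE_ACCEPTED, "2019-01-01")
    print("build passed" if passed else
          "build blocked by " + ", ".join(f.cve for f in blocking))
```

Warnings are still written to the build log in every mode, so the team sees the full picture while the gate is being tightened.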

Page 46

#7: Immutable infrastructure

Page 47

One of the benefits of using containers, especially in microservices-based applications, is they make it easier to secure applications via runtime immutability—or never-changing—and applying least-privilege principles that limit what a container can do.

Tsvi Korren, Chief Solutions Architect at Aqua Security

Page 48

Immutable infrastructure mindset

• Patches are code changes and follow the pipeline

• Use systematic workload re-provisioning – difficult to persist across rebuilds

• Scan infrastructure security scripts against the security policy

• Apply pervasive visibility

Source: Gartner report on cloud security

Page 49

#8: Detection of changes
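As an added example (not code from the talk), the drift check below is one way to combine #7 and #8: the build records a manifest of file hashes for the image, and a scheduled job compares the running host against it, so a file edited in place or dropped in after boot stands out, because on an immutable host the only legitimate change is a rebuild. The manifest format, the helper names and the two sample file sets are assumptions of this example.

```python
"""Drift detection for immutable workloads: compare a running filesystem with
the manifest recorded when the image was built.

Added example, not from the talk. The manifest format (path -> sha256) and the
in-memory path -> bytes representation are conventions of this example.
"""
from __future__ import annotations

import hashlib
import os


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Map each path to the SHA-256 hex digest of its content."""
    return {path: hashlib.sha256(content).hexdigest()
            for path, content in files.items()}


def read_tree(root: str) -> dict[str, bytes]:
    """Load a directory tree into the path -> bytes form used above."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files


def diff_manifests(baseline: dict[str, str],
                   current: dict[str, str]) -> dict[str, list[str]]:
    """Return added, removed and modified paths. Any entry is drift: the
    image should only ever change through a rebuild that produces a new
    baseline, never in place on the running host."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def detect_drift(baseline_files: dict[str, bytes],
                 current_files: dict[str, bytes]) -> dict[str, list[str]]:
    """Convenience wrapper: hash both trees and diff them."""
    return diff_manifests(build_manifest(baseline_files),
                          build_manifest(current_files))


# Constructed sample: what the image shipped with, and what a drifted host shows.
BUILT_IMAGE = {
    "etc/app/config.yml": b"listen: 8080\n",
    "usr/bin/app": b"\x7fELF-placeholder-binary",
    "etc/cron.d/backup": b"0 2 * * * root /usr/bin/backup\n",
}
RUNNING_HOST = {
    "etc/app/config.yml": b"listen: 8080\ndebug: true\n",  # edited in place
    "usr/bin/app": b"\x7fELF-placeholder-binary",
    "tmp/helper.sh": b"#!/bin/sh\necho hi\n",             # appeared after boot
}                                                          # backup job removed

if __name__ == "__main__":
    for kind, paths in detect_drift(BUILT_IMAGE, RUNNING_HOST).items():
        print(f"{kind}: {paths}")
```

For a real host, `read_tree` over the image root replaces the constructed dictionaries, and the baseline manifest is produced by the same pipeline that builds the image so it cannot be altered on the host it describes.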

Page 50

#9: Treat security tests as source code

Page 51

#10: Train for the basics

Page 52

Automate security features and scan against bugs and vulnerabilities

Check for logical flaws manually, educate and raise context awareness

Page 53

Infrastructure alone won’t keep you safe

10.6% of passwords are a top-20 password

Page 54

Security bootcamps

Page 55

Context awareness

Page 56

Hack yourself first too

Chaos Engineering: make rare events regular

Page 57

“Think as an offender will show the real threats of your application and grow awareness from finding out how easy it is.”

Troy Hunt, MVP for developer security and creator of ‘Have I Been Pwned’

Page 58

Red teaming

“Did you check the cake for hard and sharp objects before bringing this inside?”

Page 59

Gartner DevSecOps Top 10

1. Have security champions

2. Don’t eliminate all risk

3. Driven by DevOps teams

4. Identify and remove first

5. Context adaptation

6. Eliminate known vulnerabilities

7. Immutable infrastructure

8. Detection of changes

9. Security tests are source code

10. Train for the basics

Page 60

References and questions

www.kimvanwilgen.com

@kimvanwilgen

[email protected]

Page 61

Sources

https://sdtimes.com/developers/gartners-guide-to-successful-devsecops/

https://cybersecurity.isaca.org/static-assets/documents/State-of-Cybersecurity-part-2-infographic_res_eng_0517.pdf

https://www.sans.org/reading-room/whitepapers/critical/continuous-security-implementing-critical-controls-devops-environment-36552

10 Things to Get Right for Successful DevSecOps, Gartner, 2017, IDG00341371

https://www.gartner.com/doc/reprints?id=1-4TI72Y2&ct=180320&st=sb

https://www.thoughtworks.com/radar/techniques

https://www.mmc.com/content/dam/mmc-web/Global-Risk-Center/Files/MMC-Cyber-Handbook_2016-web-final.pdf

Reimagining Security and IT Resilience for a Cloud-Native DevSecOps World, Gartner, 2018