
Page 1: DevSecOps Journey - CSO50 Conference

Confidential – Internal Distribution | 1

DevSecOps Journey

2/28/2018

Page 2: Agenda

• DevSecOps @ Fannie Mae
  o The Challenges and The Promises
  o The Strategy and The Principles
  o DevSecOps E2E Value Stream
  o Results driven by innovation and leadership
• Lessons Learned and some of the takeaways
• Next steps and what is coming soon
• Q&A

Page 3: DevSecOps @ Fannie Mae – The Challenges

Information Security

• Security assessments are performed after development and testing
• Security findings are risk accepted because there is no time to fix issues before release
• Risk acceptance is good for 12 months and then renewed
• The list of risk accepted vulnerabilities grows…

Development Services

• Building software was not easy
• Production releases occurred every 9 to 18 months
• 150 deliverables
• 35 governance bodies
• 6 product quality checkpoints

Page 4: DevSecOps @ Fannie Mae – The Promise

Information Security

Information Security rethinks Application Security and asks –

“How do we effectively structure the organization to develop and deliver secure applications and manage application security risk?”

Strategy

• Developer Empowerment
• Business Engagement
• Application Lifecycle security coverage

Development Services

Development Services pursues DevOps Transformation and asks –

“How do we safely and quickly deliver software to meet customer demands?”

Strategy

• Shift in culture - Agile is a cultural revolution from command and control to self-organizing teams
• Change how software is built - DevOps is a maniacal focus on automation

Page 5: DevSecOps @ Fannie Mae – The Strategy

Automate Everything
Make Security Easy
Integrate with Culture

• Run as ONE (Security + DevOps as a single-purpose team)
• Training development teams to develop secure code
  o OWASP Brown Bags and On Demand Training Courses
  o Secure Code Examples in GIT REPO show how to write secure code
• Empowering Developers / Engaging Business Partners
  o Verification of Fortify “Clean Scans”
  o Periodic “To-the-Right” Application Static and Dynamic Tests
• Tracking security issues in the same systems developers are using
  o Integrated Fortify with SonarQube
  o Integrated Fortify with SSC
  o Application Security Issues Defect Tracking (Jira)
• Integrating preventive security controls/tools in the development phase
  o HP-Secure Assist
  o Find Security Bugs
  o Sonatype IQ Plugin
• Automating as many security tests as possible to run alongside other tests
  o Integrating SAST tools (HP-SA, Find Bugs, Find Security Bugs, Fortify)
  o Future: use a DAST tool
• Detecting when applications are relying on libraries that have known vulnerabilities
  o Integrating Sonatype with Fortify to detect third-party libraries that have known vulnerabilities

Page 6: DevSecOps @ Fannie Mae – The Principles

Rugged DevOps = DevSecOps

• Rapid and agile iteration from development into operations
• Stakeholders continuously monitor, analyze, attack and proactively determine defects
• Includes people, processes, technology, and culture of the organization
  o Security is a byproduct of culture

Page 7: DevSecOps @ Fannie Mae – End to End Value Stream

Page 8: DevSecOps @ Fannie Mae – The Results

Delivering the Promise

• Average days to close a vulnerability improved by 74%
• Automated code quality scanning shows overall security code scores have increased by 10%
• More than 60% of application teams are performing security tests before release
• The share of critically vulnerable open source components (CVSS 7.5+) downloaded has decreased from 18% to 6.25%
• ~55% of technical debt and security defects identified as a result of periodic testing have been dispositioned
• ~77% of older technical debt and security defects have been remediated, have a remediation plan in place, or have been addressed through managed retirements of assets

Chart: Average Days to Close a Security Vulnerability

Page 9: Results - Driven by innovation and leadership

Page 10: DevSecOps @ Fannie Mae – Lessons Learned

• Acknowledge that security vulnerabilities are defects
• If processes are too cumbersome, people will go around them
• Developers typically want one tool at the IDE level
• In DevOps CI/CD, code quality analysis is a critical need
• A single score can be misleading; automate, and measure results
• Leverage what you have while shifting left
• Recognize it is a culture shift in how work is performed

Page 11: DevSecOps @ Fannie Mae – Coming soon…

• DAST & IAST in CI/CD
• Securing the Software Supply Chain
  o Scan all eligible 3rd party libraries being used
  o Ensure 3rd party vulnerabilities are tracked as defects
  o Break builds when critical vulns are detected
  o Continuously monitor in-use 3rd party libraries
• Application Production Testing
• Container Security
• Continued refinement of CI/CD “paved road”
  o Software development teams will have end to end controlled delivery
  o Enable autonomous delivery of software products quickly, safely, and consistently while ensuring adherence to quality controls
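The supply-chain items on this slide describe one gate: scan the third-party libraries a build uses, record what the scanner finds as defects, and break the build when a finding is critical. The following Python is an added illustration of that gate, not code from the deck or from any of the scanners it names. It assumes the scanner's findings have already been exported into a list of components with their vulnerabilities; the component names, vulnerability identifiers and scores are constructed sample data, the 7.5 threshold is the one the Results slide uses for "critically vulnerable", and a finding without a score is treated as critical so that missing data cannot quietly pass the gate. It also produces the defect records and the "share of critically vulnerable components" figure, so it covers the tracking and measurement items as well as the build break.

```python
"""Third-party library build gate (added example, not code from the deck).

Takes the components of a build together with the known vulnerabilities an
SCA tool reported for them, breaks the build when any component carries a
finding at or above the CVSS threshold, emits the offending findings as
defect records for the tracker, and reports the share of components that are
critically vulnerable (the metric the Results slide quotes).  All component
names, vulnerability identifiers and scores below are constructed sample data.
"""

import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Threshold from the Results slide ("7.5+"): CVSS 7.5 and above is critical.
CRITICAL_CVSS = 7.5


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str            # identifier as exported by the scanner (constructed)
    cvss: Optional[float]   # None when the scanner exported a finding without a score


@dataclass
class Component:
    name: str
    version: str
    vulns: List[Vulnerability] = field(default_factory=list)


def critical_findings(component: Component, threshold: float = CRITICAL_CVSS,
                      unscored_is_critical: bool = True) -> List[Vulnerability]:
    """Findings on the component that should break the build.

    An unscored finding is treated as critical by default: a missing score is
    a data-quality failure, and the safe default is to block rather than to
    let the component through unexamined.
    """
    out = []
    for v in component.vulns:
        if v.cvss is None:
            if unscored_is_critical:
                out.append(v)
        elif v.cvss >= threshold:
            out.append(v)
    return out


def evaluate_build(components: List[Component], threshold: float = CRITICAL_CVSS,
                   unscored_is_critical: bool = True):
    """Apply the gate to one build.

    Returns (passed, defects, critical_share): `defects` holds one record per
    blocking finding, shaped for import into a defect tracker, and
    `critical_share` is the fraction of components with a blocking finding.
    """
    defects = []
    critical_components = 0
    for c in components:
        blocking = critical_findings(c, threshold, unscored_is_critical)
        if not blocking:
            continue
        critical_components += 1
        for v in blocking:
            defects.append({
                "component": f"{c.name}:{c.version}",
                "vuln_id": v.vuln_id,
                "cvss": v.cvss,
                "severity": "critical",
                "summary": f"Third-party component {c.name} {c.version} has "
                           f"known vulnerability {v.vuln_id}",
            })
    share = critical_components / len(components) if components else 0.0
    return critical_components == 0, defects, share


# Constructed sample: what a scanner export for one build might look like.
SAMPLE_COMPONENTS = [
    Component("example-http-client", "1.2.0", [Vulnerability("SAMPLE-VULN-0001", 9.8)]),
    Component("example-logging", "2.14.0", [Vulnerability("SAMPLE-VULN-0002", 5.3)]),
    Component("example-json", "3.0.1"),
    Component("example-xml-parser", "0.9.0", [Vulnerability("SAMPLE-VULN-0003", None)]),
]


def main() -> int:
    passed, defects, share = evaluate_build(SAMPLE_COMPONENTS)
    print(f"critical component share: {share:.1%}")
    for d in defects:
        print(f"DEFECT {d['component']} {d['vuln_id']} cvss={d['cvss']}")
    print("build PASSED" if passed else "build FAILED: critical third-party vulnerabilities")
    return 0 if passed else 1   # a non-zero exit status is what breaks the CI job


if __name__ == "__main__":
    sys.exit(main())
```

Run as a CI step, the non-zero exit status is the build break; the defect records are what would be pushed into the tracker so that third-party findings live alongside the team's other defects, and the share value is the number a dashboard would plot over time.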

Page 12: Questions and Comments?

Page 13: Fannie Mae’s DevSecOps Journey

Thank you!

Page 14: Appendix

Page 15: DevSecOps @ Fannie Mae Overview

1) Integrated Cyber Security with DevOps Culture

Stakeholders from Development, Operations/Business Partners and Cyber Security monitor, analyze, test, identify, and fix vulnerabilities earlier and faster.

Ownership and accountability of security defects is shared among executives, program managers, developers and information security personnel.

- Developers are performing testing alongside InfoSec, allowing developers to tackle new security vulnerabilities while developing code
- Accountability for the disposition of older security defects resides with Business Partners (i.e., determining what to fix, risk accept, retire, etc.)
- Cyber Security performs periodic risk-based security testing against select assets. As a part of the ongoing risk disposition process, Business Partners disposition newly identified defects

Page 16: DevSecOps @ Fannie Mae Overview

2) Make Security Easy to Understand and Use

Steps were taken to make security activities and checks seamless:

- Developer tools were optimized with cyber security plugins
- Cyber security test results were made available via developer tools and dashboards
- Cyber security roadshows were delivered to the development community and Operations/Business Partners
- Consistent cyber security reporting and outreach to Operations/Business Partners

Page 17: DevSecOps @ Fannie Mae Overview

3) Automate Everything

- Many security tests and activities were automated (e.g., by leveraging security plugins) or were designed to occur alongside other development-phase and CI/CD tests
- Multiple tools have been set up, configured, integrated, automated, and are now being maintained to produce actionable information for developers, security personnel, and business partners
  ▪ Secure Assist
  ▪ Find Bugs
  ▪ Find Security Bugs
  ▪ CAST
  ▪ Sonatype

Page 18: Information Security Journey – DevOps Handbook Recommendations

1. Training development teams to develop secure code
2. Tracking security issues in the same tracking system that developers are using
3. Integrating preventive security controls/tools in the development phase
4. Automating as many security tests as possible to run upon code commit/build
5. Detecting when applications are relying on libraries that have known vulnerabilities
6. Placing monitoring controls in place to ensure that production instances match known good state

Page 19: Information Security Journey – Application Security Strategy breakdown

Developer Empowerment = Tools + Training + Remediation support

▪ Developer self-service tools – Fortify, Secure Assist, Find Security Bugs plugin, Find Bugs plugin, Sonatype IQ IDE plugin, Nexus Repository Manager with Firewall
▪ OWASP Top Ten Brown Bags
▪ Secure Code Examples in GIT REPO show how to write secure code
▪ On Demand Training Courses
▪ Remediation Support

Business Engagement = Reporting + Risk conversations

▪ Monthly reporting to application owners
▪ Monthly executive reporting
▪ Risk strategies (risk acceptance, remediation plans) developed by application owners

Lifecycle coverage

▪ To-the-left: work with development teams to proactively test applications
▪ To-the-right: InfoSec tests applications and delivers results to app owners for risk disposition

Page 20: Development Services Journey

“I am rugged and, more importantly, my code is rugged.

I recognize that software has become a foundation of our modern world.

I recognize the awesome responsibility that comes with the foundational role.

I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.

I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security.

I recognize these things – and I choose to be rugged.

I am rugged because I refuse to be a source of vulnerability or weakness.

I am rugged because I assure my code will support its mission.

I am rugged because my code can face these challenges and persist in spite of them.

I am rugged, not because it is easy, but because it is necessary and I am up for the challenge.”

- The Rugged Manifesto

Page 21: Development Services Journey – Development Services DevOps Breakdown

• Accelerate the build and release of software with quality
• Left-shift the development experience by empowering the developer
• Governance is a necessity; transparency and empowerment are key
• Build a lean developer experience – think Software Supply Chain
• Eliminate delays, automate hand-offs
• Automate to remove toil work
• Automate measurement & monitoring