DevSecOps Journey - CSO50 Conference · 2/28/2018 (3/3/2018, Confidential)
TRANSCRIPT
Confidential – Internal Distribution | 1
DevSecOps
Journey
2/28/2018
Agenda
• DevSecOps @ Fannie Mae
o The Challenges and The Promises
o The Strategy and The Principles
o DevSecOps E2E Value Stream
o Results driven by innovation and leadership
• Lessons Learned and some of the takeaways
• Next steps and what is coming soon
• Q&A
DevSecOps @ Fannie Mae – The Challenges
Information Security
• Security assessments are performed after development and testing
• Security findings are risk accepted because there is no time to fix issues before release
• Risk acceptance is good for 12 months and then renewed
• The list of risk accepted vulnerabilities grows…
Development Services
• Building software was not easy
• Production releases occurred every 9 to 18 months
• 150 deliverables
• 35 governance bodies
• 6 product quality checkpoints
DevSecOps @ Fannie Mae – The Promise
Information Security
Information Security rethinks Application Security and asks –
“How do we effectively structure the organization to develop and deliver secure applications and manage application security risk?”
Strategy
• Developer Empowerment
• Business Engagement
• Application Lifecycle security coverage
Development Services
Development Services pursues DevOps Transformation and asks –
“How do we safely and quickly deliver software to meet customer demands?”
Strategy
• Shift in culture - Agile is a cultural revolution from command and control to self-organizing teams
• Change how software is built - DevOps is a maniacal focus on automation
DevSecOps @ Fannie Mae – The Strategy
Automate Everything | Make Security Easy | Integrate with Culture
• Run as ONE (Security + DevOps as a single-purpose team)
• Training development teams to develop secure code
o OWASP Brown Bags and On Demand Training Courses
o Secure Code Examples in GIT REPO show how to write secure code
• Empowering Developers / Engaging Business Partners
o Verification of Fortify “Clean Scans”
o Periodic “To-the-Right” Application Static and Dynamic Tests
• Tracking security issues in the same systems developers are using
o Integrated Fortify with SonarQube
o Integrated Fortify with SSC
o Application Security Issues Defect Tracking (Jira)
• Integrating preventive security controls/tools in the development phase
o HP Secure Assist
o Find Security Bugs
o Sonatype IQ Plugin
• Automating as many security tests as possible to run alongside other tests
o Integrating SAST tools (HP-SA, FindBugs, Find Security Bugs, Fortify)
o Future: use a DAST tool
• Detecting when applications are relying on libraries that have known vulnerabilities
o Integrating Sonatype with Fortify to detect third-party libraries that have known vulnerabilities
DevSecOps @ Fannie Mae – The Principles
Rugged DevOps = DevSecOps
• Rapid and agile iteration from development into operations
• Stakeholders continuously monitor, analyze, attack and proactively determine defects
• Includes people, processes, technology, and culture of the organization
o Security is a byproduct of culture
DevSecOps @ Fannie Mae – End to End Value Stream
DevSecOps @ Fannie Mae – The Results
Delivering the Promise
• Average days to close a vulnerability improved by 74%
• Automated code quality scanning shows overall security code scores have increased by 10%
• More than 60% of application teams are performing security tests before release
• Critically vulnerable open source components (CVSS 7.5+) downloaded have decreased from 18% to 6.25%
• ~55% of technical debt and security defects identified as a result of periodic testing have been dispositioned
• ~77% of older technical debt and security defects have been remediated, have a remediation plan in place, or have been addressed through managed retirements of assets
(Chart: Average Days to Close a Security Vulnerability)
Results - Driven by innovation and leadership
DevSecOps @ Fannie Mae
Lessons Learned
• Acknowledge that security vulnerabilities are defects
• If processes are too cumbersome, people will go around them
• Developers typically want one tool at the IDE level
• In DevOps CI/CD, code quality analysis is a critical need
• A single score can be misleading: automate, and measure results
• Leverage what you have while shifting left
• Recognize it is a culture shift in how work is performed
DevSecOps @ Fannie Mae
Coming soon…
• DAST & IAST in CI/CD
• Securing the Software Supply Chain
o Scan all eligible 3rd party libraries being used
o Ensure 3rd party vulnerabilities are tracked as defects
o Break builds when critical vulns are detected
o Continuously monitor in-use 3rd party libraries
• Application Production Testing
• Container Security
• Continued refinement of CI/CD “paved road”
o Software development teams will have end to end controlled delivery
o Enable autonomous delivery of software products quickly, safely, and consistently while ensuring adherence to quality controls
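As an added example (not Fannie Mae's tooling or code), a small Python build gate that models the supply-chain steps above and the strategy slide's "libraries with known vulnerabilities" detection: it turns scan findings into trackable defect records, breaks the build only on findings at or above the results slide's 7.5 CVSS threshold, and reports the share of critically vulnerable components. The scan format, library names and VULN-* ids are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed build gate modelling the slides' supply-chain steps:
# scan third-party libraries, record findings as defects, break the
# build on critical vulnerabilities, and report the critical share.
CRITICAL_CVSS = 7.5  # the "7.5+" threshold from the results slide


@dataclass
class Finding:
    vuln_id: str  # placeholder id, not a real CVE
    cvss: float


@dataclass
class Component:
    name: str
    version: str
    findings: list = field(default_factory=list)


# Constructed scan output for three hypothetical libraries.
SAMPLE_SCAN = [
    Component("lib-alpha", "1.2.0", [Finding("VULN-0001", 9.8)]),
    Component("lib-beta", "4.0.1", [Finding("VULN-0002", 5.3)]),
    Component("lib-gamma", "0.9.7"),
]


def to_defects(components):
    """One defect record per finding, shaped for a tracker such as Jira."""
    return [
        {"component": f"{c.name}@{c.version}", "vuln": f.vuln_id, "cvss": f.cvss,
         "severity": "critical" if f.cvss >= CRITICAL_CVSS else "non-critical"}
        for c in components for f in c.findings
    ]


def critical_share(components):
    """Fraction of scanned components with at least one CVSS 7.5+ finding."""
    if not components:
        return 0.0
    hits = sum(any(f.cvss >= CRITICAL_CVSS for f in c.findings) for c in components)
    return hits / len(components)


def gate(components, threshold=CRITICAL_CVSS):
    """Return (passed, blocking_defects); only findings at/above threshold break the build."""
    blocking = [d for d in to_defects(components) if d["cvss"] >= threshold]
    return not blocking, blocking
```

Non-critical findings still become defect records, so they are tracked without blocking delivery, which is the split the slides describe between tracking and breaking builds.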
Questions and Comments?
Fannie Mae’s DevSecOps Journey
Thank you!
Appendix
DevSecOps @ Fannie Mae Overview
1) Integrated Cyber Security with DevOps Culture
Stakeholders from Development, Operations/Business Partners and Cyber Security monitor, analyze, test, and identify, and fix vulnerabilities earlier and faster
Ownership and accountability of security defects is shared among executives, program managers, developers and information security personnel
- Developers are performing testing alongside InfoSec, allowing developers to tackle new security vulnerabilities while developing code
- Accountability for the disposition of older security defects resides with Business Partners (i.e., determining what to fix, risk accept, retire, etc.)
- Cyber Security performs periodic risk-based security testing against select assets. As a part of the ongoing risk disposition process, Business Partners disposition newly identified defects
DevSecOps @ Fannie Mae Overview
2) Make Security Easy to Understand and Use
Steps were taken to make security activities and checks seamless
- Developer tools were optimized with cyber security plugins
- Cyber security test results were made available via developer tools and dashboards
- Cyber security roadshows delivered to the development community and Operations/Business Partners
- Consistent cyber security reporting and outreach to Operations/Business Partners
DevSecOps @ Fannie Mae Overview
3) Automate Everything
- Many security tests and activities were automated (i.e. leveraging security plugins) or were designed to occur alongside other development phase and CI/CD tests
- Multiple tools have been set up, configured, integrated, automated, and are now being maintained to produce actionable information for developers, security personnel, and business partners
▪ Secure Assist
▪ FindBugs
▪ Find Security Bugs
▪ CAST
▪ Sonatype
DevOps Handbook Recommendations
1. Training development teams to develop Secure code
2. Tracking security issues in the same tracking system that developers are using
3. Integrating preventive security controls/tools in the development phase
4. Automating as many security tests as possible to run upon code commit/build
5. Detecting when applications are relying on libraries that have known vulnerabilities
6. Placing monitoring controls in place to ensure that production instances match known good state
Information Security Journey
Information Security Journey
Application Security Strategy breakdown
Developer Empowerment = Tools + Training + Remediation support
▪ Developer self-service tools – Fortify, Secure Assist, Find Security Bugs plugin, FindBugs plugin, Sonatype IQ IDE plugin, Nexus Repository Manager with Firewall
▪ OWASP Top Ten Brown Bags
▪ Secure Code Examples in GIT REPO show how to write secure code
▪ OnDemand Training Courses
▪ Remediation Support
Business Engagement = Reporting + Risk conversations
▪ Monthly reporting to application owners
▪ Monthly executive reporting
▪ Risk strategies (risk acceptance, remediation plans) developed by application owners
Lifecycle coverage
▪ To-the-left: work with development teams to proactively test applications
▪ To-the-right: InfoSec tests applications and delivers results to app owners for risk disposition
Development Services Journey
“I am rugged and, more importantly, my code is rugged.
I recognize that software has become a foundation of our modern world.
I recognize the awesome responsibility that comes with the foundational role.
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security.
I recognize these things – and I choose to be rugged.
I am rugged because I refuse to be a source of vulnerability or weakness.
I am rugged because I assure my code will support its mission.
I am rugged because my code can face these challenges and persist in spite of them.
I am rugged, not because it is easy, but because it is necessary and I am up for the challenge.”
- The Rugged Manifesto
Development Services Journey
Development Services DevOps Breakdown
• Accelerate the build and release of software with Quality
• Left shift the development experience by empowering the developer
• Governance is a necessity; transparency and empowerment are key
• Build a Lean, developer experience – think Software Supply Chain
• Eliminate delays, automate hand-offs
• Automate to remove toil work
• Automate measurement & monitoring