
Everything visible. Everything secure.

DevSecOps — How to build continuous security into IT and App Infrastructures

Agenda

• DevOps, CI/CD and other cool terms
• Where two worlds collide (DevOps vs SecOps)
• What Continuous Security / Integrated Security (DevSecOps) looks like
• Shift Left Security & approaches
• A business case for DevSecOps
• Putting DevOps security into practice
• Qualys DevSecOps solutions
• Demo

Waterfall vs. Agile Dev Methodologies

Waterfall: a sequential process. ANALYZE > PLAN > DESIGN > BUILD > TEST > DEPLOY, run once for the whole release.

Agile: an iterative process. Each sprint (Sprint 1, Sprint 2, ...) runs its own PLAN > ANALYZE > DESIGN > BUILD > TEST > DEPLOY cycle.

Both are driven by the same outside pressures:
• Requirements changes
• Customer/market influences
• Technology innovation

DevOps brings significant benefits; however, it is complex.

The DevOps loop: PLAN > CODE > BUILD > TEST > RELEASE > DEPLOY > OPERATE > MONITOR, with the Dev half (plan, code, build, test) feeding the Ops half (release, deploy, operate, monitor) and monitoring feeding back into planning.

What it buys you: agility, automation, speed.

Traditional Security in a DevOps World

Pipeline: PLAN > CODE > TEST > RELEASE > PACKAGE > DEPLOY > OPERATE > MONITOR (Development on the left, Operations on the right).

SecOps sits outside the pipeline and touches it at two points only:
• Pre-production security assessments (point in time)
• Post-production security assessments (point in time)

The feedback loop between these critical stages and Dev/Ops creates delays.

A bolt-on approach to security will also lead to failure

Pipeline: PLAN > CODE > TEST > RELEASE > PACKAGE > DEPLOY > OPERATE > MONITOR. A bolted-on security assessment inserted between Development and Operations acts as a STOP gate at each hand-off, halting the flow every time it runs.

Baked-in security, not bolted on:
1. As integrated and transparent as possible
2. Simple to operate, even for non-security professionals
3. Easy to adapt to new challenges

Source: http://www.foodengineeringmag.com/articles/88990-tech-update-metal-detection-xray-inspection-

Shift Left: Baked-in security

Shift Left

"Improve quality & security and reduce downstream disruptions by moving testing earlier in the software development lifecycle."

Shift Left aligns with Agile development:
• Do more earlier, where it is cheaper and more effective
• Continuous development and testing
• Include feedback loops to improve

Shift Left Security – Continuous Security

Pipeline: PLAN > CODE > TEST > RELEASE > PACKAGE > DEPLOY > OPERATE > MONITOR (Development through Operations).

Continuous integrated security runs along the whole pipeline, with DevOps and SecOps sharing the work (DevSecOps) rather than meeting at two hand-off points:

Development side: Secure SDLC training, static code analysis, dynamic application security testing, build / policy compliance, vulnerability assessment
Operations side: policy compliance, dynamic application security testing, vulnerability assessment

DevOps & SecOps need to be aligned in key areas

DevOps side / SecOps counterpart:
• Processes (Scrum, Agile) / Integrated process (via the DevOps process)
• Integration & automation (CI/CD, test-driven development) / Automated security (in the CI/CD pipeline, audit and verify)
• Tools & technologies (cloud, containers) / Self-service security tools for DevOps (CI/CD plugins, APIs, scripting)

Division of labour: Security selects and builds the security tooling; DevOps operationalizes and uses the security tooling.

Shift Left approaches for DevOps

Shift Time: shift security earlier into the DevOps cycle.
Shift Techniques: apply new techniques that integrate security, as opposed to bolting it on.
Shift Tools: use new and existing tools in different ways to support DevOps projects.

Shift Left is not about doing the same things earlier; it is an opportunity to do different and better things earlier.

Shifting Time

Shift Time 1: New Agile DevOps web app build sprints. Applied technique: vulnerabilities are found and fixed in the same release cadence.

Shift Time 2: Automated regression and test-driven development. Applied technique: automated regression finds patch issues faster.

Shift Time 3: Use containers to abstract apps from the OS. Applied technique: OS vulnerabilities are patched separately from apps.

[Chart: count of severity 4/5 vulnerabilities plotted against days vulnerabilities remain open (60, 120, 180), comparing traditional applications with DevSecOps applications]

Shifting Techniques

Shift Technique 1: Tag vulnerable libraries in source control systems. Applied technique: prevent application builds that use vulnerable code.
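One way to turn "tag vulnerable libraries in source control, block builds that use them" into a pipeline step. This is an added example, not code from the deck or from Qualys: the tag list is a hypothetical file a team would keep next to the code, the manifest is a constructed requirements.txt, and the version ranges are made up, not real advisories. The gate also treats unpinned dependencies as a failure, because a build that cannot prove which version it will pull cannot prove it is clean.

```python
"""CI build gate: fail the build when a pinned dependency matches a library
tagged as vulnerable. Added illustration for the 'Shift Technique 1' slide.
VULNERABLE_TAGS and SAMPLE_MANIFEST are constructed; the ranges are not
real advisories."""
import re
import sys
from typing import Dict, List, Tuple

# Hypothetical tag list as a team might commit it alongside the code:
# (package name, first affected version inclusive, first fixed version exclusive).
VULNERABLE_TAGS: List[Tuple[str, str, str]] = [
    ("examplelib", "1.0.0", "1.4.2"),
    ("otherpkg",   "0.0.0", "2.0.0"),
]

# Constructed pinned manifest in requirements.txt syntax.
SAMPLE_MANIFEST = """\
# constructed sample
examplelib==1.3.0
otherpkg==2.1.0
safething==0.9.1
unpinnedpkg>=1.0
"""

_REQ_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|>|<)?\s*([0-9][0-9A-Za-z.\-]*)?")


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.4.2' -> (1, 4, 2); a non-numeric segment counts as 0."""
    out = []
    for seg in v.split("."):
        m = re.match(r"\d+", seg)
        out.append(int(m.group()) if m else 0)
    return tuple(out)


def parse_manifest(text: str) -> Dict[str, Tuple[str, str]]:
    """Map package name -> (operator, version). Comments, blanks and
    option lines (-e, --index-url, ...) are skipped."""
    deps: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _REQ_RE.match(line)
        if m:
            deps[m.group(1).lower()] = (m.group(2) or "", m.group(3) or "")
    return deps


def is_affected(version: str, first_affected: str, first_fixed: str) -> bool:
    """True when first_affected <= version < first_fixed."""
    return parse_version(first_affected) <= parse_version(version) < parse_version(first_fixed)


def gate(manifest_text: str, tags=VULNERABLE_TAGS) -> Dict[str, List[str]]:
    """Return {'blocked': [...], 'unverifiable': [...]}.
    blocked      = pinned (==) to a version inside a tagged range
    unverifiable = not pinned with ==, so the resolved version is unknown"""
    result: Dict[str, List[str]] = {"blocked": [], "unverifiable": []}
    tagged = {name.lower(): (lo, hi) for name, lo, hi in tags}
    for name, (op, ver) in sorted(parse_manifest(manifest_text).items()):
        if op != "==" or not ver:
            result["unverifiable"].append(name)
            continue
        if name in tagged and is_affected(ver, *tagged[name]):
            lo, hi = tagged[name]
            result["blocked"].append(f"{name}=={ver} (affected {lo} <= v < {hi})")
    return result


def build_allowed(manifest_text: str, tags=VULNERABLE_TAGS) -> bool:
    """The pipeline step: non-zero exit (False) stops the build."""
    r = gate(manifest_text, tags)
    return not r["blocked"] and not r["unverifiable"]


if __name__ == "__main__":
    for kind, items in gate(SAMPLE_MANIFEST).items():
        for item in items:
            print(f"{kind.upper()}: {item}")
    sys.exit(0 if build_allowed(SAMPLE_MANIFEST) else 1)
```

Wire `build_allowed` into the build job so a tagged library fails the job rather than producing a report nobody reads; when the tag list lives in the same repository, a fix to the list and a fix to the dependency land in the same pull request and the same release cadence.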

Shift Technique 2: Vulnerabilities are treated the same as software defects. Applied technique: create a contract between IT and Security to facilitate integrated workflows.

Shift Technique 3: Open vulnerabilities are reported to business owners. Applied technique: long-standing open vulnerabilities are escalated to senior (CxO) management.

Shifting Tools

Shift Tools 1: Multiple web apps in both dev and production. Applied technique: integrate the production web app security assessment tool into DevOps processes via its API.

Shift Tools 2: Keep track of security assessment issues in the same way as software bugs. Applied technique: automatically create trouble tickets to fix security issues, using the same systems.
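What "treat vulnerabilities like defects, ticket them in the same system, and escalate the long-standing ones" looks like once automated, covering Shift Technique 2 and 3 and Shift Tools 2 together. This is an added example, not code from the deck or from Qualys. The `Tracker` class is an in-memory stand-in for whatever defect tracker the team already uses, the two scan results are constructed, and the fingerprinting scheme is one reasonable choice, not a standard: the point is that a re-scan must update the existing ticket rather than open a duplicate, a finding that stops appearing must close its ticket, and age is measured per ticket so the escalation rule has something to act on.

```python
"""Treat scan findings as software defects: one tracker ticket per unique
finding, re-scans update instead of duplicating, findings that disappear
close their ticket, and open findings past an age limit are listed for
escalation. Added illustration for the Shift Technique 2/3 and Shift Tools 2
slides; Tracker stands in for a real bug tracker and all findings are
constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Constructed, normalised scanner output (severity on the deck's 1..5 scale).
# Two scans of the same app, 90 days apart.
SCAN_DAY1 = [
    {"app": "shop", "url": "/login",  "type": "SQL Injection", "severity": 5, "param": "user"},
    {"app": "shop", "url": "/search", "type": "XSS",           "severity": 3, "param": "q"},
]
SCAN_DAY90 = [
    {"app": "shop", "url": "/login",   "type": "SQL Injection", "severity": 5, "param": "user"},  # still open
    {"app": "shop", "url": "/profile", "type": "IDOR",          "severity": 4, "param": "id"},    # new
]  # the XSS no longer appears, so its ticket should be closed


def fingerprint(f: dict) -> str:
    """Stable identity for a finding across scans so the same issue maps to
    the same ticket. Deliberately excludes volatile fields (scan id, time)."""
    return "|".join(str(f[k]).lower() for k in ("app", "url", "type", "param"))


@dataclass
class Ticket:
    key: str
    title: str
    severity: int
    opened: date
    status: str = "open"
    closed: Optional[date] = None
    last_seen: Optional[date] = None


@dataclass
class Tracker:
    """Stand-in for the team's normal defect tracker (Jira, GitHub Issues, ...)."""
    tickets: Dict[str, Ticket] = field(default_factory=dict)

    def sync(self, findings: List[dict], today: date) -> Dict[str, List[str]]:
        """Reconcile one scan with the tracker. Returns the ticket keys that
        were created, reopened (a fixed issue came back), updated (still
        present) and closed (no longer reported)."""
        seen = {fingerprint(f): f for f in findings}
        out: Dict[str, List[str]] = {"created": [], "reopened": [], "updated": [], "closed": []}
        for key, f in seen.items():
            t = self.tickets.get(key)
            if t is None:
                title = f"[Sev {f['severity']}] {f['type']} at {f['app']}{f['url']} (param {f['param']})"
                self.tickets[key] = Ticket(key, title, f["severity"], opened=today, last_seen=today)
                out["created"].append(key)
            elif t.status == "closed":
                # Regression: the age clock restarts from the day it came back.
                t.status, t.opened, t.closed, t.last_seen = "open", today, None, today
                out["reopened"].append(key)
            else:
                t.last_seen = today
                out["updated"].append(key)
        for key, t in self.tickets.items():
            if t.status == "open" and key not in seen:
                t.status, t.closed = "closed", today
                out["closed"].append(key)
        return out

    def days_open(self, key: str, today: date) -> int:
        t = self.tickets[key]
        return ((t.closed or today) - t.opened).days

    def escalations(self, today: date, max_days: Dict[int, int]) -> List[str]:
        """Open tickets older than the per-severity limit, e.g. {5: 30, 4: 60}:
        the long-standing open vulnerabilities the deck says to escalate."""
        return sorted(
            key for key, t in self.tickets.items()
            if t.status == "open"
            and t.severity in max_days
            and self.days_open(key, today) > max_days[t.severity]
        )


if __name__ == "__main__":
    tr = Tracker()
    print(tr.sync(SCAN_DAY1, date(2021, 1, 1)))
    print(tr.sync(SCAN_DAY90, date(2021, 4, 1)))
    print("escalate:", tr.escalations(date(2021, 4, 1), {5: 30, 4: 60, 3: 90}))
```

Running the two constructed scans through `sync` opens two tickets on day 1, then on day 90 opens one more, leaves the SQL injection ticket open with its age at 90 days, and closes the XSS ticket; with a 30-day limit for severity 5 the SQL injection ticket is the only escalation. The `days_open` figure is exactly what the "days vulnerabilities open" chart earlier in the deck reports in aggregate.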

Shift Tools 3: Prevent security issues in production from becoming a large problem. Applied technique: continuously assess web apps in both dev and production so issues are not re-introduced.

Shift Left Security reduces overall costs

Pipeline: PLAN > CODE > TEST > RELEASE > PACKAGE > DEPLOY > OPERATE > MONITOR (Development through Operations), with Shift Left continuous security (DevSecOps) running along the whole length.

Lower costs by fixing defects earlier:
1. Traditional point-in-time security assessments: $$$$$$$$$$
2. Continuous security with tool consolidation: $$$

DevSecOps: The Business Case for Security

Cost of a software bug, by where it is found:
• During the planning or requirements-gathering phase of the project: $100
• During the QA testing phase of the project: $1,000
• In production: $10,000

Security issue: $100,000+

Applying DevSecOps in practice

Identify (next month)
• Take an accounting of current security tools: are they DevOps friendly?
• Identify development teams using DevOps; engage them and discuss DevSecOps
• Where are your Dev environments: cloud, on-premise, hybrid?

Implement (next quarter)
• Integrate security into one development lifecycle
• Increase automation of standard IT/Security processes
• Measure outcomes to track progress, e.g. number of vulnerabilities identified/fixed before release

Expand (next year)
• Implement self-service and API-based continuous security
• Consolidate security tools across development/production and/or across cloud, on-premise, hybrid
• Expand to more projects and make security a fundamental part of any project
• Continue to learn and improve from vendors, DevSecOps user groups, partners, etc.

Qualys Solutions

How does Qualys play its part in DevSecOps?

• Securing the cloud infrastructure: Cloud Security Assessment (CSA)
• Securing the web app: Web Application Scanning (WAS), Web Application Firewall (WAF)
• Securing the machine: Vulnerability Management (VM), Policy Compliance (PC), Patch Management (PM)
• Securing the container: Container Security (CS; image and registry), Container Runtime Security (CRS)
• Leveraging the API for secure automation: Qualys APIs integrated into the CI/CD process and the development stack

Foundation across all of these: asset inventory, vulnerability management, policy compliance.

Other Qualys modules shown on the slide, by acronym only: GAI, TP, CM, CA, SCA, PD.

Use Case: Container Security across the DevOps pipeline

Pipeline: BUILD > REGISTRY > CLOUD, HOST & APP RUNTIME

Pre-deployment phase (build, registry):
• PC: Policy Compliance (incl. Secure Configuration Assessment)
• VM: Vulnerability Management
• CS: Container Security

Post-deployment phase (cloud, host & app runtime):
• PC: Policy Compliance (incl. Secure Configuration Assessment)
• VM: Vulnerability Management
• WAS: Web Application Scanning
• CS/CRS: Container Security / Container Runtime Security
• CSA: Cloud Security Assessment
• FIM: File Integrity Monitoring
• EDR: Endpoint Detection & Response

Demo

Thank You!