Everything visible. Everything secure.
TRANSCRIPT
DevSecOps — How to build continuous security into IT and App Infrastructures
Agenda
• DevOps, CI/CD and other cool terms
• Where two worlds collide (DevOps vs SecOps)
• What Continuous Security / Integrated Security (DevSecOps) looks like
• Shift Left Security & approaches
• A business case for DevSecOps
• Applying DevOps security into practice
• Qualys DevSecOps solutions
• Demo
Waterfall vs. Agile Dev Methodologies
(Figure: two process diagrams.)
Waterfall: a sequential process: Analyze, Plan, Design, Build, Test, Deploy.
Agile: an iterative process; each sprint (Sprint 1, Sprint 2, ...) runs its own Analyze, Plan, Design, Build, Test and Deploy. Drivers shown feeding the iterative cycle:
• Requirements changes
• Customer/market influences
• Technology innovation
• ...
DevOps brings significant benefits, however it's complex
(Figure: the DevOps loop: Plan, Code, Build, Test, Release, Deploy, Operate, Monitor, spanning Dev and Ops.)
Agility, Automation, Speed
Traditional Security in a DevOps World
(Figure: the pipeline Plan, Code, Test, Release, Package, Deploy, Operate, Monitor, split between Development and Operations, with SecOps sitting outside it.)
Dev: pre-production security assessments (point in time)
Ops: post-production security assessments (point in time)
Feedback loop between critical stages creates delays
A bolt-on approach to security will also lead to failure
(Figure: the same pipeline with a Security Assessment bolted on at the end of Development and again at the end of Operations; each assessment acts as a STOP gate.)
Baked-in security, not bolted on:
1. Integrated and as transparent as possible
2. Simple to operate even for non-security professionals
3. Easy to adapt to new challenges
Source: http://www.foodengineeringmag.com/articles/88990-tech-update-metal-detection-xray-inspection-
Shift Left – Baked-in security
“Improve quality & security and reduce downstream disruptions by moving testing earlier in the software development lifecycle.”
Shift Left aligns with Agile Development:
• Do more earlier, where it's cheaper and more effective
• Continuous development/testing
• Include feedback loops to improve
Shift Left Security – Continuous Security
(Figure: the Plan, Code, Test, Release, Package, Deploy, Operate, Monitor pipeline, Development on the left and Operations on the right, with continuous integrated security controls mapped onto it.)
Controls shown across the pipeline, left to right: Secure SDLC training, Static Code Analysis, Dynamic App Sec Testing, Build / Policy Compliance, Vulnerability Assessment, Policy Compliance, Dynamic App Sec Testing, Vulnerability Assessment (repeated in the operate/monitor stages).
DevOps + SecOps = DevSecOps
DevOps & SecOps need to be aligned in key areas
DevOps                                            | SecOps
Processes (Scrum, Agile)                          | Integrated process (via the DevOps process)
Integration & automation (CI/CD, test-driven dev) | Automated security (CI/CD pipeline, audit and verify)
Tools & technologies (Cloud, Containers)          | Self-service security tools for DevOps (CI/CD plugins, APIs, scripting)
Security selects & builds the security tooling; DevOps operationalizes & uses the security tooling.
Shift Left approaches for DevOps
Shift Time: shift security earlier into the DevOps cycle
Shift Techniques: apply new techniques that help integrate security rather than bolting it on
Shift Tools: use new and existing tools in different ways to support DevOps projects
It's not about doing the same things earlier, but an opportunity to do different and better things earlier
Shifting Time
Shift Time 1: New agile DevOps build web app sprints.
  Apply technique: vulnerabilities are found & fixed in the same release cadence.
Shift Time 2: Automated regression & test-driven development.
  Apply technique: automated regression finds patch issues faster.
Shift Time 3: Use containers to abstract apps from the OS.
  Apply technique: OS vulnerabilities are patched separately from apps.
(Figure: “Days Vulnerabilities Open” for severity 4/5 vulnerabilities, Traditional Applications vs. DevSecOps Applications, with 60, 120 and 180-day marks on the axis.)
Shifting Techniques
Shift Technique 1: Tag vulnerable libraries in source control systems.
  Apply technique: prevent application builds that use vulnerable code.
Shift Technique 2: Vulnerabilities are treated the same as software defects.
  Apply technique: create a contract between IT & Security to facilitate integrated workflows.
Shift Technique 3: Open vulnerabilities reported to business owners.
  Apply technique: long-held open vulnerabilities escalated to senior (CxO) management.
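One way to put Shift Technique 1 into practice, as an added example that is not part of the deck or of any Qualys product: a CI build gate that reads a tag list of vulnerable libraries kept in source control and fails the build when a pinned dependency is below the tagged fix version. The file formats, library names and versions are constructed for illustration.

```python
# Added example (not from the deck): a CI build gate that fails the build
# when a pinned dependency matches a library tagged as vulnerable in a
# tag list kept in source control. Formats, names and versions are constructed.
import re
# Constructed tag list: "name<first_fixed_version" means every version
# below first_fixed_version is tagged vulnerable.
VULNERABLE_TAGS = """
examplehttp<2.20.0
fastjsonparse<3.0.1
webutil<4.17.21
"""
# Constructed resolved-dependency list in lockfile style.
RESOLVED_DEPS = """
examplehttp==2.19.1
fastjsonparse==2.9.4
webutil==4.17.21
otherlib==1.0.0
"""

def parse_version(v):
    """Turn '2.19.1' into a comparable tuple; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def parse_tags(text):
    """Return {library_name: first_fixed_version_tuple} from the tag list."""
    tags = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # allow trailing comments
        if line:
            name, fixed = line.split("<", 1)
            tags[name.strip().lower()] = parse_version(fixed.strip())
    return tags

def parse_deps(text):
    """Return [(name, version_tuple, raw_version)] from the lockfile."""
    pat = re.compile(r"^\s*([A-Za-z0-9_.-]+)==([0-9A-Za-z.]+)")
    return [(m.group(1).lower(), parse_version(m.group(2)), m.group(2))
            for m in map(pat.match, text.splitlines()) if m]

def find_blocked(deps_text, tags_text):
    """Pinned dependencies whose version is below the tagged fix version."""
    tags = parse_tags(tags_text)
    return sorted(f"{name}=={raw}" for name, ver, raw in parse_deps(deps_text)
                  if name in tags and ver < tags[name])

if __name__ == "__main__":
    blocked = find_blocked(RESOLVED_DEPS, VULNERABLE_TAGS)
    for dep in blocked:
        print("BLOCKED: tagged vulnerable library", dep)
    raise SystemExit(1 if blocked else 0)   # non-zero exit fails the CI build
```

In a pipeline the tag list would be fetched from the repository and the lockfile from the build workspace; the non-zero exit is what stops the build.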
Shifting Tools
Shift Tools 1: Multiple web apps in both dev and production.
  Apply technique: integrate the production web app security assessment tool into DevOps processes via API.
Shift Tools 2: Keep track of security assessment issues in the same way as software bugs.
  Apply technique: automatically create trouble tickets to fix security issues using the same systems.
Shift Tools 3: Prevent security issues in production from becoming a large problem.
  Apply technique: continuously assess web apps in both dev and production so issues are not re-introduced.
Shift Left Security reduces overall costs
(Figure: the Plan, Code, Test, Release, Package, Deploy, Operate, Monitor pipeline with two cost curves.)
1. Traditional point-in-time security assessments: $$$$$$$$$$
2. Shift Left continuous security (DevSecOps) with tool consolidation: $$$
Lower costs by fixing defects earlier
DevSecOps: The Business Case for Security
Cost of a software bug:
• If the bug is found during the planning or requirement gathering phase of the project: $100
• If the bug is found during the QA testing phase of the project: $1,000
• If the bug is found in production: $10,000
Security issue: $100,000+
Applying DevSecOps into practice
Identify (next month):
• Take an accounting of current security tools: are they DevOps friendly?
• Identify development teams using DevOps; engage and discuss DevSecOps
• Where are your Dev environments: cloud, on-premise, hybrid?
Implement (next quarter):
• Integrate security into one development lifecycle
• Increase automation of standard IT/Security processes
• Measure outcomes to track progress, e.g. # vulns identified/fixed before release
Expand (next year):
• Implement self-service and API-based continuous security
• Consolidate security tools across development/production and/or across cloud, on-premise, hybrid
• Expand to more projects & make security a fundamental part of any project
• Continue to learn & improve from vendors, DevSecOps user groups, partners, etc.
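As an added example (not from the deck or any Qualys tool), the outcome measures the roadmap asks for, computed over constructed findings: the “days vulnerabilities open” view of the Shifting Time chart for severity 4/5 findings per application, the share of findings fixed before their release, and the long-held open findings that Shift Technique 3 escalates to senior management. The findings, report date and 120-day escalation threshold are assumptions.

```python
# Added example (not from the deck): vulnerability ageing, fixed-before-release
# and escalation metrics over constructed findings. Dates, applications and the
# escalation threshold are assumed values chosen for illustration.
from datetime import date

# Constructed findings: (app, severity, found, fixed or None, release date)
FINDINGS = [
    ("traditional-portal", 5, date(2019, 1, 10), None,              date(2019, 2, 1)),
    ("traditional-portal", 4, date(2019, 1, 20), date(2019, 6, 30), date(2019, 2, 1)),
    ("traditional-portal", 3, date(2019, 3, 5),  None,              date(2019, 5, 1)),
    ("devsecops-api",      5, date(2019, 5, 2),  date(2019, 5, 9),  date(2019, 5, 14)),
    ("devsecops-api",      4, date(2019, 6, 1),  date(2019, 6, 12), date(2019, 6, 14)),
    ("devsecops-api",      4, date(2019, 7, 20), None,              date(2019, 8, 1)),
]
REPORT_DATE = date(2019, 8, 15)   # assumed "today" for the report
ESCALATE_AFTER_DAYS = 120         # assumed threshold for CxO escalation

def days_open(found, fixed, today=REPORT_DATE):
    """Days a finding was (or, if still open, has been) open."""
    return ((fixed or today) - found).days

def age_buckets(findings, min_severity=4, today=REPORT_DATE):
    """Per app: how many findings of severity >= min_severity were open
    longer than 60, 120 and 180 days (the chart's axis marks)."""
    out = {}
    for app, sev, found, fixed, _ in findings:
        if sev < min_severity:
            continue
        age = days_open(found, fixed, today)
        buckets = out.setdefault(app, {60: 0, 120: 0, 180: 0})
        for limit in buckets:
            if age > limit:
                buckets[limit] += 1
    return out

def fixed_before_release(findings):
    """Outcome measure: (findings fixed on or before their release date, total)."""
    before = sum(1 for _, _, _, fixed, rel in findings if fixed and fixed <= rel)
    return before, len(findings)

def escalations(findings, today=REPORT_DATE, limit=ESCALATE_AFTER_DAYS):
    """Still-open severity 4/5 findings older than the limit, for CxO reporting."""
    return [(app, sev, days_open(found, None, today))
            for app, sev, found, fixed, _ in findings
            if fixed is None and sev >= 4 and days_open(found, None, today) > limit]
```

Feeding real ticket exports into FINDINGS gives the same three numbers the deck suggests tracking: how long severity 4/5 issues stay open, how many are closed inside the release cadence, and which ones need escalation.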
How does Qualys play its part in DevSecOps
(Figure: Qualys apps mapped across the development stack and the CI/CD process, grouped under Securing the Cloud Infrastructure, Securing the Web App, Securing the Machine, Securing the Container, and Leverage API for Secure Automation; underpinned by Asset Inventory, Vulnerability Management and Policy Compliance.)
Apps named on the slide: Container Security (CS: image, registry), Container Runtime Security (CRS), Cloud Security Assessment (CSA), Patch Management (PM), Web Application Scanning (WAS), Web Application Firewall (WAF), Qualys APIs (API). Shown by abbreviation only: GAI, VM, TP, CM, CA, SCA, PC, PD.
Use Case: Container Security across the DevOps pipeline
Pipeline stages: Build, Registry, then Cloud, Host & App Runtime.
Pre-deployment phase (Build, Registry):
• PC: Policy Compliance (incl. Secure Configuration Assessment)
• VM: Vulnerability Management
• CS: Container Security
Post-deployment phase (Cloud, Host & App Runtime):
• PC: Policy Compliance (incl. Secure Configuration Assessment)
• VM: Vulnerability Management
• WAS: Web Application Scanning
• CS/CRS: Container Security / Container Runtime Security
• CSA: Cloud Security Assessments
• FIM: File Integrity Monitoring
• EDR: Endpoint Detection & Response