We DevOps’d – Experience and Lessons Learned Securing the SDLC
Sherly Abraham, Ph.D., Excelsior College
Din Cox, Ph.D., Medical Science and Computing, LLC
Sherly Abraham, Ph.D.
• Excelsior College
• Program Director for Cybersecurity
• Research interests
  • Software security
  • Information security training
  • Corporate governance
Presentation Objectives
• Challenges in enterprise software security
• What is DevOps
• DevOps foundations
• Relevance of DevOps to security
• Lessons learned from application of DevOps
• Recommendations and resources
2014-2015 Software Bugs
• Heartbleed
• Shellshock
• POODLE
• goto fail
Growth in Software Vulnerabilities
[Chart: number of vulnerabilities caused by software flaws. Source: National Vulnerability Database]
Software Security Issues
• Defects
  • Bugs, e.g. buffer overflow
  • Design flaws, e.g. inconsistent error handling
• Maintenance hooks
• Backdoors
Software Development Security
• Requires a “holistic” and “proactive” approach
[Diagram: software security rests on designing secure, building secure, testing for security, and educating developers and users]
Software Development Life Cycle
[Figure: SDLC phases. Reference: WikiCommons, commons.wikimedia.org/wiki/File:SDLC_-_Software_Development_Life_Cycle.jpg]
Software Development Models
• Linear sequential: Waterfall model
• Incremental: Prototyping
• Iterative: Spiral
• Agile: teamwork, iterative and incremental
Challenges: Enterprise Software Security
• Security not built in
• Disconnect between developers, business owners, end users and quality assurance
• Configuration management
• No established metrics and continuous improvement
• Complexity and diversity of development tools, programming languages and platforms
What is DevOps
• Lean and Agile methods
• Narrows the disconnect between development and business drivers
• Strong collaboration between developers, operations, business, security and quality assurance teams
• Continuously incorporates feedback from customers and business owners
Foundations of DevOps
• Shift-left concept
  • Address operational issues earlier
  • Test with systems that behave like production
• Agile and iterative approach
  • Continuous, automated deployment and testing
• Metrics and evaluation of quality
  • Measure and test effectiveness earlier in the development cycle
• Facilitate feedback from all stakeholders
  • Enable all stakeholders to communicate and provide feedback
DevOps Focus
• Rapid incorporation of customer feedback
• Faster delivery process
• Collaboration between disparate teams
• Continuous release and deployment
• Continuous testing
• Ongoing evaluation
DevOps Architecture
• Ongoing integration
• Ongoing testing
• Ongoing monitoring
Shift left: operational, security and end-user input
What DevOps is not
• Another software development model
• Everything running and being tested in production
• A blurring of the line between developers, system administrators and security
• Tool-specific
• A specific job title
Relevance of DevOps to Security
• Integration of security in the early stages of development
• Security testing in the early stages of development
• Strong cross-functional integration
• Configuration management
Din Cox, Ph.D.
• Medical Science and Computing, LLC
• Application security focus
• Research interests
  • Mobile and application security
  • Biometrics
  • Machine learning
• SynAck Red Team security researcher
• Bug hunter
State of Affairs
Source: https://puppetlabs.com/sites/default/files/2014-state-of-devops-report.pdf
Key findings
• Companies with high-performing IT organizations are twice as likely to exceed their profitability, market share and productivity goals.
• IT performance improves with DevOps maturity, and strongly correlates with well-known DevOps practices.
• Culture matters. The cultural practices of DevOps are predictive of organizational performance.
• Job satisfaction is the No. 1 predictor of performance against organizational goals.
Organizational Context
• Current project: Rugged DevOps
• Integrate and promote secure coding practices in the SDLC across the organization (Agile and Waterfall)
• 700+ developers, geographically dispersed
• Multiple languages and frameworks (Java, PHP, Django, Python, Angular, ColdFusion, Ruby, etc.) plus mobile (iOS, Android)
• Training and education
Success Factors
• Cultural change, i.e. the view of software security
• Clear, repeatable processes
  • Software must be scanned before going to
  • Policy alignment: remediation timeframe
• Fault detection automation
• Continuous integration: automating unit testing and deployment of software
Success Factors (continued)
• Security standard adoption for software development
• Ability to balance security risks with software development agility
• Improve effectiveness of public-facing applications
  • Usage patterns, break/fix
DevOps Tools
Secure SDLC
• Security requirements need to be defined as early as possible in the SDLC
• Agile testing (security)
• Secure coding + operations + collaboration
• Developer training and education
• Rapid communication of vulnerability intelligence
• Quicker patch cycles and remediation of vulnerabilities
• Collaboration between development and operations
Security Automation
• SAST (Static Application Security Testing)
  • Analyzes source code, byte code or application binaries for conditions indicative of a security vulnerability, without executing the program
  • Leverage tools: static analysis, etc.
• DAST (Dynamic Application Security Testing)
  • Black-box (functional and non-functional), white-box and defect-based tests
  • Examines the running application to identify vulnerabilities
  • Robustness testing (e.g. fuzz testing) or fault injection
• Integrate with build systems and code repositories (Git, Bamboo, Jenkins, etc.) so that scanning runs on every build rather than as a one-off audit
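The scan-before-deploy gate that the success factors and the build-integration bullet describe, as an added example written for this page (it is not code from the talk, from the organization, or from any of the named tools): it reads scanner findings in a generic, tool-neutral JSON shape, applies a remediation-timeframe policy per severity, and blocks the build when any finding is past its deadline or carries a severity the policy does not know. The policy values, the finding record layout and the sample findings are constructed assumptions; real SAST/DAST products each emit their own output format and would need a small adapter to this shape.

```python
"""Scan-before-deploy build gate (added example; not from the talk)."""
import json
import sys
from datetime import date, timedelta

# Assumed remediation policy: days a finding of each severity may stay open
# before it blocks a deployment. Critical findings block immediately.
REMEDIATION_DAYS = {"critical": 0, "high": 7, "medium": 30, "low": 90}

# Constructed scanner output in a generic, tool-neutral shape. Real SAST/DAST
# products each emit their own format; a thin adapter would map it to this.
SCAN_RESULTS = json.dumps([
    {"id": "F-1", "tool": "sast", "severity": "high", "rule": "sql-injection",
     "location": "app/models/user.py:42", "first_seen": "2015-03-01"},
    {"id": "F-2", "tool": "dast", "severity": "medium", "rule": "missing-security-header",
     "location": "https://app.example/login", "first_seen": "2015-04-10"},
    {"id": "F-3", "tool": "sast", "severity": "low", "rule": "weak-hash-md5",
     "location": "lib/legacy.py:7", "first_seen": "2015-01-05"},
    {"id": "F-4", "tool": "sast", "severity": "critical", "rule": "hardcoded-credential",
     "location": "config/db.py:3", "first_seen": "2015-04-14"},
])


def parse_findings(raw_json):
    """Load findings and turn first_seen into a date so deadlines can be computed."""
    findings = json.loads(raw_json)
    for f in findings:
        f["first_seen"] = date.fromisoformat(f["first_seen"])
    return findings


def evaluate(findings, today, policy=REMEDIATION_DAYS, suppressions=frozenset()):
    """Apply the remediation policy to a list of findings.

    Returns (passed, blocking, warnings); blocking and warnings are lists of
    (finding id, reason). A severity the policy does not know fails closed:
    it blocks instead of being silently ignored. Suppressions are finding ids
    covered by a documented, accepted risk decision.
    """
    blocking, warnings = [], []
    for f in findings:
        if f["id"] in suppressions:
            continue
        allowed = policy.get(str(f.get("severity", "")).lower())
        if allowed is None:
            blocking.append((f["id"], "unknown severity %r" % f.get("severity")))
            continue
        deadline = f["first_seen"] + timedelta(days=allowed)
        if allowed == 0 or today > deadline:
            blocking.append((f["id"], "%s finding past remediation deadline %s"
                             % (f["severity"], deadline)))
        else:
            warnings.append((f["id"], "open, remediation due %s" % deadline))
    return (not blocking, blocking, warnings)


if __name__ == "__main__":
    passed, blocking, warnings = evaluate(parse_findings(SCAN_RESULTS), date.today())
    for fid, reason in blocking:
        print("BLOCK", fid, reason)
    for fid, reason in warnings:
        print("WARN ", fid, reason)
    sys.exit(0 if passed else 1)  # a non-zero exit fails the CI stage
```

Run as a CI step after the scanners, the non-zero exit code is what ties the "remediation timeframe" policy to the pipeline: a high finding is allowed to ship for seven days and then stops the build, while a critical one stops it on the day it appears. Suppressions are deliberately an explicit input rather than a flag in the scanner output, so an accepted risk is a reviewable decision and not something a developer can set in the scan itself.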
Realized Benefits
• Identify problems early
• Continuous integration
• Infrastructure automation
• System stability and uptime
  • Monitoring
  • Deployment
• Continuous delivery and testing

Challenges
• Misaligned tools and processes
• Competing interests (development vs
• Infighting: who is at fault when something happens
• Documentation
• Varying views of security and roles
Lessons Learned
• Requires resources: people
• Cannot be done in a vacuum; the environment is dynamic
• Align IT with the business
• Leverage internal talent
• Visibility of applications: customer experience, including components (server, DB, etc.)
• Training and education
• Start at the top
  • Organizational buy-in and support
• Measure success with metrics
  • Deployment frequency
  • Mean time to recover (MTTR)
  • Identify system failures and waste
• Automate where possible (Puppet, etc.)
• Decompose system components into modules
• Identify a champion in each department
• Establish a center of excellence
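The two metrics named in the lessons learned, deployment frequency and MTTR, computed over deployment and incident records, as an added example written for this page (not the organization's own tooling or data). It goes one step beyond the slide by also deriving a change failure rate, attributing an incident to the deployment that preceded it within a fixed window; that attribution rule, the two-hour window and the record layout are assumptions, and the records are constructed.

```python
"""Delivery metrics from deployment and incident records (added example)."""
from datetime import datetime, timedelta

# Constructed records, not data from the organization in the talk.
DEPLOYS = [
    {"id": "d1", "at": "2015-04-01T10:00"},
    {"id": "d2", "at": "2015-04-03T14:30"},
    {"id": "d3", "at": "2015-04-06T09:15"},
    {"id": "d4", "at": "2015-04-10T16:45"},
    {"id": "d5", "at": "2015-04-13T11:00"},
    {"id": "d6", "at": "2015-04-14T13:20"},
]
INCIDENTS = [
    {"id": "i1", "detected": "2015-04-03T14:40", "restored": "2015-04-03T16:10"},
    {"id": "i2", "detected": "2015-04-13T11:05", "restored": "2015-04-13T11:35"},
    {"id": "i3", "detected": "2015-04-08T02:00", "restored": None},  # still open
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def deployment_frequency(deploys, start, end):
    """Deployments per week in the half-open window [start, end)."""
    count = sum(1 for d in deploys if start <= _ts(d["at"]) < end)
    weeks = (end - start) / timedelta(weeks=1)
    return count / weeks


def mttr_hours(incidents):
    """Mean time to recover, in hours, over resolved incidents.

    Returns (mttr, open_ids). Open incidents have no duration yet, so they are
    excluded from the mean but returned explicitly; dropping them silently
    would make MTTR look best exactly when an outage is still in progress.
    mttr is None when nothing has been resolved.
    """
    durations, open_ids = [], []
    for i in incidents:
        if i["restored"] is None:
            open_ids.append(i["id"])
            continue
        durations.append((_ts(i["restored"]) - _ts(i["detected"])) / timedelta(hours=1))
    mttr = sum(durations) / len(durations) if durations else None
    return mttr, open_ids


def change_failure_rate(deploys, incidents, window=timedelta(hours=2)):
    """Fraction of deployments followed by an incident detected within `window`.

    The attribution rule (an incident detected within `window` after a deploy
    is charged to that deploy) is an assumption made for this example.
    Returns (rate, failing_deploy_ids).
    """
    detected = [_ts(i["detected"]) for i in incidents]
    failing = [d["id"] for d in deploys
               if any(_ts(d["at"]) <= t < _ts(d["at"]) + window for t in detected)]
    rate = len(failing) / len(deploys) if deploys else 0.0
    return rate, failing


if __name__ == "__main__":
    start, end = datetime(2015, 4, 1), datetime(2015, 4, 15)
    print("deploys per week:", deployment_frequency(DEPLOYS, start, end))
    print("MTTR hours, open incidents:", mttr_hours(INCIDENTS))
    print("change failure rate, failing deploys:", change_failure_rate(DEPLOYS, INCIDENTS))
```

Tracking these from the deployment and incident systems that already exist, rather than from self-reported status, is what makes the "measure success" lesson actionable: frequency going up while MTTR and the failure rate stay flat is the signal that automation is paying off, and the open-incident list keeps a still-burning outage from disappearing into an average.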
Resources
• www.rackspace.com/blog/enterprise-cloud-forum-recap-prepare-for-devops-success/
• www.isaca.org/knowledge-center/research/researchdeliverables/pages/devops-overview.aspx
• puppetlabs.com/2013-state-of-devops-infographic
• puppetlabs.com/sites/default/files/2014-state-of-devops-report.pdf
