SecDevOps: A Discussion Primer. Andy Willingham, March 28, 2017, OWASP Cincinnati

Presentation transcript:

SecDevOps: A Discussion Primer. Andy Willingham, March 28, 2017, OWASP Cincinnati

Overview
- What is DevOps?
- What is SecDevOps?
- Different views
- Why it matters to you

What Is DevOps?
- Collaboration and cooperation between Dev, QA, and IT Ops.
- Covers the build, test, and delivery stages of an SDLC.
- Affects both software delivery and infrastructure changes.
- Often involves embedding members of one function in the other functions.
- The goal is faster delivery and higher quality of the delivered product.
- The term "Continuous Delivery" is often used alongside it.
- One problem (depending on your viewpoint) is that it can, and does, increase the number of defects released to production. This is considered acceptable because in most cases the fix ships a release or two later (and for high-performing teams that may be later the same day).

DevOps Venn diagram. Or, a better way to look at it: the intersection of three key domains (development, QA, and IT operations).

What Is SecDevOps?
"SecDevOps is about using the wonders of automation to tackle security-related problems including composition analysis, configuration management, selecting approved images/containers, use of immutable servers, and other techniques to address security challenges facing operations teams. It also helps to eliminate certain classes of attacks. For instance, immutable servers in a security zone which blocks port 22 can prevent both hackers and administrators from logging in." (Securosis)

What about Rugged DevOps?
"Rugged is about bashing your code prior to production, to ensure it holds up to external threats once it gets into production, and using runtime code to help applications protect themselves. Be as mean to your code as attackers will, and make it resilient against attacks." (Securosis)

"In simplest terms, Rugged DevOps is more developer-focused, while SecDevOps is more operations-focused." (Securosis)
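The automated controls the Securosis quote lists (composition analysis, approved images, immutable servers, a zone with no port 22) are the kind of thing that gets turned into a pipeline gate. The following is an added example written for this page, not code from the talk or from Securosis: a small Python policy gate with three checks, run over constructed inputs. The registry name, the dependency denylist, the manifest, the image references and the firewall rules are all made up for the example; the denylist entries are not real advisories.

```python
"""Pipeline security gate: composition analysis, approved and digest-pinned
images, and no SSH ingress into an immutable-server zone.
Added example with constructed data; the denylist entries are NOT real advisories."""
import ipaddress
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed denylist: (package, first affected, first fixed). Hypothetical.
DENYLIST = [
    ("examplelib", (1, 0, 0), (1, 4, 2)),  # 1.0.0 <= v < 1.4.2 is denied
    ("otherlib", (2, 0, 0), (2, 0, 5)),
]
APPROVED_REGISTRIES = {"registry.internal.example"}  # assumed private registry
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_version(text: str) -> Version:
    """'1.4.2' -> (1, 4, 2). Pre-release suffixes are ignored (simplification)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def check_dependencies(manifest: Dict[str, str]) -> List[str]:
    """Composition analysis: flag every pinned dependency inside a denied range."""
    findings = []
    for name, ver in manifest.items():
        v = parse_version(ver)
        for bad_name, lo, hi in DENYLIST:
            if name == bad_name and lo <= v < hi:
                findings.append(f"dependency {name}=={ver} is in denied range {lo}..{hi}")
    return findings


def parse_image(ref: str) -> Tuple[str, str]:
    """Split 'registry/repo:tag@sha256:...' into (registry, digest-or-empty)."""
    ref, _, digest = ref.partition("@")
    registry = "docker.io"  # implicit default when no registry host is given
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry = first
    return registry, digest


def check_image(ref: str) -> List[str]:
    """Approved registries only, and pinned by digest so the deployed bits are immutable."""
    registry, digest = parse_image(ref)
    findings = []
    if registry not in APPROVED_REGISTRIES:
        findings.append(f"image {ref}: registry {registry} is not approved")
    if not DIGEST_RE.match(digest):
        findings.append(f"image {ref}: not pinned by sha256 digest (mutable tag)")
    return findings


def check_ingress(rules: List[Dict]) -> List[str]:
    """Immutable-server zone: no rule may allow TCP/22 in, from any source."""
    findings = []
    for r in rules:
        if r["proto"] not in ("tcp", "all"):
            continue
        if r["from_port"] <= 22 <= r["to_port"]:
            net = ipaddress.ip_network(r["cidr"], strict=False)
            scope = "the whole internet" if net.prefixlen == 0 else str(net)
            findings.append(f"ingress rule allows TCP/22 from {scope}")
    return findings


def run_gate(manifest, images, rules) -> List[str]:
    """Collect findings from all three checks; an empty list means the gate passes."""
    findings = check_dependencies(manifest)
    for img in images:
        findings += check_image(img)
    findings += check_ingress(rules)
    return findings


# Constructed inputs for a sample run.
SAMPLE_MANIFEST = {"examplelib": "1.3.0", "otherlib": "2.1.0", "safe-lib": "0.1"}
SAMPLE_IMAGES = [
    "registry.internal.example/web:1.2@sha256:" + "a" * 64,  # passes both image checks
    "nginx:1.25",                                            # public registry, unpinned
]
SAMPLE_RULES = [
    {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"},
]

if __name__ == "__main__":
    problems = run_gate(SAMPLE_MANIFEST, SAMPLE_IMAGES, SAMPLE_RULES)
    for p in problems:
        print("FAIL:", p)
    raise SystemExit(1 if problems else 0)  # non-zero exit fails the pipeline stage
```

Run as a pipeline step, the non-zero exit is what turns "security at the end" into an automated, repeatable gate; on the sample inputs it reports the denied dependency version, the unapproved and unpinned public image, and the rule admitting SSH from the internal range, and blocks the deploy. A real gate would read the manifest, image list and rules from the build artefacts rather than from constants.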

In English This Time
Think of SecDevOps (sometimes called "Rugged DevOps" or "security at speed") as a set of best practices designed to implant secure coding deep in the heart of an organization's DevOps development and deployment processes. The goal is to automate secure coding, security tests, and fixes within the workflow, making secure software an inherent outcome of the DevOps approach.

What's in a Name?
DevOpsSec? SecDevOps? DevSecOps? Rugged DevOps? Is there a real difference, or is it a SEIM vs. SIEM thing (the same thing spelled two ways)?

Different Views
- Integrating security into DevOps (securing DevOps).
- Integrating DevOps into security operations (applying DevOps to SecOps).
https://www.linkedin.com/pulse/devsecops-secdevops-difference-kumar-mba-msc-cissp-mbcs-citp
- DevOpsSec: the name implies no change; security still comes last.
- SecDevOps: the name implies security FIRST! Not always practical, but maybe one day.
- DevSecOps: the name implies security is in the middle, and could even imply we are in the middle of EVERYTHING.
http://www.csoonline.com/article/3132078/security/devopssec-secdevops-devsecops-whats-in-a-name.html

Why It Matters
Cost
- The cost to fix a found but unexploited security vulnerability far outweighs the cost of preventing it.
- The cost of a successful exploit of that vulnerability is orders of magnitude higher still.
- Time spent rewriting old code is time that could have been spent writing new code.
- Brand and reputational damage can cost market share. People are fairly forgiving of brick-and-mortar and even online businesses; less so of mobile apps.
Faster time to market, when done right
- Quicker testing: smaller chunks of code are tested more often and more thoroughly.
- Quicker fixes: vulnerabilities are mitigated faster (think how long it used to take from discovery to a released fix).
- Quicker fixes improve brand image: responsive, takes security seriously, cares about ME.

Common Sense
IT JUST MAKES SENSE. Why adopt DevOps in the first place, only to run into last-minute changes to meet security requirements down the road? SecDevOps' promised payoff, more secure applications built more quickly, seems compelling enough that increasing numbers of organizations are doing exactly that. Where plain DevOps leaves security to the end, SecDevOps automates the secure-coding component of development so that the software meets the security team's requirements and is secure from the moment it reaches production.

By The Numbers: Time and Cost to Fix
Source: www.securityinnovationeurope.com/the-business-case-for-security-in-the-software-development-lifecycle-sdlc

SecDevOps: The Marriage of DevOps and SecOps
DevOps high performers compared with low performers (figures from Puppet Labs' 2015 State of DevOps Report):
- 30X more frequent deployments, and 200X faster (shorter lead times).
- 60X fewer failures, and problems fixed 168X faster.
- 2X more likely to exceed profitability, market share, and productivity goals, with 50% higher market cap growth over three years.

Appendix

ISC2 CyberTrends Report 2017
Only a small minority of organizations consider themselves at the cutting edge of application security (6%) or mature, with all critical application security controls in place (18%). Most (71%) describe themselves as only somewhat mature or just touching the surface.
Q: Where do you think your company is in terms of the maturity of your application security strategy?
- 6% On the cutting edge: we follow a secure SDLC or a framework like OpenSAMM, and even try new approaches.
- 18% Mature: we have all of the pieces in place.
- 30% Somewhat mature: some aspects not fully developed or deployed.
- 41% Just touching the surface: some testing of apps before deployment.
- 5% Not doing anything.
More reason to get things done early on.
Top barriers: lack of skills (46%), lack of budget (45%).
What if you could replace three information security staff with one who is better qualified, because that person understands what needs to be done early on and makes it happen? Then there is less to fix afterwards, and SecOps becomes less necessary. (Think this through.)

OWASP Rugged DevOps https://www.owasp.org/index.php/OWASP_AppSec_Pipeline#tab=Pipeline_Design_Patterns

Links and More Info
- https://blog.threatstack.com/the-12-days-of-secdevops
- https://blog.newrelic.com/2015/08/27/secdevops-rugged-devops/
- https://www.brighttalk.com/webcast/12663/188897?utm_campaign=webcasts-search-results-feed&utm_content=SecDevOps&utm_source=brighttalk-portal&utm_medium=web
- https://securityintelligence.com/secdevops-embracing-the-speed-of-devops-and-continuous-delivery-in-a-secure-environment/
- http://www.csoonline.com/article/3132078/security/devopssec-secdevops-devsecops-whats-in-a-name.html
- https://securosis.com/blog/the-difference-between-secdevops-and-rugged-devops
- Gene Kim, "The Phoenix Project" (book)