Evolve Devsecops to Manage Both Speed and Risk Agenda 2

EVOLVE DEVSECOPS TO MANAGE BOTH SPEED AND RISK AGENDA 2

1. DevSecOps in the Context of Speed

2. DevSecOps in the Context of Risk

3. DevSecOps for Both Speed and Risk DSO & SPEED What is the DevSecOps Community Talking About? 4

Source: Twitter (#DevSecOps), 2020. DevSecOps Challenges 5

► Unauthorized access to data and source code

► Unintended privilege escalation of authorized ► Secure coding and system security not users a priority ► Data modification ► Too much focus on exit criteria, thereby building technical debt ► False alerts and updates

► Testing process does not reflect ► Suppression of valid alerts production environment ► Malicious dependency insertion

► Hijacking of tools such as build servers

Source: Morales et al. “Security Impacts of Sub-Optimal DevSecOps Implementations in a Highly Regulated Environment”, 2020. DevSecOps Challenges 6

► We inherit a technology mess often not of our own making

► Organizations move into DevOps culture without addressing security

► No process or documentation for security reviews

► Haphazard security bolted on IT systems

► Cannot test all security requirements

► Adversary changes the environment

Source: D. Blum, Rational Cybersecurity for Business, https://doi.org/10.1007/978-1-4842-5952 7

Yet we still need to keep moving fast… Security Competencies 8

SECURELY PROVISION (SP) OPERATE AND MAINTAIN (OM) OVERSEE AND GOVERN (OV)

Risk Management (RSK) Software Development Data Administration Knowledge Management Exec Cyber Leadership Training, Education, and (DEV) (DTA) (KMG) (EXL) Awareness (TEA)

Systems Architecture Technology R&D (TRD) Customer Service and Systems Administration Program/Project Mgt Strategic Planning & (ARC) Technical Support (STS) (ADM) (PMA) and Acquisition Policy (SPP)

Test and Evaluation (TST) Systems Development Network Services (NET) Systems Analysis (ANA) Legal Advice and Cybersecurity (SYS) Advocacy (LGA) Management (MGT)

PROTECT AND DEFEND (PR) ANALYZE (AN) COLLECT AND OPERATE (CO)

Cyber Defense Analysis Cyber Defense Infra. Threat Analysis (TWA) Exploitation Analysis Collection Operations Cyber Operational (CDA) Support (INF) (EXP) (CLO) Planning (OPL)

Incident Response Vulnerability Assessment All-Source Analysis Targets Cyber Operations (CIR) & Management (VAM) (ASA) (TGT) (OPS)

Language Analysis (LNG)

INVESTIGATE (IN)

Cyber Investigation Digital Forensics Source: Adapted from NIST, “National Initiative for Cybersecurity Education (NICE): Cybersecurity Workforce (INV) (FOR) Framework”, 2017. Security Competencies 9

GOVERNANCE INTELLIGENCE SSDL TOUCHPOINTS DEPLOYMENT

Strategy & Metrics Attack Models Architecture Analysis Penetration Testing • Identify gate locations, gather necessary • Create a data classification scheme • Perform security feature review • Feed results to defect management and artifacts • Identify potential attackers • Define and use AA process mitigation system • Enforce gates with measurements and • Gather and use attack intelligence • Make the Software Security Group • Use penetration testing tools internally track exceptions • Build attack patterns and abuse cases available as an AA resource or mentor • Require a security sign off • Create technology specific attack Software Environment patterns Code Review • Use application input monitoring Compliance & Policy • Build an internal forum to discuss attacks • Use automated tools along with manual • Ensure host and network security • Unify regulatory pressures review • Use application behavior monitoring and • Create policy Security Features & Design • Make code review mandatory for all diagnostics • Identify PII data inventory • Build and publish security features projects • Use application containers • Implement and track controls for • Build secure-by-design middleware • Use centralized reporting to close the • Use orchestration for containers and virtualized compliance frameworks and common libraries knowledge loop and drive training environments • Include software security SLA in all • Use automated tools with tailored rules • Enhance application inventory with operations vendor contracts Standards & Requirements • Use a top N bugs list BOM • Impose policy on vendors • Translate compliance constraints to • Ensure cloud security metrics requirements Security Testing Training • Identify open source • Drive tests with security requirements Configuration Management & Vulnerability • Provide awareness training • Control open source risk • Share security results with QA Management • Include security tests in QA automation • Create or interface with incident response • Drive tests with risk analysis results • Identify software defects found in operations • Begin to build and apply adversarial monitoring and feed them back to development security tests (abuse cases) • Have emergency codebase response • Track software bugs found in operations through the fix process • Develop an operations inventory of applications Source: Koskinen. “DevSecOps: Building Security Into the Core of DevOps”, 2020. • Simulate software crises Security Best Practices 10

Prevention Response

Detection

Source: Ahmed. “DevSecOps: Enabling Security by Design in Rapid Software Development”, 2019. DSO & RISK The Risk Assessment Process 12

1 2 3 4 5 6 7

DETERMINE UNDERSTAND ELICIT VIEWS SOURCES, SELECT ANALYZE CONSEQUENCES RECORD AND FROM IDENTIFY RISK CAUSES AND BETWEEN CONTROLS AND REPORT STAKEHOLDERS DRIVERS OF OPTIONS LIKELIHOOD RISK

• Brainstorming • Checklist • Ishikawa • Bow Tie • Business Impact • Cost/Benefit • Risk Register • Delphi technique • Taxonomy Analysis Analysis Analysis • Interview • Classification • Privacy Impact • Survey • Scenario Analysis

Source: ISO. “ISO 31010: Risk Management – Risk assessment techniques”, 2019. 13

How do we integrate this with DevSecOps? Combining Speed and Risk 14 Secure coding Automated security knowledgebase and JITT CMDB or inventory list survey

Standards and Security taxonomy Frameworks & classification

Security Architecture patterns architecture traceability

Security and Traceability matrix Privacy Impact Analysis

Risk Risk Guardrail Metric NEXT STEPS Next Steps 16

Shorter Term Longer Term

► Look for areas where good practices are missing ► Align with existing IT strategy and advocate for implementing those as part of an existing security roadmap ► Look through the lens of risk across all systems, even legacy systems ► Demonstrate and teach good practices such as risk assessments and threat modeling ► Build relationships with people outside IT and Security ► Influence the business toward reducing complexity and following good practices

► Be aware that you may not have all the scenarios and answers available THANK YOU