Everything visible. Everything secure.
DevSecOps — How to build continuous security into IT and App Infrastructures
Agenda
• DevOps, CI/CD and other cool terms
• Where two worlds collide (DevOps vs SecOps)
• What Continuous Security / Integrated Security (DevSecOps) looks like
• Shift Left Security & approaches
• A business case for DevSecOps
• Applying DevOps security in practice
• Qualys DevSecOps solutions
• Demo
Waterfall vs. Agile Dev Methodologies
[Figure: two lifecycle diagrams. Waterfall is a sequential process, Analyze → Plan → Design → Build → Test → Deploy, with technology innovation, customer/market requirements and changes as external influences. Agile is an iterative process: Plan, Analyze, Design, Build, Test and Deploy repeat inside each sprint (Sprint 1, Sprint 2, …), so requirement changes and innovation are absorbed sprint by sprint.]

DevOps brings significant benefits, however it's complex
[Figure: the DevOps loop. Dev: Plan → Code → Build → Test; Ops: Release → Deploy → Operate → Monitor, feeding back into Plan.]
• Speed
• Agility
• Automation

Traditional Security in a DevOps World
[Figure: the pipeline Plan → Code → Test → Release → Package → Deploy → Operate → Monitor, Development on the left and Operations on the right. SecOps performs point-in-time security assessments at only two places: pre-production and post-production. The feedback loop between these critical stages creates delays.]
A bolt-on approach to security will also lead to failure
[Figure: the same pipeline Plan → Code → Test → Release → Package → Deploy → Operate → Monitor with security bolted on as separate assessments; each bolt-on assessment is a STOP that halts the flow.]
Baked-in Security, not Bolted on
1. As integrated and transparent as possible
2. Simple to operate, even for non-security professionals
3. Easy to adapt to new challenges
Image source: http://www.foodengineeringmag.com/articles/88990-tech-update-metal-detection-xray-inspection-

Shift Left
"Improve quality & security and reduce downstream disruptions by moving testing earlier in the software development lifecycle."
Shift Left aligns with Agile development
• Do more earlier, where it's cheaper and more effective
• Continuous development/testing
• Include feedback loops to improve

Shift Left Security – Continuous Security
[Figure: the pipeline Plan → Code → Test → Release → Package → Deploy → Operate → Monitor, with DevSecOps as the overlap of DevOps and SecOps (Continuous Integrated Security). Security activities run along the whole pipeline instead of at two points, in this order: Secure SDLC training, static code analysis, dynamic application security testing, build/policy compliance, vulnerability assessment, policy compliance, dynamic application security testing, and vulnerability assessment again in operations.]
DevOps & SecOps need to be aligned in key areas
• Processes. DevOps: Agile, Scrum. SecOps: integrated process (via the DevOps process).
• Integration & Automation. DevOps: CI/CD, test-driven development. SecOps: automated security (CI/CD pipeline, audit and verify).
• Tools & Technologies. DevOps: self-service tools (cloud, containers); DevOps operationalizes and uses the security tooling. SecOps: security tools for DevOps (CI/CD plugins, APIs, scripting); Security selects and builds the security tooling.
Shift Left approaches for DevOps
• Shift Time: shift security earlier into the DevOps cycle.
• Shift Techniques: apply new techniques that help integrate security, as opposed to bolting it on.
• Shift Tools: use new and existing tools in different ways to support DevOps projects.
It's not about doing the same things earlier, but an opportunity to do different and better things earlier.

Shifting Time
1. Shift Time: new agile DevOps web app sprints. Apply technique: vulnerabilities are found and fixed in the same release cadence.
2. Shift Time: automated regression and test-driven development. Apply technique: automated regression finds patch issues faster.
3. Shift Time: use containers to abstract apps from the OS. Apply technique: OS vulnerabilities are patched separately from apps.

Shifting Time
[Chart: number of severity 4/5 vulnerabilities by days open (60, 120, 180), traditional applications vs DevSecOps applications.]

Shifting Techniques
1. Shift Technique: tag vulnerable libraries in source control systems. Apply technique: prevent application builds that use vulnerable code.
2. Shift Technique: vulnerabilities are treated the same as software defects. Apply technique: create a contract between IT & Security to facilitate integrated workflows.
3. Shift Technique: open vulnerabilities are reported to business owners. Apply technique: long-held open vulnerabilities are escalated to senior (CxO) management.
Shifting Tools
1. Shift Tools: multiple web apps in both dev and production. Apply technique: integrate the production web app security assessment tool into DevOps processes via API.
2. Shift Tools: keep track of security assessment issues in the same way as software bugs. Apply technique: automatically create trouble tickets to fix security issues, using the same systems.
3. Shift Tools: prevent security issues in production from becoming a large problem. Apply technique: continuously assess web apps in both dev and production so issues are not re-introduced.
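Added example (not from the original deck, and not a Qualys API): how tools 2 and 3 above, together with technique 3 from the Shifting Techniques slide, fit into one small Python workflow. Scan findings from dev and prod become tickets in the same tracker the developers use, with one ticket per finding fingerprint; a re-scan creates no duplicates; a finding that returns after being fixed re-opens its ticket instead of opening a new one; tickets open past an assumed 60-day SLA are flagged for escalation; and open severity 4/5 tickets block a release. The finding dictionaries, the in-memory ticket store, the SLA and the scenario dates are constructed assumptions.

```python
"""Scan findings handled like software defects: one ticket per unique finding,
no duplicates on re-scan, re-open when a 'fixed' issue returns, escalate
tickets held open past an SLA, and gate releases on open high-severity tickets.

Added example with constructed data: the finding dicts, the in-memory ticket
store and the 60-day SLA are assumptions, not the output format or policy of
any particular scanner or tracker.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta

ESCALATE_AFTER_DAYS = 60          # assumed SLA before escalation to management
DAY0 = date(2024, 1, 1)           # constructed start date for the scenario


def day(n: int) -> date:
    return DAY0 + timedelta(days=n)


@dataclass
class Ticket:
    key: str                      # fingerprint of the finding
    title: str
    severity: int
    opened: date                  # first seen; kept on re-open so age reflects real exposure
    envs: set[str] = field(default_factory=set)  # environments where it is currently seen
    status: str = "open"          # open | reopened | fixed
    escalated: bool = False
    reopen_count: int = 0


def fingerprint(finding: dict) -> str:
    """Stable identity across scans and environments: app, vulnerability class,
    path and parameter. Hostname is left out on purpose so the dev and prod
    instances of the same issue share one ticket."""
    parts = (finding["app"], finding["type"], finding["path"], finding.get("param", ""))
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


class TicketStore:
    """Stand-in for the defect tracker the development team already uses."""

    def __init__(self) -> None:
        self.tickets: dict[str, Ticket] = {}

    def ingest_scan(self, env: str, findings: list[dict], today: date) -> dict[str, int]:
        """Reconcile one environment's scan result against existing tickets."""
        counts = {"created": 0, "reopened": 0, "fixed": 0}
        seen: set[str] = set()
        for f in findings:
            key = fingerprint(f)
            seen.add(key)
            t = self.tickets.get(key)
            if t is None:
                self.tickets[key] = Ticket(key, f"{f['type']} at {f['path']}", f["severity"], today, {env})
                counts["created"] += 1
                continue
            t.envs.add(env)
            if t.status == "fixed":      # re-introduced: re-open, do not duplicate
                t.status = "reopened"
                t.reopen_count += 1
                counts["reopened"] += 1
        # Anything previously seen in this env but absent now is fixed here;
        # the ticket closes only once it is gone from every environment.
        for t in self.tickets.values():
            if env in t.envs and t.key not in seen:
                t.envs.discard(env)
                if not t.envs and t.status != "fixed":
                    t.status = "fixed"
                    counts["fixed"] += 1
        return counts

    def escalate(self, today: date) -> list[str]:
        """Flag tickets held open past the SLA for escalation to senior management."""
        out = []
        for t in self.tickets.values():
            if t.status != "fixed" and not t.escalated and (today - t.opened).days > ESCALATE_AFTER_DAYS:
                t.escalated = True
                out.append(t.key)
        return out

    def release_blockers(self, env: str, min_severity: int = 4) -> list[Ticket]:
        """Open tickets at or above the threshold in `env`; a pipeline stops
        the deploy when this is non-empty."""
        return [t for t in self.tickets.values()
                if t.status != "fixed" and env in t.envs and t.severity >= min_severity]


def run_demo() -> TicketStore:
    """Constructed scenario: one SQLi and one XSS finding over 70 days."""
    sqli = {"app": "shop", "type": "SQL Injection", "path": "/login", "param": "user", "severity": 5}
    xss = {"app": "shop", "type": "Reflected XSS", "path": "/search", "param": "q", "severity": 3}
    store = TicketStore()
    store.ingest_scan("dev", [sqli], day(0))          # ticket created
    store.ingest_scan("prod", [sqli], day(0))         # same ticket, now also seen in prod
    store.ingest_scan("dev", [xss], day(20))          # SQLi gone from dev; XSS created
    store.ingest_scan("prod", [], day(30))            # SQLi gone everywhere: fixed
    store.ingest_scan("dev", [sqli, xss], day(40))    # SQLi re-introduced: reopened
    store.escalate(day(70))                           # SQLi open 70 days: escalated
    return store


if __name__ == "__main__":
    for t in run_demo().tickets.values():
        print(f"{t.title}: {t.status}, envs={sorted(t.envs)}, escalated={t.escalated}, reopens={t.reopen_count}")
```

The fingerprint is the piece that makes "the same way as software bugs" work in practice: without a stable identity per finding, every scheduled scan re-files the same issue, and the ticket queue stops being something developers will read.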
Shift Left Security reduces overall costs
[Chart: the cost of fixing a defect rises along the pipeline Plan → Code → Test → Release → Package → Deploy → Operate → Monitor, from $ in Development to $$$$ in Operations. Lower costs by fixing defects earlier: (1) traditional point-in-time security assessments sit late in the pipeline; (2) Shift Left, continuous security with tool consolidation (DevSecOps), shown at $$$.]
DevSecOps: The Business Case for Security
Cost of a software bug:
• $100 if the bug is found during the planning or requirements gathering phase of a project
• $1,000 if the bug is found during the QA/testing phase
• $10,000 if the bug is found in production
Security issue: $100,000+
Applying DevSecOps in practice

Next Month: Identify
• Take an accounting of current security tools – are they DevOps friendly?
• Identify development teams using DevOps – engage and discuss DevSecOps
• Where are your Dev environments: cloud, on-premise, hybrid?

Next Quarter: Implement
• Integrate security into one development lifecycle
• Increase automation of standard IT/Security processes
• Measure outcomes to track progress – e.g. number of vulns identified/fixed before release

Next Year: Expand
• Implement self-service and API-based continuous security
• Consolidate security tools across development/production and/or across cloud, on-premise, hybrid
• Expand to more projects & make security a fundamental part of any project
• Continue to learn & improve from vendors, DevSecOps user groups, partners, etc.
Qualys Solutions: how does Qualys play its part in DevSecOps
• Securing the web app (CI/CD): Web Application Scanning (WAS), Web Application Firewall (WAF), PD
• Securing the container (CI/CD): Container Security (CS: image, registry), Container Runtime Security (CRS), CA
• Securing the machine: Vulnerability Management (VM), Patch Management (PM), Policy Compliance (PC), TP, CM
• Securing the cloud infrastructure: Cloud Security Assessment (CSA), SCA, VM; CI/CD process and development stack
• Leverage APIs for secure automation (CI/CD): Qualys APIs, GAI, PC
Common foundation: Asset Inventory, Vulnerability Management, Policy Compliance

Use Case: Container Security across the DevOps pipeline
[Figure: Build → Registry (pre-deployment phase) → Runtime → Cloud, Host & App (post-deployment phase), with Qualys products mapped along it. Build and registry: Web Application Scanning (WAS), Container Security (CS), Vulnerability Management (VM). Runtime: CS / Container Runtime Security (CRS). Cloud, host and app: Vulnerability Management (VM), Policy Compliance (PC, incl. Secure Configuration Assessment), File Integrity Monitoring (FIM), Container Security (CS), Endpoint Detection & Response (EDR), Cloud Security Assessment (CSA), Web Application Scanning (WAS).]

Demo

Thank You!