
Everything visible. Everything secure.

DevSecOps — How to build continuous security into IT and App Infrastructures

Agenda

• DevOps, CI/CD and other cool terms
• Where two worlds collide (DevOps vs SecOps)
• What Continuous Security / Integrated Security (DevSecOps) looks like
• Shift Left Security & approaches
• A business case for DevSecOps
• Applying DevOps security into practice
• Qualys DevSecOps solutions
• Demo

Waterfall vs. Agile Dev Methodologies

Waterfall is a sequential process: ANALYZE, PLAN, DESIGN, BUILD, TEST, DEPLOY, run once from start to finish. Technology innovation and customer/market requirement changes act on that single sequential pass.

Agile is an iterative process: each sprint (Sprint 1, Sprint 2, ...) runs its own PLAN, ANALYZE, DESIGN, BUILD, TEST, DEPLOY cycle, so requirement changes, customer/market influences and technology innovation feed into every iteration.

DevOps brings significant benefits, however it's complex

The DevOps loop joins Dev (PLAN, CODE, BUILD, TEST) and Ops (RELEASE, DEPLOY, OPERATE, MONITOR) into one continuous cycle, with MONITOR feeding back into PLAN. What it delivers: Speed, Agility, Automation.

Traditional Security in a DevOps World

DevOps pipeline: PLAN, CODE, TEST, RELEASE, PACKAGE, DEPLOY, OPERATE, MONITOR (Development on the left, Operations on the right), with a feedback loop between the critical stages.

Traditional SecOps sits outside that loop as point-in-time security assessments: one pre-production, one post-production. Waiting for those assessments between stages creates delays.

A bolt-on approach to security will also lead to failure

Same pipeline: PLAN, CODE, TEST, RELEASE, PACKAGE, DEPLOY, OPERATE, MONITOR (Development | Operations). Bolting a security assessment onto the pipeline before release and again in production turns each assessment into a STOP: the flow halts at every assessment point until the assessment completes.

Baked-in Security, not Bolted-on

1. Integrated and as transparent as possible
2. Simple to operate, even for non-security professionals
3. Easy to adapt to new challenges

(Slide image captioned "Baked-in security". Source: http://www.foodengineeringmag.com/articles/88990-tech-update-metal-detection-xray-inspection-)

Shift Left – "Improve quality & security and reduce downstream disruptions by moving testing earlier in the development lifecycle."

Shift Left aligns with Agile Development
- Do more earlier, where it's cheaper and more effective
- Continuous development/testing
- Include feedback loops to improve

Shift Left Security – Continuous Security

DevOps pipeline: PLAN, CODE, TEST, RELEASE, PACKAGE, DEPLOY, OPERATE, MONITOR (Development | Operations). SecOps is integrated into every stage instead of being bolted on at two points; the combination is DevSecOps: continuous, integrated security.

Security activities, left to right along the pipeline: Secure SDLC training; static code analysis; dynamic application security testing; build / policy compliance; vulnerability assessment; policy compliance; dynamic application security testing. Vulnerability assessment appears on both the development and the operations side.

DevOps & SecOps need to be aligned in key areas

Area                      DevOps                                    SecOps
Processes                 Scrum, Agile                              Integrated process (via the DevOps process)
Integration & Automation  CI/CD, test-driven development            Automated security (CI/CD pipeline, audit and verify)
Tools & Technologies      Cloud, containers, CI/CD plugins,         Self-service security tools for DevOps: Security selects and
                          scripting                                 builds the security tooling, DevOps operationalizes and uses it

Shift Left approaches for DevOps

Shift Time: shift security earlier into the DevOps cycle.
Shift Techniques: apply new techniques to help integrate security, as opposed to bolting it on.
Shift Tools: use new and existing tools in different ways to support DevOps projects.

It's not about doing the same things earlier, but an opportunity to do different and better things earlier.

Shifting Time

1. Shift Time: new agile DevOps web app sprints. Apply technique: vulnerabilities are found & fixed in the same release cadence.
2. Shift Time: automated regression & test-driven development. Apply technique: automated regression finds issues faster.
3. Shift Time: use containers to abstract apps from the OS. Apply technique: OS vulnerabilities are patched separately from apps.

Shifting Time

(Chart: days Severity 4/5 vulnerabilities stay open, on a 60 / 120 / 180-day axis, traditional applications vs DevSecOps applications.)

Shifting Techniques

1. Shift Technique: tag vulnerable libraries in source control systems. Apply technique: prevent application builds that use vulnerable code.
2. Shift Technique: vulnerabilities are treated the same as software defects. Apply technique: create a contract between IT & Security to facilitate integrated workflows.
3. Shift Technique: open vulnerabilities reported to business owners. Apply technique: long-held open vulnerabilities escalated to senior (CxO) management.
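The first Shifting Time and Shifting Technique items (find and fix vulnerabilities in the same release cadence; tag vulnerable libraries and prevent builds that use them), as an added example that is not code from the original slides or from Qualys: a CI gate that parses a pinned requirements file, matches it against an advisory feed and fails the build for Severity 4/5 hits while only warning on lower severities. The package names, advisory ids (ADV-000x) and version ranges are constructed for the demo and are not real vulnerabilities; a real pipeline would take the advisories from its SCA or vulnerability-management tool and the requirements file from the repository being built.

```python
"""CI build gate: fail the build when a pinned dependency falls in a known-vulnerable range.

Added example, not Qualys code. The advisory feed and requirements.txt below are
constructed for the demo (hypothetical packages and ids, not real CVEs).
"""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first vulnerable version (inclusive)
    fixed: str        # first fixed version (exclusive); "" = no fix published yet
    severity: int     # 1..5, the same scale the slides use for "Severity 4/5"
    ref: str          # hypothetical advisory id, not a real CVE


# Constructed advisory feed (hypothetical packages and ids).
ADVISORIES = [
    Advisory("acme-http", "1.0.0", "1.4.2", 5, "ADV-0001"),
    Advisory("acme-yaml", "0.1.0", "2.0.0", 4, "ADV-0002"),
    Advisory("acme-log",  "3.0.0", "",      2, "ADV-0003"),
]

# Constructed requirements.txt as produced by `pip freeze` (pinned with ==).
REQUIREMENTS = """\
acme-http==1.3.9
acme-yaml==2.1.0
acme-log==3.2.1
acme-crypto==4.0.0   # pinned, no advisory
"""

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)")


def parse_requirements(text):
    """Return {package: version} for every `pkg==ver` line; comments and blank lines are ignored."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = PIN_RE.match(line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def version_key(v):
    """Numeric tuple for comparison: '1.4.2' -> (1, 4, 2); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def is_affected(version, adv):
    """True when introduced <= version < fixed (or version >= introduced with no fix yet)."""
    v = version_key(version)
    if v < version_key(adv.introduced):
        return False
    return adv.fixed == "" or v < version_key(adv.fixed)


def find_vulnerable(deps, advisories):
    """List of (package, version, advisory) for every pinned dependency inside a vulnerable range."""
    hits = []
    for adv in advisories:
        ver = deps.get(adv.package.lower())
        if ver is not None and is_affected(ver, adv):
            hits.append((adv.package, ver, adv))
    return hits


def gate(requirements_text, advisories=ADVISORIES, fail_at_severity=4):
    """Return (ok, hits): ok is False when any hit reaches the blocking severity."""
    hits = find_vulnerable(parse_requirements(requirements_text), advisories)
    blocking = [h for h in hits if h[2].severity >= fail_at_severity]
    return (len(blocking) == 0, hits)


if __name__ == "__main__":
    ok, hits = gate(REQUIREMENTS)
    for pkg, ver, adv in hits:
        fix = f"upgrade to >= {adv.fixed}" if adv.fixed else "no fix available yet"
        tag = "BLOCK" if adv.severity >= 4 else "WARN "
        print(f"{tag} {pkg}=={ver} {adv.ref} sev{adv.severity}: {fix}")
    sys.exit(0 if ok else 1)   # non-zero exit fails the CI job
```

Run it as a pipeline step right after dependency resolution; the non-zero exit is what stops the build, and the WARN lines keep the lower-severity items visible without blocking the sprint. A severity-2 hit with no fix available is reported but does not block, which is the "same release cadence" trade-off the slide describes.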

Shifting Tools

1. Shift Tools: multiple web apps in both dev and production. Apply technique: integrate the production web app security assessment tool into the DevOps processes via API.
2. Shift Tools: keep track of security assessment issues in the same way as software bugs. Apply technique: automatically create trouble tickets to fix security issues using the same systems.
3. Shift Tools: prevent security issues in production from becoming a large problem. Apply technique: continuously assess web apps in both dev and production so issues are not re-introduced.
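The "vulnerabilities are software defects" and escalation techniques on the Shifting Techniques slide and the ticketing and re-introduction items on the Shifting Tools slide, as an added example that is not part of the original deck or of Qualys's products: findings from successive scans are reconciled into one ticket per (asset, finding), closed when a scan of that asset no longer reports them, reopened and counted as a regression when re-introduced, and escalated when open past a per-severity SLA. The in-memory Tracker class stands in for an issue tracker reached over its API (Jira, ServiceNow), and the scan findings, finding ids (F-xxxx), asset names, owners and SLA days are all constructed for the demo.

```python
"""Treat vulnerabilities like software defects: one ticket per (asset, finding),
opened, updated, closed and escalated from scan results.

Added example, not Qualys code. Tracker stands in for your issue tracker's API;
the scans, assets, owners and SLA table are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: days a finding may stay open, by severity, before escalation to CxO level.
ESCALATE_AFTER_DAYS = {5: 7, 4: 30, 3: 90}


@dataclass
class Ticket:
    key: tuple             # (asset, finding_id): the deduplication key
    severity: int
    title: str
    owner: str             # business owner the finding is reported to
    opened: date
    last_seen: date
    status: str = "open"   # open | closed
    reopen_count: int = 0  # > 0 means the issue was re-introduced after being fixed
    escalated_to: str = ""


class Tracker:
    """Minimal in-memory stand-in for an issue tracker; replace the methods with API calls."""

    def __init__(self):
        self.tickets = {}

    def sync(self, findings, scanned_assets, scan_date, owner_by_asset):
        """Reconcile one scan's findings with existing tickets; returns the changes made."""
        changes, seen = [], set()
        for f in findings:
            key = (f["asset"], f["id"])
            seen.add(key)
            t = self.tickets.get(key)
            if t is None:
                self.tickets[key] = Ticket(key, f["severity"], f["title"],
                                           owner_by_asset.get(f["asset"], "unassigned"),
                                           scan_date, scan_date)
                changes.append(f"opened {key}")
            elif t.status == "closed":          # fixed earlier, now back: a regression
                t.status, t.opened, t.last_seen = "open", scan_date, scan_date
                t.reopen_count += 1
                changes.append(f"reopened {key} (re-introduced)")
            else:
                t.last_seen = scan_date
        # A finding absent from a fresh scan of its asset counts as fixed; unscanned assets are left alone.
        for key, t in self.tickets.items():
            if t.status == "open" and key[0] in scanned_assets and key not in seen:
                t.status = "closed"
                changes.append(f"closed {key}")
        return changes

    def escalations(self, today):
        """Open tickets past their severity SLA, marked for escalation to senior management."""
        out = []
        for t in self.tickets.values():
            limit = ESCALATE_AFTER_DAYS.get(t.severity)
            age = (today - t.opened).days
            if t.status == "open" and limit is not None and age > limit:
                t.escalated_to = "CxO"
                out.append((t.key, t.severity, age))
        return out


# Constructed demo data: two web apps owned by one team, three scans over 50 days.
OWNERS = {"web-prod-01": "payments-team", "web-dev-01": "payments-team"}
SQLI = {"id": "F-1001", "severity": 5, "title": "SQL injection in /login"}
HDRS = {"id": "F-2002", "severity": 3, "title": "Missing security headers"}
SCAN_1 = [dict(asset="web-prod-01", **SQLI), dict(asset="web-prod-01", **HDRS), dict(asset="web-dev-01", **SQLI)]
SCAN_2 = [dict(asset="web-prod-01", **HDRS), dict(asset="web-dev-01", **SQLI)]   # prod fixed the SQLi
SCAN_3 = [dict(asset="web-prod-01", **SQLI), dict(asset="web-prod-01", **HDRS)]  # SQLi is back on prod


def run_demo():
    """Replay the three scans; returns (tracker, change log, escalations after scan 2)."""
    tr, d0, assets, log = Tracker(), date(2019, 1, 1), set(OWNERS), []
    log += tr.sync(SCAN_1, assets, d0, OWNERS)
    log += tr.sync(SCAN_2, assets, d0 + timedelta(days=40), OWNERS)
    esc = tr.escalations(d0 + timedelta(days=40))      # dev's SQLi has been open 40 days
    log += tr.sync(SCAN_3, assets, d0 + timedelta(days=50), OWNERS)
    return tr, log, esc


if __name__ == "__main__":
    tracker, log, esc = run_demo()
    print("\n".join(log))
    print("escalate:", esc)
```

The deduplication key is what makes the tickets behave like bugs rather than like scan reports: a finding seen in ten scans is one ticket with an age, not ten reports, and that age is what the SLA and the CxO escalation act on. The reopen path is the "so issues are not re-introduced" check from the Shifting Tools slide, and an asset that was not in the scan keeps its open tickets untouched so a skipped scan never silently closes anything.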

Shift Left Security reduces overall costs

DevOps pipeline: PLAN, CODE, TEST, RELEASE, PACKAGE, DEPLOY, OPERATE, MONITOR (Development | Operations). The cost of fixing a defect rises the further right it is found, from $ at the plan/code end to $$, $$$ and $$$$ at the operate/monitor end. Lower costs by fixing defects earlier.

1. Traditional point-in-time security assessments (Security): defects surface at the expensive end of the pipeline.
2. Shift Left continuous security with tool consolidation (DevSecOps): defects surface early ($$$ on the slide's chart).

DevSecOps: The Business Case for Security

Cost of a software bug or security issue, by the phase in which it is found: $100 if found during the planning or requirements-gathering phase of a project, rising through $1,000 and $10,000 the later it is found (including the QA testing phase), to $100,000+ if found in production.

Applying DevSecOps into practice

Next Month (Identify)
• Take an accounting of current security tools: are they DevOps friendly?
• Identify development teams using DevOps; engage and discuss
• Where are your Dev environments: cloud, on-premise, hybrid?

Next Quarter (Implement)
• Integrate security into one development lifecycle
• Increase automation of standard IT/Security processes
• Measure outcomes to track progress, e.g. number of vulnerabilities identified/fixed before release

Next Year (Expand)
• Implement self-service and API-based continuous security
• Consolidate security tools across development/production and/or across cloud, on-premise, hybrid
• Expand to more projects and make security a fundamental part of any project
• Continue to learn and improve from vendors, DevSecOps user groups, partners, etc.

Qualys Solutions: How does Qualys play its part in DevSecOps

Securing the web app (CI/CD): WAS Web Application Scanning, WAF Web Application Firewall, PD
Securing the container (CI/CD): CS Container Security (image, registry), CRS Container Runtime Security, CA
Securing the machine: PM Patch Management, PC, TP, CM
Securing the cloud infrastructure (CI/CD process across the development stack): CSA Cloud Security Assessment, VM, SCA
Leverage APIs for secure automation (CI/CD): Qualys APIs, GAI, PC

Foundation: Asset Inventory, Vulnerability Management, Policy Compliance

Use Case: Container Security across the DevOps pipeline

Pre-deployment phase: BUILD, REGISTRY. Post-deployment phase: RUNTIME; CLOUD, HOST & APP.

Build and registry: CS Container Security (image and registry scanning).
Runtime: CRS Container Runtime Security.
Cloud, host & app: VM Vulnerability Management, PC Policy Compliance (incl. Secure Configuration Assessment), FIM File Integrity Monitoring, EDR Endpoint Detection & Response, CSA Cloud Security Assessments, WAS Web Application Scanning.

Demo

Thank You!