Shift Left Security & Approaches a Business Case for Devsecops Applying Devops Security Into Practice Qualys Devsecops Solutions Demo

Everything visible. Everything secure.
DevSecOps: How to build continuous security into IT and App Infrastructures

Agenda
• DevOps, CI/CD and other cool terms
• Where two worlds collide (DevOps vs SecOps)
• What Continuous Security / Integrated Security (DevSecOps) looks like
• Shift Left Security & Approaches
• A business case for DevSecOps
• Applying DevOps security into practice
• Qualys DevSecOps Solutions
• Demo

Waterfall vs. Agile Dev Methodologies
• Waterfall (sequential process): Analyze > Plan > Design > Build > Test > Deploy, with requirements changes, customer/market influences and technology innovation arriving from outside the sequence.
• Agile (iterative process): the same stages repeated in each sprint (Sprint 1, Sprint 2, ...), so requirements changes, customer/market influences and technology innovation feed into the next iteration.

DevOps brings significant benefits, however it's complex
• Dev: Plan, Code, Build, Test. Ops: Release, Deploy, Operate, Monitor.
• Benefits: Speed, Agility, Automation.

Traditional Security in a DevOps World
• Pipeline: Plan > Code > Test > Release > Package > Deploy > Operate > Monitor (Development, then Operations).
• SecOps performs point-in-time security assessments pre-production and post-production.
• The feedback loop between critical stages creates delays.

A bolt-on approach to security will also lead to failure
• Bolt-on security assessments inserted into the pipeline act as STOP points between the Development and Operations stages.

Baked-in Security, not Bolted-on
1. Integrated and as transparent as possible
2. Simple to operate even for non-security professionals
3. Easily adapts to new challenges
Image source: http://www.foodengineeringmag.com/articles/88990-tech-update-metal-detection-xray-inspection-

Shift Left
"Improve quality & security and reduce downstream disruptions by moving testing earlier in the software development lifecycle."
Shift Left aligns with Agile Development:
• Do more earlier, where it's cheaper and more effective
• Continuous development/testing
• Include feedback loops to improve

Shift Left Security: Continuous Security
• Pipeline: Plan > Code > Test > Release > Package > Deploy > Operate > Monitor; DevOps plus SecOps becomes DevSecOps.
• Continuous integrated security controls mapped across the stages: Secure SDLC Training, Static Code Analysis, Dynamic App Sec Testing, Build / Policy Compliance and Vulnerability Assessment on the development side; Policy Compliance, Dynamic App Sec Testing and Vulnerability Assessment on the operations side. Vulnerability Assessment recurs at several stages.

DevOps & SecOps need to be aligned in key areas
• Processes: DevOps uses Scrum/Agile; SecOps runs an integrated process via the DevOps process.
• Integration & Automation: DevOps uses CI/CD and test-driven development; SecOps automates security in the CI/CD pipeline (audit and verify).
• Tools & Technologies: DevOps uses cloud, containers, CI/CD plugins, APIs and scripting; SecOps provides self-service security tools for DevOps. Security selects & builds the security tooling; DevOps operationalizes & uses it.

Shift Left approaches for DevOps
• Shift Time: shift security earlier into the DevOps cycle.
• Shift Techniques: apply new techniques to help integrate security, as opposed to bolting it on.
• Shift Tools: use new and existing tools in different ways to support DevOps projects.
It's not about doing the same things earlier, but an opportunity to do different and better things earlier.

Shifting Time
1. New agile DevOps web app sprints. Apply technique: vulnerabilities are found & fixed in the same release cadence.
2. Automated regression & test-driven development. Apply technique: automated regression finds patch issues faster.
3. Use containers to abstract apps from the OS. Apply technique: OS vulnerabilities are patched separately from apps.
[Chart: Severity 4/5 vulnerabilities, days open (60 / 120 / 180), Traditional Applications vs. DevSecOps Applications]

Shifting Techniques
1. Tag vulnerable libraries in source control systems. Apply technique: prevent application builds that use vulnerable code.
2. Vulnerabilities are treated the same as software defects. Apply technique: create a contract between IT & Security to facilitate integrated workflows.
3. Open vulnerabilities are reported to business owners. Apply technique: long-held open vulnerabilities are escalated to senior (CxO) management.

Shifting Tools
1. Multiple web apps in both dev and production. Apply technique: integrate the production web app security assessment tool into DevOps processes via API.
2. Keep track of security assessment issues in the same way as software bugs. Apply technique: automatically create trouble tickets to fix security issues using the same systems.
3. Prevent security issues in production from becoming a large problem. Apply technique: continuously assess web apps in both dev and production so issues are not re-introduced.

Shift Left Security reduces overall costs
• The cost of fixing a defect grows from $ to $$$$ as it moves from Plan/Code through to Operate/Monitor: lower costs by fixing defects earlier.
• 1. Traditional point-in-time security assessments. 2. Continuous security with tool consolidation (DevSecOps, Shift Left Continuous Security).

DevSecOps: The Business Case for Security
• Cost of a software bug: $100 if found during the planning or requirement gathering phase of a project; $1,000 if found during the QA/testing phase; $10,000 if found in production.
• Cost of a security issue: $100,000+.

Applying DevSecOps into practice
Next Month (Identify):
• Take an accounting of current security tools: are they DevOps friendly?
• Identify development teams using DevOps; engage and discuss DevSecOps.
• Where are your Dev environments: cloud, on-premise, hybrid?
Next Quarter (Implement):
• Integrate security into one development lifecycle.
• Increase automation of standard IT/Security processes.
• Measure outcomes to track progress, e.g. number of vulns identified/fixed before release.
Next Year (Expand):
• Implement self-service and API-based continuous security.
• Consolidate security tools across development/production and/or across cloud, on-premise, hybrid.
• Expand to more projects & make security a fundamental part of any project.
• Continue to learn & improve from vendors, DevSecOps user groups, partners, etc.

Qualys Solutions: How does Qualys play its part in DevSecOps
• Securing the web app: WAS (Web Application Scanning) and WAF (Web Application Firewall), integrated with CI/CD.
• Securing the container: CS (Container Security: image, registry) and CRS (Container Runtime Security).
• Securing the machine: PM (Patch Management), VM, PC, and the further modules shown on the slide (CM, CA, TP, PD, SCA).
• Securing the cloud infrastructure: CSA (Cloud Security Assessment) across the CI/CD process and development stack.
• Leverage the Qualys APIs (GAI, VM, PC) for secure automation: asset inventory, vulnerability management, policy compliance.

Use Case: Container Security across the DevOps pipeline
• Pre-deployment phase: Build and Registry, covered by CS (Container Security).
• Post-deployment phase: Runtime, covered by CRS (Container Runtime Security); Cloud, Host & App, covered by WAS (Web Application Scanning), VM (Vulnerability Management), PC (Policy Compliance, incl. Secure Configuration Assessment), FIM (File Integrity Monitoring), EDR (Endpoint Detection & Response) and CSA (Cloud Security Assessments).

Demo

Thank You!
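The "Shifting Techniques" item 1 (prevent application builds that use vulnerable code) and "Shifting Tools" item 2 (track security issues as software bugs and open tickets in the same systems) describe one build-time control. The following is an added example of such a gate, not Qualys code or anything from the deck; the advisory feed, library names, versions and severities are all constructed for illustration.

```python
"""Shift-left build gate (added example, not Qualys code): fail a build that
pulls in a known-vulnerable library and open a bug-style ticket per finding.
Advisory data, lockfile lines and severities are constructed, not real records."""
from dataclasses import dataclass

# Constructed advisory feed: library -> [(first affected version, fixed version, severity)].
# Versions are compared as dotted-integer tuples; a real feed carries richer range semantics.
ADVISORIES = {
    "libfoo": [((1, 0, 0), (1, 4, 2), 5)],  # affected >=1.0.0 and <1.4.2, severity 5
    "libbar": [((2, 0, 0), (2, 1, 0), 4)],  # affected >=2.0.0 and <2.1.0, severity 4
}

def parse_version(s):
    return tuple(int(p) for p in s.split("."))

def parse_lockfile(text):
    """Parse pinned 'name==version' lines (pip requirements style); skip blanks/comments."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, ver = line.split("==")
            deps[name.strip().lower()] = parse_version(ver.strip())
    return deps

@dataclass
class Finding:
    library: str
    version: str
    fixed_in: str
    severity: int

def find_vulnerable(deps):
    """Match each pinned dependency against the advisory feed."""
    fmt = lambda v: ".".join(map(str, v))
    return [Finding(name, fmt(ver), fmt(fixed), sev)
            for name, ver in deps.items()
            for lo, fixed, sev in ADVISORIES.get(name, [])
            if lo <= ver < fixed]

def gate_build(lockfile_text, block_severity=4):
    """Return (passed, findings, tickets). The build fails on any finding at or
    above block_severity; every finding gets a bug-style ticket regardless."""
    findings = find_vulnerable(parse_lockfile(lockfile_text))
    tickets = [{"type": "bug", "title": f"Vulnerable dependency {f.library} {f.version}",
                "priority": "P1" if f.severity >= 5 else "P2",
                "fix": f"upgrade {f.library} to {f.fixed_in}"} for f in findings]
    return not any(f.severity >= block_severity for f in findings), findings, tickets

SAMPLE_LOCK = "libfoo==1.2.3\nlibbar==2.1.0\nlibbaz==0.9.0  # constructed, no advisory\n"
```

Wiring `gate_build` into a CI step gives the "STOP" from the bolt-on slide a place inside the pipeline rather than after it, and the ticket dicts are what would be posted to the same tracker developers already use for defects.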

Details: PDF, 23 pages, English.