Kim van Wilgen - SDD Conference…

Post on 09-Jul-2020



We came, we saw, we kicked its ass!

Kim van Wilgen

@kimvanwilgen

nl.linkedin.com/kimvanwilgen

kimvanwilgen@gmail.com

www.kimvanwilgen.com

About me

Kim van Wilgen, Head of development at ANVA

Former head of IT at Klaverblad

Business background

Managing since 2005

Programming since 2018


@kimvanwilgen | www.kimvanwilgen.com | We came, we saw, we kicked its ass

The Continuous Culture


Insurance company

Service provider

Wholesale

Agents

ANVA: insurtech company for the Netherlands

Why focus on security?

Boring, draining, worthless

Why is it boring?

Security roleplay

With the hypes of agile and continuous delivery, focus shifted to speed… and nothing else

GDPR: Go away!

Security is not a core competence of developers

Panels are shifting

• Cloud computing

• Emergent processes and tools

• New architectures

• IAAS

• Shifting roles / T shapes

• Just enough software architecture

• IoT, AI, machine learning


Hacking 4 dummies

Script kiddies: ready-to-use scripts for bored teens


Firewalls aren’t keeping you safe

10.6% of passwords are a top-20 password


“Geeks are people who love something so much that all the details matter.”

Marissa Mayer


Security all-in


Continuous Delivery (CD) is a set of practices and principles in software engineering aimed at building, testing and releasing software faster and more frequently. They help reduce the cost, time and risk of delivering changes, and ultimately value, to customers by allowing for more incremental changes to applications in production.

Wikipedia, 2017


Continuous Security (CS) is a set of practices and principles in software engineering aimed at building, testing and releasing software faster and more frequently. They help reduce the cost, time and risk of delivering changes, and ultimately value, to customers by allowing for more incremental changes to applications in production.


Continuous Security (CS) is a set of practices and principles in software engineering aimed at designing, developing, testing and running software more securely. They help reduce the cost, time and risk of delivering changes, and ultimately value, to customers by allowing for more incremental changes to applications in production.


Continuous Security (CS) is a set of practices and principles in software engineering aimed at designing, developing, testing and running software more securely. They help reduce the cost, time and risk of delivering integrity, availability and data protection, and ultimately security, to applications in production.


Continuous Security (CS) is a set of practices and principles in software engineering aimed at designing, developing, testing and running software more securely. They help reduce the cost, time and risk of delivering integrity, availability and data protection, and ultimately security, to applications in production. Continuous security is indispensable for delivering Continuous Delivery.

DevSecOps 2018

DevSecOps 2021


Technology radar: security is rising



How to start?


Self-organised security


“We’ll be disclosing personal data of all the Dutch through an open cloud SaaS platform. Make it safe to do so.”


Security Satellite team

5 dev (1 architect, 2 devs, 2 testers)

3 ops


BSIMM: Build security in maturity model


Security board

Let’s play!

Gartner DevSecOps Top 10

• Have security champions

• Don’t eliminate all risk

• Driven by DevOps teams

• Identify and remove first

• Adapt your SAST & DAST

• Eliminate known vulnerabilities

• Immutable infrastructure

• Detection of changes

• Treat security tests as source code

• Train for the basics

#1: Have security champions

“When designing the software architecture a security expert helps to do a risk assessment early and mitigate important risks by design”

- Simon Brown -

#2: Don’t eliminate all risk


Risk and cost based security: small tests and risk based

Integration in the pipeline

#3: DevOps driven


“At Google I’ve never spoken to anyone from the security team. They integrated software security solutions in our pipelines that were helping delivery instead of frustrating it”

Randy Shoup, WeWork


Automate first

• SAST

• DAST

• Proxy tools

• Dependency checks

• Custom scripts

Integration in the pipelines


SAST: technology that analyzes an application's source, bytecode or binary code for security vulnerabilities, typically at the programming and/or testing software life cycle (SLC) phases.

Leaders: Checkmarx, Veracode, AppScan (IBM), Fortify (Micro Focus), PT Application Inspector, Coverity (Synopsys)

+ Finds problems early in the lifecycle, detailed feedback

- False positives & false negatives

SAST


DAST: analyzes applications in their dynamic, running state during testing or operational phases. It simulates attacks against an application (typically web-enabled applications and services), analyzes the application's reactions and, thus, determines whether it is vulnerable.

Leaders: Fortify, AppScan, ZAP, Qualys, Rapid7

+ Tests the application at runtime, realistic view

- More complex, harder to track, requires running instance

DAST


DAST: Zed Attack Proxy (ZAP)

#4: Identify and remove: start small


I’ve added over 100 security rules in Sonar and sent the top X screwups to the team. They are more aware and will solve their own issues.

Dominik, member of ANVA security satellite team

#5: Adapt your SAST, DAST and security tests


Application Security Verification Standard

Irrelevant / SAST / DAST / RAST / other

Train for risks we can’t automate

Learn and adapt first before you break the build

#6: Fix your vulnerabilities


OWASP Dependency-Check: eliminate known vulnerabilities

48

550 vulnerabilities
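The pipeline gate below is an added example, not code from the talk or from OWASP Dependency-Check itself. It reads a simplified, constructed scan report (the field names and vulnerability ids are made up), applies the risk-based thresholds the talk argues for (don't eliminate all risk, but do eliminate known vulnerabilities), and runs in a report-only learning mode until the team flips it to enforcing, which is the "learn and adapt first before you break the build" step. The thresholds, the risk-acceptance list and the report layout are all assumptions a team would tune for itself.

```python
"""Risk-based pipeline gate over a dependency-scan report.

Added example, not from the talk or from OWASP Dependency-Check itself. The
report layout is a constructed, simplified stand-in for a scanner's JSON
output (real Dependency-Check reports carry many more fields), and the policy
thresholds are assumptions a team would tune for itself.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample report: three libraries, with made-up vulnerability ids.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "example-json-lib-2.9.8.jar",
         "vulnerabilities": [
             {"name": "EXAMPLE-VULN-A", "cvssScore": 9.8},
             {"name": "EXAMPLE-VULN-B", "cvssScore": 7.5},
         ]},
        {"fileName": "example-text-lib-1.8.jar",
         "vulnerabilities": [{"name": "EXAMPLE-VULN-C", "cvssScore": 5.3}]},
        {"fileName": "example-logging-1.7.25.jar", "vulnerabilities": []},
    ]
})


@dataclass(frozen=True)
class Finding:
    dependency: str
    vuln_id: str
    score: float


@dataclass
class Policy:
    block_at: float = 9.0                   # fail the build at or above this CVSS score
    warn_at: float = 7.0                    # report, but do not fail, from here up to block_at
    accepted: frozenset[str] = frozenset()  # ids with an explicit, documented risk acceptance
    enforce: bool = False                   # False = learning mode: report only, never break the build


def parse_report(raw: str) -> list[Finding]:
    """Flatten the per-dependency report into one list of findings."""
    data = json.loads(raw)
    findings: list[Finding] = []
    for dep in data.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            findings.append(Finding(dep["fileName"], vuln["name"], float(vuln["cvssScore"])))
    return findings


def evaluate(findings: list[Finding], policy: Policy) -> dict:
    """Sort findings into blocking / warning / accepted buckets under the policy."""
    blocking, warnings, accepted = [], [], []
    for f in findings:
        if f.vuln_id in policy.accepted:
            accepted.append(f)      # known and consciously tolerated: not a build failure
        elif f.score >= policy.block_at:
            blocking.append(f)
        elif f.score >= policy.warn_at:
            warnings.append(f)
        # below warn_at: ignored by the gate, left to normal maintenance
    return {
        "fail": policy.enforce and bool(blocking),
        "blocking": blocking,
        "warnings": warnings,
        "accepted": accepted,
    }


def gate(raw_report: str, policy: Policy) -> int:
    """Pipeline entry point: print a summary and return the process exit code."""
    result = evaluate(parse_report(raw_report), policy)
    for bucket in ("blocking", "warnings", "accepted"):
        for f in result[bucket]:
            print(f"[{bucket.upper()}] {f.dependency}: {f.vuln_id} (CVSS {f.score})")
    if result["blocking"] and not policy.enforce:
        print("learning mode: blocking findings reported, build not failed")
    return 1 if result["fail"] else 0


if __name__ == "__main__":
    # Start in learning mode; flip enforce=True once the team has worked through
    # the backlog, so the first thing a broken build reports is a genuinely new risk.
    raise SystemExit(gate(SAMPLE_REPORT, Policy(enforce=False)))
```

Running it prints the findings grouped by bucket and exits 0 while `enforce` is False; with `enforce=True` the same report exits 1 because of the 9.8 finding, and adding that id to `accepted` (with the acceptance recorded somewhere reviewable) turns the build green again without hiding the lower-scored warning.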

#7: Immutable infrastructure

#8: Detection of changes

#9: Treat security tests as source code

#10: Train for the basics

Automate security features and scan against bugs and vulnerabilities

Check for logical flaws manually, educate and automate them


Academy sessions


Hack yourself first too

Chaos Engineering is the discipline of experimenting on a distributed system in order to build confidence in the system’s capability to withstand turbulent conditions in production.


“Thinking as an offender will show the real threats of your application and grow awareness from finding out how easy it is.”

Troy Hunt, MVP for developer security and creator of ‘Have I been PWNED’

Hackyourselffirst.troyhunt.com


Evil user stories

As a Malicious Hacker, I want to gain access to this web application’s Cloud Hosting account so that I can lock out the legitimate owners and delete the servers and their backups, to destroy their entire business.


Overview

Continuous Security

• Automation: SAST, DAST, proxy tools, custom scripts, dependency checks

• Knowledge: training, feedback from detection

• Detection: hack yourself, external pentesting




References and questions

www.kimvanwilgen.com

kimvanwilgen

kimvanwilgen@gmail.com


Sources

https://sdtimes.com/developers/gartners-guide-to-successful-devsecops/

https://cybersecurity.isaca.org/static-assets/documents/State-of-Cybersecurity-part-2-infographic_res_eng_0517.pdf

https://www.sans.org/reading-room/whitepapers/critical/continuous-security-implementing-critical-controls-devops-environment-36552

10 Things to Get Right for Successful DevSecOps, Gartner, 2017, IDG00341371

https://www.gartner.com/doc/reprints?id=1-4TI72Y2&ct=180320&st=sb

https://www.thoughtworks.com/radar/techniques