How to Really Kick Your DevOps Program Up a Notch

Date post: 16-Apr-2017
Upload: ibm-security

Transcript
Page 1: How to Really Kick Your DevOps Program Up a Notch

How to REALLY Kick Your DevOps Program Up a Notch

Page 2: How to Really Kick Your DevOps Program Up a Notch

2 IBM Security

Agenda

• What is DevOps?

• Why is your DevOps incomplete?

• The recipe to success

• IBM Application Security on Cloud to the Rescue

• Q & A

IBM AND BUSINESS PARTNER INTERNAL USE ONLY

Dave Stewart, Static Analyzer Lead Developer, IBM Security

Eitan Worcel, Application Security on Cloud Offering Manager, IBM Security

Page 3: How to Really Kick Your DevOps Program Up a Notch

What is DevOps?

Page 4: How to Really Kick Your DevOps Program Up a Notch


DevOps is not a goal

The goal is to speed up release of an efficient, secure and easy to maintain product.

DevOps is a means to get there, DevOps itself is not the goal.

There is no silver bullet to implementing DevOps in an organization, any attempt should be proven out first with a few projects and not rolled out across an enterprise.

Page 5: How to Really Kick Your DevOps Program Up a Notch


What is DevOps?

• Conceptually, DevOps is a convergence of Planning, Development and Operational activities and processes, as part of the software development lifecycle.

• In practice, DevOps is a value-added tool chain which enables iterative and frequent product releases, while helping to ensure high levels of quality, stability, and security in your product.

• In reality, when employed, DevOps is a delivery model that can accelerate your rapid development and help ensure high quality, high security releases of your software.

Product Planning

• Requirements Definition

• Feedback Iterations

Product Development

• Software Engineering

• Quality Engineering

Product Operations

• Software Release

• Product Support

DevOps Process

Page 6: How to Really Kick Your DevOps Program Up a Notch


Four tenets of DevOps

Iterative Cycles

• “Agile” development.
• Continuous process.
• Cycles inform each other.

Progressive Scale

• Crawl, walk, run.
• Don’t get buried.
• Evaluate levels of risk.

Early Identification

• No surprises.
• Inspect & adapt.
• Minimize critical risks.

Real-time Alerts & Updates

• Constant improvement.
• Right people involved.
• Frequent updates.

Page 7: How to Really Kick Your DevOps Program Up a Notch

Why is your DevOps incomplete?

Page 8: How to Really Kick Your DevOps Program Up a Notch


Did you forget something?

In reality, when employed, DevOps is a delivery model that can accelerate your rapid development and help ensure high quality, high security releases of your software.

Page 9: How to Really Kick Your DevOps Program Up a Notch

Page 10: How to Really Kick Your DevOps Program Up a Notch

Why is it hard to introduce AppSec to DevOps?

Challenges

• Developers tend to resist learning new tools or altering existing workflows, especially for tasks outside the scope of their “day jobs”.

• Software products are large and complex, with many different components and connected parts, any of which can fail; rolling out new requirements risks “breaking it all”.

• Achieving high levels of quality and security requires a significant amount of time to identify, assess, triage and prioritize risks.

• Application security testing has a notorious reputation for being noisy. Filtering results is time consuming and requires expertise.

CHANGE

Page 11: How to Really Kick Your DevOps Program Up a Notch


How NOT to integrate AppSec into DevOps

Application Security in DevOps IS NOT about automatically sending code to be tested for security vulnerabilities.

Application Security in DevOps SHOULD NOT introduce fundamentally new workflows.

Application Security in DevOps SHOULD NOT be rolled out across an enterprise without piloting and proving success first.

Application Security in DevOps SHOULD NOT rely on human triage/processing of scan results.

Page 12: How to Really Kick Your DevOps Program Up a Notch

Recipe to Success

Page 13: How to Really Kick Your DevOps Program Up a Notch


Getting started with test automation

Identify and weigh your risk criteria

Crawl, then walk, then run

Choose your pilot(s) wisely

Page 14: How to Really Kick Your DevOps Program Up a Notch


Plan your quality & security gates

Pipeline: CODE > BUILD > QA > SECURITY > PRODUCTION

Development Gate. Gate goals:

• Testable build
• Failed builds
• High severity defects

QA Gate. Gate goals:

• Functional validation
• Low noise
• High severity / high confidence

Security Gate. Gate goals:

• Thorough defect triage
• High/medium severity defects

Production Gate. Gate goals:

• Complete scans/tests
• Risk assessment
• Technical debt assessment

Page 15: How to Really Kick Your DevOps Program Up a Notch


Define your quality & security gate criteria

Pipeline: CODE > BUILD > QA > SECURITY > PRODUCTION

Development Gate. Gate conditions:

• Unit tests implemented
• Preliminary security scan
• Code reviewed

QA Gate. Gate conditions:

• No High risk input validation issues
• No more than X confirmed vulnerabilities

Security Gate. Gate conditions:

• No High/medium severity defects
• No input validation risks

Production Gate. Gate conditions:

• All High risk issues resolved
• All Medium risk issues older than 30 days resolved

Page 16: How to Really Kick Your DevOps Program Up a Notch


Overcoming the Challenges

CHANGE

Solutions

• Application Security must play nicely with existing DevOps workflows and integrate as transparently as possible into the existing environment.

• Application Security must enable us to progressively focus on the most important pieces/risks early, and provide an opportunity to inspect everything.

• Application Security must support a fully automated round trip and not settle for automating test invocation alone. It should be configured and tuned depending on where we are in the release lifecycle.

• Application Security must employ cognitive solutions to minimize the need for highly specialized quality and security SMEs.

Page 17: How to Really Kick Your DevOps Program Up a Notch

IBM Application Security on Cloud to the Rescue

Page 18: How to Really Kick Your DevOps Program Up a Notch


Implement your quality & security gate criteria

Set criteria directly in your CI/CD environment to fail builds if not met.
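As an added illustration of the "set the criteria in CI/CD and fail the build" step (example code written for this page, not Application Security on Cloud's API or result format), the script below evaluates the four gate condition sets from the earlier slides against a constructed list of findings and returns the exit code a CI job would use. The Finding fields, the value 5 chosen for the slides' unspecified "X confirmed vulnerabilities", and the sample findings are all assumptions.

```python
"""Added example: a CI/CD quality & security gate evaluator.

Illustrative code only; not IBM Application Security on Cloud's API or output
format. Findings below are constructed sample data; thresholds restate the
gate conditions from the slides, with X assumed to be 5.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Finding:
    """One scan result. Field names are this example's own, not a real scanner's schema."""
    id: str
    severity: str      # "High", "Medium" or "Low"
    category: str      # e.g. "Input Validation"
    confirmed: bool    # True once the finding has been confirmed (by a person or by analytics)
    first_seen: date   # first build in which the finding appeared


@dataclass
class GateResult:
    gate: str
    passed: bool
    reasons: list[str] = field(default_factory=list)


def _is_input_validation(f: Finding) -> bool:
    return f.category.lower() == "input validation"


def evaluate_gate(gate: str, findings: list[Finding], today: date,
                  max_confirmed: int = 5, medium_max_age_days: int = 30,
                  dev_checks: dict[str, bool] | None = None) -> GateResult:
    """Apply the gate conditions from the slides; an empty reasons list means the gate passes."""
    reasons: list[str] = []

    if gate == "development":
        # Process conditions, supplied by the pipeline rather than by the scanner.
        for check in ("unit_tests_implemented", "preliminary_scan_done", "code_reviewed"):
            if not (dev_checks or {}).get(check, False):
                reasons.append(f"development: {check} is false")

    elif gate == "qa":
        for f in findings:
            if f.severity == "High" and _is_input_validation(f):
                reasons.append(f"qa: {f.id} is a High risk input validation issue")
        confirmed = sum(1 for f in findings if f.confirmed)
        if confirmed > max_confirmed:
            reasons.append(f"qa: {confirmed} confirmed vulnerabilities exceeds limit of {max_confirmed}")

    elif gate == "security":
        for f in findings:
            if f.severity in ("High", "Medium"):
                reasons.append(f"security: {f.id} is {f.severity} severity")
            if _is_input_validation(f):
                reasons.append(f"security: {f.id} is an input validation risk")

    elif gate == "production":
        for f in findings:
            age = (today - f.first_seen).days
            if f.severity == "High":
                reasons.append(f"production: {f.id} is an unresolved High risk issue")
            elif f.severity == "Medium" and age > medium_max_age_days:
                reasons.append(f"production: {f.id} is Medium risk and {age} days old")

    else:
        raise ValueError(f"unknown gate {gate!r}")

    return GateResult(gate, not reasons, reasons)


# Constructed sample scan output; dates are illustrative (TODAY is the deck's date).
TODAY = date(2017, 4, 16)
SAMPLE_FINDINGS = [
    Finding("F-1", "High", "Input Validation", True, date(2017, 3, 1)),
    Finding("F-2", "Medium", "Cryptography", True, date(2017, 2, 1)),
    Finding("F-3", "Medium", "Input Validation", False, date(2017, 4, 10)),
    Finding("F-4", "Low", "Information Leakage", False, date(2017, 4, 12)),
]


def run_gate_in_ci(gate: str, findings: list[Finding]) -> int:
    """Return the exit code a CI job would use: 0 passes the stage, 1 fails the build."""
    result = evaluate_gate(gate, findings, TODAY,
                           dev_checks={"unit_tests_implemented": True,
                                       "preliminary_scan_done": True,
                                       "code_reviewed": True})
    for reason in result.reasons:
        print(reason)
    print(f"{gate} gate: {'PASS' if result.passed else 'FAIL'}")
    return 0 if result.passed else 1


if __name__ == "__main__":
    sys.exit(run_gate_in_ci(sys.argv[1] if len(sys.argv) > 1 else "production", SAMPLE_FINDINGS))
```

Run as `python gate.py qa` (or `security`, `production`) from the matching pipeline stage; a non-zero exit fails the build, which is the whole mechanism. Note that the production gate deliberately tolerates a fresh Medium finding (F-3) while refusing an old one (F-2): the 30-day rule turns the gate into a technical-debt clock rather than a hard block.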

Page 19: How to Really Kick Your DevOps Program Up a Notch

Pilot your application

(Diagram: the CODE > BUILD > QA > SECURITY > PRODUCTION pipeline with its Development, QA, Security and Production gates, annotated with the build information and security issue information exchanged with developers’ IDEs.)

Page 20: How to Really Kick Your DevOps Program Up a Notch


Up and running

Track risk build/build and iteration/iteration in your native dashboards.

Page 21: How to Really Kick Your DevOps Program Up a Notch


Prioritized focus

Direct your developers to the most important issues directly in their native IDE, so they can fix the root cause of problems.

Page 22: How to Really Kick Your DevOps Program Up a Notch

Utilize Cognitive Capabilities with Intelligent Findings Analytics

Without analytics: Security Analysis > Scan something > Get Results > Triage Results (look for needles in the haystack). And meanwhile, the iteration ends, and we are unsure of our risk…

With analytics: Security Analysis > Scan something > Get Results > Intelligent Finding Analytics (cognitive learning, a “Security Expert in a Box”).

Page 23: How to Really Kick Your DevOps Program Up a Notch


ICA - Intelligent Code Analysis


Fact: Developers depend greatly on existing APIs.

Problem: Security code scanning needs to understand those APIs in order to achieve good coverage; unknown APIs leave blind spots.

Solution today: Manually discover API information and add it to the tool.

Page 24: How to Really Kick Your DevOps Program Up a Notch


ICA - Intelligent Code Analysis


Introducing ICA

ASoC’s “new” Cognitive Security rule engine analyzes any framework used in your application, giving a full trace analysis across your custom code and the framework.

• No more blind spots
• 100% coverage for existing trace languages
• Supports ANY framework, even the one that is planned for release tomorrow
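To make the blind-spot problem concrete, here is an added example (written for this page; it is not ICA's engine or any ASoC code, and the API names, the statement format and the sample method are constructed) of a minimal taint-tracking pass over a straight-line method. It shows the two bad choices an analyzer has when it meets an API it has no model for, and how adding a model entry for that API, whether by hand as on the previous slide or automatically as ICA promises, closes the gap.

```python
"""Added example: why unmodeled framework APIs leave blind spots in taint analysis.

Illustrative code for this page only; it is not ICA or any real scanner. API
names, the statement format and the sample method are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Stmt:
    """One straight-line statement, target = call(args); target is None for a bare call."""
    call: str
    args: tuple[str, ...] = ()
    target: str | None = None


# The analyzer's API model: how each known call affects tainted (attacker-controlled) data.
BASE_MODEL = {
    "request.getParameter": "source",    # returns attacker-controlled data
    "String.concat": "propagate",        # output is tainted if any input is
    "Encoder.forHtml": "sanitize",       # output is safe for the HTML sink
    "response.write": "sink",            # report if it receives tainted data
}


def analyze(stmts: list[Stmt], model: dict[str, str], unknown_policy: str = "clean"):
    """Track taint through stmts; return (findings, blind_spots).

    findings   : (statement index, sink call, tainted argument) per tainted sink argument.
    blind_spots: calls absent from the model. Their effect was guessed from unknown_policy:
                 "clean" assumes the result is safe (risking a missed vulnerability),
                 "tainted" assumes the worst (risking noise on every unknown call).
    """
    tainted: set[str] = set()
    findings: list[tuple[int, str, str]] = []
    blind_spots: list[str] = []
    for i, s in enumerate(stmts):
        kind = model.get(s.call)
        if kind is None:
            blind_spots.append(s.call)
            kind = "propagate" if unknown_policy == "tainted" else "sanitize"
        tainted_args = [a for a in s.args if a in tainted]
        if kind == "sink":
            findings.extend((i, s.call, a) for a in tainted_args)
            continue
        if s.target is None:
            continue
        if kind == "source" or (kind == "propagate" and tainted_args):
            tainted.add(s.target)
        else:                      # sanitize, or propagate over clean inputs only
            tainted.discard(s.target)
    return findings, blind_spots


# Constructed sample: the statements of a hypothetical servlet method, one per line.
SAMPLE_METHOD = [
    Stmt("request.getParameter", (), "name"),     # name = request.getParameter("name")
    Stmt("MyFramework.bind", ("name",), "obj"),   # obj  = MyFramework.bind(name)   <- not in the model
    Stmt("String.concat", ("obj",), "html"),      # html = "<p>".concat(obj)
    Stmt("response.write", ("html",)),            # response.write(html)            <- XSS if obj carries name
    Stmt("Encoder.forHtml", ("name",), "safe"),   # safe = Encoder.forHtml(name)
    Stmt("response.write", ("safe",)),            # response.write(safe)            <- sanitized, no finding
]


def demo() -> dict:
    """Run the same method three ways: unknown API treated as clean, as tainted, and modeled."""
    results = {
        "unmodeled_clean": analyze(SAMPLE_METHOD, BASE_MODEL, "clean"),
        "unmodeled_tainted": analyze(SAMPLE_METHOD, BASE_MODEL, "tainted"),
    }
    # Modeling the framework call (by hand or automatically) is what removes the blind spot.
    full_model = {**BASE_MODEL, "MyFramework.bind": "propagate"}
    results["modeled"] = analyze(SAMPLE_METHOD, full_model)
    return results


if __name__ == "__main__":
    for name, (findings, blind_spots) in demo().items():
        print(f"{name:18} findings={findings} blind_spots={blind_spots}")
```

The "clean" run is the blind spot the slide describes: the XSS never surfaces, and nothing in the report says why. The "tainted" run catches it here but would also flag every unknown framework call that happens to touch user input, which is the noise the earlier slides warn about. Only the modeled run reports the real flow and nothing else, and its empty blind_spots list is the coverage claim a scanner should be able to make for you.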

Page 25: How to Really Kick Your DevOps Program Up a Notch


Advanced DAST Capabilities


Fact: Web applications have very diverse behaviors.

Problem: Security scanning tools need to understand those applications in order to achieve good coverage, since unknown behaviors leave blind spots.

Solution today: Use services or on-prem tools that are expensive and not scalable, or settle for limited results.

Page 26: How to Really Kick Your DevOps Program Up a Notch


Advanced DAST Capabilities


Leverage IBM’s comprehensive DAST solution

Now you can leverage the full power of AppScan Standard to configure your ASoC scans to go as deeply or as quickly as you need.

• No more blind spots
• 100% focused on the application parts that interest the user
• Supports ANY application that can be automatically scanned by AppScan Standard*

* Does not support client-side certificates and smart tokens.

Page 27: How to Really Kick Your DevOps Program Up a Notch


Quantify return on your investment

Page 28: How to Really Kick Your DevOps Program Up a Notch


Page 29: How to Really Kick Your DevOps Program Up a Notch


Key Application Security on Cloud Resources

IBM Application Security on Cloud Developer Center:

• Provides detailed information about Application Security on Cloud
• Contains a link to our GitHub repositories
• Includes links to our discussion forums

IBM Application Security on Cloud Swagger Page: Provides details regarding Application Security on Cloud REST API

IBM Application Security on Cloud Marketplace Page: Test-drive Application Security on Cloud, with our complimentary trial

Page 30: How to Really Kick Your DevOps Program Up a Notch


Summary

• Utilize tools that integrate seamlessly into your existing environment.

• Invest in automation and repeatable, progressive testing processes.

• Lean on “the machine” for intelligence and to perform the humans’ work.

• Iteratively build a successful and efficient security practice over time.

Page 31: How to Really Kick Your DevOps Program Up a Notch

Q&A

Page 32: How to Really Kick Your DevOps Program Up a Notch

ibm.com/security

securityintelligence.com

xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

FOLLOW US ON:

THANK YOU
