SecDevOps Risk Workflow - v0.6

Date post: 23-Jan-2018
Upload: dinis-cruz
SecDevOps Risk Workflow v0.6 InfoSecWeek, Oct 2016 @DinisCruz
Transcript
Page 1

SecDevOps Risk Workflow v0.6

InfoSecWeek, Oct 2016

@DinisCruz

Page 2: Me

• Developer for 25 years
• AppSec for 13 years
• Day jobs:
  – Leader of the OWASP O2 Platform project
  – Application Security Training (JBI Training, others)
  – Part of the AppSec team of The Hut Group and the BBC
  – AppSec Consultant and Mentor
• “I build AppSec teams….”
• https://twitter.com/DinisCruz
• http://blog.diniscruz.com
• http://leanpub.com/u/DinisCruz

Page 3: Based on the “SecDevOps Risk Workflow” book

• Get it for free at https://leanpub.com/secdevops

Page 4: APPSEC, INFOSEC, POLLUTION

Page 5: Disclaimers

• (Unit) test - for me a test is anything that can be executed with one of these unit test frameworks: https://en.wikipedia.org/wiki/List_of_unit_testing_frameworks
• RISK - I abuse the concept; I found RISK to be the best term for the wide range of issues covered by AppSec, while still being understood by all players
• 100% code coverage - not the summit but base camp (i.e. not the destination). And 100% code coverage is not enough; we really need 500% or more code coverage
• AppSec ~= non-functional requirements - AppSec is about understanding and controlling an app’s unintended behaviours

Page 6: AppSec vs InfoSec

• InfoSec is about:
  – networks, firewalls, server security, anti-virus, IDS, logging, NOC, policies, end-user security, mobile devices, AD/LDAP management, user provisioning, DevOps, ….
• AppSec is about:
  – code, apps, CI, secure coding standards, threat models, frameworks, code dependencies, QA, testing, fuzzing, dev environments, DevOps, ….
• If your ‘InfoSec’ team/person cannot code (and would not be hired by the Dev team), then that is NOT AppSec.
• Both are equally important, but InfoSec is much more mature, has bigger budgets and is understood by the business

Page 7: The Pollution analogy

Page 8: Technical Debt is a bad analogy

• The developers are the ones who pay the debt
• Pollution is a much better analogy
• The key is to make the business accept the risk (i.e. the debt) – make sure it is your boss who gets fired (all the way up to the board)
• Which is done using the JIRA RISK workflows

Page 9: RISK WORKFLOW

Page 10: RISK Workflow (using JIRA in Cloud)

Page 11: Key for AppSec JIRA workflow is this button

Page 12: CSO POINT OF VIEW

Page 13: What type of security organisation to create

• Create an environment and workflow where security (InfoSec and AppSec) is an enabler.
• Allow the business to ship faster with quality, security and assurance
• InfoSec protects the organisation and operations
• AppSec protects the code created, used and bought
• Developers code in environments where it is very hard to create security vulnerabilities
• Applications run in environments where security exploits are contained and visible
• Align business risk appetite with reality (using the proposed Risk Workflow to allocate responsibility at the correct level)

Page 14: How to embed security into the culture

• Give security teams a mandate to focus on quality, testing and engineering
• Create a network of Security Champions
• Become the ‘Department of Yes’
• Measure code pollution using the Risk Workflow
• Understand that developers are key players and need to be trusted
• Testing and quality are core business requirements (and what gives you speed)
• Create a central AppSec team (usually there is only an InfoSec team)

Page 15: What about security policies?

• Security policies are the foundation of decisions
• They underpin the reasons behind actions and the risks accepted
• But, if not based on reality, most policies will NOT be
  – read
  – followed
  – enforced
• For policies to work they need to be customised to their target (for example secure coding standards for app XYZ)
• They also need to be delivered in the target’s environment (for example the IDE)

Page 16: Security magic pixie dust

• If you don’t
  – have an AppSec team
  – do threat models
  – do weekly code reviews and security assessments
  – have embedded security automation in your SDL pipeline
  – have secure coding standards, bug bounties, dependency management
  – …. and many other AppSec activities
• Where is security going to come from?
  – without them … there will be massive security vulnerabilities in the code and apps used
  – and your security model is based on the ‘skill level and business model’ of your attackers

Page 17: DEVOPS AND SECDEVOPS

Page 18: Cost of IT Failure

https://www.youtube.com/watch?v=877OCQA_xzE

Page 19: DevOps

https://en.wikipedia.org/wiki/DevOps
http://www.bogotobogo.com/DevOps/DevOps_Jenkins_Chef_Puppet_Graphite_Logstash.php

Page 20: What is DevOps

http://www.slideshare.net/AmazonWebServices/securing-systems-at-cloud-scale-with-devsecops

Page 21: Deploy, deploy, deploy

https://github.com/blog/1241-deploying-at-github

Page 22: It is all code

http://www.enhops.com/devops

Page 23: All this to manage code

http://www.soa4u.co.uk/2015/04/a-word-about-microservice-architectures.html

Page 24: SecDevOps

https://www.linkedin.com/pulse/devsecops-secdevops-difference-kumar-mba-msc-cissp-mbcs-citp

Page 25: Scrum process

http://blog.xebia.com/wp-content/uploads/2013/08/scrum-process.jpg

Page 26: DevSecOps

http://www.slideshare.net/AmazonWebServices/sec405-enterprise-cloud-security-via-devsecops-aws-reinvent-2014

Page 27: What is DevSecOps

Page 28: What about the code? AppSec?

http://www.slideshare.net/AmazonWebServices/sec320-leveraging-the-power-of-aws-to-automate-security-compliance

Page 29: Since everything is code, code is the root cause

• Fixing and securing the DevOps pipeline is not enough
  – in fact that is actually the ‘easy’ part
• We also need to fix the developers’ workflow and secure the code they create
  – Threat models
  – Security knowledge in the IDE
  – Security Champions
  – Risk workflows that reward visibility and non-functional requirements

Page 30: SecDevOps or DevSecOps

• Interesting debate at the moment in the industry
• For me Sec-DevOps is about adding security to DevOps
• Dev-SecOps is about adding development practices to security operations
• I like the idea that SecDevOps, when done right, becomes just DevOps
  – which, when the Ops are done right, should become just Dev

Page 31: SECURITY CHAMPIONS

Page 32: Security Champions (SC)

http://blog.diniscruz.com/2015/10/what-are-security-champions-and-what-do.html

Page 33: If you don’t have an SC, get a Mug

Page 34: JIRA WORKFLOW

Page 35: Proposed JIRA workflow

1. Open JIRA issues for all AppSec issues
2. Write passing tests for the issues reported
3. Manage using the AppSec RISK workflow
   1. Fix path: Open, Allocated for Fix, Fix, Test Fix, Close
   2. Accept Risk path: Open, Accept Risk, Approve Risk, (Expire Risk)
4. Automatically report the RISK status

Page 36: RISK Workflow (using JIRA in Cloud)

Page 37: PATH #1 - Fix issue

Page 38: PATH #2 - Accept and Approve RISK

Page 39: PATH #2 - Variation when risk not approved

Page 40: ‘FIX’ PATH

Page 41: Issue: Data_Files.set_File_Data - Path Traversal

Page 42: Status: OPEN

Page 43: Status: IN PROGRESS

Page 44: Status: ALLOCATED FOR FIX

Page 45: Status: FIXING

Page 46: Status: TEST FIX

Page 47: Status: FIXED

Page 48: PATH ‘RISK ACCEPT/APPROVE’

Page 49: RISK: Support for coffee allows RCE

Page 50: Status: OPEN

Page 51: Status: IN PROGRESS

Page 52: Status: AWAITING RISK ACCEPTANCE

Page 53: Status: RISK ACCEPTED

Page 54: Status: RISK APPROVED

Page 55: Status: RISK APPROVED EXPIRED

Page 56: All status changes are tracked

Page 57: KEY CONCEPTS FOR JIRA RISK WORKFLOW

Page 58: Key for AppSec JIRA workflow is this button

Page 59: Separate JIRA project

• This is a separate JIRA project from the one used by devs
  – I like to call that project ‘RISK’
  – This avoids project ‘issue creation’ politics and provides a ‘safe harbour’ for:
    • known issues
    • ‘shadow of a vulnerability’ issues
    • ‘this could be a problem…’ issues
    • ‘app is still in development’ issues
  – When deciding to fix an issue:
    • that is the moment to create an issue in the target project’s JIRA (or whatever bug tracking system they use)
  – When the issue is fixed (and closed on the target project’s JIRA):
    • AppSec confirms the fix and closes the RISK issue

Page 60: Always moving until fix or acceptance

• Key is to understand that issues need to be moving on one of two paths:
  – Fix
  – Risk Accepted (and approved)
• Risks (i.e. issues) are never in ‘Backlog’
• If an issue is stuck in ‘allocated for fix’, then it is moved into the ‘Awaiting Risk Acceptance’ stage
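As an added illustration of the two paths described on pages 35, 56 and 60 (it is not code from the deck or from the book), here is a small Python model of the RISK workflow: the status names are the ones on the slides, every status change is recorded, there is no backlog state, an approval is time-boxed so it can expire, and an automated sweep moves issues that are stuck in ‘allocated for fix’ into ‘awaiting risk acceptance’ and produces the counts for the status report. The transitions marked ‘assumption’, the 30-day stuck threshold, the 90-day approval period and the sample issue keys are my constructions, not the deck’s.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Status names as shown on the 'FIX' and 'RISK ACCEPT/APPROVE' path slides.
OPEN, IN_PROGRESS, ALLOCATED = "OPEN", "IN PROGRESS", "ALLOCATED FOR FIX"
FIXING, TEST_FIX, FIXED = "FIXING", "TEST FIX", "FIXED"
AWAITING, ACCEPTED = "AWAITING RISK ACCEPTANCE", "RISK ACCEPTED"
APPROVED, EXPIRED = "RISK APPROVED", "RISK APPROVED EXPIRED"

# Allowed transitions. There is deliberately no BACKLOG: every issue is on the
# fix path or the accept/approve path. Edges marked 'assumption' are not on the
# slides; they model the 'risk not approved' variation and what follows expiry.
TRANSITIONS = {
    OPEN:        {IN_PROGRESS},
    IN_PROGRESS: {ALLOCATED, AWAITING},
    ALLOCATED:   {FIXING, AWAITING},     # AWAITING: stuck in 'allocated for fix'
    FIXING:      {TEST_FIX},
    TEST_FIX:    {FIXED, FIXING},        # fix test failed, back to FIXING (assumption)
    FIXED:       set(),
    AWAITING:    {ACCEPTED, ALLOCATED},  # ALLOCATED: business prefers to fix (assumption)
    ACCEPTED:    {APPROVED, AWAITING},   # AWAITING: risk not approved (assumption)
    APPROVED:    {EXPIRED},
    EXPIRED:     {AWAITING},             # expired approval must be re-accepted (assumption)
}

def allowed(from_status: str, to_status: str) -> bool:
    return to_status in TRANSITIONS[from_status]

@dataclass
class RiskIssue:
    key: str
    title: str
    created: date
    status: str = OPEN
    approval_expires: Optional[date] = None
    # (date, actor, from_status, to_status): all status changes are tracked
    history: List[Tuple[date, str, str, str]] = field(default_factory=list)

    def entered_status_on(self) -> date:
        return self.history[-1][0] if self.history else self.created

    def move(self, new_status: str, actor: str, when: date) -> None:
        if not allowed(self.status, new_status):
            raise ValueError(f"{self.key}: {self.status} -> {new_status} not allowed")
        self.history.append((when, actor, self.status, new_status))
        self.status = new_status

    def approve(self, actor: str, when: date, valid_for_days: int) -> None:
        """Approval is time-boxed, so an accepted risk comes back for review."""
        self.move(APPROVED, actor, when)
        self.approval_expires = when + timedelta(days=valid_for_days)

def sweep(issues: List[RiskIssue], today: date, stuck_after_days: int = 30) -> List[str]:
    """Automated pass: expire old approvals and unstick fix-path issues.
    The 30-day threshold is an assumption; the slides give no number."""
    moved = []
    for i in issues:
        if i.status == APPROVED and i.approval_expires and i.approval_expires < today:
            i.move(EXPIRED, "bot", today)
            moved.append(i.key)
        elif i.status == ALLOCATED and (today - i.entered_status_on()).days > stuck_after_days:
            i.move(AWAITING, "bot", today)
            moved.append(i.key)
    return moved

def status_report(issues: List[RiskIssue]) -> Dict[str, int]:
    """Counts per status: the raw material for the automatic weekly status email."""
    report: Dict[str, int] = {}
    for i in issues:
        report[i.status] = report.get(i.status, 0) + 1
    return report

def demo() -> Tuple[List[RiskIssue], List[str], Dict[str, int]]:
    d = date(2016, 10, 3)
    # Constructed sample issues; the first two titles come from the deck's example slides.
    traversal = RiskIssue("RISK-101", "Data_Files.set_File_Data - Path Traversal", d)
    coffee = RiskIssue("RISK-102", "Support for coffee allows RCE", d)
    stuck = RiskIssue("RISK-103", "Verbose error pages (constructed)", d)
    for s in (IN_PROGRESS, ALLOCATED, FIXING, TEST_FIX, FIXED):   # path #1: fix
        traversal.move(s, "dev", d)
    for s in (IN_PROGRESS, AWAITING, ACCEPTED):                   # path #2: accept
        coffee.move(s, "appsec", d)
    coffee.approve("cso", d, valid_for_days=90)
    stuck.move(IN_PROGRESS, "appsec", d)
    stuck.move(ALLOCATED, "dev", d)                               # ... and then nothing happens
    issues = [traversal, coffee, stuck]
    moved = sweep(issues, today=d + timedelta(days=120))          # the sweep 120 days later
    return issues, moved, status_report(issues)

if __name__ == "__main__":
    issues, moved, report = demo()
    for i in issues:
        print(f"{i.key}: {i.status} ({len(i.history)} status changes)")
    print("moved by sweep:", moved, report)
```

Running `demo()` walks one issue down the fix path, one down the accept/approve path, and leaves one sitting in ‘allocated for fix’; the sweep then expires the approval and pushes the stuck issue into ‘awaiting risk acceptance’, so nothing is ever parked, and the history list on each issue is the audit trail the slides call ‘all status changes are tracked’.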

Page 61: You need volume

• If you don’t have 350+ issues in your JIRA RISK project, you are not playing (and don’t have enough visibility into what is really going on)
• Allow team A to see what team B had (and scale due to issue description reuse)
• The problem is not the team with 50 issues, the problem is the team with 5 issues
• This is perfect for gamification and to provide visibility into who to reward (and promote)

Page 62: Threat model

• All issues identified in threat models are added to the JIRA RISK project
• Create threat models by
  – layer
  – feature
  – bug
• … that is a topic for another talk

Page 63: Mapping to InfoSec risks

Page 64: Mapping JIRA Tickets to Tests

Page 65: JIRA AppSec Dashboards

Page 66: Weekly emails with Risk status

Page 67: Other powerful JIRA features

• Components (one per team or project)
• Labels (to add metadata to issues, for example OWASP Top 10)
• Links
  – connect with internal/external issues
  – and external resources
• Auto emails
• Copy and paste of images into the description
• Markdown
• Security restrictions (use with care)
• Security lock on certain actions
• Extra workflow actions (for example when moving state)
• Create an APPSEC JIRA project for AppSec-related tasks (like ‘Create Threat Model for app XYZ’)

Page 68: GITHUB RISK WORKFLOW

Page 69: Using GitHub (instead of JIRA)

Page 70

Page 71

Page 72: Example with DoS issue

Page 73: TDD

Page 74: TDD

• For TDD to be productive you need
  – real-time unit test execution (when hands lift from the keyboard)
  – real-time code coverage
• TDD focus needs to be on
  – making developers more productive
  – preventing developers from switching context
• If 99% code coverage doesn’t happen ‘by default’, the TDD workflow is not working

Page 75: TDD in WebStorm with WallabyJS

Page 76: What happens when you increase attack surface

Page 77: You want a test to fail
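Step 2 on page 35 (‘write passing tests for the issues reported’), the ticket-to-test mapping on page 64 and ‘you want a test to fail’ on page 77 fit together as follows. This is an added Python illustration, not code from the deck, the book or the OWASP O2 Platform; the function names, the RISK-101 ticket key and both implementations are constructed stand-ins for the deck’s Data_Files.set_File_Data path traversal issue (page 41). The test for the ticket passes while the issue is present and fails the day the fix lands, which is the signal to move the ticket to TEST FIX and flip the assertion.

```python
import os
import tempfile

# Constructed ticket key; the deck's issue is "Data_Files.set_File_Data - Path Traversal".
RISK_KEY = "RISK-101"

def set_file_data_vulnerable(base_dir: str, name: str, data: bytes) -> str:
    """Constructed stand-in for set_File_Data BEFORE the fix: the caller-supplied
    name is joined to base_dir with no check, so '..' segments leave base_dir."""
    path = os.path.join(base_dir, name)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path

def set_file_data_fixed(base_dir: str, name: str, data: bytes) -> str:
    """Hardened version: resolve the final path and refuse anything outside base_dir."""
    root = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, path]) != root:
        raise ValueError(f"{RISK_KEY}: refusing to write outside {root}")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path

def escapes_base_dir(set_file_data) -> bool:
    """The check behind the RISK-101 test: True while a write can land outside base_dir.
    Everything happens under a throwaway temp directory, so no real file is touched."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "data")
        os.makedirs(base)
        outside = os.path.join(tmp, "escaped.txt")
        try:
            set_file_data(base, os.path.join("..", "escaped.txt"), b"constructed")
        except ValueError:
            return False
        return os.path.exists(outside)

def test_risk_101_path_traversal_is_present():
    # Step 2 of the proposed workflow: this passes while the issue exists and
    # documents it. When the fix lands it fails; flip it to 'is False', rename it
    # '..._is_fixed' and move the ticket to TEST FIX, then FIXED.
    assert escapes_base_dir(set_file_data_vulnerable) is True

def test_risk_101_path_traversal_is_fixed():
    # The same check against the hardened code: the regression test that stays.
    assert escapes_base_dir(set_file_data_fixed) is False

if __name__ == "__main__":
    test_risk_101_path_traversal_is_present()
    test_risk_101_path_traversal_is_fixed()
    print(f"{RISK_KEY}: vulnerable build escapes base_dir, fixed build does not")
```

The point is the mapping, not the traversal: one test per RISK ticket, named after the ticket, that encodes the current (bad) behaviour. While it passes, the risk is real and visible in the test run; the first green-to-red flip is the evidence that the fix works, and the inverted test then guards against the issue coming back.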

Page 78: TDD in WebStorm with WallabyJS

• … but that is a topic for another talk :)

OWASP

Page 80: SecDevOps Risk Workflow - v0.6

• Best AppSec conferences of the year

• 100s of chapters around the world

• 100s of research projects on AppSec

• All released under OpenSource and Creative Common licenses

• Best concentration of AppSec talent in the world

• Please join, collaborate, participate

Epicentre of Application Security

Page 81: Conferences

Page 82: Chapters

Page 83: Chapters - Europe

Page 84: Projects - Flagship

Page 85: Projects - Labs

Page 86: Projects - Incubator

Page 87: Summit - 2008

Page 88: Summit 2011

Page 89: Corporate Members

Page 90: Thanks, any questions

@diniscruz

[email protected]
