© COPYRIGHT 2019 COVEROS, INC. ALL RIGHTS RESERVED. 1@ThomasStiehm #AgileDC
Agility. Security. Delivered.
Shifting Security Left
The Innovation of DevSecOps
Tom Stiehm
@ThomasStiehm
About Coveros
• Services
  • Agile Transformations & Coaching
  • Agile Software Development
  • Agile Testing & Automation
  • DevOps Implementations
  • DevSecOps Integrations
  • Agile, DevOps, DevSecOps Security, Testing Training
• Open Source Products
  • SecureCI – DevSecOps toolchain
  • Selenified – Agile test framework
Coveros helps organizations accelerate software delivery using agile and DevOps methods
Why should you care about security?
To reduce the likelihood of becoming the next:
Shifting Security Left
• Shifting Left is taking a practice or process done late in development and doing it earlier.
• Shifting Security Left is doing security testing, analysis, and remediation during development, iteratively, usually with automated data collection to make it faster and cheaper.
• The net result is making security practices part of the daily workflow of the development team.
Why Shift Security Left?
Application Security is hard, error prone, and expensive. It is often made harder by trying to shoehorn it into the end of a release.
Shifting Left allows the teams to deal with security issues early and often:
• Reducing risk
• Reducing cost
• Leading to fewer errors
• Resulting in fewer security compromises
How DevSecOps builds on DevOps
"DevSecOps is a practice that rose from DevOps that includes information technology security as a fundamental aspect in all the stages of software development." -- Wikipedia
DevSecOps builds on DevOps by leveraging collaboration and feedback to address security concerns throughout the software development life cycle.
Legacy Security Practices
The focus is on testing at the end.
Security before the code is written
Be proactive:
• Architect and design security in from the start based on threat analysis.
• Include security in your pipeline from the start.
• Take time to analyze and remediate AppSec findings.
Why?
• Your software has security defects in it.
• Testing security into software at the end doesn’t work.
• Relying on network and OS security to protect applications doesn’t work.
• Ignoring security concerns doesn’t work.
Security Practices in DevSecOps
Shifting Left includes reacting to the feedback on a regular basis.
Where to Start
• SCA - Install Software Composition Analysis
  • Expand existing CI/CD processes to scan your application dependencies
• SAST - Start with Static Application Security Testing
  • Quick to integrate into a build pipeline
  • Leverages existing CI/CD assets
• DAST - Next integrate Dynamic Application Security Testing
  • Could be as simple as adding a DAST proxy to your existing automated or manual testing environment
  • Expand into using the automated aspects of DAST tools
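What turns SCA and SAST output into part of the daily workflow, and what makes "reacting to the feedback on a regular basis" concrete, is a gate step in the pipeline that reads the scanner reports and fails the build above an agreed severity. The Python below is an added example written for this page; it is not code from the talk or from the Coveros SecureCI toolchain. It assumes the SAST scanner emits SARIF 2.1.0 (a real, tool-neutral report format; only `level`, `ruleId` and the first location are read), that the SCA scanner's output has been normalized to a simple constructed JSON list, and that accepted findings are recorded in an allowlist keyed by finding id with an ISO expiry date. The sample reports and the vulnerability ids in them are constructed, not real scan results.

```python
"""Pipeline security gate: turn SCA and SAST findings into a pass/fail
build step with an expiring risk-acceptance list.

Added example for this deck, not the talk's or Coveros' own code.
Assumptions: SAST output is SARIF 2.1.0 (real, tool-neutral format);
SCA output is a constructed JSON list [{id, package, version, severity}];
the allowlist maps a finding id to the ISO date its acceptance expires.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# SARIF expresses severity as a 'level'; map it onto the ranking above.
SARIF_LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium",
                           "note": "low", "none": "low"}


@dataclass(frozen=True)
class Finding:
    source: str     # "sast" or "sca"
    id: str         # rule id or vulnerability id; the allowlist key
    severity: str   # one of SEVERITY_RANK
    detail: str     # human-readable location or package


def parse_sarif(text: str) -> list[Finding]:
    """Extract findings from a SARIF 2.1.0 document (SAST output)."""
    findings = []
    for run in json.loads(text).get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "sast")
        for result in run.get("results", []):
            severity = SARIF_LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "medium")
            where = "?"
            for loc in result.get("locations", [])[:1]:   # first location only
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "?")
                line = phys.get("region", {}).get("startLine", "?")
                where = f"{uri}:{line}"
            findings.append(Finding("sast", result.get("ruleId", "unknown-rule"),
                                    severity, f"{tool} {where}"))
    return findings


def parse_sca(text: str) -> list[Finding]:
    """Extract findings from the constructed SCA list format."""
    return [Finding("sca", item["id"], item["severity"].lower(),
                    f"{item['package']}@{item['version']}")
            for item in json.loads(text)]


def evaluate(findings: list[Finding], allowlist: dict[str, str],
             today: str, fail_at: str = "high") -> dict:
    """Classify findings at or above `fail_at` severity.

    An accepted finding stops blocking only until its expiry date; after
    that it blocks again, so accepted risk is revisited, not forgotten.
    """
    threshold = SEVERITY_RANK[fail_at]
    today_d = date.fromisoformat(today)
    blocking, accepted, expired = [], [], []
    for f in findings:
        if SEVERITY_RANK[f.severity] < threshold:
            continue
        expiry = allowlist.get(f.id)
        if expiry is not None and today_d <= date.fromisoformat(expiry):
            accepted.append(f)
            continue
        if expiry is not None:
            expired.append(f)
        blocking.append(f)
    return {"passed": not blocking, "blocking": blocking,
            "accepted": accepted, "expired": expired}


def run_gate(sarif_text: str, sca_text: str, allowlist: dict[str, str],
             today: str) -> dict:
    return evaluate(parse_sarif(sarif_text) + parse_sca(sca_text), allowlist, today)


# Constructed sample reports (not the output of any real scan).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "example-sast"}},
              "results": [
                  {"ruleId": "sql-injection", "level": "error",
                   "message": {"text": "Untrusted input reaches a query"},
                   "locations": [{"physicalLocation": {
                       "artifactLocation": {"uri": "src/orders.py"},
                       "region": {"startLine": 42}}}]},
                  {"ruleId": "unused-import", "level": "note",
                   "message": {"text": "Unused import"}}]}]})
SAMPLE_SCA = json.dumps([
    {"id": "EXAMPLE-VULN-0001", "package": "example-lib", "version": "1.0.0",
     "severity": "critical"},
    {"id": "EXAMPLE-VULN-0002", "package": "example-logger", "version": "2.3.1",
     "severity": "medium"}])

if __name__ == "__main__":
    report = run_gate(SAMPLE_SARIF, SAMPLE_SCA,
                      {"EXAMPLE-VULN-0001": "2019-12-31"}, date.today().isoformat())
    for key in ("blocking", "accepted", "expired"):
        for f in report[key]:
            print(f"{key:8s} {f.source} {f.severity:8s} {f.id} ({f.detail})")
    sys.exit(0 if report["passed"] else 1)
```

Run as a pipeline step, the non-zero exit code is what makes the build red; the `fail_at` threshold is the knob a team turns up as it pays down its backlog, and the expiry on each accepted finding is what keeps "we'll fix it next sprint" from becoming permanent.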
What to do next
• Security Testing – Testing the security features of your software
• Security Test Automation – Using test automation tools like Selenium or Cucumber
• Penetration Testing – Human beings evaluating the security of your software with the aid of tools
• Threat Analysis – Understand who will attack you, why, and how
• Infrastructure Analysis Scanning & Testing – Securing your OS and server software
Advanced DevSecOps Techniques
• IAST - Interactive Application Security Testing is a technique for detecting security vulnerabilities in a running application
• RASP - Runtime Application Self-Protection builds on the same technology base as IAST, adding a facility to react to a detected vulnerability as it is exploited, e.g. by terminating the session
• HAST - Hybrid Application Security Testing uses DAST together with IAST to find vulnerabilities
Operational Security
•Security Information and Event Management (SIEM)
•Infrastructure Analysis Scanning & Testing
•Encrypting Data at Rest
•Encrypting Data in all Network Channels
Secure practices in a pipeline
Culture Shift
Goal Mindset: “Everyone is responsible for security.”
Three things to try when changing culture:
1. Build a Knowledge base
2. Promote Openness
3. Create Cybersecurity Champions
You need to experiment to find what works for your specific organization.
DevSecOps Benefits
•Faster vulnerability detection and mitigation
•Always-known security posture
•Less security-based risk
•Smaller chance of getting exploited
•Reduced cost of fixing AppSec bugs
•Avoidance of publicity for getting pwned
•Able to recover from security incidents faster
Wrap Up
#Coveros5
• Starting to Shift Left is more important than what practices you start with
• Greenfield: start with Threat Analysis and build security in
• Legacy or brownfield: start with SCA (or SAST or DAST)
• Iteratively add more security practices into your process
• Iteratively add more security to your build pipeline
Periodic Table of DevOps Tools
[Figure: the XebiaLabs "Periodic Table of DevOps Tools (V3)", a chart of 120 numbered tool cells grouped by category: Source Control Mgmt., Database Automation, Continuous Integration, Testing, Configuration, Deployment, Containers, Release Orchestration, Cloud, AIOps, Analytics, Monitoring, Security, Collaboration. Legend: Os = Open Source, Fr = Free, Fm = Freemium, Pd = Paid, En = Enterprise.]
https://xebialabs.com/periodic-table-of-devops-tools/
Questions?
@thomasstiehm
• Join me on the TechWell Hub
• https://hub.techwell.com/
• #devops