Achieving Secure Continuous Delivery Chris Rutter / Lucian Corlan July 2016
Problem statement - Security
• Difficult access to (uncorrelated) vulnerability data
• No clear view on the security risk of a specific build or release
• No real agreed security gate (no trigger threshold)
• Product has a Roadmap and Security is (always) not (always) part of it
Problem statement - Developers
• Security requirements appear when project is almost finished
• Security sign-off is a bottleneck
• When am I finally secure enough?
We’ve seen this before… QA 5 years ago
• QA manual, at the end of a project
• JIRA tickets passed around for small bugs
• Long dev / test cycles
• Key dependencies for sign-off
• Lack of overview of quality or risk
Our Goals
• Security requirements identified early
• Viewed as true non-functional requirements
• Easy to fix issues detected and fixed within a sprint
• Security quality part of definition of done each sprint
• Security policy defined and automatically applied
• Ability to measure and track all of the above
On the grid
• Pros: Security team have visibility and quality control of all testing
• Cons: Bottlenecks, Key dependencies, 1 monthly cycle, time cost, unclear sign-off criteria, manual reports / metrics
20mph
• Pros: Bottleneck reduced, High value threat modelling, shorter time to fix
• Cons: Reliance on static analysis, time consuming manual process, issues highlighted at end of sprint
40mph
• Pros: Issues highlighted quickly, multiple types of scan, defined policy under version control.
• Cons: Custom policy effort and maintenance, difficulty analysing risk from separate reports
Demo
60mph
• Pros: All scans & tests normalised in one place, mitigations and suppressions tracked, metrics available, devs / testers performing active scans.
• Cons: Dynamic scans manual or passive, lack of custom app attributes
88mph Automated dynamic scanning
• Donatello proxies e2e tests through ZAP for active scan mapping without crawling
Contextual risk policies – application passports
• Static & dynamic risk indicators based on Threat Modelling exercises and OWASP Top 10 and assign weight to risk indicators
• Integration with GRC tool
88mph Contextual risk profiles
• Enhance Application criticality from ThreadFix
• Static attributes
• PCI data involved
• PII data involved
• Exposure
• New service?
• User story review
• Input filtering
• Output encoding
• 3rd party integration
• Actively maintained
• Transported data encryption
• Non-repudiation or IP whitelisting
• Security meter Defcon
• Authentication
• Randomness level
• Dynamic attributes
• Number of user stories since last release
• Number of user stories since last manual pentest
• Number of Security User Stories (outcome of Threat Modeling)
Donatello / ThreadFix
Sources of inspiration
• Betfair Security solution & DevSecCon
• Proprietary API (python or node.js) hooking into all the tools, plus static attributes and interpretation of results per application in Gitlab
• Job in the continuous delivery tool to run the calculation (per build)
• Dashboard for metrics https://www.dropbox.com/s/eidodmpgyvquxsw/Application-Security-Risk-Calculator.pdf?dl=0
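The per-build risk calculation the passport and pipeline slides describe, as an added Python sketch that is not the Betfair / Donatello code: the indicator names, weights, the staleness formula, the normalised finding format and the gate threshold are all assumptions for illustration.

```python
from dataclasses import dataclass, field

# Weights per static risk indicator (constructed values; the slides say weights
# come from threat modelling and the OWASP Top 10, these are not a real policy).
STATIC_WEIGHTS = {
    "pci_data": 3.0, "pii_data": 2.0, "internet_exposed": 2.0, "new_service": 1.0,
    "third_party_integration": 1.0, "no_transport_encryption": 2.0,
    "weak_authentication": 2.0, "no_input_filtering": 1.5, "no_output_encoding": 1.5,
}
# Weights for findings already normalised from all scanners into one severity scale.
SEVERITY_WEIGHTS = {"critical": 10.0, "high": 5.0, "medium": 2.0, "low": 0.5}


@dataclass
class Passport:
    """Application passport: static attributes plus dynamic change counters."""
    name: str
    static: dict                      # indicator name -> True if it applies
    stories_since_release: int = 0    # dynamic attribute from the slides
    stories_since_pentest: int = 0    # dynamic attribute from the slides
    findings: list = field(default_factory=list)  # (severity, suppressed) tuples


def criticality(p: Passport) -> float:
    """Static criticality: sum of the weights of the indicators that apply."""
    return sum(w for k, w in STATIC_WEIGHTS.items() if p.static.get(k, False))


def staleness(p: Passport) -> float:
    """Dynamic multiplier that grows with untested change (assumed linear form)."""
    return 1.0 + 0.05 * p.stories_since_release + 0.02 * p.stories_since_pentest


def finding_score(p: Passport) -> float:
    """Weighted open findings; tracked suppressions do not count."""
    return sum(SEVERITY_WEIGHTS[sev] for sev, suppressed in p.findings if not suppressed)


def risk_score(p: Passport) -> float:
    """Contextual score: scanner output scaled by how critical and stale the app is."""
    return round(criticality(p) * staleness(p) + finding_score(p), 2)


def gate(p: Passport, threshold: float = 20.0):
    """Build gate: returns (passed, reasons). Threshold is the agreed trigger."""
    reasons = []
    if any(sev == "critical" and not sup for sev, sup in p.findings):
        reasons.append("unsuppressed critical finding")
    if risk_score(p) > threshold:
        reasons.append(f"risk {risk_score(p)} exceeds threshold {threshold}")
    return (not reasons, reasons)
```

A CD job would load the passport and the normalised findings for the build, call `gate`, and fail the pipeline on a non-empty reason list while pushing the score to the metrics dashboard.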
Q
Recommend
More recommend