Inject Security into Source Code How 2018 Will Shift Your Security - PowerPoint PPT Presentation

  1. Inject Security into Source Code How 2018 Will Shift Your Security Priorities

  2. Panelists: Farshad Abasi, CTO, Mirai Security; Jacek Materna, CTO, Assembla; Jeff Rouse, Dir. Product Management, ActiveState

  3. Where we’ve been
     > Track record: 20 years working with open source languages & enterprises, 97% of Fortune 500 companies trust us
     > 5 Languages: Python, Perl, Tcl, Go & Ruby
     > 64+ Platforms: Windows, Mac, Linux, AIX, Solaris, HP-UX...
     > Solutions to help enterprises benefit from open source

  4. Where we’re going
     Enable enterprises to keep up with the pace of coder innovation by removing friction at all points in the SDLC:
     > Streamline configuration of open source languages
     > Allow control of application security & compliance
     > Establish integrity at all stages in the software development life cycle (SDLC)
     A SaaS platform to streamline the entire dev process & make things as secure as possible, leading with a Python runtime offering.

  5. Injecting Security Into Source Code. Farshad Abasi | 2018-01-23 | v0.1

  6. Shifting security to the left
     • About 56% of all software defects arise during the requirement phase, 27% during the design phase, and only 7% during development
     • Defects identified and resolved during requirement & design are about 100 times less costly to fix than those discovered after
     • Goal is to address security earlier, not create more work for devs
     • Shift left does not mean the roles and responsibilities of quality and security go away

  7. Continuous security in a CI/CD environment
     • Security tools should be integrated into the CI/CD pipeline
     • Integration allows “low hanging fruit” to be caught earlier and regularly
     • Can't afford to wait until the end of the build-and-release pipeline to perform a detailed security scan
     • Information security platforms should expose functionality via APIs
     • Allows for automation and integration of security into DevOps and the developer’s preferred tool chain
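One concrete form of "security tools integrated into the pipeline" is a gate step that reads a scanner's findings and fails the build according to a policy the team keeps in the repository. The following is an added example, not code from the deck or from any of the panelists' products; the scanner output schema (`id`, `severity`, `package`, `fixed_in`), the policy format and the finding ids are all constructed for the example, not the format of any real tool.

```python
"""Security gate for a CI/CD pipeline stage (added example, not from the deck).

A scanner step earlier in the pipeline is assumed to have written its
findings as JSON; the field names used here are an assumed schema, not the
output format of any particular tool.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scanner output, as a build-stage scan step might emit it.
SAMPLE_SCAN_OUTPUT = json.dumps([
    {"id": "FINDING-001", "severity": "critical", "package": "example-lib",
     "fixed_in": "2.4.1"},
    {"id": "FINDING-002", "severity": "medium", "package": "example-util",
     "fixed_in": None},
    {"id": "FINDING-003", "severity": "high", "package": "example-parser",
     "fixed_in": "1.0.9"},
])

# Policy kept next to the pipeline definition: block the build at or above a
# severity, and allow only time-boxed exceptions so a triaged finding is
# re-examined on a date instead of being waived forever.
POLICY = {
    "block_at": "high",
    "exceptions": {
        "FINDING-003": {"expires": "2018-03-01",
                        "reason": "vulnerable function not reachable"},
    },
}


def evaluate(scan_json, policy, today_iso):
    """Return the gate decision: which findings block and which are waived."""
    today = date.fromisoformat(today_iso)
    findings = json.loads(scan_json)
    threshold = SEVERITY_RANK[policy["block_at"]]
    blocking, waived = [], []
    for finding in findings:
        # Fail closed: an unknown severity label counts as critical.
        rank = SEVERITY_RANK.get(finding["severity"], SEVERITY_RANK["critical"])
        if rank < threshold:
            continue
        exception = policy["exceptions"].get(finding["id"])
        if exception and date.fromisoformat(exception["expires"]) > today:
            waived.append(finding["id"])
            continue
        blocking.append(finding["id"])
    return {"passed": not blocking, "blocking": blocking, "waived": waived}


def main():
    result = evaluate(SAMPLE_SCAN_OUTPUT, POLICY, date.today().isoformat())
    for fid in result["waived"]:
        print(f"WAIVED   {fid}: {POLICY['exceptions'][fid]['reason']}")
    for fid in result["blocking"]:
        print(f"BLOCKING {fid}")
    # A non-zero exit status is what makes the pipeline stage fail.
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Because the gate reads a file and exits non-zero, it plugs into any CI system without the developers changing tools, and the expiring exceptions keep the "low hanging fruit" visible on a schedule rather than silently suppressed.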

  8. Making security easier for Dev teams
     • Start with secure development and training
     • Don’t make developers become security experts or switch tools
     • Adopt the concept of people-centric security
     • Empower developers to take personal responsibility for security
     • Compensate for this with monitoring, following a "trust and verify" mindset
     • Use frameworks and tools to handle security
     • Input validation to be done by the development framework or a plug-in
     • CSRF tokens to be generated, inserted and verified by the framework
     • IDE plug-ins
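The slide's CSRF point is that the token lifecycle belongs in the framework, so that application code never has to remember it. The following added example, not code from the deck or from any framework named on the page, models that split: a template layer that inserts the hidden field and a request middleware that rejects the post before any handler runs. The token layout (a per-form nonce plus an HMAC over the session id and nonce), the helper names and the module-level secret are this example's own assumptions.

```python
"""Framework-level CSRF protection (added example, not from the deck).

Tokens are generated, inserted and verified here, never by the developer
writing the form handler. The token design and names are assumptions of
this example; real frameworks differ in detail.
"""
import hashlib
import hmac
import secrets

# Assumed to be loaded from configuration in a real deployment; generated at
# import time here only so the example runs stand-alone.
SERVER_SECRET = secrets.token_bytes(32)


def generate_csrf_token(session_id, secret=SERVER_SECRET):
    """Mint a token bound to this session; a fresh nonce makes each form's token unique."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token, secret=SERVER_SECRET):
    """Recompute the MAC for this session and compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def render_form(session_id, action="/transfer"):
    """What the framework's template layer does: insert the hidden field automatically."""
    token = generate_csrf_token(session_id)
    return (f'<form method="post" action="{action}">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            f'</form>')


def handle_post(session_id, form_fields):
    """What the framework's request middleware does before any handler runs."""
    if not verify_csrf_token(session_id, form_fields.get("csrf_token", "")):
        return 403  # rejected before application code ever sees the request
    return 200


if __name__ == "__main__":
    html = render_form("session-abc")
    token = html.split('value="')[1].split('"')[0]
    print("same session:", handle_post("session-abc", {"csrf_token": token}))
    print("other session:", handle_post("session-xyz", {"csrf_token": token}))
```

Binding the MAC to the session id is what makes a token captured from one user useless in another user's session, and the constant-time comparison keeps verification from leaking how many characters of a guess were right.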

  9. Microservices architecture and impact on security
     • Microservices break larger services/apps into smaller independent ones
     • Loosely coupled as opposed to tightly coupled
     • May not include any security controls that were previously part of the larger service/application (e.g. authentication, authorization, input validation)
     • Typically developed in an agile manner by DevOps teams
     • Need to ensure some security is built into the dev pipeline to catch low hanging fruit
     • Should enforce security at a single point (i.e. a gateway) and maintain end-to-end trust throughout the journey
     • Use of trust tokens
     • An end-to-end security assessment across the entire user journey involving different microservices should be performed
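The "single enforcement point plus trust tokens" pattern can be shown end to end: the gateway authenticates the caller once and signs a short-lived token, and every downstream service verifies that token instead of re-implementing authentication it may have lost when the monolith was split. The following is an added example, not code from the deck; the token layout (base64url payload and HMAC-SHA256 tag), the claim names (`sub`, `scopes`, `iat`, `exp`), the shared-secret choice and the `order_service` stand-in are all assumptions made for the example.

```python
"""Gateway-issued trust token carried across microservices (added example).

The gateway signs the caller's claims plus an expiry; each service checks
the signature and expiry, then authorizes on the claims. Layout, claim
names and the shared secret are assumptions of this example.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_trust_token(claims, secret, now, ttl_seconds=300):
    """Gateway side: sign the claims together with issue and expiry times."""
    body = dict(claims, iat=now, exp=now + ttl_seconds)
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{b64url(payload)}.{b64url(tag)}"


def verify_trust_token(token, secret, now):
    """Service side: return the claims if signature and expiry hold, else None."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = unb64url(payload_b64)
        tag = unb64url(tag_b64)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # signature checked before the payload is parsed at all
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def order_service(token, secret, now):
    """A downstream service: trust only a verified token, then authorize on it."""
    claims = verify_trust_token(token, secret, now)
    if claims is None:
        return 401
    if "orders:write" not in claims.get("scopes", []):
        return 403
    return 200


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed value for the demo
    token = issue_trust_token({"sub": "alice", "scopes": ["orders:write"]}, secret, now=1000)
    print("fresh token:", order_service(token, secret, now=1100))
    print("expired token:", order_service(token, secret, now=2000))
```

The short TTL limits how long a leaked token is useful, and because every hop re-verifies the signature, a service that was never meant to face the network still refuses requests that did not pass through the gateway.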

  10. Maintain a security focus without slowing delivery
     • Incorporation of security into DevOps/Agile should speed up the overall release process
     • Incorporate as much security as possible into the DevOps/Agile workflow through automation
     • Should be done transparently
     • Must preserve the agility and speed of the DevOps/Agile environment
     • Shift-left security increases delivery speed by reducing:
       • the number of eyeballs needed at a given time, resulting in smaller, more efficient teams
       • the total number of gates with manual checks

  11. Immutable infrastructure and impact on security
     • Traditional mutable systems are patched and maintained
     • E.g. admins can SSH into a server and upgrade packages, adjust configuration, or push patches via an agent
     • Immutable infrastructure components are replaced rather than changed
     • Changes to the infrastructure (or even an admin account) are not allowed
     • If changes are required, a new server is built from a base image + packages
     • If changes are detected that violate the set criteria, that instance is replaced
     • Immutability results in increased security
     • Patching/updating a large number of servers is not required, as you can create one image and push out new instances quickly
     • Existing applications need to be re-architected to align with this model

  12. Security of code in production
     • Require manual approval in the pipeline to promote sensitive components from dev into production
     • E.g. those handling sensitive data or functionality
     • Use automated installers and uninstallers
     • Deploy using a least-privilege security model
     • Apply change control and configuration management
     • Captures the baseline configuration to help identify malicious changes
     • The ability to track changes is useful from a security perspective
     • Can prevent unauthorized changes and roll back those that may have introduced security vulnerabilities
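Slides 11 and 12 describe the same mechanism from two sides: capture a baseline of the image, detect drift against it, and replace any instance whose drift violates the criteria. The following added example, not code from the deck, carries that through in one place. The file paths, their contents and the list of "volatile" prefixes where runtime state is expected to change are constructed for the example; `snapshot_directory` reads a real directory tree so the same check can run against an instance, while the tests use the in-memory image.

```python
"""Baseline capture and drift detection for immutable instances (added example).

Capture a hash per file when the image is built, compare a running instance
against it, and decide to replace the instance when anything outside the
expected-to-change paths differs. Paths, contents and prefixes are constructed.
"""
import hashlib
import os
import tempfile

# Constructed stand-in for the files baked into a base image.
BASELINE_IMAGE = {
    "etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "etc/app/config.yml": b"debug: false\n",
    "opt/app/server": b"\x7fELF constructed-binary-placeholder",
}

# Runtime state is allowed to drift here; everything else is treated as
# immutable (fail closed: an unknown path that drifts still triggers replacement).
VOLATILE_PREFIXES = ("var/log/", "var/run/", "tmp/")


def fingerprint(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def capture_baseline(files: dict) -> dict:
    """Record a hash per path; run once when the image is built."""
    return {path: fingerprint(content) for path, content in files.items()}


def snapshot_directory(root: str) -> dict:
    """Same shape as capture_baseline, but read from a real filesystem tree."""
    snapshot = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                snapshot[os.path.relpath(full, root)] = fingerprint(fh.read())
    return snapshot


def detect_drift(baseline: dict, current: dict) -> dict:
    """Classify every difference between the baseline and the instance."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def decide(drift: dict, volatile=VOLATILE_PREFIXES):
    """Return ("replace", offending) when immutable paths drifted, else ("keep", [])."""
    offending = []
    for kind in ("added", "removed", "modified"):
        for path in drift[kind]:
            if not path.startswith(volatile):
                offending.append(f"{kind}:{path}")
    return ("replace", offending) if offending else ("keep", [])


if __name__ == "__main__":
    # Write the constructed image to a temporary tree, then tamper with one file.
    with tempfile.TemporaryDirectory() as root:
        for rel, content in BASELINE_IMAGE.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        baseline = snapshot_directory(root)
        with open(os.path.join(root, "etc/ssh/sshd_config"), "wb") as fh:
            fh.write(b"PermitRootLogin yes\n")
        print(decide(detect_drift(baseline, snapshot_directory(root))))
```

The baseline is the change-control record the slide asks for: it names exactly what the image is supposed to contain, so an unexpected binary or edited configuration shows up as a diff against it rather than as something an administrator has to notice.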

  13. DevSecOps and injecting security into SDLC
     • Barriers must be removed between security and application teams, similar to how DevOps overcomes the divide between Dev and Ops teams
     • Security requirements must be clearly communicated and easily integrated into the complete process
     • Security review and testing must be integrated at multiple points in DevOps workflows
     [Diagram: Dev / Sec / Ops triangle. Dev: software releases & updates; Sec: Confidentiality, Integrity, Availability; Ops: Reliability, performance, scaling]

  14. DevSecOps Shifting security “Left”

  15. Software is eating the world. Companies are under pressure to move FAST.

  16. Meanwhile, enterprises are spending more on cybersecurity than ever.

  17. $100,000,000,000

  18. BUT, breaches are at an all time high. “The dramatic increase in cyber attack frequency, complexity, and size over the past year suggests that the economics of hacking have turned a corner.” - Radware, 2017

  19. “90% of security incidents relate to vulnerabilities in code.” - US Dept. of Homeland Security

  20. Why?

  21. [Diagram: Central IT, Shadow IT, Team IT]

  22. Companies have a Need for Speed.

  23. DevOps.

  24. Value Dev _ Ops.

  25. Value Availability Dev _ Ops. Efficiencies that speed up software lifecycle.

  26. DevOps and Security silos [Diagram: Source Code → Builds → Production] Sec team out of the “loop” with DevOps

  27. Controls and Security can no longer be side-lined.

  28. Dev Sec Ops.

  29. Value Dev _ Sec _ Ops.

  30. Value Availability Dev _ Sec _ Ops.

  31. Value Availability Dev _ Sec _ Ops. Trust Validate building blocks without slowing lifecycle.

  32. Shift security “Left” [Chart: Effort vs. ROI]

  33. Shift security “Left” [Diagram: Source Code → Builds → Production] Spending further “Left” increases returns

  34. But, to reach DevSecOps your company must: 1. Adopt an automation culture 2. Deploy an agile software lifecycle 3. Integrate security into your culture

  35. Competition is driving faster release cycles

  36. DevOps Cycle

  37. DevSecOps

  38. Security: Shift Left or Shift Out #1 problem is time to market

  39. Security must be baked in.

  40. Security Automation (It’s table stakes.)

  41. Open Source: Accelerates Innovation but Introduces Risk
     [Chart: 60% Security Vulnerabilities*; 85% Unknown or Out of Compliance Licenses*]
     [Chart: Open Source Repositories, # of open source modules by language: Python 110,000; Perl 35,000; Go 20,000; Ruby 133,000; Node.js (npm): 575,000]
     * Based on 2017 Black Duck Open Source Security and Risk Analysis audit.

  42. You Got This Security must be baked in

  43. Solution: Shift Issue Resolution Left
     [Diagram: ActiveState Platform with Policy Definitions. Dev adds a component/library in the IDE; ActiveState identifies issues (based on your policy) and provides a solution in the IDE: GPL License → Substitute Component; Older Version → Newer Version Supplied; Vulnerability → Patch Provided]

  44. Drill Down

  45. Q&A

  46. Thank you to our panelists: Farshad Abasi, Mirai Security, farshad.abasi@miraisecurity.com; Jacek Materna, Assembla, jacek@assembla.com; Jeff Rouse, ActiveState, jeffr@activestate.com

  47. Find Us. Tel: 1.866.631.4581 | Website: www.activestate.com | Twitter: @activestate | Facebook: /activestatesoftware | Early Access Signup: https://start.activestate.com/early-access/
