AW6 DevOps Automation
Wednesday, November 6th, 2019, 10:30 AM

Wabi-Sabi Your DevSecOps

Presented by: Brittany Greenfield, Wabbi Inc

Brought to you by: TechWell
888-268-8770 / 904-278-0524 - info@techwell.com
https://agiledevopseast.techwell.com/
Brittany Greenfield

An MIT MBA and Duke undergrad with more than a decade of experience as a strategy leader for enterprise technology companies, Brittany combined her passion for business process innovation, gained at companies such as NetSuite and Kronos, with the infrastructure technology background she got from Cisco and Cybereason, to found Wabbi. Understanding that as functional units increasingly become responsible for the security of their own business, she sees the need to assimilate and simplify the complexity of security into the daily processes of developers.
BRITTANY GREENFIELD FOUNDER & CEO @bagreenfield
QUESTION #1 @hiwabbi #WabiSabiSecDevOps
QUESTION #2

QUESTION #3
Epics, Stories, Etc:
As a: Brittany
I want to: Drink Tea
So I can: Finish my presentation

Story Points:
Is it a chip? A crack? How much effort does it take to make it usable?

Tech Debt:
Gorilla Glue
Hospital Bills
Pain & Anxiety
New Mug
THERE IS NO PERFECT ANSWER.
DevOps lives in a world of gray where technical and business risk are balanced to continually deliver value to the customer.
"Wabi-sabi is an acceptance and appreciation of the impermanent, imperfect, and incomplete nature of everything." - Beth Kempton
"A cross-disciplinary community of practice dedicated to the study of building, evolving and operating rapidly-changing resilient systems at scale." - Jez Humble
Untimely information means Development teams don't know when policies have been violated, leaving Application Security in the rear-view mirror.

"The misalignment between development and cybersecurity teams leads to missed business opportunities, as new capabilities are delayed in reaching the market. In some cases, the pressure to close the gap has caused increased vulnerability, as development teams bend rules to work around security policies and standards." - McKinsey, July 2019
SecDevOps: Integration of security into development processes
DevOpsSec: Integration of security after development
DevSecOps: Integration of security into development testing
DevOpsSec: Integration of security after development

90% of companies begin AppSec after code is in production
191 days to fix a vulnerability in production

The question it answers: What is my current application security risk?

Source: Gartner
DevSecOps: Integration of security into development testing

"Largely manual testing efforts create bottlenecks that delay deployments, increase costs (both for testing and remediation) and create frustration for development and security teams alike." - Gartner, July 2018

The questions it answers:
What is my current application security risk?
What are the scan results & what do they mean?
How quickly does this vulnerability need to be resolved?
Does this meet the security requirements to be released?
SecDevOps: Integration of security into development processes

74% of developers want to be involved
100x cheaper to fix in design than in production

The questions it answers:
What do I need to know to build this feature securely?
What are the policies that impact this project?
Have the policies been followed?
What is my current application security risk?
What are the scan results & what do they mean?
How quickly does this vulnerability need to be resolved?
Does this meet the security requirements to be released?

Sources: CMU, NIST
SecDevOps

A development-centric approach that assimilates Application Security processes into Development processes to provide Sec, Dev & Ops teams with just-in-time actionable information.

Security gains easy policy management to know that stakeholders are informed & controls are enforced consistently to minimize risk due to code in production.

Development teams are informed of policies in advance so they can understand & plan for the AppSec requirements, reduce the number of vulnerabilities created, and manage remediation efficiently.

Ops gains visibility to understand potential & current bottlenecks, automate security governance, and manage risk acceptance workflows.
What is the security profile of this project?
- Availability
- Confidentiality
- Business Value
- Accessibility
- Deployment

How do I figure out what needs to be fixed first?
- Criticality
- Stringency
- Ease to Fix
- Versioning
- Version

What is an acceptable amount of risk to allow?
- Time to Find
- Time to Fix
- Threat Landscape
- Business Impact

SECURITY DEBT / APP SEC POLICIES / SCORING
Understand the project to know the correct secure coding practices & controls to apply across the SDLC.

PEOPLE: Enable AppSec and PMs to have a consistent cadence to understand the specific policies pertinent to a project and their impact.
PROCESS: Share feature-specific policies with developers before coding and capture front-line feedback during development.
TOOLS: Centralized policy engine with survey tools to assign policies by project & feature definition information as part of workflow.
Translate AppSec scans & tests into project-specific results to know what and when to fix.

PEOPLE: Provide PMs and Ops with the information to easily understand and correctly prioritize scan results without AppSec intervention.
PROCESS: Define quality gates to provide consistent governance and provide paths to release & remediation based on mutual terms.
TOOLS: Score-adjusting tools to simplify interpretation of results and create actionable workflows, including automated governance.
Understand the effort and risk associated with vulnerabilities to prioritize remediation.

PEOPLE: PMs can integrate vulnerability remediation into existing workflows and reduce the upfront cost of non-secure coding practices.
PROCESS: Deliberate management of vulnerabilities to ensure continuous deployment with a holistic understanding of business impact.
TOOLS: Vulnerability management solutions with end-to-end integration for continuous feedback to adapt to changing threats & ops.
Hug your AppSec Owner
Identify Integration Points
Adopt Automation Tools

general@wabbisoft.com - @hiwabbi