THE THREE WAYS OF SECURITY. Jeff Williams, Co-founder and CTO, Contrast Security (PowerPoint presentation transcript)



  1. THE THREE WAYS OF SECURITY. Jeff Williams, Co-founder and CTO, Contrast Security

  2. 1. TODAY’S “AVERAGE” APPLICATION IS A SECURITY DISASTER

  3. 2. SOFTWARE IS LEAVING SECURITY IN THE DUST
  • Typical enterprise has hundreds or thousands of software applications
  • Applications are by far the leading cause of breaches (Verizon DBIR)
  (Chart, 2000 to 2020: SOFTWARE vs. SECURITY, with WAF, SAST and DAST labelled)

  4. 3. SOFTWARE SUPPLY CHAIN SECURITY IS TOTALLY BROKEN
  (Timeline, Jan to Oct)
  • March 7: CVE-2017-5638 disclosed, Apache Struts2 releases fixed version
  • March 8: We observed widespread attack probes
  • Mid-May: Equifax breach occurs
  • July 29: Equifax learns of breach
  • Sept 7: Equifax discloses; four more CVEs disclosed
  Equifax’s state along the timeline: Equifax unaware, Equifax ignores, Livin’ la vida loca, Disaster. Contrasted with: Prepared, Protected.

  5. DIAGNOSIS: GOALS UNCLEAR, TIME WASTED
  What we must deliver (application/API portfolio):
  • Right defenses in place
  • Defenses are effective
  • Attacks detected/blocked
  What we are delivering (application/API portfolio):
  • “I ran a scanner”

  6. PUPPY MONKEY BABY (DEV / SEC / OPS)

  7. SO WHAT IS DEVOPS? The “Three Ways”:
  1. Establish work flow
  2. Ensure instant feedback
  3. Culture of experimentation
  https://itrevolution.com/the-three-ways-principles-underpinning-devops/

  8. Small batch sizes. Tight feedback loops. Swarm on problems. Produce awesome software. Optimize for downstream consumers.

  9. QUESTION: CAN DEVOPS HELP SECURITY?
  Software:
  • Problem: software is poor quality, late, slow, and doesn’t provide business value.
  • Approach: DevOps
  • Outcomes: 5x lower change failure rate; 96x faster MTTR service; 2x likely to exceed bus. goal
  Security:
  • Problem: security is poor quality, late, slow, and doesn’t provide business value.
  • Possible Approach: DevOps
  • Required Outcomes: 10x increase in portfolio coverage? 80% reduction in vulns to prod? 0x increase in time to market?

  10. SEC DEV OPS != SHOVING LEGACY SECURITY TOOLS AND PROCESSES INTO (legacy tools pictured: Static Analysis, Pen Testing, Dynamic Scanning, WAF)

  11. The “Three Ways” of Security*
  1. Establish security work flow
  • Build a concrete security story over time
  • Enable development to build security
  • Rip, mix, and burn security work
  2. Ensure instant security feedback
  • Enable self-inventory
  • Get real application threat intelligence
  • Create security notification infrastructure
  3. Build a security culture
  • Migrate to “positive” security
  • Accelerate evolution of your security story
  • Promote “security in sunshine”
  * Shamelessly adapted from The Phoenix Project, by Gene Kim

  12. The First Security Way: Establish Security Work Flow. Optimize delivery of security work that is valued by the business.

  13. UMM …. WHAT IS SECURITY “WORK”?
  1. Business Security Projects: building defenses, compliance, reporting, etc.
  2. Internal Security Work: threat modeling, security architecture, security research, vulnerability assessment, tools, etc.
  3. Operational Security Jobs: remediation, updates, analytics, alerts, tickets, etc.
  4. Unplanned Security Tasks: security “firefighting,” response, recovery, public relations, etc.

  14. FIRST WAY – BUILD A CONCRETE SECURITY STORY OVER TIME*
  Your security story maps threat model → defense strategy → defenses → assurance.
  Making security concrete:
  • Enables communication
  • Aligns your team
  • Exposes gaps and priorities
  • Creates line-of-sight
  * Shamelessly lifted from the Rugged Software Project

  15. FIRST WAY – ENABLE DEVELOPMENT TO BUILD SECURITY. Deliver security one little piece at a time. Refactor monolithic security tasks into small batch sizes. Leverage existing DevOps processes and tools.

  16. FIRST WAY – WORK ON BIGGEST THREATS, ONE AT A TIME
  Worked example: XXE, ending in an updated security story. Steps in the cycle: Add a single risk to threat model; Create defense strategy; Implement defense; Establish continuous assessment; Establish attack protection; Monitor DEV and OPS.
  Tasks shown on the slide:
  • Create JIRA ticket: Prevent XXE; update the JIRA ticket as the work proceeds
  • Research typical failures
  • Standardize parser config
  • XML library; update training
  • Log & block attacks
  • Build custom test cases
  • Enable IAST XXE rule; enable RASP XXE rule
  • Vulns go to JIRA with Slack alert
  • Attacks go to Splunk and VictorOps
  Do you really need security experts for all these tasks?
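An added example, not from the slides or from Contrast’s tooling, of what “Standardize parser config” and “Build custom test cases” look like for the XXE story using only Python’s standard library (xml.parsers.expat): one sanctioned parsing function that refuses any DOCTYPE and never loads external entities, plus constructed probe documents that serve as the continuous-assessment test cases. All function names, the sample documents and the placeholder file path are assumptions.

```python
import xml.parsers.expat as expat

class XmlPolicyViolation(ValueError):
    """Untrusted XML contained a construct the parsing policy forbids."""

def parse_untrusted_xml(data: bytes) -> dict:
    """The one sanctioned way to parse XML from outside the trust boundary:
    no DTD, no external entities. Returns {element_name: text}."""
    fields, open_elems = {}, []
    p = expat.ParserCreate()
    # Policy 1: XXE and entity-expansion attacks both need a DOCTYPE, so any
    # DTD, internal or external, aborts parsing before one entity is resolved.
    def reject_dtd(name, *_unused):
        raise XmlPolicyViolation(f"DOCTYPE '{name}' not allowed in untrusted XML")
    p.StartDoctypeDeclHandler = reject_dtd
    # Policy 2 (defence in depth): never load external entities, even if a DTD slipped by.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.ExternalEntityRefHandler = lambda *_unused: 0   # returning 0 makes expat fail hard
    def start(name, attrs):
        open_elems.append(name)
        fields.setdefault(name, "")
    def chars(text):
        if open_elems:
            fields[open_elems[-1]] += text   # text belongs to the innermost open element
    p.StartElementHandler = start
    p.EndElementHandler = lambda name: open_elems.pop()
    p.CharacterDataHandler = chars
    p.Parse(data, True)
    return fields

# Constructed test inputs: the "custom test cases" of the XXE security story.
BENIGN_XML = b"<order><item>widget</item><qty>3</qty></order>"
# XXE probe with a placeholder path; the policy must reject it before anything is read.
XXE_XML = (b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/never-read">]>'
           b"<order><item>&ext;</item></order>")
# Internal entity expansion probe (the same DOCTYPE rule stops it).
EXPANSION_XML = (b'<!DOCTYPE order [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
                 b"<order><item>&b;</item></order>")

def policy_rejects(data: bytes) -> bool:
    """Assurance check: True when the policy refuses the document outright."""
    try:
        parse_untrusted_xml(data)
    except XmlPolicyViolation:
        return True
    return False
```

Wiring `policy_rejects` over the probe documents into the build is the “continuous assessment” step; the IAST/RASP rules on the slide then cover the same risk at runtime.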

  17. The Second Security Way: Ensure Instant Security Feedback. Establish tight security feedback loops across the lifecycle.

  18. SECOND WAY – ENABLE SELF-INVENTORY
  • You need to know the exact version of every app, API, and library running on every server in every environment
  • Not hard to fully automate self-inventory
  (Diagram: Automatic Application Inventory across DEV, OPS, Internal, Public Cloud, Private APIs, Containers)

  19. SECOND WAY – GET REAL APPLICATION THREAT INTELLIGENCE
  Establish the infrastructure to …
  • Know who is attacking you
  • Know what techniques they’re using
  • Know what they’re targeting
  • … and protect within hours
  (Chart: Equifax Attack)

  20. SECOND WAY – ESTABLISH A REALTIME APPSEC CONTROL PLANE (Diagram: DEV, TEST and PROD environments spanning Public Cloud, Private APIs and Containers)

  21. The Third Security Way: Build Security Culture. A culture that constantly advances security with the threat through experimentation and learning.

  22. THIRD WAY – MIGRATE TO “POSITIVE” SECURITY
  Measure positive security directly from your running application.
  Contrast: testing for all the ways you might introduce XSS vs. testing to verify your XSS defense.

  23. THIRD WAY – ACCELERATE THE EVOLUTION OF YOUR SECURITY STORY
  • Celebrate new big risks without recrimination
  • The faster you cycle, the faster you get secure
  • Focus on strength and simplicity

  24. THIRD WAY – PROMOTE SECURITY IN SUNSHINE
  (Diagram: Security Visibility Cycle. Activities: Create Security Story, Define Defenses, Implement Defenses, Verify, Monitor, Research Threat, Share Intelligence, Understand. Participants: Architects, Developers, AppSec, Infosec, Users, Stakeholders, Business, Audit, Laws, Compliance, Legal. Attitudes contrasted: We Trust, We Understand vs. We Hide, We Blame.)

  25. TRUST

  26. BLAME. “Don’t hate the playa, hate the game” -- Ice T

  27. HIDE. The first rule of security is … you do not talk about security

  28. The “Three Ways” of Security* (recap)
  1. Establish security work flow
  • Build a concrete security story over time
  • Enable development to build security
  • Rip, mix, and burn security work
  2. Ensure instant security feedback
  • Enable self-inventory
  • Get real application threat intelligence
  • Create security notification infrastructure
  3. Build security culture
  • Migrate to “positive” security
  • Accelerate evolution of your security story
  • Promote “security in sunshine”
  * Shamelessly adapted from The Phoenix Project, by Gene Kim

  29. CLOSING THOUGHTS – TURNING SECURITY INTO CODE
  • Don’t focus on how to build software securely …
  • Make software security into something you build!

  30. Ask me anything. @planetlevel, contrastsecurity.com (badge: LEADER, Software Development Solution)
