DevSecOps Journey

Transcription

DevSecOps Journey
2/28/2018
Confidential – Internal Distribution

Agenda
- DevSecOps @ Fannie Mae
  - The Challenges and The Promises
  - The Strategy and The Principles
  - DevSecOps E2E Value Stream
  - Results driven by innovation and leadership
- Lessons Learned and some of the takeaways
- Next steps and what is coming soon
- Q&A
3/3/2018 Confidential – Internal Distribution

DevSecOps @ Fannie Mae – The Challenges
Information Security
- Security assessments are performed after development and testing
- Security findings are risk accepted because there is no time to fix issues before release
- Risk acceptance is good for 12 months and then renewed
- The list of risk-accepted vulnerabilities grows
Development Services
- Building software was not easy
- Production releases occurred every 9 to 18 months
- 150 deliverables
- 35 governance bodies
- 6 product quality checkpoints

DevSecOps @ Fannie Mae – The Promise
Information Security
- Information Security rethinks Application Security and asks: "How do we effectively structure the organization to develop and deliver secure applications and manage application security risk?"
- Strategy:
  - Developer Empowerment
  - Business Engagement
  - Application Lifecycle security coverage
Development Services
- Development Services pursues DevOps Transformation and asks: "How do we safely and quickly deliver software to meet customer demands?"
- Strategy:
  - Shift in culture: Agile is a cultural revolution from command and control to self-organizing teams
  - Change how software is built
  - DevOps is a maniacal focus on automation

DevSecOps @ Fannie Mae – The Strategy
Pillars: Integrate with Culture; Make Security Easy; Automate Everything; Run as ONE (Security and DevOps as a single-purpose team)
- Training development teams to develop secure code
  - OWASP Brown Bags and on-demand training courses
  - Secure code examples in a Git repo show how to write secure code
- Empowering developers / engaging business partners
  - Verification of Fortify "clean scans"
  - Periodic "to-the-right" application static and dynamic tests
- Tracking security issues in the same systems developers are using
  - Integrated Fortify with SonarQube
  - Integrated Fortify with SSC (Fortify Software Security Center)
  - Application security issues tracked as defects in Jira
- Integrating preventive security controls/tools in the development phase
  - HP Secure Assist
  - Find Security Bugs
  - Sonatype IQ plugin
- Automating as many security tests as possible to run alongside other tests
  - Integrating SAST tools (HP Secure Assist, FindBugs, Find Security Bugs, Fortify)
  - Future: use a DAST tool
- Detecting when applications are relying on libraries that have known vulnerabilities
  - Integrating Sonatype with Fortify to detect third-party libraries that have known vulnerabilities

DevSecOps @ Fannie Mae – The Principles
Rugged DevOps / DevSecOps
- Rapid and agile iteration from development into operations
- Stakeholders continuously monitor, analyze, attack and proactively determine defects
- Includes people, processes, technology, and culture of the organization
  - Security is a byproduct of culture

DevSecOps @ Fannie Mae – End to End Value Stream

DevSecOps @ Fannie Mae – The Results
Delivering the Promise
- Average days to close a vulnerability improved by 74% (chart: Average Days to Close a Security Vulnerability)
- Automated code quality scanning shows overall security code scores have increased by 10%
- More than 60% of application teams are performing security tests before release
- Critically vulnerable open source components (CVSS score 7.5 or higher) downloaded has decreased from 18% to 6.25%
- 55% of technical debt and security defects identified as a result of periodic testing have been dispositioned
- 77% of older technical debt and security defects have been remediated, have a remediation plan in place, or have been addressed through managed retirements of assets

Results - Driven by innovation and leadership

DevSecOps @ Fannie Mae
Lessons Learned
- Acknowledge that security vulnerabilities are defects
- If processes are too cumbersome, people will go around them
- Developers typically want one tool at the IDE level
- In DevOps CI/CD, code quality analysis is a critical need
- A single score can be misleading; automate, and measure results
- Leverage what you have while shifting left
- Recognize it is a culture shift in how work is performed

DevSecOps @ Fannie Mae
Coming soon
- DAST & IAST in CI/CD
- Securing the Software Supply Chain
  - Scan all eligible 3rd party libraries being used
  - Ensure 3rd party vulnerabilities are tracked as defects
  - Break builds when critical vulns are detected
  - Continuously monitor in-use 3rd party libraries
- Application Production Testing
- Container Security
- Continued refinement of CI/CD "paved road"
  - Software development teams will have end-to-end controlled delivery
  - Enable autonomous delivery of software products quickly, safely, and consistently while ensuring adherence to quality controls
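The strategy slide's "detecting when applications rely on libraries with known vulnerabilities" and the four supply-chain items above describe one gate: match the resolved dependency list against an advisory feed, file every match as a defect, fail the build on critical ones, and re-run against a refreshed feed for libraries already in use. The following is an added example of that gate written for this page; it is not Fannie Mae's tooling or a Sonatype/Fortify integration. The library names, advisory IDs and CVSS scores are constructed stand-ins (not real CVEs), and the 7.5 threshold is the "critically vulnerable" cut-off from the results slide.

```python
"""CI dependency gate: match resolved third-party libraries against a
vulnerability feed, file every match as a trackable defect, and break the
build when any match is critical.

Added example for this page, not Fannie Mae's tooling. The library names,
advisory IDs and scores are constructed stand-ins, not real CVEs; a real
pipeline would pull advisories from Sonatype IQ / OSS Index or the NVD.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

CRITICAL_CVSS = 7.5  # "critically vulnerable" threshold used in the deck's results


@dataclass(frozen=True)
class Advisory:
    library: str
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None = no fix published
    vuln_id: str           # constructed identifier, not a real CVE
    cvss: float


@dataclass(frozen=True)
class Defect:
    library: str
    version: str
    vuln_id: str
    cvss: float
    critical: bool


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted versions only ('2.9.8' -> (2, 9, 8)); pre-release tags are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def scan(dependencies, feed, threshold=CRITICAL_CVSS) -> List[Defect]:
    """One Defect per (library, version, advisory) match; a library can match several advisories."""
    return [
        Defect(lib, ver, adv.vuln_id, adv.cvss, adv.cvss >= threshold)
        for lib, ver in dependencies
        for adv in feed
        if adv.library == lib and is_affected(ver, adv)
    ]


def gate(defects) -> Tuple[bool, int, int]:
    """Build verdict as (passed, critical_count, total_count). Non-critical hits are
    still recorded as defects but do not stop the release."""
    critical = sum(1 for d in defects if d.critical)
    return (critical == 0, critical, len(defects))


def defect_tickets(defects) -> List[str]:
    """Render each hit as the one-line summary that would be filed in the defect tracker."""
    return [
        f"[{'CRITICAL' if d.critical else 'OPEN'}] {d.library} {d.version}: {d.vuln_id} (CVSS {d.cvss})"
        for d in defects
    ]


# Constructed resolved dependency list, as a build tool would emit it.
SAMPLE_DEPENDENCIES = [
    ("example-collections", "3.2.1"),
    ("example-logger", "2.17.1"),
    ("example-json", "2.9.8"),
    ("example-crypto", "1.0.4"),
]

# Constructed advisory feed. Re-running scan() against a refreshed feed is the
# "continuously monitor in-use libraries" step: the dependency list is unchanged,
# only the feed moves.
SAMPLE_FEED = [
    Advisory("example-collections", "3.0.0", "3.2.2", "EX-2015-0001", 9.8),
    Advisory("example-json", "2.9.0", "2.9.10", "EX-2019-0002", 5.3),
    Advisory("example-logger", "2.0.0", "2.15.0", "EX-2021-0003", 10.0),  # fixed before 2.17.1
    Advisory("example-crypto", "1.0.0", None, "EX-2022-0004", 7.5),       # no fix yet
]

if __name__ == "__main__":
    found = scan(SAMPLE_DEPENDENCIES, SAMPLE_FEED)
    for line in defect_tickets(found):
        print(line)
    passed, critical, total = gate(found)
    # A CI wrapper would turn a failed verdict into a non-zero exit code here.
    print("BUILD", "PASSED" if passed else "FAILED", f"({critical} critical of {total} findings)")
```

On the constructed data the gate records three defects and fails the build on two of them: the collections library sits inside an affected range, and the crypto library has an advisory with no fix published, which the range check treats as still affected. The logger is on a version past its fix and produces no defect, and the JSON library's 5.3 finding is filed but does not block the release. Version comparison here is numeric-only; a production gate should use the ecosystem's own version semantics (Maven, npm, PEP 440) rather than this simplification.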

Questions and Comments?

Fannie Mae’s DevSecOps Journey
Thank you!

Appendix

DevSecOps @ Fannie Mae Overview
1) Integrated Cyber Security with DevOps Culture
Stakeholders from Development, Operations/Business Partners and Cyber Security monitor, analyze, test, identify, and fix vulnerabilities earlier and faster.
Ownership and accountability of security defects is shared among executives, program managers, developers and information security personnel:
- Developers are performing testing alongside InfoSec, allowing developers to tackle new security vulnerabilities while developing code
- Accountability for the disposition of older security defects resides with Business Partners (i.e., determining what to fix, risk accept, retire, etc.)
- Cyber Security performs periodic risk-based security testing against select assets. As a part of the ongoing risk disposition process, Business Partners disposition newly identified defects

DevSecOps @ Fannie Mae Overview
2) Make Security Easy to Understand and Use
Steps were taken to make security activities and checks seamless:
- Developer tools were optimized with cyber security plugins
- Cyber security test results were made available via developer tools and dashboards
- Cyber security roadshows delivered to the development community and Operations/Business Partners
- Consistent cyber security reporting and outreach to Operations/Business Partners

DevSecOps @ Fannie Mae Overview
3) Automate Everything
- Many security tests and activities were automated (i.e. leveraging security plugins) or were designed to occur alongside other development-phase and CI/CD tests
- Multiple tools have been set up, configured, integrated, automated, and are now being maintained to produce actionable information for developers, security personnel, and business partners: Secure Assist, FindBugs, Find Security Bugs, CAST, Sonatype

Information Security Journey
DevOps Handbook Recommendations
1. Training development teams to develop secure code
2. Tracking security issues in the same tracking system that developers are using
3. Integrating preventive security controls/tools in the development phase
4. Automating as many security tests as possible to run upon code commit/build
5. Detecting when applications are relying on libraries that have known vulnerabilities
6. Placing monitoring controls in place to ensure that production instances match known good state
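Recommendation 6 is the one the deck does not otherwise expand on. A minimal monitoring control for it is an integrity baseline: fingerprint the files the pipeline approved, sign that manifest at build time, and compare each production instance against it, treating modified, missing and unexpected files as drift. The following is an added example written for this page, not Fannie Mae's tooling or the DevOps Handbook's code. File paths, file contents and the HMAC key are constructed; a real deployment would read the files from disk and keep the key in a secrets store rather than in source.

```python
"""Known-good-state check for a production instance (DevOps Handbook
recommendation 6): fingerprint deployed files, compare against a manifest
captured at build time, and trust the manifest only if its MAC verifies.

Added example for this page, not Fannie Mae's tooling. File paths, file
contents and the key are constructed; a real deployment would read the files
from disk and keep the key in a secrets store, not in source.
"""
import hashlib
import hmac
import json
from typing import Dict, List

DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def fingerprint(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map path -> SHA-256 hex digest of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC over a canonical JSON encoding so key order cannot change the MAC."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_manifest(manifest: Dict[str, str], mac: str, key: bytes) -> bool:
    """Constant-time comparison; a forged or edited manifest must not pass."""
    return hmac.compare_digest(sign_manifest(manifest, key), mac)


def drift(known_good: Dict[str, str], observed: Dict[str, str]) -> Dict[str, List[str]]:
    """Three ways an instance can diverge from the build that was approved."""
    return {
        "modified": sorted(p for p in known_good if p in observed and observed[p] != known_good[p]),
        "missing": sorted(p for p in known_good if p not in observed),
        "unexpected": sorted(p for p in observed if p not in known_good),
    }


def check_instance(manifest: Dict[str, str], mac: str, key: bytes, observed_files: Dict[str, bytes]) -> dict:
    """Verdict for one instance. An untrusted manifest is reported as such rather
    than compared, so editing both the files and the manifest still fails."""
    if not verify_manifest(manifest, mac, key):
        return {"manifest_trusted": False, "in_known_good_state": False, "drift": None}
    report = drift(manifest, fingerprint(observed_files))
    return {
        "manifest_trusted": True,
        "in_known_good_state": not any(report.values()),
        "drift": report,
    }


# Constructed build output: what the pipeline approved and deployed.
BUILD_FILES = {
    "app/lib/service.jar": b"jar-bytes-build-1042",
    "app/conf/service.properties": b"db.url=jdbc:postgresql://db/app\n",
    "app/bin/start.sh": b"#!/bin/sh\nexec java -jar lib/service.jar\n",
}

# Constructed snapshot of the same paths on a production host some time later:
# the config was hand-edited and a jar nobody deployed has appeared.
PROD_FILES = {
    "app/lib/service.jar": b"jar-bytes-build-1042",
    "app/conf/service.properties": b"db.url=jdbc:postgresql://db/app\ndebug=true\n",
    "app/bin/start.sh": b"#!/bin/sh\nexec java -jar lib/service.jar\n",
    "app/lib/extra.jar": b"unknown-jar-bytes",
}

if __name__ == "__main__":
    manifest = fingerprint(BUILD_FILES)       # captured at build time
    mac = sign_manifest(manifest, DEMO_KEY)   # stored beside the manifest
    print(json.dumps(check_instance(manifest, mac, DEMO_KEY, PROD_FILES), indent=2))
```

The MAC matters as much as the hashes: without it, anyone who can write to the instance can also rewrite the manifest to match, and the check becomes a comparison of the attacker's state against itself. In practice the same comparison is what a host integrity monitor or an immutable-image policy performs; the point of the example is the shape of the control, not this particular implementation.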

Information Security Journey
Application Security Strategy breakdown
Developer Empowerment (tools, training, remediation support)
- Developer self-service tools: Fortify, Secure Assist, Find Security Bugs plugin, FindBugs plugin, Sonatype IQ IDE plugin, Nexus Repository Manager with Firewall
- OWASP Top Ten Brown Bags
- Secure code examples in a Git repo show how to write secure code
- On-demand training courses
- Remediation support
Business Engagement (reporting, risk conversations)
- Monthly reporting to application owners
- Monthly executive reporting
- Risk strategies (risk acceptance, remediation plans) developed by application owners
Lifecycle coverage
- To-the-left: work with development teams to proactively test applications
- To-the-right: InfoSec tests applications and delivers results to app owners for risk disposition

Development Services Journey
"I am rugged and, more importantly, my code is rugged.
I recognize that software has become a foundation of our modern world.
I recognize the awesome responsibility that comes with the foundational role.
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security.
I recognize these things – and I choose to be rugged.
I am rugged because I refuse to be a source of vulnerability or weakness.
I am rugged because I assure my code will support its mission.
I am rugged because my code can face these challenges and persist in spite of them.
I am rugged, not because it is easy, but because it is necessary and I am up for the challenge."
- The Rugged Manifesto

Development Services Journey
Development Services DevOps Breakdown
- Accelerate the build and release of software with quality
- Left-shift the development experience by empowering the developer
- Governance is a necessity; transparency and empowerment are key
- Build a lean developer experience – think Software Supply Chain
- Eliminate delays, automate hand-offs
- Automate to remove toil work
- Automate measurement & monitoring
