Evolve Devsecops To Manage Both Speed And Risk

Transcription

EVOLVE DEVSECOPS TO MANAGE BOTH SPEED AND RISK

AGENDA
1. DevSecOps in the Context of Speed
2. DevSecOps in the Context of Risk
3. DevSecOps for Both Speed and Risk

DSO & SPEED

What is the DevSecOps Community Talking About?
Source: Twitter (#DevSecOps), 2020.

DevSecOps Challenges
Technical threats to the pipeline:
- Unauthorized access to data and source code
- Unintended privilege escalation of authorized users
- Data modification
- False alerts and updates
- Suppression of valid alerts
- Malicious dependency insertion
- Hijacking of tools such as build servers
Process weaknesses:
- Secure coding and system security not a priority
- Too much focus on exit criteria, thereby building technical debt
- Testing process does not reflect production environment
Source: Morales et al. "Security Impacts of Sub-Optimal DevSecOps Implementations in a Highly Regulated Environment", 2020.

DevSecOps Challenges
- We inherit a technology mess often not of our own making
- Organizations move into DevOps culture without addressing security
- No process or documentation for security reviews
- Haphazard security bolted on IT systems
- Cannot test all security requirements
- Adversary changes the environment
Source: D. Blum, Rational Cybersecurity for Business, https://doi.org/10.1007/978-1-4842-5952

Yet we still need to keep moving fast

Security Competencies
SECURELY PROVISION (SP): Risk Management (RSK); Software Development (DEV); Systems Architecture (ARC); Technology R&D (TRD); Test and Evaluation (TST); Systems Development (SYS)
OPERATE AND MAINTAIN (OM): Data Administration (DTA); Knowledge Management (KMG); Customer Service and Technical Support (STS); Network Services (NET); Systems Administration (ADM); Systems Analysis (ANA)
OVERSEE AND GOVERN (OV): Legal Advice and Advocacy (LGA); Training, Education, and Awareness (TEA); Cybersecurity Management (MGT); Strategic Planning & Policy (SPP); Executive Cyber Leadership (EXL); Program/Project Management (PMA) and Acquisition
PROTECT AND DEFEND (PR): Cyber Defense Analysis (CDA); Cyber Defense Infrastructure Support (INF); Incident Response (CIR); Vulnerability Assessment & Management (VAM)
ANALYZE (AN): Threat Analysis (TWA); Exploitation Analysis (EXP); All-Source Analysis (ASA); Targets (TGT); Language Analysis (LNG)
COLLECT AND OPERATE (CO): Collection Operations (CLO); Cyber Operational Planning (OPL); Cyber Operations (OPS)
INVESTIGATE (IN): Cyber Investigation (INV); Digital Forensics (FOR)
Source: Adapted from NIST, "National Initiative for Cybersecurity Education (NICE): Cybersecurity Workforce Framework", 2017.

Security Competencies

GOVERNANCE
- Strategy & Metrics: Identify gate locations, gather necessary artifacts; Enforce gates with measurements and track exceptions; Require a security sign-off
- Compliance & Policy: Unify regulatory pressures; Create policy; Identify PII data inventory; Implement and track controls for compliance; Include software security SLA in all vendor contracts; Impose policy on vendors
- Training: Provide awareness training

INTELLIGENCE
- Attack Models: Create a data classification scheme; Identify potential attackers; Gather and use attack intelligence; Build attack patterns and abuse cases; Create technology-specific attack patterns; Build an internal forum to discuss attacks
- Security Features & Design: Build and publish security features; Build secure-by-design middleware frameworks and common libraries
- Standards & Requirements: Translate compliance constraints to requirements; Identify open source; Control open source risk

SSDL TOUCHPOINTS
- Architecture Analysis: Perform security feature review; Define and use AA process; Make the Software Security Group available as an AA resource or mentor
- Code Review: Use automated tools along with manual review; Make code review mandatory for all projects; Use centralized reporting to close the knowledge loop and drive training; Use automated tools with tailored rules; Use a top-N bugs list
- Security Testing: Drive tests with security requirements; Share security results with QA; Include security tests in QA automation; Drive tests with risk analysis results; Begin to build and apply adversarial security tests (abuse cases)

DEPLOYMENT
- Penetration Testing: Feed results to defect management and mitigation system; Use penetration testing tools internally
- Software Environment: Use application input monitoring; Ensure host and network security; Use application behavior monitoring and diagnostics; Use application containers; Use orchestration for containers and virtualized environments; Enhance application inventory with operations BOM; Ensure cloud security metrics
- Configuration Management & Vulnerability Management: Create or interface with incident response; Identify software defects found in operations monitoring and feed them back to development; Have emergency codebase response; Track software bugs found in operations through the fix process; Develop an operations inventory of applications; Simulate software crises

Source: Koskinen. "DevSecOps: Building Security Into the Core of DevOps", 2020.

Security Best Practices: Prevention, Detection, Response
Source: Ahmed. "DevSecOps: Enabling Security by Design in Rapid Software Development", 2019.

DSO & RISK

The Risk Assessment Process
1. Elicit views from stakeholders: Brainstorming; Delphi technique; Interview; Survey
2. Identify risk: Checklist; Taxonomy; Classification; Scenario analysis
3. Determine sources, causes and drivers of risk
4. Consequences and likelihood: Bow Tie Analysis; Business Impact Analysis; Privacy Impact Analysis
5. Select between options: Cost/Benefit Analysis
6. Record and report: Risk Register
Source: ISO. "ISO 31010: Risk Management – Risk assessment techniques", 2019.

How do we integrate this with DevSecOps?

Combining Speed and Risk
- CMDB or inventory list
- Automated security survey
- Standards and frameworks
- Security taxonomy & classification
- Architecture …ty matrix
- Security and Privacy Impact Analysis
- Risk guardrail
- Risk metric
- Secure coding knowledge base and JITT
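The slide above wires an inventory, an automated security survey and a data classification into a risk metric that a guardrail enforces, and the earlier Strategy & Metrics practice asks to "enforce gates with measurements and track exceptions". The following is an added example of what that gate can look like as pipeline code; it is not from the talk or any cited source. The asset record shape, the survey questions, the classification weights, the thresholds and the sample inventory are all constructed here for illustration and would be replaced by an organization's own taxonomy and CMDB export.

```python
"""Risk guardrail for a deployment pipeline (illustrative, not from the talk).

Assumptions made for this example: the Asset record shape, the survey questions and
their weights, the classification weights, the thresholds, and the sample inventory
are all constructed; a real pipeline would load them from the CMDB and policy repo.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Data classification scheme (the "security taxonomy & classification" box).
CLASSIFICATION_WEIGHT = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}

# Automated security survey: control name -> risk points added when the control is absent.
SURVEY_CONTROLS = {
    "threat_model_reviewed": 3,
    "dependency_scan_in_ci": 2,
    "secrets_not_in_repo": 4,
    "pentest_last_12_months": 2,
    "prod_like_test_env": 1,
}


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str            # key of CLASSIFICATION_WEIGHT
    internet_facing: bool
    survey: Dict[str, bool]        # survey answers; an unanswered question counts as "no"


@dataclass
class GuardrailResult:
    asset: str
    score: int
    decision: str                  # "allow" | "review" | "block" | "allow_with_exception"
    missing_controls: List[str] = field(default_factory=list)
    exception_ref: Optional[str] = None


def missing_controls(asset: Asset) -> List[str]:
    """Survey questions answered "no" or not answered at all."""
    return [c for c in SURVEY_CONTROLS if not asset.survey.get(c, False)]


def risk_score(asset: Asset) -> int:
    """Risk metric: classification weight x exposure, plus points per missing control."""
    exposure = 2 if asset.internet_facing else 1
    base = CLASSIFICATION_WEIGHT[asset.classification] * exposure
    return base + sum(SURVEY_CONTROLS[c] for c in missing_controls(asset))


def apply_guardrail(asset: Asset, exceptions: Dict[str, str],
                    review_at: int = 8, block_at: int = 12) -> GuardrailResult:
    """Gate decision. Exceptions are tracked by reference so they can be reported and expired."""
    score = risk_score(asset)
    missing = missing_controls(asset)
    # Hard gate: restricted data with no reviewed threat model cannot be excepted.
    if asset.classification == "restricted" and "threat_model_reviewed" in missing:
        return GuardrailResult(asset.name, score, "block", missing)
    if score >= block_at:
        ref = exceptions.get(asset.name)
        if ref:
            return GuardrailResult(asset.name, score, "allow_with_exception", missing, ref)
        return GuardrailResult(asset.name, score, "block", missing)
    if score >= review_at:
        return GuardrailResult(asset.name, score, "review", missing)
    return GuardrailResult(asset.name, score, "allow", missing)


def run_inventory(assets: List[Asset], exceptions: Dict[str, str]) -> Dict[str, GuardrailResult]:
    """Evaluate every inventory entry; the result doubles as the risk-metric report."""
    return {a.name: apply_guardrail(a, exceptions) for a in assets}


# Constructed sample inventory; these are not real systems.
SAMPLE_ASSETS = [
    Asset("payments-api", "restricted", True,
          {"threat_model_reviewed": True, "dependency_scan_in_ci": True,
           "secrets_not_in_repo": True, "pentest_last_12_months": False,
           "prod_like_test_env": True}),
    Asset("internal-wiki", "internal", False,
          {"threat_model_reviewed": False, "dependency_scan_in_ci": True,
           "secrets_not_in_repo": True, "pentest_last_12_months": True,
           "prod_like_test_env": False}),
    Asset("legacy-hr-export", "confidential", True, {}),   # inherited system, survey never answered
]
# Risk register entry accepted by the data owner (constructed reference).
SAMPLE_EXCEPTIONS = {"legacy-hr-export": "RISK-0042, accepted by data owner, expires 2021-03-31"}

if __name__ == "__main__":
    for r in run_inventory(SAMPLE_ASSETS, SAMPLE_EXCEPTIONS).values():
        print(f"{r.asset:18} score={r.score:2} {r.decision:21} missing={r.missing_controls} "
              f"exception={r.exception_ref}")
```

Two design points matter more than the exact weights. The unanswered survey counts as "no", so an inherited system that nobody has assessed is scored at its worst case rather than silently passing, which is how the "technology mess not of our own making" becomes visible in the metric. And exceptions are granted only by a named risk-register reference, so the gate still runs and the accepted risk stays on the report instead of disappearing into a disabled check.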

NEXT STEPS

Next Steps
Shorter term:
- Look for areas where good practices are missing and advocate for implementing those as part of an existing security roadmap
- Demonstrate and teach good practices such as risk assessments and threat modeling
- Influence the business toward reducing complexity and following good practices
- Be aware that you may not have all the scenarios and answers available
Longer term:
- Align with existing IT strategy
- Look through the lens of risk across all systems, even legacy systems
- Build relationships with people outside IT and Security

THANK YOU
