SESSION ID: DSO-R07
How to Harness Dev and Their Native Tools to Accelerate DevSecOps
Cindy Blake, Sr Security Evangelist, GitLab, @cblake2000
#RSAC

Problem: Even Basic Application Security Testing is Hard
➢ Applications are a prime target of cyber attacks
➢ Lack of hygiene allows proven exploits to be reused
➢ App Sec tools are expensive and require integration of both technology and processes
➢ To shift left, workflows must target both dev and sec teams
➢ Security and developer teams lack the means to collaborate and scale across silos

Lead, follow or get out of the way!
There will always be more of them than there are of you!

Shifts in Software That Will Impact Security
1. How software is composed and executed
   a. Open source
   b. Cloud native and serverless
   c. Dynamic environments
2. How software is delivered and managed
   a. Iterative MVC, agile
   b. Policy-driven automation
   c. Everything as code
3. How software complies with regulatory requirements
   a. Beyond application security testing
   b. Supply chain and SDLC integrity, auditability

Cloud Native?
1. Packaged as lightweight containers
2. Developed with best-of-breed languages and frameworks
3. Designed as loosely coupled microservices
4. Everything is an API to connect microservices
5. Architected with a clean separation of stateless and stateful services
6. Abstracted from server and operating system dependencies
7. Deployed on self-service, elastic, cloud infrastructure
8. Managed through agile DevOps processes
9. Automated capabilities
10. Defined, policy-driven resource allocation
Source: https://thenewstack.io/10-key-attributes-of-cloud-native-applications/

New Attack Surfaces of Cloud Native
Three main building blocks of cloud native architecture:
Containers: hold a cloud native application's libraries and processes. They share one operating system kernel with the host and with each other, which is what makes them lightweight and portable, and also what makes kernel isolation the boundary to defend.
Orchestrators: direct how and where containers run.
Microservices: apps are broken down into smaller parts, or microservices, to make them easier to scale based on load.

Is Security a Square Peg in a Round Hole of DevOps?
Established security tools were intended for a waterfall process at the end of the SDLC and are incongruent with DevOps's
● People
● Process
● Technology

Problem: Modern Software vs Legacy App Sec
➢ New attack surfaces of composable application infrastructure make network security less relevant.
➢ The iterative development process (Agile/MVC) is incongruent with full app security scans.
➢ Code changes faster and faster, with more open source, more APIs, and microservices (mini apps).
➢ DevSecOps doesn't scale without developer enablement, automation, and exception-based security.

Do You Solve for the Obvious Threats?
(Images from http://clipart-library.com)

"Your most important security product won't be a security product." (CISO of VMware)

Git What? Know your Git... and why it matters
Git / GitLab / GitHub

Integration Complexity of Toolchains Slows Down Teams
Manage, Plan, Create, Verify, Package, Secure, Release, Configure, Monitor, Defend

DevOps Complexity Inhibits Auditability… and Introduces More Security Risk
Business Problems × 100s of Tools × Solution Deployment × Multiple Data Models × Lack of Transparency = Complexity & Risk

App Sec Silos Compound a Web of DevOps Integrations
Each app sec product must integrate with multiple DevOps tools.

The Advantage of a Single Application for DevOps

Continuous Application Security, Embedded into CI
● Static Application Security Testing (SAST)
● Dynamic Application Security Testing (DAST)
● Dependency Scanning
● Container Scanning
● License Compliance
Security testing built into merge requests.

Focus on Leaders in Continuous Integration (CI)
Leader in the Forrester CI Tools Wave™

Continuous Application Security = a United Workflow

What If You Could…
● Scan all code, every time
● Seamlessly for dev
● Using FEWER tools
● With Dev, Sec, and Ops on the same page
● And happy compliance auditors

A Software Factory Approach Also Reduces Risk
What happens when you find 10k vulnerabilities at the end of the SDLC?
What if you dealt with each one at the point where it is introduced?
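The two ideas the deck keeps returning to, scanners embedded in the merge request and dealing with each finding at the point where it is introduced, come down to one piece of logic: compare the scan of the target branch with the scan of the merge-request branch, surface only what the MR adds or removes, and gate on the new findings rather than on the historical backlog. The script below is an added example (it is not code from this deck or from GitLab). It assumes two scanner reports shaped like GitLab's security report JSON (a top-level "vulnerabilities" list whose entries carry "category", "severity", "location" and "identifiers"); the sample reports, the severity threshold and the exception list are constructed here for illustration.

```python
"""Merge-request security gate: act on findings where they are introduced.

Added example, not code from the RSA deck or from GitLab. It assumes two
scanner reports shaped like GitLab's security report JSON (a top-level
"vulnerabilities" list whose entries carry "category", "severity",
"location" and "identifiers"); the sample reports, the threshold and the
exception list below are constructed for illustration.
"""
import json
import sys

# Ordering used for the policy threshold; names follow GitLab's severity levels.
SEVERITY_RANK = {"Info": 0, "Unknown": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}

# Constructed sample: what the scanner reported on the target branch (e.g. main).
BASELINE_REPORT = json.dumps({
    "version": "14.0.0",
    "vulnerabilities": [
        {"category": "sast", "name": "SQL injection", "severity": "High",
         "location": {"file": "app/db.py", "start_line": 40},
         "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"}]},
        {"category": "sast", "name": "Cross-site scripting", "severity": "Medium",
         "location": {"file": "app/views.py", "start_line": 12},
         "identifiers": [{"type": "cwe", "name": "CWE-79", "value": "79"}]},
    ],
})

# Constructed sample: the same scanner run on the merge-request branch.
MR_REPORT = json.dumps({
    "version": "14.0.0",
    "vulnerabilities": [
        # Same SQL injection as on main; an unrelated edit shifted its line number.
        {"category": "sast", "name": "SQL injection", "severity": "High",
         "location": {"file": "app/db.py", "start_line": 44},
         "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"}]},
        # New in this MR: a hard-coded credential.
        {"category": "sast", "name": "Hard-coded credential", "severity": "Critical",
         "location": {"file": "app/settings.py", "start_line": 3},
         "identifiers": [{"type": "cwe", "name": "CWE-798", "value": "798"}]},
        # New in this MR, but below the blocking threshold.
        {"category": "sast", "name": "Improper input validation", "severity": "Low",
         "location": {"file": "app/api.py", "start_line": 27},
         "identifiers": [{"type": "cwe", "name": "CWE-20", "value": "20"}]},
        # The XSS finding from main is absent: the MR fixed it.
    ],
})


def finding_key(v):
    """Stable identity of a finding across branches.

    Scanner category, primary identifier and file are enough to match the
    "same" finding; the line number is deliberately left out so that code
    shifting above a finding does not make an old issue look new.
    """
    ident = v["identifiers"][0]
    return (v["category"], ident["type"], ident["value"], v["location"].get("file", ""))


def diff_reports(baseline_json, mr_json):
    """Return (new, fixed): findings only in the MR, and findings only in the baseline."""
    base = {finding_key(v): v for v in json.loads(baseline_json)["vulnerabilities"]}
    head = {finding_key(v): v for v in json.loads(mr_json)["vulnerabilities"]}
    new = [v for k, v in head.items() if k not in base]
    fixed = [v for k, v in base.items() if k not in head]
    return new, fixed


def gate(baseline_json, mr_json, fail_at="High", exceptions=None):
    """Exception-based gate: block the MR only on *new* findings at or above
    `fail_at`, unless security has recorded an exception for that finding.

    `exceptions` maps finding_key(...) -> reason and stands in for the
    dismissal a reviewer records in the tool (constructed for this example).
    Returns (passed, new, blocking).
    """
    exceptions = exceptions or {}
    new, _ = diff_reports(baseline_json, mr_json)
    threshold = SEVERITY_RANK[fail_at]
    blocking = [
        v for v in new
        if SEVERITY_RANK.get(v.get("severity", "Unknown"), 1) >= threshold
        and finding_key(v) not in exceptions
    ]
    return not blocking, new, blocking


if __name__ == "__main__":
    passed, new, blocking = gate(BASELINE_REPORT, MR_REPORT)
    _, fixed = diff_reports(BASELINE_REPORT, MR_REPORT)
    for v in new:
        print(f"new:   {v['severity']:8} {v['name']} ({v['location']['file']})")
    for v in fixed:
        print(f"fixed: {v['severity']:8} {v['name']} ({v['location']['file']})")
    print("MR gate:", "pass" if passed else f"FAIL ({len(blocking)} blocking)")
    sys.exit(0 if passed else 1)
```

Run against the constructed reports, the gate reports two new findings and one fixed one and fails the MR on the new Critical hard-coded credential alone; the pre-existing SQL injection on main is reported but does not block, because it was not introduced here. That is the difference between a 10k-item backlog at the end of the SDLC and one actionable item in the developer's own merge request. The exception map is where "exception-based security" lives: a reviewer's recorded dismissal, keyed to the finding rather than to a whole rule, lets the pipeline go green without silencing the scanner.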
2020_USA20_DSO-R07_01_How to Harness Dev and Their Native Tools to Accelerate DevSecOps