SESSION ID: DSO-T11
DevSecOps State of the Union
Clint Gibler, Research Director, NCC Group
@clintgibler

Goal: distill tips / insights from talks, blog posts, conversations

About Me
● Technical Director and Research Director at NCC Group
● PhD in Computer Science from UC Davis
Things I ❤
● DevSecOps, security automation, scaling security
● Automated bug finding (static and dynamic analysis, fuzzing, …)

Before We Start - My Assumptions
• You’ve found SAST/DAST not that useful (operational time required & cost)
• You’re willing to invest time now to reap big security wins later
• Your security team has at least a few people, but not dozens

Agenda
● Big Picture
  ○ Mindsets and Principles
  ○ Choosing How to Invest Your Time
● Scaling Your Company’s Security
  ○ The Fundamentals
  ○ Scaling Your Efforts
  ○ Security Endgame
● Action Plan

Mindsets & Principles
● Automate as much as possible
  – Security teams are always time- and person-limited; you need to scale
● Guardrails, not Gatekeepers: minimize “no’s”
  – Netflix’s Paved Road; see Scaling Appsec at Netflix by @astha_singhal
● Prefer high-signal, low-noise tools and alerting
  – It may be better to miss some issues than drown in triaging alerts that don’t matter

Mindsets & Principles (continued)
● Developers are your customers: UI and UX are important
  – How can we fit into devs’ existing tools and workflows?
  – Can we make the secure way easier, faster, or otherwise better than the current way?
  – Build in useful features (telemetry, logging, etc.)
● Self-service security
  – Provide tools and services devs can use without security team interaction
See also: Tech Beacon blog post on mindsets / principles

Choosing How to Invest Your Time
Time horizons: Now / Medium Term / Long Term
Ask Yourself
● Of my near / medium term tasks, which will provide the most long-term strategic value?
● Can I do a near term task a little bit differently to make it much more useful later?
● What (sub)problems can I solve with high accuracy, at scale?

Security Tools in Your Tool Belt
● Static analysis
● Dynamic analysis
● Runtime detection
● Fuzzing
● Secure wrapper libraries
● Pen tests
● Choosing what to ignore
● Bug bounty

Targeting Vulns by Complexity / Class (increasing vuln complexity from Easy to Hard)
Easy
● Missing TLS
● No security headers
● Calling dangerous fxns
● Missing security controls
Medium
● Standard OWASP bugs
● XSS, SQLi
● XXE, SSRF
● ...
Hard
● Complex, multistep bugs
● Business logic flaws
● Abuse

Which approach targets which class, ordered from Easy to Hard:
● Secure defaults (Easy)
● Automated tools
● Bug bounty (Medium)
● Pen tests
● Runtime monitoring (Hard)

Targeting Vulns by Complexity / Class – Key Takeaways
● Solve as many of your problems as possible with secure defaults
● Automated tools won’t solve all of your problems
● Bug bounty can provide decent coverage of low/medium hanging fruit
  ○ If you’re building a new AppSec program, start with a private program with few researchers. Consider a pen test first and paying for triage.
● Use pen testing for the hard problems, where it provides the best value
● Runtime monitoring for bugs that are too hard/inefficient to find in other ways

Further viewing
● We Come Bearing Gifts: Enabling Prod Security w/ Culture & Cloud | AppSec Cali ’18 | Patrick Thomas, Astha Singhal
● A Pragmatic Approach for Internal Security Partnerships | AppSec Cali ’19 | Scott Behrens, Esha Kanekar

The Fundamentals
● Vulnerability Management
● Continuous Scanning
● Asset Inventory
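As an added example (not from the talk or from NCC Group), here is the "Easy" class from the Key Takeaways handled the way the deck recommends: a small secure-defaults wrapper that sets security headers and refuses plaintext URLs, plus a deliberately exact-match checker for dangerous function calls so it stays high-signal and low-noise. The header values and the deny-list are assumptions chosen for illustration.

```python
"""Secure-defaults helpers for the 'Easy' vulnerability class (constructed example)."""
import ast
from urllib.parse import urlparse

# Headers a wrapper library sets on every response so developers never have
# to remember them: a secure default, not a gate. Values are assumptions.
DEFAULT_SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
    "Referrer-Policy": "no-referrer",
}

def security_headers(overrides=None):
    """Return response headers with secure defaults; callers override explicitly."""
    headers = dict(DEFAULT_SECURITY_HEADERS)
    headers.update(overrides or {})
    return headers

def require_https(url):
    """Reject plaintext URLs so 'missing TLS' cannot happen by accident."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    return url

# Exact-match deny-list (assumed): high signal, low noise, at the cost of
# missing aliased or indirect calls, which the deck accepts as a trade-off.
DANGEROUS_CALLS = {"eval", "exec", "pickle.loads", "yaml.load", "os.system"}

def _call_name(node):
    """Render a call target as 'eval' or 'os.system'; None for other shapes."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None

def find_dangerous_calls(source):
    """Return sorted (line, name) pairs for calls on the deny-list."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _call_name(node) in DANGEROUS_CALLS:
            findings.append((node.lineno, _call_name(node)))
    return sorted(findings)
```

Run `find_dangerous_calls` over a file's source text in CI; because it only matches exact names, every finding is worth a developer's attention, which is the trade-off the deck argues for.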
2020_USA20_DSO-T11_01_DevSecOps State of the Union