Post on 18-Jan-2017
EMPOWERING APPLICATION SECURITY IN THE WORLD OF DEVOPS
AGENDA
STATE OF APPLICATION SECURITY
INTEGRATING APPLICATION SECURITY IN DEVOPS
UNIQUE CHALLENGES IN DEVOPS
© 2015 Black Duck Software, Inc. All Rights Reserved.
STATE OF APPLICATION SECURITY: CUSTOM & OPEN SOURCE CODE
WEB APPLICATION VULNERABILITIES: XSS AND SQL INJECTION EXPLOITATIONS
XSS AND SQL INJECTION EXPLOITS ARE CONTINUING IN HIGH NUMBERS
Source: IBM X-Force Threat Intelligence Quarterly, 2014
APPLICATIONS - THE WEAKEST LINK IN THE IT SECURITY CHAIN
[Chart: web application vulnerabilities as a share of all vulnerability disclosures, 2009-2013, y-axis 0-25%]
33% OF VULNERABILITY DISCLOSURES ARE WEB APPLICATION VULNERABILITIES
Source: The State of Risk-Based Security Management, Research Study by Ponemon Institute, 2013
INVESTMENT PRIORITY - “SECURITY RISKS” VS. YOUR “SPEND”
MANY CLIENTS DO NOT PRIORITIZE APPLICATION SECURITY IN THEIR ENVIRONMENTS
[Chart: security risk vs. spending per layer (application, data, network, human, host, physical), y-axis 5-35%; the application layer carries the largest share of risk and a much smaller share of spend]
SPENDING DOES NOT EQUAL RISK
Source: The State of Risk-Based Security Management, Research Study by Ponemon Institute, 2013
CUSTOM AND OPEN SOURCE CODE MIX
OPEN SOURCE
• Needed functionality without acquisition costs
• Faster time to market
• Lower development costs
• Broad support from communities
CUSTOM CODE
• Proprietary functionality
• Core enterprise IP
• Competitive differentiation
THE SHIFTING APPLICATION SECURITY THREAT LANDSCAPE: RISE OF OPEN SOURCE VULNERABILITIES
OPEN SOURCE COMPONENTS WITH KNOWN VULNERABILITIES
Since 2014, over 6,000 new vulnerabilities in open source components.
[Chart: open source vulnerabilities disclosed per year, y-axis 0-1,200, with the Heartbleed disclosure marked]
Source: Risk Based Security’s VulnDB
WHO IS RESPONSIBLE FOR SECURITY?
COMMERCIAL CODE                            | OPEN SOURCE CODE
DEDICATED SECURITY RESEARCHERS             | “COMMUNITY”-BASED CODE ANALYSIS
ALERTING AND NOTIFICATION INFRASTRUCTURE   | MONITOR NEWSFEEDS YOURSELF
REGULAR PATCH UPDATES                      | NO STANDARD PATCHING MECHANISM
DEDICATED SUPPORT TEAM WITH SLA            | ULTIMATELY, YOU ARE RESPONSIBLE
CONTAINERS AND DEVOPS
Containers can be vulnerable by virtue of the code that runs inside them
• OSS components running inside containers represent potential attack vectors
• A vulnerable component could cause problems for the application itself
• It could cause more problems if the container is running with the --privileged flag set, which removes most of the isolation between the container and the host
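The distinction the bullets draw (a vulnerable component inside a container versus the same component inside a container that can reach the host) is something an operations team can check mechanically. The script below is an added example, not part of the deck: it reads the JSON that `docker inspect` produces for running containers and flags `--privileged`, added kernel capabilities, shared host namespaces and a mounted Docker socket. The container names, images and the `SAMPLE_INSPECT` JSON are constructed for the example and trimmed to the fields the audit reads; the list of dangerous capabilities is this example's own choice.

```python
"""Audit `docker inspect` output for settings that let a vulnerable
component inside a container reach the host.

A known-vulnerable library in an image is a problem for the application;
the same library in a container started with --privileged, extra kernel
capabilities, host namespaces or a mounted Docker socket is a problem for
the host.  Real input: `docker inspect $(docker ps -q) > containers.json`.
SAMPLE_INSPECT is constructed for this example.
"""
import json
import sys

# Capabilities that give a root process in the container a path to the host
# (example's own list; tune to your threat model).
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE",
                  "NET_ADMIN", "DAC_READ_SEARCH", "SYS_RAWIO"}

SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"Image": "shop/web:1.4"},
     "HostConfig": {"Privileged": True, "CapAdd": None,
                    "PidMode": "", "NetworkMode": "bridge"},
     "Mounts": [{"Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
    {"Name": "/worker", "Config": {"Image": "shop/worker:1.4"},
     "HostConfig": {"Privileged": False, "CapAdd": ["CAP_SYS_PTRACE"],
                    "PidMode": "host", "NetworkMode": "bridge"},
     "Mounts": []},
    {"Name": "/api", "Config": {"Image": "shop/api:1.4"},
     "HostConfig": {"Privileged": False, "CapAdd": ["NET_BIND_SERVICE"],
                    "PidMode": "", "NetworkMode": "bridge"},
     "Mounts": []},
])


def _normalise_cap(cap):
    """Docker accepts both 'SYS_ADMIN' and 'CAP_SYS_ADMIN'; compare one form."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(record):
    """Return [(severity, message), ...] for one inspect record."""
    name = record.get("Name", "?").lstrip("/")
    image = record.get("Config", {}).get("Image", "?")
    host = record.get("HostConfig") or {}
    findings = []

    if host.get("Privileged"):
        findings.append(("HIGH", f"{name} ({image}): --privileged; an exploit against "
                                 "any component in the image runs as host root"))
    added = {_normalise_cap(c) for c in host.get("CapAdd") or []}
    for cap in sorted(added & DANGEROUS_CAPS):
        findings.append(("HIGH", f"{name} ({image}): --cap-add {cap}"))
    if host.get("PidMode") == "host":
        findings.append(("MEDIUM", f"{name} ({image}): shares the host PID namespace"))
    if host.get("NetworkMode") == "host":
        findings.append(("MEDIUM", f"{name} ({image}): shares the host network namespace"))
    for mount in record.get("Mounts") or []:
        if mount.get("Source") == "/var/run/docker.sock":
            findings.append(("HIGH", f"{name} ({image}): Docker socket mounted at "
                                     f"{mount.get('Destination')}; equivalent to root on the host"))
    return findings


def audit(inspect_json):
    """Map container name -> findings for every record in `docker inspect` output."""
    return {rec.get("Name", "?").lstrip("/"): audit_container(rec)
            for rec in json.loads(inspect_json)}


def has_high(report):
    """True when any container carries a HIGH finding (used as the exit status)."""
    return any(sev == "HIGH" for findings in report.values() for sev, _ in findings)


if __name__ == "__main__":
    # Usage: python audit_containers.py containers.json  (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    result = audit(text)
    for name, findings in result.items():
        for severity, message in findings or [("OK", f"{name}: no risky host settings")]:
            print(f"[{severity}] {message}")
    sys.exit(1 if has_high(result) else 0)
```

Run it against `docker inspect $(docker ps -q)` output on a host; a non-zero exit on a HIGH finding lets the same script serve as a deployment-stage check in the pipeline.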
UNIQUE CHALLENGES IN DEVOPS
WHAT IS DEVOPS?
• Set of principles
• Faster software delivery
• Continuous process
• Collaborative
• Achieved by automation
CHALLENGES WITH APPLICATION SECURITY IN DEVOPS
• Developers are not security experts
• Time pressure
• Security can be an afterthought
• Application security teams are small
• Testing happens too late in the process
BENEFIT FROM DEVOPS WITHOUT COMPROMISING SECURITY
• Automation of Security Testing
• Security Gates
INTEGRATING APPLICATION SECURITY IN DEVOPS
CONTINUOUS INTEGRATION ENVIRONMENT
Binary Repository Management (Artifactory / Nexus)
Developers / IDE (Eclipse)
Deployment Environments (Amazon / Docker / VMWare / Openstack)
Continuous Integration Server (Jenkins / TeamCity / Bamboo)
Test Automation Tools (Selenium / JUnit)
Quality Management Tools
Bug Tracking Tools
Source Control Management (Git / CVS / Subversion / Perforce)
Build Tools (Maven / Bundler)
APPLICATION SECURITY TESTING TECHNOLOGIES
Static Analysis (SAST)
Dynamic Analysis (DAST)
Interactive Analysis (IAST)
Open Source Scanning (OSS)
CONTINUOUS INTEGRATION ENVIRONMENT
[Diagram: the same environment with the security testing tools overlaid]
Binary Repository Management (Artifactory / Nexus)
Developers / IDE (Eclipse) - OSS IDE integration
Continuous Integration Server (Jenkins / TeamCity / Bamboo)
Deployment Environments (Amazon / Docker / VMWare / Openstack)
Test Automation Tools (Selenium / JUnit)
Quality Management Tools
Bug Tracking Tools - Bug Tracking Integration
Source Control Management (Git / CVS / Subversion / Perforce)
Build Tools (Maven / Bundler)
Security testing overlays: SAST / OSS, DAST / IAST
BUILD CUSTOM SECURITY GATES BASED ON NEEDS
[Diagram: delivery pipeline - Delivery Team -> Version Control -> Build & Unit Tests -> Automated Acceptance Tests -> User Acceptance Tests -> Release, shown for Pipeline 1, Pipeline 2 and Pipeline 3]
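A security gate is a step the CI server runs after the scans for a build and fails when the findings exceed what the pipeline stage allows. The gate below is an added example, not from the deck or any product: it combines SAST findings (custom code) and OSS findings (open source components), applies a CVSS threshold that tightens from build to release, and honours an accepted-risk register whose waivers expire so they are re-reviewed. The finding schema, rule IDs, component names, CVSS scores and the stage thresholds are constructed for the example; the only real identifier is CVE-2014-0160 (Heartbleed, which the deck mentions), and its score here is illustrative.

```python
"""Severity-threshold security gate for one stage of the delivery pipeline.

The CI server runs this after the SAST and open source scans for a build
and fails the stage when the gate does not pass.  Thresholds tighten from
build to release so developers get fast feedback early and nothing above
the agreed risk level reaches production.  Findings, IDs, components,
scores and the finding schema are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
import sys


@dataclass(frozen=True)
class Finding:
    source: str      # "sast" (custom code) or "oss" (open source component)
    id: str          # scanner rule ID or CVE ID
    component: str   # source file or package@version
    cvss: float      # CVSS base score, 0.0-10.0


@dataclass
class GateResult:
    stage: str
    passed: bool
    blocking: list   # findings at or above the threshold with no valid exception
    waived: list     # findings covered by an unexpired accepted-risk exception


# Minimum CVSS score that blocks at each pipeline stage (example policy).
FAIL_AT = {"build": 9.0, "acceptance": 7.0, "release": 4.0}


def evaluate_gate(stage, findings, exceptions, today):
    """Apply the stage threshold; `exceptions` maps finding ID -> expiry date."""
    threshold = FAIL_AT[stage]
    blocking, waived = [], []
    for f in findings:
        if f.cvss < threshold:
            continue
        expiry = exceptions.get(f.id)
        if expiry is not None and expiry >= today:
            waived.append(f)        # accepted risk, still inside its review window
        else:
            blocking.append(f)      # no exception, or the exception has expired
    return GateResult(stage, not blocking, blocking, waived)


# Constructed scan results for one build.
FINDINGS = [
    Finding("sast", "SAST-SQLI-01", "src/main/java/OrderDao.java", 9.8),
    Finding("sast", "SAST-XSS-07", "src/main/webapp/search.jsp", 6.1),
    Finding("oss", "CVE-2014-0160", "openssl@1.0.1f", 7.5),   # Heartbleed
    Finding("oss", "VULN-0001", "libexample@2.3.1", 3.7),
]

# Accepted-risk register: every waiver carries an expiry so it is re-reviewed.
EXCEPTIONS = {
    "CVE-2014-0160": date(2017, 2, 1),    # upgrade scheduled, waived until then
    "SAST-XSS-07": date(2016, 12, 31),    # expired: blocks again
}

TODAY = date(2017, 1, 18)   # fixed so the example is reproducible


def report(result):
    """Human-readable summary the CI log shows next to the failed step."""
    lines = [f"gate[{result.stage}]: {'PASS' if result.passed else 'FAIL'}"]
    lines += [f"  BLOCK {f.id} {f.component} cvss={f.cvss}" for f in result.blocking]
    lines += [f"  WAIVE {f.id} {f.component} cvss={f.cvss}" for f in result.waived]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python gate.py <build|acceptance|release>  (defaults to release)
    stage = sys.argv[1] if len(sys.argv) > 1 else "release"
    result = evaluate_gate(stage, FINDINGS, EXCEPTIONS, TODAY)
    print(report(result))
    sys.exit(0 if result.passed else 1)
```

The non-zero exit code is what turns the gate into a failed pipeline step; the same findings pass the build-stage gate once the SQL injection finding is fixed or formally waived, which is the "based on needs" part of the slide title.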
IBM AND BLACK DUCK – INTEGRATED VIEW
[Diagram: custom code vulnerabilities and open source vulnerabilities presented in one integrated view]
WHAT CAN YOU DO TOMORROW?
Speak with your head of application development and DevOps and find out:
What are your current application security practices?
What kinds of security gates do you need to build to ensure nothing gets through?
What tools are you using as part of the development and application security lifecycle?
Are containers like Docker part of your deployment model?
How are you tracking for new vulnerabilities over time?
SEND QUESTIONS TO
IBM@BLACKDUCKSOFTWARE.COM
THANK YOU!