DevSecOps – Security at the speed of...
DevSecOps – Security at the speed of Development Ryan Sheldrake – Solutions Architect EMEA [email protected]
Why am I here?
• Understand why we have open source vulnerabilities in our software
• Empower Developers – fix early!
• Effectively manage open source vulnerabilities and licenses throughout the delivery pipeline
“You cannot inspect quality into a product.” W. Edwards Deming
Out of the Crisis 1982
Thou shalt not pass
10/23/2013 @joshcorman ~ Marc Andreessen 2011
XXXXXXX HAS ALREADY CONSUMED
Heartbleed / Struts + (UnPatchable) Internet of Things == ___ ?
In Our Bodies In Our Homes
In Our Infrastructure In Our Cars
Source: Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed - Josh Corman, Gene Kim
HACKERS! HACKERS EVERYWHERE!
100:1 developers outnumber application security
Incentives incentivise
ON TIME ON BUDGET ACCEPTABLE QUALITY/RISK
Modern applications are mostly assembled
The Perspective of Maven Central
[Chart: Maven Central download records, rolling 365-day downloads, Jul-2014 to Jul-2016; y-axis 10,000,000,000 to 50,000,000,000]
DOWNLOAD RECORDS FOR PyPI
WHY is it so difficult to manage Open Source effectively?
Things get complex... FAST!
Now…a real application
Transitive dependencies – Maven Central 2015
Millions of components with complex interdependencies
8 years later (2007 to 2015), vulnerable versions of Bouncy Castle were downloaded... 5.7M times
CVE-2007-6721 – CVSS Base Score: 10.0 HIGH; Impact Subscore: 10.0; Exploitability Subscore: 10.0
NEWER COMPONENTS MAKE BETTER SOFTWARE
Analysis of components in 25,000 application scans
[Chart: components by year – defect density (5% to 25%) against component age in years (1 to 11)]
3X HIGHER DEFECT DENSITY
OLDER COMPONENTS DIE OFF
Analysis of components in 25,000 application scans
[Chart: inactive projects (% on latest version, 5% to 25%) against component age in years (1 to 11)]
TRACK AND TRACE Does your organization maintain an inventory of open source components used in production applications? (e.g., a software bill of materials)
1-in-5 had or suspected a breach related to an open source component in the past 12 months.
COMMONS COLLECTION CWE-502: 23,476,966 total downloads in 2016; 18,330,958 (78%) of those downloads were vulnerable
2,731 organizations downloaded the vulnerable versions.
STRUTS2 CVE-2017-5638: 279,796 total downloads in 2016
Image Source: Canadian Revenue Agency, Wikipedia
DEFECT RATIO FOR JAVASCRIPT
Source: Thou Shalt Not Depend on Me: Analyzing the Use of Outdated JavaScript Libraries on the Web, © 2017 NDSS, Northeastern University
87% of handlebars inclusions were known vulnerable
37% of jQuery inclusions were known vulnerable
40% of Angular inclusions were known vulnerable
37% of websites include at least one library with a known vulnerability
“Improvement of the process includes better allocation of the human effort.”
W. Edwards Deming, Out of the Crisis, 1982
Traditional Approach
[Pipeline diagram: Developers → Source Control → Build → Dev → QA → UAT → Prod, fed by Public Component Repositories and a Deploy Repository]
Up-front manual checks: days-weeks
Near-production pen test & scan/scold: weeks-months
So. In summary
• Unit testing has become TDD (Test Driven Development)
• Usability testing has become BDD (Behaviour Driven Development)
• Integration testing has become MDD (Model Driven Development)
• Q.E.D. A large part of security needs to become SSD (Security Supported Development)
Fix early and fast... SAVE MONEY
[Pipeline diagram: Developers → Source Control → Build → CI → CD → Dev → QA → UAT → Prod, fed by Public Component Repositories and a Deploy Repository, with IQ Server checks at each stage]
Multiple Integration Points throughout the Pipeline
ZTTR (Zero Time to Remediation)
EMPOWER DEVELOPERS FROM THE START
@weekstweets
Make access to precise, quality information easy
**** COMMERCIAL DISCLAIMER – OTHER TOOLS EXIST
Synchronous testing occurs at every build
Keep a list of what you use
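An added example, not code from the talk or from any tool it names: a Python build step that inventories the dependencies declared in a Maven pom.xml (the "list of what you use") and fails the build when a declared version falls inside a known-vulnerable range, naming the first fixed version so the developer can pick a better one. The pom.xml and the affected-version ranges are constructed for illustration; only the CVE and CWE ids come from the slides.

```python
# Added example (not the talk's code): build-time dependency check.
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml; coordinates and versions are illustrative.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk15</artifactId><version>1.36</version></dependency>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId><version>2.5.13</version></dependency>
    <dependency><groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId><version>3.2.1</version></dependency>
  </dependencies>
</project>"""

# Constructed advisory feed: ids come from the talk, but the affected ranges
# (lower bound inclusive, fixed version exclusive) are illustrative placeholders.
ADVISORIES = {
    "org.bouncycastle:bcprov-jdk15": [("CVE-2007-6721", "0", "1.38")],
    "org.apache.struts:struts2-core": [("CVE-2017-5638", "2.3.5", "2.3.32"),
                                       ("CVE-2017-5638", "2.5", "2.5.11")],
    "commons-collections:commons-collections": [("CWE-502", "3.0", "3.2.2")],
}

def parse_version(v):
    """Turn '2.5.10.1' into (2, 5, 10, 1) so tuples compare numerically."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))

def inventory(pom_xml):
    """Return [(groupId:artifactId, version), ...] for every declared dependency."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_xml)
    return [(f"{d.findtext('m:groupId', namespaces=ns)}:{d.findtext('m:artifactId', namespaces=ns)}",
             d.findtext("m:version", namespaces=ns))
            for d in root.findall(".//m:dependency", ns)]

def check(pom_xml, advisories=ADVISORIES):
    """Match each component against the feed; a finding names the first fixed version."""
    findings = []
    for coord, ver in inventory(pom_xml):
        for vuln_id, lo, hi in advisories.get(coord, []):
            if parse_version(lo) <= parse_version(ver) < parse_version(hi):
                findings.append((coord, ver, vuln_id, hi))
    return findings

if __name__ == "__main__":
    for coord, ver, vuln_id, fixed in check(SAMPLE_POM):
        print(f"FAIL {coord}:{ver} affected by {vuln_id}; upgrade to >= {fixed}")
    raise SystemExit(1 if check(SAMPLE_POM) else 0)  # non-zero exit breaks the build
```

Run at every build so the check is synchronous with the change that introduced the component, rather than a near-production scan weeks later.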
[Pipeline diagram: Developers → Source Control → Build → CI → CD → Dev → QA → UAT → Prod, fed by Public Component Repositories and a Deploy Repository]
Tool groups shown along the pipeline, left to right:
• OSS analysis (NLC, OWASP Dep Check), Static & Dynamic code analysis, Fuzz, Unit tests, BDD tests
• TDD test suite, Infrastructure test suite, Behavioural test suite, Security test suite (Gauntlt, Metasploit, OSS analysis)
• ZAP Proxy, Infrastructure tests, Chaos Monkey, Gauntlt, Secret managers
• Red & Blue teaming, Security incident monitoring, AppSensor, Kibana, Splunk
https://github.com/devsecops/awesome-devsecops
Make Security Testing Fun
Test with Security games - Bring toolset along
Be transparent with information
Use the data you automatically collect
Summing Up
• Understand why we have open source vulnerabilities in our software
• Empower Developers – Choose the best version!
• Effectively manage open source vulnerabilities and licenses throughout the delivery pipeline
Thanks - References
• Wired Article – Hackers remotely kill Jeep on Highway: https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
• https://www.theregister.co.uk/2016/03/30/bmw_complies_with_gpl/
• State of Devops 2015: https://puppetlabs.com/2015-devops-report
• Rugged Devops Book: http://devops.com/2015/04/20/the-rugged-devops-ebook/
• Rugged Software: http://www.ruggedsoftware.org/
• DevSecOps: http://devsecops.org
• “The Phoenix Project” by Gene Kim: http://itrevolution.com/books/phoenix-project-devops-book/
• State of Software Supply Chain 2015: https://www.sonatype.com/state-of-the-software-supply-chain
• 7 Habits of Rugged Devops: https://www.forrester.com/report/The+Seven+Habits+Of+Rugged+DevOps/-/E-RES126542
• Verizon Data Breach Report: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
• CodeCentric CI Example: https://blog.codecentric.de/en/2015/10/continuous-integration-platform-using-docker-container-jenkins-sonarqube-nexus-gitlab/
• FS-ISAC: https://www.sonatype.com/software-security-control-white-paper
• IEC-62304: http://www.iso.org/iso/catalogue_detail.htm?csnumber=38421
• PCI-DSS: https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
• Reflections on NPMGate: http://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm
• Lessons learnt again from NPMGate: http://www.sonatype.org/nexus/2016/03/25/npm-gate-lessons-learned-again/
• DevSecOps toolkit: https://github.com/devsecops/awesome-devsecops