Kim van Wilgen - SDD Conference… · Automate first • SAST • DAST • Proxy tools •...
We came, we saw, we kicked its ass!
Kim van Wilgen
@kimvanwilgen | nl.linkedin.com/kimvanwilgen
About me: Kim van Wilgen, Head of development at ANVA
Former head of IT at Klaverblad
Business background
Managing since 2005
Programming since 2018
@kimvanwilgen
nl.linkedin.com/kimvanwilgen
www.kimvanwilgen.com
@kimvanwilgen | www.kimvanwilgen.com | We came, we saw, we kicked its ass
The Continuous Culture
Insurance company
Service provider
Wholesale
Agents
ANVA: Insurtech company for the Netherlands
Why focus on security?
Boring, draining, worthless
Why is it boring?
Security roleplay
With the hypes of agile and continuous delivery, focus shifted to speed… and nothing else
GDPR? Go away!
Security is not a core competence of developers
Panels are shifting
• Cloud computing
• Emergent processes and tools
• New architectures
• IAAS
• Shifting roles / T shapes
• Just enough software architecture
• IoT, AI, machine learning
Hacking 4 dummies
Script kiddies: ready-to-use scripts for bored teens
Firewalls aren’t keeping you safe
10.6% of passwords are one of the top 20 passwords
“Geeks are people who love something so much that all the details matter.”
Marissa Mayer
Security all-in
Continuous Delivery (CD) is a set of practices and principles in software engineering aimed at building, testing and releasing software faster and more frequently. They help reduce the cost, time and risk of delivering changes, and ultimately value, to customers by allowing for more incremental changes to applications in production.
Wikipedia, 2017
Continuous Security (CS) is a set of practices and principles in software engineering aimed at building, testing and releasing software faster and more frequently. They help reduce the cost, time and risk of delivering changes, and ultimately value, to customers by allowing for more incremental changes to applications in production.
Continuous Security (CS) is a set of practices and principles in software engineering aimed at designing, developing, testing and running software more securely. They help reduce the cost, time and risk of delivering changes, and ultimately value, to customers by allowing for more incremental changes to applications in production.
Continuous Security (CS) is a set of practices and principles in software engineering aimed at designing, developing, testing and running software more securely. They help reduce the cost, time and risk of delivering integrity, availability and data protection, and ultimately security, to applications in production.
Continuous Security (CS) is a set of practices and principles in software engineering aimed at designing, developing, testing and running software more securely. They help reduce the cost, time and risk of delivering integrity, availability and data protection, and ultimately security, to applications in production. Continuous security is indispensable for delivering Continuous Delivery.
DevSecOps 2018
DevSecOps 2021
Technology radar: security is rising
How to start?
Self-organised security
“We’ll be disclosing personal data of all the Dutch through an open cloud SaaS platform. Make it safe to do so.”
Security Satellite team
5 dev (1 architect, 2 devs, 2 testers)
3 ops
BSIMM: Build security in maturity model
Security board
Let’s play!
Gartner DevSecOps Top 10
• Have security champions
• Don’t eliminate all risk
• Driven by DevOps teams
• Identify and remove first
• Adapt your SAST & DAST
• Eliminate known vulnerabilities
• Immutable infrastructure
• Detection of changes
• Treat security tests as source code
• Train for the basics
#1: Have security champions
“When designing the software architecture a security expert helps
to do a risk assessment early and mitigate important risks by design”
- Simon Brown -
#2: Don’t eliminate all risk
Risk and cost based security
Small tests and risk based
Integration in the pipeline
#3: DevOps driven
“At Google I’ve never spoken to anyone from the security team. They integrated software security solutions in our pipelines that were helping delivery instead of frustrating it”
Randy Shoup, WeWork
Automate first
• SAST
• DAST
• Proxy tools
• Dependency checks
• Custom scripts
Integration in the pipelines
SAST
SAST: technology that analyzes an application's source, bytecode or binary code for security vulnerabilities, typically at the programming and/or testing software life cycle (SLC) phases.
Leaders: Checkmarx, Veracode, AppScan (IBM), Fortify (Micro Focus), PT Application Inspector, Coverity (Synopsys)
+ Finds problems early in the lifecycle, detailed feedback
- False positives & false negatives
DAST
DAST: analyzes applications in their dynamic, running state during testing or operational phases. It simulates attacks against an application (typically web-enabled applications and services), analyzes the application's reactions and, thus, determines whether it is vulnerable.
Leaders: Fortify, AppScan, ZAP, Qualys, Rapid7
+ Tests the application at runtime, realistic view
- More complex, harder to track, requires a running instance
DAST: Zed Attack Proxy (ZAP)
#4: Identify and remove: start small
I’ve added over 100 security rules in Sonar and sent the top X screwups to the team. They are more aware and will solve their own issues.
Dominik, member of ANVA security satellite team
#5: Adapt your SAST, DAST and security tests
Application Security Verification Standard
Irrelevant / SAST / DAST / RAST / other
Train for risks we can’t automate
Learn and adapt first before you break the build
#6: Fix your vulnerabilities
OWASP Dependency-Check: eliminate known vulnerabilities
48
550 vulnerabilities
#7: Immutable infrastructure
#8: Detection of changes
#9: Treat security tests as source code
#10: Train for the basics
Automate security features and scan against bugs and vulnerabilities
Check for logical flaws manually, educate and automate them
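A small risk-based pipeline gate that ties together #2 (don’t eliminate all risk), #5 (learn and adapt before you break the build) and #6 (eliminate known vulnerabilities), added here as an illustration and not code from the talk or from ANVA; the finding format, placeholder ids and dates are constructed and do not follow any real scanner's report schema:

```python
"""Risk-based security gate for a CI pipeline (added example, not from the talk).

Accepted risks live in source control next to the security tests ("treat
security tests as source code"); each names an owner and an expiry date.
Audit mode only reports so teams can learn and adapt first; enforce mode
fails the build on open findings at or above the CVSS threshold.
"""
from datetime import date

# Constructed sample findings; ids are placeholders, not real CVEs or rules.
SAMPLE_FINDINGS = [
    {"id": "CVE-0000-0001", "component": "lib-a:1.2", "cvss": 9.8},
    {"id": "CVE-0000-0002", "component": "lib-b:0.9", "cvss": 5.3},
    {"id": "CVE-0000-0003", "component": "lib-c:2.0", "cvss": 7.5},
    {"id": "RULE-SQLI-01", "component": "src/db.py", "cvss": 8.0},
]

# Constructed accepted-risk register (hypothetical owner and expiry).
ACCEPTED_RISKS = {
    "CVE-0000-0003": {"owner": "team-payments", "until": "2030-01-01"},
}


def evaluate(findings, accepted, mode="audit", threshold=7.0, today=None):
    """Return (blocking, report). blocking is True only in enforce mode."""
    today = today or date.today().isoformat()   # ISO dates compare as strings
    blocking, accepted_now, expired, below = [], [], [], []
    for f in findings:
        acc = accepted.get(f["id"])
        if f["cvss"] < threshold:
            below.append(f["id"])              # below the risk appetite: report only
        elif acc and acc["until"] >= today:
            accepted_now.append(f["id"])       # documented, still-valid exception
        elif acc:
            expired.append(f["id"])            # exception lapsed: treat as open
            blocking.append(f["id"])
        else:
            blocking.append(f["id"])           # known, unaccepted vulnerability
    report = {"mode": mode, "blocking": blocking, "accepted": accepted_now,
              "expired": expired, "below_threshold": below}
    return (mode == "enforce" and bool(blocking)), report


if __name__ == "__main__":
    fail, rep = evaluate(SAMPLE_FINDINGS, ACCEPTED_RISKS, mode="enforce")
    print("FAIL" if fail else "PASS", rep)
```

Start teams in audit mode and switch to enforce once the open findings have been triaged, which is the "learn and adapt first" step the slide describes.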
Academy sessions
Hack yourself first too
Chaos Engineering is the discipline of experimenting on a distributed
system in order to build confidence in the system’s capability to
withstand turbulent conditions in production.
“Think as an offender will show the real threats of your application and grow awareness from finding out how easy it is.”
Troy Hunt, MVP for developer security and creator of ‘Have I been PWNED’
Hackyourselffirst.troyhunt.com
Evil user stories
As a Malicious Hacker, I want to gain access to this web application’s Cloud Hosting account so that I can lock out the legitimate owners and delete the servers and their backups, to destroy their entire business.
Overview: Continuous Security
• Automation: SAST, DAST, proxy tools, custom scripts, dependency checks
• Knowledge: training, feedback from detection
• Detection: hack yourself, external pentesting
References and questions
www.kimvanwilgen.com
kimvanwilgen
Sources
https://sdtimes.com/developers/gartners-guide-to-successful-devsecops/
https://cybersecurity.isaca.org/static-assets/documents/State-of-Cybersecurity-part-2-infographic_res_eng_0517.pdf
https://www.sans.org/reading-room/whitepapers/critical/continuous-security-implementing-critical-controls-devops-environment-36552
10 Things to Get Right for Successful DevSecOps, Gartner, 2017, IDG00341371
https://www.gartner.com/doc/reprints?id=1-4TI72Y2&ct=180320&st=sb
https://www.thoughtworks.com/radar/techniques