Kim van Wilgen - SDD Conference: Automate first • SAST • DAST • Proxy tools • Dependency checks

Posted 09-Jul-2020 (63 slides)

Transcript

  • We came, we saw, we kicked its ass! Kim van Wilgen

    @kimvanwilgen nl.linkedin.com/kimvanwilgen

    kimvanwilgen@gmail.com www.kimvanwilgen.com

  • About me: Kim van Wilgen, Head of development at ANVA

    Former head of IT at Klaverblad

    Business background

    Managing since 2005

    Programming since 2018

    @kimvanwilgen

    nl.linkedin.com/kimvanwilgen

    kimvanwilgen@gmail.com

    www.kimvanwilgen.com

  • @kimvanwilgen | www.kimvanwilgen.com | We came, we saw, we kicked its ass

    The Continuous Culture

  • Insurance company

    Service provider

    Wholesale

    Agents

    ANVA Insurtech company for the Netherlands

  • Why focus on security?

  • Boring, draining, worthless

  • Why is it boring?

    Security roleplay

  • With the hypes of agile and continuous delivery, focus shifted to speed… and nothing else

  • GDPR: Go away!

    Security is not a core competence of developers

  • Panels are shifting

    - Cloud computing
    - Emergent processes and tools
    - New architectures
    - IAAS
    - Shifting roles / T shapes
    - Just enough software architecture
    - IoT, AI, machine learning

  • Hacking 4 dummies

  • Script kiddies Ready to use scripts for bored teens

  • Firewalls aren’t keeping you safe

    10.6% of passwords are a top-20 password

  • “Geeks are people who love something so much that all the details matter.”

    Marissa Mayer

  • Security all-in

  • Continuous Delivery (CD) is a set of practices and principles in software engineering aimed at building, testing and releasing software faster and more frequently. They help reduce the cost, time and risk of delivering changes, and ultimately value, to customers by allowing for more incremental changes to applications in production.

    Wikipedia, 2017

  • Continuous Security (CS) is a set of practices and principles in software engineering aimed at building, testing and releasing software faster and more frequently. They help reduce the cost, time and risk of delivering changes, and ultimately value, to customers by allowing for more incremental changes to applications in production.

  • Continuous Security (CS) is a set of practices and principles in software engineering aimed at designing, developing, testing and running software more securely. They help reduce the cost, time and risk of delivering changes, and ultimately value, to customers by allowing for more incremental changes to applications in production.

  • Continuous Security (CS) is a set of practices and principles in software engineering aimed at designing, developing, testing and running software more securely. They help reduce the cost, time and risk of delivering integrity, availability and data protection, and ultimately security, to applications in production.

  • Continuous Security (CS) is a set of practices and principles in software engineering aimed at designing, developing, testing and running software more securely. They help reduce the cost, time and risk of delivering integrity, availability and data protection, and ultimately security, to applications in production. Continuous security is indispensable for delivering Continuous Delivery.

  • DevSecOps 2018

    DevSecOps 2021

  • Technology radar: security is rising

  • How to start?

  • Self-organised security

  • “We’ll be disclosing personal data of all the Dutch through an open cloud SaaS platform. Make it safe to do so.”

  • Security Satellite team

    5 dev (1 architect, 2 devs, 2 testers)

    3 ops

  • BSIMM: Build Security In Maturity Model

  • Security board

  • Let’s play!

  • Gartner DevSecOps Top 10

    #1: Have security champions
    #2: Don’t eliminate all risk
    #3: Driven by DevOps teams
    #4: Identify and remove first
    #5: Adapt your SAST & DAST
    #6: Eliminate known vulnerabilities
    #7: Immutable infrastructure
    #8: Detection of changes
    #9: Treat security tests as source code
    #10: Train for the basics

  • #1: Have security champions

  • “When designing the software architecture a security expert helps to do a risk assessment early and mitigate important risks by design”

    - Simon Brown -

  • #2: Don’t eliminate all risk

  • Risk and cost based security: small tests and risk based

  • #3: DevOps driven

    Integration in the pipeline

  • “At Google I’ve never spoken to anyone from the security team. They integrated software security solutions in our pipelines that were helping delivery instead of frustrating it”

    Randy Shoup, WeWork

  • Automate first

    • SAST

    • DAST

    • Proxy tools

    • Dependency checks

    • Custom scripts

    Integration in the pipelines

  • SAST

    SAST: technology that analyzes an application's source, bytecode or binary code for security vulnerabilities, typically at the programming and/or testing phases of the software life cycle (SLC).

    Leaders: Checkmarx, Veracode, AppScan (IBM), Fortify (Micro Focus), PT Application Inspector, Coverity (Synopsys)

    + Finds problems early in the lifecycle, detailed feedback

    - False positives & false negatives

  • DAST

    DAST: analyzes applications in their dynamic, running state during testing or operational phases. It simulates attacks against an application (typically web-enabled applications and services), analyzes the application's reactions and, thus, determines whether it is vulnerable.

    Leaders: Fortify, AppScan, ZAP, Qualys, Rapid7

    + Tests the application at runtime, realistic view

    - More complex, harder to track, requires a running instance

  • DAST: Zed Attack Proxy (ZAP)

  • #4: Identify and remove: start small

  • “I’ve added over 100 security rules in Sonar and sent the top X screwups to the team. They are more aware and will solve their own issues.”

    Dominik, member of ANVA security satellite team

  • #5: Adapt your SAST, DAST and security tests

  • Application Security Verification Standard

    Irrelevant / SAST / DAST / RAST / other

    Train for risks we can’t automate

  • Learn and adapt first before you break the build

  • #6: Fix your vulnerabilities

  • OWASP Dependency-Check: eliminate known vulnerabilities

    48

    550 vulnerabilities
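The "automate first" and "fix your vulnerabilities" steps above come together in a pipeline gate. The script below is an added example, not code from the talk or from ANVA: it reads an OWASP Dependency-Check JSON report, ranks findings by CVSS, and supports a learn-first mode that reports without breaking the build. The report field layout (`dependencies`, `vulnerabilities`, `cvssv3.baseScore` / `cvssv2.score`) is an assumption to verify against your tool version; the sample report and its CVE ids are constructed placeholders.

```python
"""Added example, not from the talk: gate a pipeline on an OWASP
Dependency-Check JSON report. Report layout is an assumption (check your
tool version): "dependencies" -> "vulnerabilities" -> name/severity/cvss."""
import json
from collections import Counter

# Constructed sample report; the CVE ids are placeholders, not real ids.
SAMPLE_REPORT = json.loads("""{"dependencies": [
  {"fileName": "app.jar/lib/example-lib-1.0.jar", "vulnerabilities": [
    {"name": "CVE-0000-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
    {"name": "CVE-0000-0002", "severity": "MEDIUM", "cvssv2": {"score": 5.0}}]},
  {"fileName": "app.jar/lib/clean-lib-2.3.jar"}]}""")


def cvss_score(vuln):
    """Prefer the CVSSv3 base score, fall back to CVSSv2, else 0."""
    for block in (vuln.get("cvssv3") or {}, vuln.get("cvssv2") or {}):
        for field in ("baseScore", "score"):
            if field in block:
                return float(block[field])
    return 0.0


def collect_findings(report):
    """Flatten the report into one record per (dependency, CVE)."""
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            findings.append({"dependency": dep.get("fileName", "?"),
                             "cve": vuln.get("name", "?"),
                             "severity": vuln.get("severity", "UNKNOWN").upper(),
                             "score": cvss_score(vuln)})
    return findings


def gate(report, fail_on_cvss=7.0, enforce=True):
    """Return (passed, blocking findings worst-first, severity counts).
    enforce=False is the talk's 'learn and adapt first' mode: findings are
    reported but the build never fails; flip it once the backlog is clean."""
    findings = collect_findings(report)
    blocking = sorted((f for f in findings if f["score"] >= fail_on_cvss),
                      key=lambda f: -f["score"])
    counts = dict(Counter(f["severity"] for f in findings))
    return (not blocking) or (not enforce), blocking, counts


if __name__ == "__main__":
    passed, blocking, counts = gate(SAMPLE_REPORT)
    print(counts, [f["cve"] for f in blocking], "PASS" if passed else "FAIL")
```

Run it in the pipeline after `dependency-check` has written its JSON report, starting with `enforce=False` and switching to `enforce=True` once the top findings are fixed.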

  • #7: Immutable infrastructure

  • #8: Detection of changes

  • #9: Treat security tests as source code

  • #10: Train for the basics

  • Automate security features and scan against bugs and vulnerabilities

    Check for logical flaws manually, educate and automate them
