Application Security at DevOps Speed - DevOpsDays Singapore 2016
Security at the Speed of DevOps
Transcript of Security at the Speed of DevOps
Tony Rice, Senior Application Security Engineer, Cisco Systems
Security at the Speed of DevOps
Research Triangle 2016
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
TL;DR: Agile development moves too fast, hire robots
Richard Sargent
Agile vs. Waterfall
[Figure: a single Waterfall sequence contrasted with Sprint 1, Sprint 2 and Sprint 3, each fed from its own Backlog. “The Homer” image courtesy of Fox.]
Does Agile promote Security?
Security in the Software Lifecycle (1.2) - Department of Homeland Security
Our highest priority is to satisfy the customer through early and continuous delivery of software.
Welcome changing requirements, even late in development.
Deliver working software frequently on a shorter timescale.
Developers will be trusted by both management and customers to get the job done.
Hire motivated individuals and trust them to get the job done.
The most efficient and effective communication method is face-to-face conversation.
Working software is the primary measure of progress.
Sponsors, developers, and users should be able to maintain a constant pace indefinitely.
Continuous attention to technical excellence and good design enhances agility.
Simplicity--the art of maximizing the amount of work not done--is essential.
The best architectures, requirements, and designs emerge from self-organizing teams.
The team must reflect on its efficacy at regular intervals and adjust its behavior accordingly.
Software Delivery Life Cycle: Requirements, Design, Coding, Test, Deploy
[Figure: Cost to Fix, plotted across the phases Requirements, Design, Coding, Test, Deploy; the relative cost figures shown are $1, $15, $30 and $100-1000. Source: Software Engineering Economics, Barry W. Boehm.]
[Overlay on the same chart: Defect Introduction, with 30% and 18% marked against the early phases.]
[Overlay on the same chart: Vulnerability Introduction.]
[Overlay on the same chart: Defect Discovery, with 86% marked against the late phases.]
The Solution
1. Introduce fewer bugs
2. Discover them earlier
xkcd#327
[Figure: Defect Discovery across Requirements, Design, Coding, Test, Deploy, comparing Yesterday (discovery concentrated late) with Tomorrow (discovery shifted earlier).]
Requirements & Design Coding Integration Test Deploy
Source NASA JSC
Send the Robots
Requirements & Design Coding Integration Test Deploy
Manual Everything
✗ Code merged by hand (senior developer)
✗ Ad hoc manual builds, manual tests
✗ Measurement: customer complaints
Requirements & Design Coding Integration Test Deploy
Source NASA JSC
Hire a Chief Robot
Requirements & Design Coding Integration Test Deploy
Continuous Integration
✔ Automated builds
✔ Automated integration testing
Measurement: build quality
Requirements & Design Coding Integration Test Deploy
Secure by Design
✔ Security included in requirements
✔ Common security libraries
Measurement: adoption
Requirements & Design Coding Integration Test Deploy
Vulnerability Scanning
✔ Automated vulnerability scanning
✔ Code quality tests
Measurement: vulnerability counts
“Constantly think about how you could be doing things better and questioning yourself.” - Elon Musk
Requirements & Design Coding Integration Test Deploy
Developer Culture Shift
✔ Test driven development, unit test reuse
✔ Dynamic & static automated vulnerability scanning
✔ Code review / pair programming
Measurement: vulnerability counts, code review records
TESTING
TESTING!!
xkcd#303
Requirements & Design Coding Integration Test Deploy
Continuous Deployment
✔ Version control for all artifacts
✔ Proactive monitoring
✔ Stable, reproducible development environment
Measurement: deployments per day
Requirements & Design Coding Integration Test Deploy
Continuous Security
✔ Zero manual intervention from check-in to deployment
✔ Only inputs: code, configs and tests
✔ Development priority on refactoring legacy code and tests
Measurement: code coverage
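The Vulnerability Scanning and Continuous Security slides call for automated scanning whose only inputs are code, configs and tests, with vulnerability counts as the measurement and no human in the loop between check-in and deployment. The script below is an added example, not code from the deck or from Cisco, of the gate step that turns scanner findings into that automatic pass/fail decision in CI. It assumes a constructed, normalised findings format (`id`, `severity`, `component`) rather than any particular scanner's schema, and a constructed baseline of finding ids already known from the previous release; the baseline is what lets the gate be switched on against legacy code without blocking every build on day one.

```python
"""CI vulnerability gate: turn scanner findings into an automatic pass/fail decision.

Added example, not from the original deck. Assumptions: scanner output has been
normalised into a list of objects with 'id', 'severity' and 'component' keys (a
constructed format, not any specific tool's schema); the baseline is the set of
finding ids already tracked from the previous release.
"""
from collections import Counter
import json
import sys

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed scanner output, for illustration only.
SAMPLE_SCAN = json.dumps([
    {"id": "DEP-0001", "severity": "high", "component": "libexample-1.2"},
    {"id": "DEP-0002", "severity": "medium", "component": "libexample-1.2"},
    {"id": "APP-0003", "severity": "low", "component": "app/login.py"},
    {"id": "APP-0004", "severity": "critical", "component": "app/export.py"},
])

# Constructed baseline: findings already known and tracked in the previous release.
SAMPLE_BASELINE = {"DEP-0001", "DEP-0002"}


def parse_findings(raw_json):
    """Validate the normalised scanner document. Unknown severity labels are
    rejected so that a renamed or misspelled level cannot slip past the gate
    as 'not high enough to block'."""
    findings = json.loads(raw_json)
    for f in findings:
        if f["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {f['severity']!r} in {f['id']}")
    return findings


def severity_counts(findings):
    """The measurement the slide asks for: vulnerability counts per severity."""
    return Counter(f["severity"] for f in findings)


def gate(findings, baseline, fail_at="high"):
    """Decide whether the build may proceed.

    Policy: any NEW finding (id not in the baseline) at or above `fail_at`
    blocks the pipeline. Known legacy findings are counted and reported but do
    not block, so they can be burned down as refactoring work without stopping
    every deployment in the meantime."""
    threshold = SEVERITY_RANK[fail_at]
    new = [f for f in findings if f["id"] not in baseline]
    blocking = [f for f in new if SEVERITY_RANK[f["severity"]] >= threshold]
    return {
        "passed": not blocking,
        "blocking": [f["id"] for f in blocking],
        "new": [f["id"] for f in new],
        "counts": dict(severity_counts(findings)),
    }


def main():
    result = gate(parse_findings(SAMPLE_SCAN), SAMPLE_BASELINE)
    print(json.dumps(result, indent=2))
    # The exit code is the only thing the CI server needs: non-zero stops the pipeline.
    sys.exit(0 if result["passed"] else 1)


if __name__ == "__main__":
    main()
```

Run as a pipeline step after the scanner, this fails the build on the constructed input because APP-0004 is a new critical finding, while the two known DEP findings are reported in the counts without blocking. Raising the threshold or adding an id to the baseline is itself a change to a config file under version control, which keeps "only inputs: code, configs and tests" true for the gate as well.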
Additional Reading
• Haskins, Bill, Jonette Stecklein, Brandon Dick, Gregory Moroney, Randy Lovell, and James Dabney. "8.4.2 Error Cost Escalation Through the Project Life Cycle." INCOSE International Symposium 14.1 (2004): 1723-1737. NASA Technical Reports Server, NASA Johnson Space Center.
• Boehm, Barry W. Software Engineering Economics. Englewood Cliffs, NJ: Prentice-Hall, 1981. ISBN 0138221227.
• Puppet Labs. State of DevOps Report (2014).
• Martin, James. An Information Systems Manifesto. Englewood Cliffs, NJ: Prentice-Hall, 1984. ISBN 0134647696.
• Department of Homeland Security. Security in the Software Lifecycle (August 2006).
• Clark, Sandy, et al. "Moving Targets: Security and Rapid-Release in Firefox."
http://www.slideshare.net/tony_rice