DevOps Security-Part1 An insight into S-SDLC SUMAN SOURAV
Aug 15, 2015
Agenda
DevOps Security – Introduction
Software Security Toll Gates in DevOps
An inside story of continuous security testing implementation
Challenges
Disclaimer
Not endorsing any tools
About me
Software Security Professional with 10+ years of experience
Specialize in Secure SDLC implementation
Threat Modeling/Secure Code Review/Penetration Testing/DevOps Security
Secure Coding Trainer, SecurityQA Testing Trainer, Speaker
What next for me?
IoT Security
SmartCity Security
DevOps-Introduction
Faster Release Cycle
Shortened Delivery Time
Unified Tools and Process
Integration between different teams
Secure-SDLC
• Requirements: Security Requirements
• Design: Threat Modeling
• Development: Secure Code Review
• Deployment: Vulnerability Scanning/PT
• Operation: Monitoring
Time to complete these activities?
DevOps Security: Pre-Staging
Source: Kaspersky
Continuous Integration
Security Automation
Right Process, People, Tools
Collaboration & Sharing
Metrics and Data Analytics
Security Failures in DevOps
Dev Risk
[Diagram: DevOps security pipeline. Stages: Requirements, Design, Development, Build and Deploy, Staging, Production. Labels: External Repositories; Common Components; Repository; SCM Tools; Security Test Automation; Threat Modeling; SCA Tools/IDE Plugins; VS/PT/IAST; Components Monitoring; Production Monitoring; Third Party Libraries - Security Report; Collaboration across Product 1 to Product 9; Security Champions]
Requirements
Security Questionnaire
Automated Score Calculation
Provide guidance for component selection
Design
Threat Modeling (Demo)
Automated Approach
Development
Source Code Management
1. Branching
2. Ownerships
Secure Code Review - IDE Plugins (Demo)
Develop and Test
Takes a couple of minutes to generate a vulnerability report
Vulnerability Coverage
• Detect the most obvious vulnerabilities
• Quickly provide the security posture of the applications
Merging Reports
• Keep an eye on new issues and fixed issues
• Less time spent in false positive analysis
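The "Merging Reports" step above (see only new and fixed issues, and don't re-analyse the same false positives every scan) is easiest to understand as a diff between the previous and current report keyed on a stable fingerprint. The following is an added example, not code from the deck: the finding format (rule, file, line, snippet), the triage store and the sample findings are all constructed assumptions; real SAST/DAST exports differ, so only fingerprint() would need adapting.

```python
"""Merge the previous and current scan reports so reviewers only see new
and fixed issues, and earlier false-positive decisions are carried over.

Added example, not from the deck. The finding format (rule, file, line,
snippet) and the triage store are assumptions; real SAST/DAST exports
differ, so only fingerprint() would need adapting.
"""
import hashlib
import re


def fingerprint(finding):
    """Stable identity for a finding that ignores line-number drift.

    Rule id + file + whitespace-normalised snippet: if unrelated lines are
    inserted above the flagged code the line number moves but the
    fingerprint does not, so the issue is not mis-reported as fixed+new.
    """
    snippet = re.sub(r"\s+", " ", finding["snippet"]).strip()
    raw = f'{finding["rule"]}|{finding["file"]}|{snippet}'
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def merge_reports(previous, current, triage):
    """Return {'new': [...], 'fixed': [...], 'persisting': [...]}.

    triage maps fingerprints to an analyst decision from an earlier run
    ('false_positive' or 'confirmed'); it is attached to every current
    finding so nobody re-analyses a known false positive.
    """
    prev = {fingerprint(f): f for f in previous}
    curr = {fingerprint(f): f for f in current}
    result = {"new": [], "fixed": [], "persisting": []}
    for fp, f in curr.items():
        entry = dict(f, fingerprint=fp, triage=triage.get(fp, "untriaged"))
        result["persisting" if fp in prev else "new"].append(entry)
    for fp, f in prev.items():
        if fp not in curr:
            result["fixed"].append(dict(f, fingerprint=fp))
    return result


def needs_review(merged):
    """Findings that still need a human: new ones plus untriaged persisting ones."""
    return [f for f in merged["new"] + merged["persisting"]
            if f["triage"] == "untriaged"]


# Constructed sample reports (not real scanner output).
PREVIOUS = [
    {"rule": "SQLI-001", "file": "app/db.py", "line": 40,
     "snippet": 'cur.execute("SELECT * FROM users WHERE name = " + name)'},
    {"rule": "XSS-002", "file": "app/views.py", "line": 12,
     "snippet": "return '<h1>' + query + '</h1>'"},
    {"rule": "HASH-003", "file": "app/auth.py", "line": 7,
     "snippet": "hashlib.md5(data).hexdigest()  # cache key, not a password"},
]
CURRENT = [
    # same SQL injection, now 5 lines lower after an unrelated edit
    # (the extra whitespace in the snippet is normalised away)
    {"rule": "SQLI-001", "file": "app/db.py", "line": 45,
     "snippet": 'cur.execute("SELECT  * FROM users WHERE name = " + name)'},
    # XSS-002 no longer reported: output is escaped now
    # HASH-003 still reported; was triaged as a false positive last time
    {"rule": "HASH-003", "file": "app/auth.py", "line": 7,
     "snippet": "hashlib.md5(data).hexdigest()  # cache key, not a password"},
    # brand-new finding
    {"rule": "SSRF-004", "file": "app/fetch.py", "line": 3,
     "snippet": "requests.get(user_supplied_url)"},
]
TRIAGE = {fingerprint(PREVIOUS[2]): "false_positive"}

if __name__ == "__main__":
    merged = merge_reports(PREVIOUS, CURRENT, TRIAGE)
    for bucket in ("new", "fixed", "persisting"):
        print(bucket, [f["rule"] for f in merged[bucket]])
    print("needs review:", [f["rule"] for f in needs_review(merged)])
```

Running it reports SSRF-004 as new, XSS-002 as fixed, and SQLI-001 and HASH-003 as persisting; only SQLI-001 and SSRF-004 reach the review queue because HASH-003 keeps its earlier false-positive decision.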
Build & Deployment
CI Tools
Jenkins
Hudson
TeamCity, etc.
CI Tools Integration
Third Party libraries analysis
Static Analysis
Security Unit test Cases
Dynamic Analysis
QA Role in DevOps Security
Security Review of Requirements & Design Documents
Security Static Code Analysis Results Review
Dynamic Security Analysis
Penetration testing including Fuzz Testing
Third Party Components Review
Security Unit Test Cases (Demo)
CI Integration - DAST
Flow: Unit Test Cases -> Browsers -> Scanners -> Reports
Reference:
http://www.hindsightsoftware.com/blog/security-testing-with-selenium-and-the-zed-attack-proxy-zap
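The "Security Unit Test Cases" slide above is about tests that run in the normal test stage of CI and fail the build on a security regression, before any scanner is involved. Below is an added example, not code from the deck or from the referenced blog post: it does not reproduce the Selenium/ZAP wiring, but shows what such test cases look like for two common controls. safe_redirect_target() and security_header_problems() are hypothetical application helpers written here so the tests have something to exercise; in a real project the tests would import the application's own functions.

```python
"""Security unit test cases for the CI test stage.

Added example, not from the deck. safe_redirect_target() and
security_header_problems() are hypothetical helpers standing in for the
application's own code.
"""
import unittest
from urllib.parse import urlsplit


def safe_redirect_target(target, allowed_hosts):
    """True only for a same-site relative path or a URL on an allowed host.

    Rejects protocol-relative targets ('//host'), non-http(s) schemes and
    backslashes, which some browsers normalise to '/'.
    """
    if not target or "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if not parts.netloc:
        # relative path: exactly one leading slash
        return target.startswith("/") and not target.startswith("//")
    return parts.hostname in allowed_hosts


REQUIRED_HEADERS = {
    "content-security-policy": None,            # must be present
    "x-content-type-options": "nosniff",        # exact value
    "x-frame-options": ("DENY", "SAMEORIGIN"),  # one of these
    "strict-transport-security": None,          # must be present
}


def security_header_problems(headers):
    """Return a list of missing or wrong security headers (empty list = ok)."""
    lower = {k.lower(): v for k, v in headers.items()}
    problems = []
    for name, expected in REQUIRED_HEADERS.items():
        value = lower.get(name)
        if value is None:
            problems.append(f"missing {name}")
        elif isinstance(expected, str) and value.lower() != expected:
            problems.append(f"{name} should be {expected}")
        elif isinstance(expected, tuple) and value.upper() not in expected:
            problems.append(f"{name} should be one of {expected}")
    return problems


class RedirectTests(unittest.TestCase):
    ALLOWED = {"shop.example.com"}  # constructed allow-list

    def test_relative_path_and_allowed_host(self):
        self.assertTrue(safe_redirect_target("/account", self.ALLOWED))
        self.assertTrue(safe_redirect_target(
            "https://shop.example.com/cart", self.ALLOWED))

    def test_open_redirect_patterns_rejected(self):
        for bad in ("//other.example", "https://other.example/",
                    "javascript:void(0)", "/\\other.example", ""):
            self.assertFalse(safe_redirect_target(bad, self.ALLOWED), bad)


class HeaderTests(unittest.TestCase):
    def test_hardened_response(self):
        headers = {"Content-Security-Policy": "default-src 'self'",
                   "X-Content-Type-Options": "nosniff",
                   "X-Frame-Options": "DENY",
                   "Strict-Transport-Security": "max-age=31536000"}
        self.assertEqual(security_header_problems(headers), [])

    def test_weak_response(self):
        problems = security_header_problems({"X-Frame-Options": "ALLOWALL"})
        self.assertIn("missing content-security-policy", problems)
        self.assertIn(
            "x-frame-options should be one of ('DENY', 'SAMEORIGIN')", problems)


if __name__ == "__main__":
    unittest.main()
```

Because these are ordinary unittest cases, the existing CI job runs them with the rest of the suite and a failure blocks the merge; they also pin down the expected behaviour so a later refactor cannot silently loosen the redirect check or drop a header.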
Static Analysis Integration
[Diagram: static analysis integrated with the build. Labels: Build Environment; Integrate With Build; Execute Scan; Generate Report; Upload to Server; Reporting Server; Login; Audit and Re-upload; Developers; Fix Vulnerabilities; SA]
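Both the DAST integration and the static analysis integration above end in the same place: the scan produces a report, and the build has to decide whether to proceed or stop so developers fix the vulnerabilities. The following is an added example of that build-break gate, not code from the deck or from any vendor. It assumes a small adapter has normalised each tool's export into one finding shape; the ZAP-style and SAST-style records, the severity threshold and the accepted-risk list are constructed samples.

```python
"""Build-break gate over normalised scanner findings.

Added example, not from the deck. The adapters assume a simplified
ZAP-like alert (risk, name, url) and SAST-like issue (severity, rule_id,
path, line); real exports carry more fields. Sample records are constructed.
"""
from datetime import date

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def normalise_zap_alert(alert):
    """Map a ZAP-style alert onto the common finding shape."""
    return {"tool": "dast", "severity": alert["risk"].lower(),
            "rule": alert["name"], "location": alert["url"]}


def normalise_sast_finding(issue):
    """Map a SAST-style issue onto the common finding shape."""
    return {"tool": "sast", "severity": issue["severity"].lower(),
            "rule": issue["rule_id"],
            "location": f'{issue["path"]}:{issue["line"]}'}


def evaluate_gate(findings, fail_at="high", accepted_risks=(), today=None):
    """Decide whether the build passes.

    fail_at: lowest severity that breaks the build.
    accepted_risks: (rule, location, expires_on ISO date) tuples signed off
        by security; an expired acceptance no longer suppresses anything.
    today: ISO date string, defaults to the real date (parameter for tests).
    Returns {'passed', 'blocking', 'accepted', 'counts'}.
    """
    today = date.fromisoformat(today) if today else date.today()
    threshold = SEVERITY_RANK[fail_at]
    active = {(rule, loc) for rule, loc, exp in accepted_risks
              if date.fromisoformat(exp) >= today}
    blocking, accepted = [], []
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        counts[f["severity"]] += 1
        if SEVERITY_RANK[f["severity"]] < threshold:
            continue  # below the break threshold: reported, not blocking
        if (f["rule"], f["location"]) in active:
            accepted.append(f)
        else:
            blocking.append(f)
    return {"passed": not blocking, "blocking": blocking,
            "accepted": accepted, "counts": counts}


# Constructed sample records (not real tool output).
ZAP_ALERTS = [
    {"risk": "High", "name": "SQL Injection", "url": "https://app.test/search"},
    {"risk": "Medium", "name": "Missing Anti-clickjacking Header",
     "url": "https://app.test/"},
]
SAST_ISSUES = [
    {"severity": "High", "rule_id": "HARDCODED-SECRET",
     "path": "src/config.py", "line": 12},
    {"severity": "Low", "rule_id": "WEAK-RANDOM", "path": "src/util.py", "line": 88},
]
# Security signed off on the config.py finding until the given date.
ACCEPTED = [("HARDCODED-SECRET", "src/config.py:12", "2099-12-31")]


def run_gate():
    """Normalise both tools' output and apply the policy."""
    findings = ([normalise_zap_alert(a) for a in ZAP_ALERTS] +
                [normalise_sast_finding(i) for i in SAST_ISSUES])
    return evaluate_gate(findings, fail_at="high", accepted_risks=ACCEPTED)


if __name__ == "__main__":
    import sys
    result = run_gate()
    print("counts:", result["counts"])
    for f in result["blocking"]:
        print(f'BLOCK {f["severity"]} {f["tool"]} {f["rule"]} at {f["location"]}')
    sys.exit(0 if result["passed"] else 1)  # non-zero exit fails the CI job
```

The exit status is what the CI tool (Jenkins, TeamCity, etc.) reacts to; the counts dictionary is the summary worth uploading to the reporting server. Time-boxed acceptances matter: an accepted risk that never expires is how a "temporary" exception becomes permanent.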
Interactive Application Security Testing (IAST)
Accuracy without false positives
Testing is fast
Indifferent to the underlying framework
Vulnerability Management & Hybrid Analysis
[Diagram labels: Static Analysis; Dynamic Analysis; Security QA; VA/PT/IAST; Priority Fix]
Security Metrics & Data Analytics
[Chart: Training Index and Bug Index across Release 1 to Release 4; data labels 10, 20, 30, 40 and 110, 85, 71, 20; y-axis 0 to 120]
Bug Tracking System
Keep track of issue remediation
Workflow to automate issue creation & assigning ownership
Automated email alert to respective product owners
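The bug tracking workflow above has two parts that are easy to get wrong: filing a ticket once (not again on every re-scan) and routing it to the right product owner. Below is an added example of that workflow, not code from the deck or from any tracker's API. It assumes ownership is recorded as a path-prefix map (CODEOWNERS style) and returns ticket payloads and per-owner alert groupings instead of calling a real tracker or mail server; the findings and existing tickets are constructed samples.

```python
"""File scanner findings as tracker issues with an owner, without duplicates.

Added example, not from the deck. OWNERS is a constructed CODEOWNERS-style
prefix map; the functions return payloads rather than calling a real
tracker or sending mail, so they run offline.
"""

OWNERS = {  # constructed path prefix -> owning team
    "src/payments/": "payments-team",
    "src/": "platform-team",
    "infra/": "sre-team",
}
DEFAULT_OWNER = "security-champions"  # catch-all when no prefix matches


def owner_for(location):
    """Longest matching path prefix wins (src/payments/ beats src/)."""
    path = location.split(":", 1)[0]
    matches = [p for p in OWNERS if path.startswith(p)]
    return OWNERS[max(matches, key=len)] if matches else DEFAULT_OWNER


def issue_key(finding):
    """Dedup key so a re-scan does not file a second ticket for one issue."""
    return f'{finding["rule"]}@{finding["location"]}'


def sync_issues(findings, existing):
    """Return (created, reopened) ticket payloads.

    existing: dict issue_key -> ticket with a 'state' of 'open' or 'closed'.
    A finding with an open ticket is left alone; one whose ticket was
    closed is reopened as a regression; anything else becomes a new ticket.
    """
    created, reopened = [], []
    for f in findings:
        key = issue_key(f)
        ticket = existing.get(key)
        if ticket is None:
            created.append({"key": key, "owner": owner_for(f["location"]),
                            "severity": f["severity"],
                            "title": f'{f["rule"]} in {f["location"]}',
                            "state": "open"})
        elif ticket["state"] == "closed":
            reopened.append(dict(ticket, state="open",
                                 note="regression: reported again after closure"))
    return created, reopened


def alerts_by_owner(tickets):
    """Group ticket keys per owner: one email alert per product owner."""
    grouped = {}
    for t in tickets:
        grouped.setdefault(t["owner"], []).append(t["key"])
    return grouped


# Constructed sample input (not real scanner or tracker data).
FINDINGS = [
    {"rule": "SQLI-001", "location": "src/payments/refund.py:40", "severity": "high"},
    {"rule": "XSS-002", "location": "src/web/search.py:12", "severity": "medium"},
    {"rule": "TLS-005", "location": "infra/nginx.conf:3", "severity": "high"},
    {"rule": "MISC-009", "location": "docs/README.md:1", "severity": "low"},
]
EXISTING = {
    "XSS-002@src/web/search.py:12": {
        "key": "XSS-002@src/web/search.py:12", "owner": "platform-team",
        "severity": "medium", "state": "open"},
    "TLS-005@infra/nginx.conf:3": {
        "key": "TLS-005@infra/nginx.conf:3", "owner": "sre-team",
        "severity": "high", "state": "closed"},
}

if __name__ == "__main__":
    created, reopened = sync_issues(FINDINGS, EXISTING)
    for t in created:
        print("create ", t["key"], "->", t["owner"])
    for t in reopened:
        print("reopen ", t["key"], "->", t["owner"], "(" + t["note"] + ")")
    print("alerts:", alerts_by_owner(created + reopened))
```

On the sample data the SQL injection in src/payments/ goes to payments-team, the docs finding falls through to the security champions, the open XSS ticket is not duplicated, and the closed TLS ticket is reopened as a regression rather than filed again, which is what keeps the remediation history in one place.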
Limitations & Challenges
Not all manual tests can be automated
Test automation is not sequenced
Stay Tuned...
DevOps Security - Part 2
-- An insight into Security Operation
Suman Sourav @SumanS0urav
https://sg.linkedin.com/in/sumansourav