3 Experts in Security
Webinar, June 14, 2017
Brought to you by Vivit’s Security and Privacy SIG
➢ Non-profit organization started by customers in 1993.
➢ Over 40,000 members worldwide.
➢ Your only source of information on HPE Software that is completely unbiased, uncensored and field-tested
➢ Vivit is not just for practitioners, but managers and executives, too.
50% practitioners, 50% in decision-making roles
Melillo Consulting
17 May 2017 – Event Sponsor
We have seen the trends and navigated the evolution of technology for the last 30 years
Today we find ourselves in a position to help our customers now & into the future.
We focus on creating long-term relationships & providing amazing results –
Melillo Consulting can deliver.
Today’s Speakers
Todd DeCapua (CSC): http://www.linkedin.com/in/todddecapua/
Scott Laderer (Melillo Consulting): http://www.linkedin.com/in/scott-laderer-sr-085467/
Stan Wisseman (HPE): http://www.linkedin.com/in/stan-wisseman-3b7ab/
Jeffrey Payne (Coveros): http://www.linkedin.com/in/jeffery-payne-21373/
Neil Christie (SageNet): https://www.linkedin.com/in/nechristie/
Webinar Housekeeping
• This “LIVE” session is being recorded
• Recordings are available to all Vivit members
• To enlarge the presentation screen, click on the rectangle in the upper right hand corner of the Presentation pane
Webinar Control Panel
• Session Q&A:
Please type questions in the Q&A pane and click on “Ask”
• Choose the language in which you would like to ask your questions
Agenda
• Topic 1: "The true state of security in DevOps", Stan Wisseman, HPE Security Strategist
• Topic 2: "Securing DevOps: How to Integrate Security into DevOps Processes", Jeff Payne, Founder & CEO of Coveros
• Topic 3: "So, you think your application is secure. Now what?", Neil Christie, Director of Cybersecurity Operations at SageNet
The true state of security in DevOps
Stan Wisseman, Security Strategist. Security & Information Governance [Stan.Wisseman@hpe.com]
DevOps – Definition, Principles and Benefits
DevOps: a practice that emphasizes the collaboration and communication between software developers and IT professionals, with the goal of automating the process of software delivery and infrastructure changes.
Principles
• Develop and test in an environment similar to production
• Deploy builds frequently
• Automate the process of delivering software
• Validate quality continuously
Benefits
• Faster time to value
• Faster time to market with higher quality
• Stay ahead in a competitive environment
The study: DevOps and Application Security Research
Project Goal
• Assess the general habits, practices and tools used by those practicing DevOps
• Identify the current state of application security practices within DevOps organizations
Methodology
• 500+ quantitative surveys
• Developer and IT Ops qualitative surveys
• Qualitative interviews with security practitioners and executives
HPE, “AppSec and DevOps research survey: What’s the true state of application security in DevOps environments?” October 2016.
DevOps is gaining Momentum
Why is security being left behind?
HPE, “AppSec and DevOps research survey: What’s the true state of application security in DevOps environments?” October 2016.
The right approach for the new SDLC – Build it in
1. Secure Development: continuous feedback on the developer's desktop at DevOps speed
2. Security Testing: embed scalable security into the development tool chain
3. Continuous Monitoring and Protection: monitor and protect software running in Production
Improve SDLC Policies
This is application security for the new SDLC
End to End Application Security (diagram across Design, Code, Test, Integration & Staging and Production): Fortify SCA and SecAssistant for static analysis during Application Development, WebInspect for dynamic testing, App Defender for runtime protection in Production under IT Operations; available on-premise or on-demand (Fortify on Demand).
© COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 15
Agility. Security. Delivered.
Integrating Security Into DevOps
Jeffery Payne
Founder & CEO
Coveros, Inc.
@jefferyepayne
About Coveros
• Coveros helps organizations build and deliver secure software using agile methods.
Best Practice #1: Continuous Security
Security analysis and testing must be part of your continuous integration process if you are going to successfully build releasable software on a daily basis
• Lightweight code analysis performed on local development environments prior to code check-ins
• Code analysis and unit level security testing performed as part of check-in builds
• Integrate more detailed secure code analysis and security testing into your hourly/nightly integration and regression testing
Best Practice #2: Push Security Left
The more security testing and compliance that can be performed as part of QA in Sprints, the faster your release process will be
• Risk-based security testing
• Open source versions / licensing
• Compliance checks, tests and reviews
• On-going penetration testing and system testing if possible
Best Practice #3: Secure Your Toolchain
DevOps automation provides a vehicle for malicious code to move into production
• Move to Infrastructure as Code shifts security challenge from environments to code that creates environments
• Security should focus on BOTH code and provisioned environments to provide defense in depth
• Containers must be analyzed & monitored so malcode isn’t along for the ride
Best Practice #4: Security Team in DevOps
Security teams need to be part of DevOps teams to be productive!
• Security personnel must be integrated into DevOps teams and work day to day with developers, testers, and release managers to assure the proper security analysis (automated AND manual) is performed frequently
• The security team's role shifts from running security tools to continuous review of assurance and testing results, triage with DevOps teams, and assuring that any critical security defects are fixed
Security in the Delivery Process
(Diagram of the delivery process with Fortify SCA, WebInspect and App Defender placed along it.)
SecureCI (diagram of the components around the CI Server):
• Source code control
• Build management
• Automated unit & acceptance testing
• Automated integration and system testing
• Code analysis & metrics
• Quality dashboard
• Repository & lifecycle security assurance
• Security testing
• Load & stress testing
Thank You!
Jeffery Payne
@jefferyepayne
So, you think your application is secure. Now what?
Neil Christie, Director of Cybersecurity Operations
www.sagenet.com © 2017 SageNet Not for redistribution without permission.25
Agenda
• Review of core security principles
• Architecture documentation
• Event Logs
• Access Control
• Configuration Management
• Encryption
• Penetration Testing
Cybersecurity Core Principles
People
• Appropriate skill set: leadership & technical delivery
• Enough staff resources
• Security specific roles
• Security Operations Center
• 24x7 capability
Technology
• Appropriate toolset
• Security monitoring and investigation: SIEM
• Perimeter defenses: UTM, firewall, IDS, IPS
• Internal defenses: network segmentation, antivirus
• Other: access control, Data Loss Prevention, web & mail filter
Process
• Comprehensive security policy & enforcement
• Best practices security framework (ISO 27001/27002, NIST 800-53)
• Compliance requirements
• Security Operations
• Regular assessment/pen tests
• Incident Response
• Awareness & Education
Architecture Documentation
• Data flows
• Ports used
• System names
• Security components depicted
• Supports the following:
– Compliance
– Architecture reviews
– Micro segmentation
– Etc.
Event Logs
• Audit Policy setting of device for Operating System level monitoring
• Application logs for application level visibility
• Key application files need to be documented for File Integrity Monitoring
SageNet managed logging architecture (diagram):
• Customer Environment: log sources (servers, routers, security appliances, desktops, web services, databases, access points) feed a SageNet Logger
• SageNet Logger: aggregates machine data at each location; securely transmits data to the SIEM; stores data in the event of a WAN outage and forwards it when back online; can provide local vulnerability scanning
• VPN over Internet to the SageNet AWS Platform (shared or private environment) running SIEMonster
• SageNet SOC: SOC engineers review and evaluate alerts; provide context (i.e. eliminate false positives); forward alerts as defined by standard operating procedures
• Customer Security Operations Team/Personnel: alerts automatically sent to the customer per SOP; after SageNet SOC review, alerts sent to the customer per SOP; periodic evaluation and tuning of alerts between the customer and the SageNet SOC
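The third bullet above says key application files must be documented before File Integrity Monitoring can work. The following is an added example (not SageNet's or the webinar's code) of the check that such an inventory drives: a baseline of SHA-256 digests over the documented files, then a comparison that reports created, modified and deleted files. The file paths and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, monitored):
    """Record a digest per documented file; an absent documented file is recorded as None."""
    baseline = {}
    for rel in monitored:
        p = os.path.join(root, rel)
        baseline[rel] = sha256_of(p) if os.path.isfile(p) else None
    return baseline

def check_integrity(root, baseline):
    """Compare the current state with the baseline and return (file, event) alerts."""
    alerts = []
    for rel, expected in baseline.items():
        p = os.path.join(root, rel)
        current = sha256_of(p) if os.path.isfile(p) else None
        if current == expected:
            continue  # unchanged, or still absent: nothing to report
        if expected is None:
            alerts.append((rel, "created"))
        elif current is None:
            alerts.append((rel, "deleted"))
        else:
            alerts.append((rel, "modified"))
    return alerts

def demo():
    """Constructed scenario (hypothetical paths): baseline, then tamper with one file and delete another."""
    root = tempfile.mkdtemp()
    monitored = ["app/config.ini", "app/bin/server", "app/hooks/post-deploy.sh"]
    for rel in monitored[:2]:  # the third documented file does not exist yet
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as f:
            f.write("original content of " + rel)
    baseline = build_baseline(root, monitored)
    with open(os.path.join(root, "app/config.ini"), "a") as f:
        f.write("\ndebug=true")                       # unauthorized config change
    os.remove(os.path.join(root, "app/bin/server"))   # binary removed
    return sorted(check_integrity(root, baseline))
```

In practice the baseline would be stored off-host and the alerts forwarded to the SIEM like any other event source.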
Access Control
• Separation of Duties should be considered
• Two factor authentication (2FA) for administration activities
• Network Segmentation whenever possible (PCI scope, etc.)
• High risk application functions should consider 2FA
• RBAC for applications
• Test privilege separation
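An added example, not from the presentation, that ties together three of the bullets above: RBAC for an application, a 2FA requirement on high-risk functions, and a privilege-separation test that exercises every user/permission pair. The role model, permissions and users are all constructed for the example.

```python
# Hypothetical application RBAC model; roles and permissions are constructed.
ROLE_PERMISSIONS = {
    "viewer":  {"report:read"},
    "analyst": {"report:read", "report:export"},
    "admin":   {"report:read", "report:export", "user:manage", "config:write"},
}
# High-risk functions that require a verified second factor even for an authorized role.
HIGH_RISK = {"report:export", "user:manage", "config:write"}

class AccessDenied(Exception):
    pass

def authorize(user, permission):
    """Deny by default: an unknown role has no permissions, and a high-risk
    permission is refused unless the session completed 2FA."""
    allowed = ROLE_PERMISSIONS.get(user.get("role"), set())
    if permission not in allowed:
        raise AccessDenied(f"{user['name']} ({user.get('role')}) lacks {permission}")
    if permission in HIGH_RISK and not user.get("mfa_verified", False):
        raise AccessDenied(f"{permission} requires 2FA for {user['name']}")
    return True

def privilege_separation_matrix(users, permissions):
    """Exercise every (user, permission) pair; the resulting table is what a
    'test privilege separation' step reviews against the intended design."""
    results = {}
    for u in users:
        for p in permissions:
            try:
                authorize(u, p)
                results[(u["name"], p)] = "allow"
            except AccessDenied:
                results[(u["name"], p)] = "deny"
    return results

# Constructed test users: one per role, one admin without 2FA, one with an undefined role.
CONSTRUCTED_USERS = [
    {"name": "vera", "role": "viewer", "mfa_verified": False},
    {"name": "ann", "role": "analyst", "mfa_verified": True},
    {"name": "adam", "role": "admin", "mfa_verified": False},
    {"name": "ghost", "role": "contractor", "mfa_verified": True},
]
ALL_PERMISSIONS = sorted(set().union(*ROLE_PERMISSIONS.values()))

def run_matrix():
    return privilege_separation_matrix(CONSTRUCTED_USERS, ALL_PERMISSIONS)

def allowed_count(results):
    """Number of allowed cells; an unexplained increase after a change is a separation regression."""
    return sum(1 for v in results.values() if v == "allow")
```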
Configuration Management
• Operating System hardening guidelines
• Security systems installed and configured
• Patch management process
• Monitoring and/or recertification process
Encryption
• Ensure that application is using encryption where possible
– TLS 1.2 for connection encryption to web interface
– Database encryption
– Communication between systems should be encrypted where possible
Penetration Testing
• Regular testing required under most compliance programs
• Scope is important
– Test infrastructure
– Test any security controls in place
– Test role based access controls
– Red Team/Blue Team (Purple teaming)
Protect 2017 – Register through Vivit’s URL for Discount
Register by June 21 for HPE’s premier security event of the year and save $200. Protect 2017 takes place September 11-13 at the Marriott Wardman Park in Washington, D.C. Security at the speed of innovation.
✓ 3 days of content, education and networking in a highly immersive and interactive setting.
✓ HPE’s security vision and roadmap
✓ Dozens of sessions and hands-on demos targeted at managing digital risk in all forms
✓ Up to 24 CPE credits at a deep discount
✓ Onsite support from the engineers who build our security solutions
✓ Partner speed dating, cyber games, networking activities
✓ 1:1 meetings with HPE security executives, targeted at your specific needs
Register Now https://software-events.ext.hpe.com/protectindex?utm_social=vivit
Thank you
• Complete the short survey enclosed to improve Vivit’s SIG Webinars
www.vivit-worldwide.org
Thank You