

Security Automation in Agile SDLC
Real World Cases
Ofer Maor
Director of Security Strategy, Synopsys

AppSec California, January 2016

Speaker

• Security Strategy at Synopsys
• Founder of Seeker / Pioneer of IAST
• Hacker at Heart
• Longtime OWASPer
• Over 20 Years in Cybersecurity
• Avid Photographer

Yes, Agile can bite…

• Too Much Data
• Security by Developers
• Short Cycles
• Rapid Delivery
• Prioritizing Risk
• Understanding the Pain

The Agile Security Challenge™

Automation
Automated, Continuous, Practical Testing

Case I

Insurance Company Transforming to Agile

Case I

Background

Insurance Company
Agile Maturity: In Transition
Automation Maturity: Starting
AppSec Maturity: Medium

• Insurance company, home-grown apps
• ~15 different systems (Customer/Agent/Internal)
• Varying level of agile maturity & transformation
• CI-Only to Full-Agile
• Focus on new systems

Case I

Challenges


• Limited security background for developers, no existing process
• Different “Agile Maturity” – No one process fits all
• Insufficient test automation (coverage)
• Limited security resources
• Strong regulatory requirements
• Various technologies (.Net, Java, Legacy MF, more…)

Case I

Process


• Creating strong cooperation (R&D/DevOps/Security)
• Security visibility into R&D bugs
• Weekly approval committee
• R&D Training (Basic!)
• Risk Policy (adapting risks, “High” only blocks)
• Multiple output channels (tickets, reports, etc.)

Case I

Existing CI/DevOps


• CI – Jenkins. Pulls code from Java/.NET repositories
• Ticket Tracking – HP QC
• Static Analysis (mainly for quality). Not integrated into the process
• Artifacts deployed to test env (permanent – static)
• Test automation – basic (in progress)
• Functionality testing – mostly manual

Case I

Security Automation


• Integrate to launch from CI
• Integration with both automated (speed) and manual testing (coverage)
• Multiple Outputs:
  • Jenkins Integration – “High” breaks build (response + HTML data)
  • QC Integration – Bug Tracking and Remediation
  • PDF Report – for auditing and committee review

Case II

UK Retailer, Established Agile Shop

Case II

Background

UK Retailer
Agile Maturity: High
Automation Maturity: High
AppSec Maturity: Low

• UK Retailer with eCommerce Platform
• Single Platform, 5 “Flavors” (Customer facing)
• “Run of the mill” Agile Shop:
  • Scrum based
  • 3-week long sprints. Strict enforcement
  • Strong automation

Case II

Challenges

• Response to an incident
• Minimal existing security
• No security background for developers
• Limited security resources
• No existing process between security & R&D
• Very strict 3-week sprints


Case II

Process

• Process driven by R&D, with security supervision
• Security “Workflow” created, testing once a week
• Weeks 1 & 2 to identify vulnerabilities in new code
• Week 3 test provides verification
• Breaking (Medium or higher) on verification – feature pushed out of version
• Weekly reports (PDF) to security group for auditing


Case II

Existing CI/DevOps

• CI – Jenkins
• Ticket Tracking – JIRA
• All test environments run in the cloud (Amazon)
• Dynamic orchestration of test env – new environments every week (4 servers/instance)
• Automated deployment of build artifacts alongside testing framework (Selenium)
• Daily execution of test automation (functionality)


Case II

Security Automation

• Dedicated security environment
• Adaptation of orchestration scripts (for deploying security testing software)
• Integration with Selenium
• Weekly orchestration of test environment and execution of tests
• Tests integrated into CI – HTML reports for Jenkins viewing
• PDF Reports for processing and audit


Case III

eCommerce Giant, Continuous Delivery

Case III

Background

eCommerce Giant
Agile Maturity: Very High
Automation Maturity: Very High
AppSec Maturity: Very High

• In Top 10 largest eCommerce sites
• Following a long, cross-organization “Agile Transformation” process
• Highly advanced Agile/DevOps process
• Modular site with multiple front-end and back-end components
• Hundreds of engineers (Dev, QA, DevOps, etc.)
• Heavy investment in security – already using various tools

Case III

Challenges

• Introduction of security automation in QA/DevOps
• Multiple components for multiple teams
• Extremely dynamic testing environments (dynamically orchestrated and changing)
• Home-Grown DevOps – Cloud, CI, Testing, Orchestration, etc.
• Highly Agile/Rapid environment – Continuous Delivery with daily artifacts
• Security cannot be involved in the daily process


Case III

Process

• Process initiated by the security group, with DevOps cooperation
• QA/DevOps training on process (rather than security)
• Security tests run as part of other testing, on a daily basis
• Prioritization policy – “Medium” or higher blocks. “Low” scheduled for next version
• Verification Metrics – Usage of another tool in production – must return clean
• Security group supervises the process and has visibility into reports
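A worked example, added here and not part of the slides, of the severity-based break policies the three cases describe (Case I: “High” only blocks; Case II: “Medium” or higher blocks on verification; Case III: “Medium” or higher blocks and “Low” is scheduled for the next version): a small CI gate that reads a findings report, decides whether to break the build, and groups findings by component for the per-team ticket delivery of Case III. The report format, finding ids, component names and policy names are constructed assumptions, not any scanner's real output.

```python
# Added example: a CI security gate applying the break policies from the three
# cases. The findings report below is constructed for this example; a real
# scanner export would be mapped onto the same fields (id, severity, component).
import json
import sys

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Per-case policy (assumed names): the lowest severity that breaks the build,
# and whether findings below that line are deferred to the next version.
POLICIES = {
    "case1": {"block_at": "High", "defer_below_block": False},
    "case2": {"block_at": "Medium", "defer_below_block": False},
    "case3": {"block_at": "Medium", "defer_below_block": True},
}

# Constructed sample report (not real findings).
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "F-1", "severity": "High", "component": "checkout", "title": "SQL injection in search"},
    {"id": "F-2", "severity": "Medium", "component": "account", "title": "Missing CSRF token"},
    {"id": "F-3", "severity": "Low", "component": "checkout", "title": "Verbose server header"},
]})


def evaluate(report_json, policy_name):
    """Return (break_build, blocking_ids, deferred_ids, ids_per_component)."""
    policy = POLICIES[policy_name]
    threshold = SEVERITY_RANK[policy["block_at"]]
    blocking, deferred, per_component = [], [], {}
    for finding in json.loads(report_json)["findings"]:
        # Fail closed on an unknown severity label so a renamed or missing
        # severity can never slip past the gate silently.
        if finding["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {finding['severity']!r} in {finding['id']}")
        if SEVERITY_RANK[finding["severity"]] >= threshold:
            blocking.append(finding["id"])
        elif policy["defer_below_block"]:
            deferred.append(finding["id"])
        # Case III delivers tickets per team, so group every finding by component.
        per_component.setdefault(finding["component"], []).append(finding["id"])
    return bool(blocking), blocking, deferred, per_component


def main():
    break_build, blocking, deferred, per_component = evaluate(SAMPLE_REPORT, "case3")
    for component, ids in per_component.items():
        print(f"ticket batch for {component}: {ids}")
    print("blocking:", blocking, "deferred to next version:", deferred)
    sys.exit(1 if break_build else 0)  # non-zero exit is what fails the CI job


if __name__ == "__main__":
    main()
```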


Case III

Existing CI/DevOps

• Homegrown CI/Orchestration/Cloud
• Ticket Tracking – JIRA
• Daily builds creation
• Daily creation of cloud environments with various server roles and elastic scaling
• Daily orchestration of latest builds and latest test automation versions
• Hybrid Automation – Selenium for web/front-end, Homegrown for WS


Case III

Security Automation

• Orchestration adapted to deploy security testing software as part of existing testing env
• Full CI integration
• All existing automation directed to integrate with security testing
• Security tests run daily
• Full JIRA bug tracking integration – with automated delivery per team
• Running of additional blackbox scanner on production for reverification


Thank You!

Questions?
