Quality health plans & benefits | Healthier living | Financial well-being | Intelligent solutions

DJ Schleen, February 13, 2017
Implementing DevOps in a Regulated Environment
@dschleen
© 2017 Aetna Inc.
Let’s bust out some walls and install some windows…
The Aetna Landscape

The seeds of DevOps are germinating everywhere:
• 3,500+ developers
• 1,500+ applications
• Multiple deployment platforms and development languages
• Robust software security program and training programs
• Formerly a “waterfall” organization, but evolving people and resources to support DevOps
• Mature DevOps practices in some facets of the organization and subsidiaries
• Evolving legacy apps to support microservice design principles and containerization
The Aetna Journey

• The evolution of our SDLC from Waterfall to DevOps
• Integration of our Software Security Program into our CI/CD process, specifically:
  ─ Automated static code analysis
  ─ Container vulnerability scanning
  ─ Identifying and remediating AWS security risk
• How we measure ourselves and map security controls to compliance
• Observations and benefits of DevOps/DevSecOps
• Constantly learning, improving, and re-evaluating
Aetna’s Traditional Approach

Lifecycle phases: Requirements → Design → Development → Test → Production

Preventative (Requirements and Design):
1. Set project expectations: secure from the start (per archetype)
2. Define security blueprints: archetype-specific patterns and secure-by-design components
• Application Risk Classification
• Security Requirement Definition
• Threat Modeling (assets, attack vectors, threats; ex: all data input by users must be validated)
• Secure Application Design
• Security Libraries & Frameworks
• Secure Coding Guidelines
• Software Security Training (role-based curriculum)

Detective (Development and Test): conduct application security testing on deployed configurations
• Static Analysis
• Open Source Analysis
• Dynamic Assessment
• Threat-Based Pen Test

Production: identification & proactive protection against security vulnerabilities in production
• Continuous Perimeter Assessment
• Web Application Firewalls
• Automated Attack/Bot Defense
DevOps and Security – an Unprecedented Opportunity

• Automation/tool integration
• Transparency
• Increased collaboration
• Consistent adoption
• Continual feedback
• Remediation efficiency
• Release gating
• Resiliency & scalability (microservices/containers)
DevOps/Security Program Integrated: iterative, automated, efficient

Cross-cutting: Role-Based Software Security Training; Security Mavens (security-trained developers and operations); Continuous Monitoring, Analytics, and KPI Gathering

Requirements & Design:
• Application Risk Classification
• Security Requirement Definition
• Threat Modeling (lightweight threat modeling approach)
• Secure Coding Standards
• AEFW/Secure Libraries
• Static Analysis (IDE)

Dev / CI (triggered from SCM):
• Static Analysis (CI)
• Open Source Governance (CI)
• Container Security Scanning (CI)

Interval-Triggered Assessments: detailed manual assessments triggered automatically at an appropriate interval; detached from the release cycle
• Dynamic Assessment
• Threat-Based Pen Test
• Application Red Team

Production:
• Perimeter Assessment
• Web Application Firewalls
• Automated Attack/Bot Defense
• Container Security Management
Static Code Analysis and Gated Check-ins

Flow: Code feature → Check in (commit or pull request) → Successful build → Security scan (against thresholds) → Feedback to the developer

Goal: improve code security
• Move to a fully integrated and automated state
• Push static code analysis (SCA) to the build platform, triggered by commits/merges
• Use thresholds to “stop the bleeding”
• Measure defect density (1 high vulnerability in 10,000 LOC)
• Automate threshold reduction as vulnerabilities in code decrease
• Be as unobtrusive as possible to developers
• Mandatory security control
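The two ideas on this slide, a density threshold that is ratcheted down as the code improves and a hard stop on newly introduced findings, fit in a small gate script that CI runs after the scan. The block below is an added example written for this page, not Aetna’s tooling; it assumes the SAST tool exports findings as JSON with `severity`, `rule` and `file` fields and that the build knows its scanned line count. Both reports and the starting threshold are constructed.

```python
"""CI security gate over static analysis output: defect density + ratcheting threshold.

Added example; not Aetna's tooling. Assumes the SAST tool exports findings as
JSON with 'severity', 'rule' and 'file' fields and that CI knows the scanned
line count. The two reports below are constructed.
"""
import json
import sys

# Density is gated-severity findings per 10,000 lines of code, the unit used
# on the slide ("1 high vulnerability in 10,000 LOC").
DENSITY_UNIT = 10_000
GATED_SEVERITIES = {"critical", "high"}

# Constructed SAST export for the current build (the format is an assumption).
CURRENT_REPORT = {
    "lines_of_code": 12_500,
    "findings": [
        {"severity": "high", "rule": "sql-injection", "file": "src/db.py", "line": 42},
        {"severity": "high", "rule": "path-traversal", "file": "src/files.py", "line": 17},
        {"severity": "medium", "rule": "weak-hash", "file": "src/auth.py", "line": 88},
        {"severity": "low", "rule": "debug-enabled", "file": "src/app.py", "line": 3},
    ],
}
# Constructed export from the last build on the main branch.
BASELINE_REPORT = {
    "lines_of_code": 12_400,
    "findings": [
        {"severity": "high", "rule": "sql-injection", "file": "src/db.py", "line": 40},
        {"severity": "medium", "rule": "weak-hash", "file": "src/auth.py", "line": 88},
    ],
}


def gated(findings):
    """Findings whose severity is subject to the gate."""
    return [f for f in findings if f["severity"].lower() in GATED_SEVERITIES]


def defect_density(report):
    """Gated findings per 10,000 LOC."""
    loc = report["lines_of_code"]
    if loc <= 0:
        raise ValueError("lines_of_code must be positive")
    return len(gated(report["findings"])) * DENSITY_UNIT / loc


def new_gated_findings(baseline, current):
    """Gated findings in `current` whose (rule, file) pair is absent from `baseline`.

    Line numbers are ignored so that unrelated edits that shift code do not
    turn an old finding into a "new" one.
    """
    seen = {(f["rule"], f["file"]) for f in gated(baseline["findings"])}
    return [f for f in gated(current["findings"]) if (f["rule"], f["file"]) not in seen]


def ratchet(threshold, density, floor=0.1):
    """Next build's threshold: follows the density down, never up, never below `floor`."""
    return max(floor, min(threshold, density))


def evaluate(baseline, current, threshold):
    """Gate decision for one build.

    "Stop the bleeding" means a change may never add a gated finding, even while
    the legacy density is still above the floor; the density threshold then
    burns the backlog down over successive builds.
    """
    density = defect_density(current)
    introduced = new_gated_findings(baseline, current)
    passed = density <= threshold and not introduced
    return {
        "density": density,
        "introduced": introduced,
        "passed": passed,
        "next_threshold": ratchet(threshold, density) if passed else threshold,
    }


if __name__ == "__main__":
    # The previous threshold is an assumption here; in CI read it from stored state.
    result = evaluate(BASELINE_REPORT, CURRENT_REPORT, threshold=2.0)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["passed"] else 1)
```

Run as a build step, the non-zero exit fails the pipeline; the `next_threshold` value is what you persist (in the build system or alongside the baseline report) so that the bar only moves in one direction. Matching on rule and file rather than line keeps the diff stable across refactors, at the cost of missing a second instance of the same rule in the same file; a tool-provided fingerprint is better when the scanner offers one.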
Container Vulnerability Scanning

Goal: ensure our containers are current and vulnerability free
• Use the CIS Docker Benchmark as a guideline
• Initially attempted to script and automate the audit checks
• Identified commercial software to provide:
  ─ Automated CIS Docker Benchmark checks
  ─ Container and repository vulnerability scanning
  ─ Security policy enforcement
  ─ Runtime policy enforcement
  ─ Real-time threat intelligence
  ─ Specific guidance for HIPAA compliance
• Mandatory for any container host deployed enterprise-wide
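The “script the audit checks” stage the slide mentions is mostly a matter of reading `docker inspect` output and comparing a handful of `HostConfig` fields against the benchmark. The block below is an added example for this page, not Aetna’s scripts or the vendor product the slide refers to. It assumes you feed it the JSON array that `docker inspect <container>` prints; the two container documents are constructed, and the check ids follow the 2017 numbering of the CIS Docker Benchmark (section 4 for container images, section 5 for container runtime) and should be re-checked against the version you are assessed on.

```python
"""CIS Docker Benchmark spot checks evaluated over `docker inspect` output.

Added example, not Aetna's scripts or the vendor product on the slide.
Assumes the JSON array printed by `docker inspect <container>`; the two
documents below are constructed. Check ids follow the 2017 CIS Docker
Benchmark numbering and must be verified against your assessed version.
"""
import json

# Constructed `docker inspect` output for a risky container (only the fields used here).
RISKY = json.dumps([{
    "Name": "/legacy-app",
    "Config": {"User": ""},
    "HostConfig": {
        "Privileged": True,
        "NetworkMode": "host",
        "PidMode": "host",
        "Memory": 0,
        "ReadonlyRootfs": False,
        "SecurityOpt": None,
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/data:/data"],
    },
}])

# The same container after remediation (also constructed).
HARDENED = json.dumps([{
    "Name": "/legacy-app",
    "Config": {"User": "app"},
    "HostConfig": {
        "Privileged": False,
        "NetworkMode": "default",
        "PidMode": "",
        "Memory": 536870912,
        "ReadonlyRootfs": True,
        "SecurityOpt": ["no-new-privileges"],
        "Binds": ["/data:/data"],
    },
}])


def _mounts_docker_socket(binds):
    """True when any bind mount exposes the host's Docker socket."""
    return any(b.split(":")[0] == "/var/run/docker.sock" for b in binds or [])


def _no_new_privileges(security_opt):
    """Accept both the bare flag and the 'no-new-privileges:true' spelling."""
    return any(opt.startswith("no-new-privileges") for opt in security_opt or [])


# (check id, title, predicate returning True when the container passes)
CHECKS = [
    ("4.1", "container runs as a non-root user",
     lambda c: c["Config"].get("User", "") not in ("", "root", "0")),
    ("5.4", "privileged containers are not used",
     lambda c: not c["HostConfig"].get("Privileged", False)),
    ("5.9", "host network namespace is not shared",
     lambda c: c["HostConfig"].get("NetworkMode") != "host"),
    ("5.10", "memory usage is limited",
     lambda c: c["HostConfig"].get("Memory", 0) > 0),
    ("5.12", "root filesystem is mounted read-only",
     lambda c: bool(c["HostConfig"].get("ReadonlyRootfs", False))),
    ("5.15", "host process namespace is not shared",
     lambda c: c["HostConfig"].get("PidMode") != "host"),
    ("5.25", "container cannot acquire additional privileges",
     lambda c: _no_new_privileges(c["HostConfig"].get("SecurityOpt"))),
    ("5.31", "Docker socket is not mounted inside the container",
     lambda c: not _mounts_docker_socket(c["HostConfig"].get("Binds"))),
]


def audit_container(container):
    """Return the ids of the checks one parsed inspect document fails."""
    return [cid for cid, _title, ok in CHECKS if not ok(container)]


def audit_inspect_output(inspect_json):
    """Map container name -> failed check ids for the array `docker inspect` prints."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}


if __name__ == "__main__":
    titles = {cid: title for cid, title, _ in CHECKS}
    for label, doc in (("before", RISKY), ("after", HARDENED)):
        for name, failed in audit_inspect_output(doc).items():
            print(f"[{label}] {name}: {'PASS' if not failed else 'FAIL'}")
            for cid in failed:
                print(f"    {cid} {titles[cid]}")
```

A loop over `docker ps -q | xargs docker inspect` gives you the same report for every container on a host; a CI variant runs the checks against the compose or run arguments before the image is ever started. Runtime checks like these complement, rather than replace, the image vulnerability scanning the slide lists separately.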
AWS Infrastructure Risk

Goal: identify and reduce AWS infrastructure risk
• Use the CIS AWS Foundations Benchmark as a guideline
• Initially scripted and automated the checks via the AWS CLI
• Moved to a vendor-provided platform that streamlines and optimizes vulnerability and risk management for AWS
• Continuously monitor our configured AWS accounts
• Automatically identify security misconfigurations
• Rapidly mitigate risk through guided remediation
• Mandatory for any Aetna or affiliate AWS account
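The “scripted via the AWS CLI” phase the slide describes amounts to pulling account state with the CLI and evaluating benchmark rules over it. The block below is an added example for this page, not Aetna’s scripts or the vendor platform; it assumes the output shapes of `aws iam get-credential-report` (the `Content` field, base64 CSV, shown here already decoded), `aws cloudtrail describe-trails` and `aws ec2 describe-security-groups`. Every sample is constructed, `NOW` is pinned so the result is reproducible, and the check ids follow CIS AWS Foundations Benchmark v1.1.0 and should be re-checked against the version you are assessed on.

```python
"""CIS AWS Foundations Benchmark spot checks over AWS CLI output, evaluated offline.

Added example; not Aetna's scripts or the vendor platform on the slide.
Assumes the shapes of `aws iam get-credential-report` (decoded CSV),
`aws cloudtrail describe-trails` and `aws ec2 describe-security-groups`.
All samples are constructed; check ids follow CIS AWS Foundations v1.1.0.
"""
import csv
import io
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2017, 2, 13, tzinfo=timezone.utc)  # pinned for a reproducible example
STALE = timedelta(days=90)

# Constructed credential report (real reports carry more columns; lookup is by header).
CREDENTIAL_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,true,2017-02-10T08:00:00+00:00,false,true,2015-01-01T00:00:00+00:00,2017-02-01T00:00:00+00:00
alice,arn:aws:iam::123456789012:user/alice,true,2017-02-12T09:00:00+00:00,true,true,2017-01-15T00:00:00+00:00,2017-02-12T00:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,true,2016-09-01T00:00:00+00:00,false,true,2016-06-01T00:00:00+00:00,2016-09-01T00:00:00+00:00
"""
TRAILS = json.dumps({"trailList": [
    {"Name": "mgmt", "HomeRegion": "us-east-1", "IsMultiRegionTrail": False, "LogFileValidationEnabled": False},
]})
SECURITY_GROUPS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-4e5f6a7b", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]})


def _when(value):
    """Parse a report timestamp; 'N/A', 'no_information' and '' mean unknown."""
    try:
        return datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def _stale(value):
    when = _when(value)
    return when is not None and NOW - when > STALE


def check_credential_report(report_csv):
    """Return sorted (check id, user) pairs for failed IAM credential checks."""
    failed = set()
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        has_password = row["password_enabled"] == "true"
        has_key = row["access_key_1_active"] == "true"
        if has_password and row["mfa_active"] != "true":
            failed.add(("1.13" if is_root else "1.2", user))  # MFA on root / console users
        if has_password and _stale(row["password_last_used"]):
            failed.add(("1.3", user))                          # credentials unused 90+ days
        if has_key and _stale(row["access_key_1_last_used_date"]):
            failed.add(("1.3", user))
        if has_key and _stale(row["access_key_1_last_rotated"]):
            failed.add(("1.4", user))                          # access key rotation
        if is_root and has_key:
            failed.add(("1.12", user))                         # root must have no access key
    return sorted(failed)


def check_cloudtrail(describe_trails_json):
    """2.1: a multi-region trail exists; 2.2: log file validation on every trail."""
    trails = json.loads(describe_trails_json)["trailList"]
    failed = []
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        failed.append(("2.1", "account"))
    failed += [("2.2", t["Name"]) for t in trails if not t.get("LogFileValidationEnabled")]
    return failed


def _open_to_world(perm, port):
    """True when this permission admits `port` over TCP (or all protocols) from 0.0.0.0/0."""
    if perm["IpProtocol"] not in ("-1", "tcp"):
        return False
    in_range = perm["IpProtocol"] == "-1" or perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
    return in_range and any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))


def check_security_groups(describe_sgs_json):
    """4.1 / 4.2: no group allows SSH (22) or RDP (3389) ingress from 0.0.0.0/0."""
    failed = []
    for sg in json.loads(describe_sgs_json)["SecurityGroups"]:
        for cid, port in (("4.1", 22), ("4.2", 3389)):
            if any(_open_to_world(p, port) for p in sg["IpPermissions"]):
                failed.append((cid, sg["GroupId"]))
    return failed


if __name__ == "__main__":
    findings = (check_credential_report(CREDENTIAL_REPORT)
                + check_cloudtrail(TRAILS) + check_security_groups(SECURITY_GROUPS))
    for cid, subject in findings:
        print(f"FAIL CIS {cid}: {subject}")
```

In practice the same functions run per account and per region over live CLI output (`aws iam get-credential-report --query Content --output text | base64 -d`, `describe-security-groups` in every region), which is exactly the fan-out that pushed the team toward a platform that watches accounts continuously rather than a cron job that snapshots them.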
Turn Information into Understanding

• Gather relevant and measurable KPIs – example: defect density
• Trend your performance to see where you’ve been and project where you are going
• Use the information to strengthen confidence in the process
• Whenever applicable, map process and infrastructure checks to compliance requirements (HIPAA, PCI)
Observations and Benefits of DevSecOps

• Consistent application of security controls across all builds, applications & releases
• Decrease in defect density from 1.0 to 0.1 (high vulnerabilities per 10,000 LOC)
• Increase in the security integrity of applications
• Increase in remediation efficiency through continuous feedback
• Release gating/security gating
• Rapid deployment/increased speed to market
• Increase in efficiency & scalability (microservices)
Challenges Moving to DevOps

• Evolving the culture and habits of 3,500+ developers
• Multiple “flavors” of DevOps in different parts of the organization
• Security tool integration in a manner that supports objectives for actionable continuous feedback
• What is the best approach for integrating threat modeling and manual assessments into the lifecycle without impacting CD objectives?
Takeaways

• Find out where DevOps is happening in your organization
• Identify where security controls can be injected
• Enhance the process with security, don’t be an impediment
• Turn information into understanding and measure success
• Learn, expand, improve, repeat
Thank you
@dschleen