Qualityhealthplans&benefitsHealthierlivingFinancialwell-beingIntelligentsolutions

DJSchleenFebruary13,2017

ImplementingDevOpsinaRegulatedEnvironment

@dschleen

©2017AetnaInc. 2

©2017AetnaInc. 3

©2017AetnaInc.

Let’sbustoutsomewallsandinstallsomewindows…

4

©2017AetnaInc.

TheAetnaLandscape

TheseedsofDevOpsaregerminatingeverywhere• 3,500+Developers• 1,500+Applications• Multipledeploymentplatformsanddevelopmentlanguages• Robustsoftwaresecurityprogramandtrainingprograms• Formerlya“waterfall”organization,butevolvingpeopleandresourcestosupportDevOps

• MatureDevOpspracticesinsomefacetsoftheorganizationandsubsidiaries

• Evolvinglegacyappstosupportmicroservicedesignprinciplesandcontainerization

5

©2017AetnaInc.

TheAetnaJourney

• TheevolutionofourSDLCfromWaterfalltoDevOps• IntegrationofourSoftwareSecurityProgramintoourCI/CDProcess,Specifically:─ AutomatedStaticCodeAnalysis─ ContainerVulnerabilityScanning─ IdentifyingandremediatingAWSSecurityRisk

• Howwemeasureourselvesandmapsecuritycontrolstocompliance• ObservationsandbenefitsofDevOps/DevSecOps• Constantlylearning,improving,andre-evaluating

6

©2017AetnaInc.

Aetna’sTraditionalApproach

7

Requirements Design Development Test Production

1.Setprojectexpectations:securefromthestart(perarchetype)

2.Definesecurityblueprints:Archetypespecificpatternsandsecure-by-designcomponents

Identification&proactiveprotectionagainstsecurityvulnerabilitiesinproduction

Conductapplicationsecuritytestingondeployedconfigurations

PREVENTATIVE DETECTIVEStaticAnalysis

DynamicAssessment

SecurityLibraries&Frameworks

ThreatModeling

Ex:Alldatainputbyusersmustbevalidated

AssetsAttackVectors

Threats

Threat-BasedPenTest

OpenSourceAnalysis

ApplicationRiskClassification

SecurityRequirementDefinition

SoftwareSecurityTraining(Role-BasedCurriculum)

PRODUCTIONContinuousPerimeter

Assessment

WebApplicationFirewalls

SecureCodingGuidelinesAutomatedAttack/Bot

Defense

SecureApplicationDesign

©2017AetnaInc.

• Automation/ToolIntegration• Transparency• IncreasedCollaboration• ConsistentAdoption• ContinualFeedback• RemediationEfficiency• ReleaseGating• Resiliency&Scalability(Microservices/Containers)

8

DevOpsandSecurity– anUnprecedentedOpportunity

©2017AetnaInc. 9

RoleBasedSoftwareSecurityTraining

DevOps/SecurityProgramIntegrated

Requirements&Design

Dev CIIntervalTriggered

AssessmentsProduction

Static Analysis (CI)

Dynamic Assessment

Container Security Scanning (CI)

Static Analysis (IDE)Threat-Based Pen

TestOpen Source Governance(CI)

Application Risk Classification

Security Requirement Definition

SecurityMavens(Security-TrainedDevelopersandOperations)

Perimeter Assessment

Web Application Firewalls

Automated Attack/Bot Defense

Container Security Management

Preventative Detective

Detailed manual assessments triggered automatically at appropriate interval; detached from release cycle

Lightweight threat modeling approach

AEFW/Secure Libraries

Iterative, Automated, Efficient

Secure Coding Standards

Threat Modeling Application Red Team

ContinuousMonitoring,Analytics,andKPIGathering

SCM

©2017AetnaInc.

CheckIn

Commitor PullRequest

SuccessfulBuild

SecurityScan

Feedback

CodeFeature

StaticCodeAnalysisandGatedCheck-ins

10

Goal:ImproveCodeSecurity• Movetoafullyintegratedandautomatedstate

• PushSCAtothebuildplatformandtriggeredwithcommits/merges

• Usethresholdsto“stopthebleeding”

• Measuredefectdensity(1highvulnerabilityin10000LOC)

• Automatethresholdreductionasvulnerabilitiesincodedecreased

• Beasunobtrusiveaspossibletodevelopers

• MandatorySecurityControl

Thresholds

©2017AetnaInc.

ContainerVulnerabilityScanning

Goal:EnsureourContainersarecurrentandvulnerabilityfree• UseCISDockerBenchmarksasaguideline• Initiallyattemptedtoscriptandautomatetheauditchecks• Identifiedcommercialsoftwaretoprovide:─ AutomatedCISDockerBenchmarkchecks─ Containerandrepositoryvulnerabilityscanning─ Securitypolicyenforcement─ Runtimepolicyenforcement─ Real-timethreatintelligence─ SpecificguidanceforHIPPACompliance

• Mandatoryforanycontainerhostdeployedenterprisewide

11

©2017AetnaInc.

AWSInfrastructureRisk

Goal:IdentifyandReduceAWSInfrastructureRisk• UseCISAWSFoundationsBenchmarksasaguideline• InitiallyscriptedandautomatedthechecksviaAWSCLI• Movedtoavendorprovidedplatformthat streamlinesandoptimizesvulnerabilityandriskmanagementforAWS

• ContinuouslymonitorourconfiguredAWSaccounts• Automaticallyidentifysecuritymisconfigurations• Rapidlymitigateriskthroughguidedremediation• MandatoryforanyAetnaorAffiliateAWSaccount

12

©2017AetnaInc. 13

• GatherrelevantandmeasureableKPIs– Example:DefectDensity

• Trendyourperformancetoseewhereyou’vebeenandprojectwhereyouaregoing

• Useinformationtostrengthentheconfidenceintheprocess

• Wheneverapplicable,mapprocessandinfrastructurecheckstocompliancerequirements(HIPPA,PCI)

TurnInformationintoUnderstanding

©2017AetnaInc.

ObservationsandBenefitsofDevSecOps

• Consistentapplicationofsecuritycontrolsacrossallbuilds,applications&releases

• DecreaseinDefectDensityfrom1.0 to0.1• Increaseinthesecurityintegrityofapplications• Increaseinremediationefficiencythroughcontinuousfeedback• Releasegating/securitygating• Rapiddeployment/increasedspeedtomarket• Increaseinefficiency&scalability(microservices)

14

©2017AetnaInc.

ChallengesMovingtoDevOps

• Evolvingthecultureandhabitsof3,500+developers• Multiple“flavors”ofDevOpsindifferentpartsoftheorganization• Securitytoolintegrationinamannerthatsupportsobjectivesforactionablecontinuousfeedback

• WhatisthebestapproachforintegratingthreatmodelingandmanualassessmentsintothelifecyclewithoutimpactingCDobjectives?

15

©2017AetnaInc.

Takeaways

• FindoutwhereDevOpsishappeninginyourorganization• Identifywheresecuritycontrolscanbeinjected• EnhancetheprocesswithSecurity,don’tbeanimpediment• Turninformationintounderstandingandmeasuresuccess• Learn,Expand,Improve,Repeat

16

©2017AetnaInc.

Thankyou

@dschleen

©2017AetnaInc. 18