Tech Talk: Keeping Applications Compliant and Secure Using Release Automation

World®’16

TechTalk:KeepingApplicationsCompliantandSecureUsingReleaseAutomationKeithPuzey- SeniorPrincipalEngineeringServicesArchitect- CATechnologies

DO5T10T

DEVOPS

2 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

Agenda

INTRODUCTION

VULNERABILITIES

RELEASEAUTOMATIONANDCOMPLIANCE

THESEVENHABITSOFRUGGEDDEVOPS

HOW DEVOPSANDAUTOMATIONFACILITATESSECURITY ANDCOMPLIANCE

SECURITYTESTING

1

2

3

4

5

6


Introduction

SecurityistheresponsibilityofeveryoneandneedstostartwithDevelopment

Securitybreachescausedbyvulnerabilitiescostasignificantamountintime,effortandreputation

HOWCANDEVOPSHELP?


InfrastructureVulnerabilities- 2016

325

130 12398 87

46 40 38 34 31 27 23 22 21

0

50

100

150

200

250

300

350

#Vulnerabilities

VulnerabilitiesbyInfrastructureVendor

Oracle Microsoft IBM Cisco Debian Apache Novell Huawei HP Ubuntu Fedora Linux SAP RedHat

CiscoSecurityResearch– MidyearCyberSecurity Report2016


CiscoSecurityResearch– MidyearCyberSecurity Report2016

InfrastructureVulnerabilitiesbyRegion


OpenSourceVulnerabilities

Sonatype reportedthat1in16downloadsfromtheCentralRepositoryhadaknownsecuritydefect,and6.8percentofcomponentsinuseamongthe25,000applicationsanalyzed hadaknownsecuritydefectTheSonatype reportisbasedontheanalysisof 31billiondownloadrequestsofopensourcesoftwarecomponentsfromtheCentralRepository,whichSonatype managesandistheresultofananalysisofthepatternsandpracticesofmorethan25,000developersand3,000organizations.

Sonatype - 2016stateofthesoftwaresupplychain


CommonExploits

AccordingtotheSonatype “2016StateoftheSoftwareSupplyChain”report,recordsrevealthat17.4millionBouncyCastlecomponentsacrossallversionsweredownloadedlastyear.Ofthese,5.8million(33percent)wereknownvulnerable versionsofBouncyCastle.

Thedefectivecomponentsdownloadsoccurredacross93,253uniqueIPaddressesfrom13,824organizationsin197countries.

Sonatype - 2016stateofthesoftwaresupplychain

ONEOFTHEMOREPOPULARCHOICESFORENCRYPTIONISTHE LEGIONOFBOUNCYCASTLEJAVACRYPTOGRAPHY LIBRARY.


ShiftLeft…DiscoverSecurityDefectsEarlierinSDLC

FINDDEFECTSHERE

NOTHERE

UNIT SYSTEM PRODUCTIONUATINTEGRATION PERFORMANCE STAGING

INSTILLAcceleratedQuality

1

5

10

15

30

0

5

10

15

20

25

30

35

Requirements Coding Integration Acceptance Production

SecurityDefectCorrectionCostMultiplier

Source:NationalInstituteofStandards&Technology(NIST)


TheProblem

ThirdPartysoftwareisusedwithlatentvulnerabilities

Unsafedevelopmentmethods

Inabilitytoquicklyfixsecurityissues

Misconfigsofapplicationssupportingsystems


“TheSevenHabitsofRuggedDevops”Forrester

Forrester– TheSevenHabitsofRuggedDevOps

1 Increasetrustandtransparencybetweendevelopment,securityandoperations

2 Understandtheprobabilitiesandimpactofspecificrisks

3 Discarddetailedsecurityroadmapsinfavourofincrementalimprovements

4 UsetheCDpipelinetoincrementallyimprovesecuritypractices

5 Standardizethirdpartysoftwareandthenkeepcurrent- maintainthirdpartylibrarywithmostcurrentversions

6 Governwithautomatedaudittrails

7 Testpreparednesswithsecuritygames


How DevOpsandAutomationFacilitatesSecurityandCompliance

AUTOMATION EMPHASISONTESTING FASTFEEDBACKLOOPS

IMPROVEDVISIBILITY COLLABORATIONCONSISTENT

RELEASEPRACTICES


How DevOps FacilitatesSecurity andCompliance

Secureatthebeginning§ Securitymustbeintegratedatthestartofyour

DevOps process,itmustnotbeanafterthoughtorjustattheveryendofthesoftwaredeliverypipeline.

§ Becomesaqualityrequirement,similartoothertestsrunaspartofyoursoftwaredeliveryprocess.

Securitythroughautomatedtesting§ Automatedtestshavelessriskofintroducingsecurityflaws

duetohumanerror



EnabledevelopersbutmaintaingovernanceCreatemanageablesystemsthatare consistent, traceable,andrepeatable

Securityandcompliancecontrols mustbeanintegralpartof yourDevOps processes



Geteveryoneonthesamepageandpipeline§ Integratesecuritytoolsandtestsaspartofthepipelineused

byDevelopmentandOperationstodeploytheirupdates,§ InfoSecbecomesakeycomponentofthedeliverypipelineand

anenableroftheentireprocess

Resolveissuesquickly§ DevOpsaccelerates yourleadtime,sothatyoucan develop,

test,and deployyourpatch/updatemorequickly.


SecurityTesting

Automatedtesting§ Automatingtestsensurequalitytestingandweneedthesame

approachautomatesecuritytests.§ Alargeproportionofsecuritytestsareessentiallychecksthat

knownweaknesseshavenotbeenintroducedandtheselendthemselvessuperblytoautomation


SecurityTesting—What’sAutomated

FunctionalSecurityTests§ Theseareessentiallythe

sameasautomatedacceptancetests,buttargetedatverifyingthatsecurityfeaturessuchasauthenticationandlogout,workasexpected.

§ TestscanmostlybeautomatedusingexistingacceptancetestingbrowserautomationtoolslikeSelenium/WebDriver.

Specificnon-functionaltestsagainstknownweaknesses§ Includestestingknown

weaknessesandmis-configurationssuchaslackoftheHttpOnly flagonsessioncookies,oruseofknownweakSSLsuitesandciphers.

§ Theseareparticularlywellsuitedforautomationbecausetheweaknessesareknownupfront

Securityscanningoftheapplicationandinfrastructure§ Manuallydrivenpenetration

testsusuallykickoffwithanautomatedscanusingvulnerabilityscanningtoolslikeNessus,BurpandOWASPZAPthiscanbeautomatedaspartofyourDevOpsprocess.


“Puttingaguardrailuponthehighwayallowsyoutogofaster,notslower.Withproperchecks,youcatchproblemsbeforetheybecomeshowstoppersandsecurityrisksinproduction.Andwhenit’spartoftheautomatedworkflow,theoverheadisessentiallynil.”

AlanSharp-Paul,co-founderofDevOpstoolvendorUpguard


CA’sThreePillarsofContinuousDeliveryIntegrated,IterativeSolution

AgileTeams

DevelopersandTesters

ReleaseManagement

ProductOwner

ScrumMaster

ProductManager

DailyReviews

Roadmap

Vision

Backlog

SprintBacklogs

CustomerValue

PLAN

ShippableProducts

DevelopSwiftly

TestAgilely

ReleaseReliably

OPERATE

FeedbackLoops


QA/TEST PRE-PROD PRODUCTIONDEV

ZERO-TOUCHDEPLOYMENT

ContinuousDeliveryDynamicDuoZero-touchDeployment+AdvancedReleaseManagement

ContinuousDeliveryDashboardOPTIMIZEPIPELINE

CAReleaseAutomation

CAReleaseAutomationCDEdition PLANANDMANAGE

RELEASES


SixWaysCAReleaseAutomationHelpsCompliancy

Authenticityofbuildmaterialiswhat’sbeingdeployedOnlyauthorizedstaffgettopromotepackages

AutomatedsecurityacrossallenvironmentsConsistentsecurityandtestingacrossallenvironments

SecurityfeedbackloopbacktodevelopmentIdentifyvulnerabilitiesandsecurityissuesearlyinthedevelopmentcycle

Segregationofrolesforreleases,phasesandtasksacrossenvironments

AuditabilityandtraceabilityAuditeverystageofyourCDpipeline

Usespeedtoyouradvantage,smallincrementalimprovements


AuditabilityandTraceability

AuditeverystageofyourCDpipeline


CAContinuousDeliverySolutionsCAReleaseAutomationandotherCDsolutionspavethewaytoaudit-readyreleaseswithtracking,governanceandsecuritychecks.

DevOpsHelpsCompliancyStayingcompliantandsecurearetoughernowthanever.DevOps,continuousdeliveryandautomationarekeypracticesthatcanhelpcompliancyinafast-movingappculture.

AutomateSecurityTestingSecuritytestsareessentiallychecksthatknownweaknesseshavenotbeenintroduced—aprimecandidateforautomation.

SummaryAFewWordstoReview


RecommendedSessions

SESSION# TITLE DATE/TIME

DO5T03PLeadershipPanel:ContinuousDeliveryintheFinancialServicesIndustry 11/16/2016at04:30pm

DO5T14SAnalystKeynote:ContinuousDelivery:MakingDevOpsAwesome 11/17/2016at10:30am

DO5T14SINGDeliversUnprecedentedGlobalContinuousDeliveryasaService 11/17/2016at03:00pm


MustSeeDemos

Release AutomationTheater5- DOV513P

OrchestrateYourRelease

ServiceVirtualizationTheater5- DOV507P

DeliverBetterApps

TestDataManagerTheater5- DOV511P

DeliverTestDataFaster

IntegratedCDTheater5- DOV501P

ModernizeAppDelivery


Stayconnectedatcommunities.ca.com

Thankyou.


DevOps– ContinuousDelivery

FormoreinformationonDevOps– ContinuousDelivery,pleasevisit:http://cainc.to/PiTFpu