Achieving Secure Continuous Delivery - Chris Rutter / Lucian Corlan - PowerPoint PPT Presentation


SLIDE 1

Achieving Secure Continuous Delivery

Chris Rutter / Lucian Corlan, July 2016

SLIDE 2

Problem statement - Security

  • Difficult access to (uncorrelated) vulnerability data
  • No clear view on the security risk of a specific build or release
  • No real agreed security gate (no trigger threshold)
  • Product has a Roadmap and Security is (always) not (always) part of it

SLIDE 3

Problem statement - Developers

  • Security requirements appear when project is almost finished
  • Security sign-off is a bottleneck
  • When am I finally secure enough?
SLIDE 4

We’ve seen this before…

QA 5 years ago

  • QA manual, at the end of a project
  • JIRA tickets passed around for small bugs
  • Long dev / test cycles
  • Key dependencies for sign-off
  • Lack of overview of quality or risk
SLIDE 5

Our Goals

  • Security requirements identified early
  • Viewed as true non-functional requirements
  • Easy to fix: issues detected and fixed within a sprint
  • Security quality part of definition of done each sprint
  • Security policy defined and automatically applied
  • Ability to measure and track all of the above
SLIDE 6
SLIDE 7
On the grid

  • Pros: Security team have visibility and quality control of all testing
  • Cons: Bottlenecks, key dependencies, 1 monthly cycle, time cost, unclear sign-off criteria, manual reports / metrics

SLIDE 8
SLIDE 9
20mph

  • Pros: Bottleneck reduced, high value threat modelling, shorter time to fix
  • Cons: Reliance on static analysis, time consuming manual process, issues highlighted at end of sprint

SLIDE 10
SLIDE 11
SLIDE 12
40mph

  • Pros: Issues highlighted quickly, multiple types of scan, defined policy under version control
  • Cons: Custom policy effort and maintenance, difficulty analysing risk from separate reports

SLIDE 13
SLIDE 14

Demo

SLIDE 15

60mph

  • Pros: All scans & tests normalised in one place, mitigations and suppressions tracked, metrics available, devs / testers performing active scans
  • Cons: Dynamic scans manual or passive, lack of custom app attributes
SLIDE 16
SLIDE 17

88mph

Automated dynamic scanning

  • Donatello proxies e2e tests through ZAP for active scan mapping without crawling

Contextual risk policies – application passports

  • Static & dynamic risk indicators based on Threat Modelling exercises and the OWASP Top 10, with a weight assigned to each risk indicator
  • Integration with GRC tool

SLIDE 18

88mph

Contextual risk profiles

  • Enhance Application criticality from ThreadFix
  • Static attributes
    • PCI data involved
    • PII data involved
    • Exposure
    • New service?
    • User story review
    • Input filtering
    • Output encoding
    • 3rd party integration
    • Actively maintained
    • Transported data encryption
    • Non-repudiation or IP whitelisting
    • Security meter Defcon
    • Authentication
    • Randomness level
  • Dynamic attributes
    • Number of user stories since last release
    • Number of user stories since last manual pentest
    • Number of Security User Stories (outcome of Threat Modeling)

SLIDE 19

Donatello / ThreadFix

SLIDE 20
Sources of inspiration

  • Betfair Security solution & DevSecCon
  • Proprietary API (Python or Node.js) hooking into all the tools, plus static attributes and interpretation of results per application in GitLab
  • Job in the continuous delivery tool to run the calculation (per build)
  • Dashboard for metrics

https://www.dropbox.com/s/eidodmpgyvquxsw/Application-Security-Risk-Calculator.pdf?dl=0
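A per-build risk calculation of the kind the deck describes (application passport with static and dynamic attributes, weighted indicators, normalised scan findings, a gate policy kept under version control), written here as an added example and not the Donatello / ThreadFix code itself. Every weight, threshold, attribute name and the sample passport is a constructed assumption.

```python
from dataclasses import dataclass, field

# Weights, credits and thresholds below are constructed for this example, not real policy values.
STATIC_WEIGHTS = {"pci_data": 30, "pii_data": 20, "internet_exposed": 25,
                  "new_service": 10, "third_party_integration": 10}
CONTROL_CREDITS = {"input_filtering": 10, "output_encoding": 10,  # controls lower the score
                   "transport_encryption": 10, "authentication": 10}
FINDING_WEIGHTS = {"critical": 40, "high": 15, "medium": 5, "low": 1}  # normalised scan results
POLICY = {"warn_at": 50, "block_at": 100}  # gate policy, kept under version control (assumed)

@dataclass
class Passport:
    name: str
    static: dict                 # static attribute -> bool
    stories_since_release: int   # dynamic attributes
    stories_since_pentest: int
    security_stories: int        # user stories produced by threat modelling
    open_findings: dict = field(default_factory=dict)  # severity -> open count

def risk_score(p: Passport) -> int:
    score = sum(w for k, w in STATIC_WEIGHTS.items() if p.static.get(k))
    score -= sum(c for k, c in CONTROL_CREDITS.items() if p.static.get(k))
    # Change volume since the last release / pentest raises risk; threat-model stories lower it.
    score += 2 * p.stories_since_release + p.stories_since_pentest - 5 * p.security_stories
    score += sum(FINDING_WEIGHTS.get(sev, 0) * n for sev, n in p.open_findings.items())
    return max(score, 0)

def gate(p: Passport, policy: dict = POLICY) -> tuple:
    """Return (verdict, score) for the continuous-delivery job to act on per build."""
    s = risk_score(p)
    if s >= policy["block_at"]:
        return "block", s
    if s >= policy["warn_at"]:
        return "warn", s
    return "pass", s

# Constructed passport for a hypothetical payments service.
PAYMENTS = Passport(
    name="payments-api",
    static={"pci_data": True, "internet_exposed": True, "input_filtering": True,
            "transport_encryption": True, "authentication": True},
    stories_since_release=8, stories_since_pentest=20, security_stories=3,
    open_findings={"high": 1, "medium": 4},
)

if __name__ == "__main__":
    print(PAYMENTS.name, *gate(PAYMENTS))  # payments-api warn 81
```

The verdict is what the CD job would turn into a pipeline result, while the per-indicator contributions are what the dashboard would chart over successive builds.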

SLIDE 21

Q