Continuous security nl.linkedin.com/kimvanwilgen - - PowerPoint PPT Presentation



SLIDE 1

Continuous security

Kim van Wilgen | Schuberg Philis

nl.linkedin.com/kimvanwilgen kimvanwilgen@gmail.com www.kimvanwilgen.com @kimvanwilgen

SLIDE 2

@kimvanwilgen | www.kimvanwilgen.com Continuous security

Cybercriminals accessed the personal data of 145.5M consumers

September 2017

209K credit card credentials were taken; $300M was paid to victims and $275M in fines

SLIDE 3

Open invitation

  • Forced browsing to get millions of results
  • Type admin / admin as username and password
  • Usage of http instead of https
  • Linking to phishing sites in their tweets
  • Alerts by security researchers were ignored
  • 30 days until notification, selling shares in the meantime

SLIDE 4

SLIDE 5

2018 Customer director, Schuberg Philis

2017 Head of software development, ANVA

2014 Head of IT, Klaverblad Verzekeringen

1980 Hello world

SLIDE 6

Schuberg Philis


  • Mission critical digital transformations
  • Financially independent
  • Started in 2001
  • 300 team members (Dec 2018)
  • EUR 60m revenue
  • Market quality leader in Business Critical IT Outsourcing
  • Single KPI: 100% customer satisfaction

SLIDE 7

Our customers


SLIDE 8

SLIDE 9

Why focus on security?

SLIDE 10

Focus shifted to speed…and nothing else

SLIDE 11

Constant change

SLIDE 12

Everything is connected into the heart of your business

SLIDE 13

Autonomous teams

SLIDE 14

Changing roles

SLIDE 15

Security in an agile world

SLIDE 16

Security should support the delivery of value

SLIDE 17

SLIDE 18

“If you are doing DevOps without security, you are doing it wrong”

Thiago de Faria – Head of solutions engineering, LINKIT

SLIDE 19

DevSecOps model

  • Secure coding
  • Defensible infrastructure
  • Situational awareness
  • Supporting way of working

SLIDE 20

DevSecOps model

  • Secure coding
  • Defensible infrastructure
  • Situational awareness
  • Supporting way of working

SLIDE 21

Integration in the pipeline: automate everything

SLIDE 22

SAST: Static Application Security Testing

Tools: https://www.owasp.org/index.php/Source_Code_Analysis_Tools
We use SonarQube
+ Finds problems early in the lifecycle, detailed feedback, scalable
- Limited scope, configuration out of scope, false positives & negatives

SLIDE 23

DAST: Dynamic Application Security Testing

Tools: https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
We use Nessus, Sentinel and ZAP
+ Tests the application at runtime, realistic view
- More complex, harder to track, needs a running instance (late feedback, limited scalability, slow)

SLIDE 24

Dependency checks: vulnerable libraries

Eliminate known vulnerabilities

We use JFrog Xray. Alternatives:

  • Sonatype
  • OWASP Dependency-Check
  • Semmle (variant analysis)
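A minimal version of the matching a dependency checker performs, added here as an illustration and not code from the talk or from JFrog Xray, Sonatype or OWASP Dependency-Check. The manifest, the advisory list and the library names are all constructed, and the advisory ids are placeholders, not real CVEs. What it shows beyond the slide is the part a pipeline gate needs to get right: numeric rather than lexical version-range comparison, a separate list of consciously accepted findings, and a non-zero exit code for anything that is neither fixed nor accepted.

```python
"""Dependency check gate for a CI pipeline (added example, not from the talk).

Parses a constructed pip-style manifest, matches pinned versions against a
constructed advisory list (fictional libraries and placeholder advisory ids,
no real CVEs) and fails the build on any unaccepted finding. Real scanners do
this matching against a real vulnerability database; the version-range logic
is the piece shown here.
"""
import re
from dataclasses import dataclass

# Constructed manifest in requirements.txt style (exact pins only).
MANIFEST = """
acme-http==2.19.1
fancy-json==1.4.0
old-testkit==0.9.2   # only used by the browser test suite
safe-lib==3.0.0
"""

# Constructed advisories. Ids and package names are fictional placeholders.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "acme-http", "affected": ">=2.0.0,<2.20.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-002", "package": "old-testkit", "affected": "<1.0.0", "severity": "critical"},
    {"id": "ADV-EXAMPLE-003", "package": "fancy-json", "affected": ">=2.0.0", "severity": "medium"},
]

# Accepted-risk list: findings the team decided not to fix yet. In the talk's
# model such exceptions go through an auditable pull-request approval.
ACCEPTED = {"ADV-EXAMPLE-001"}

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def parse_version(text):
    """'2.19.1' -> (2, 19, 1); tuples compare numerically, so 10.2 > 9.9."""
    return tuple(int(p) for p in text.strip().split("."))


def parse_manifest(text):
    """Return {package: version_tuple} for each pinned line, ignoring comments."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if not m:
            raise ValueError(f"unsupported manifest line: {line!r}")
        deps[m.group(1).lower()] = parse_version(m.group(2))
    return deps


def in_range(version, spec):
    """True if version satisfies every comma-separated constraint in spec."""
    for clause in spec.split(","):
        m = re.fullmatch(r"(<=|>=|==|<|>)([0-9.]+)", clause.strip())
        if not m:
            raise ValueError(f"bad constraint: {clause!r}")
        if not _OPS[m.group(1)](version, parse_version(m.group(2))):
            return False
    return True


@dataclass(frozen=True)
class Finding:
    advisory: str
    package: str
    version: str
    severity: str
    accepted: bool


def check(manifest_text, advisories, accepted):
    """Match every advisory against the pinned dependencies."""
    deps = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        version = deps.get(adv["package"].lower())
        if version is not None and in_range(version, adv["affected"]):
            findings.append(Finding(adv["id"], adv["package"], ".".join(map(str, version)),
                                    adv["severity"], adv["id"] in accepted))
    return findings


def gate(findings):
    """Pipeline verdict: 0 = pass, 1 = fail. Accepted findings are reported, not blocking."""
    return 1 if any(not f.accepted for f in findings) else 0


if __name__ == "__main__":
    results = check(MANIFEST, ADVISORIES, ACCEPTED)
    for f in results:
        flag = "accepted" if f.accepted else "BLOCKING"
        print(f"{flag:9} {f.advisory} {f.package}=={f.version} ({f.severity})")
    raise SystemExit(gate(results))
```

Run as a pipeline step, the script reports the accepted acme-http finding and blocks on the unaccepted old-testkit one; the accepted list is the only place a red finding can be turned into a yellow one, which keeps the decision reviewable in version control rather than in someone's head.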

SLIDE 25

Licensing threat assessment

SLIDE 26

Evil user stories

As a Malicious Hacker, I want to gain access to all repositories so that I can look for vulnerabilities and secrets and destroy their entire business.

SLIDE 27

DevSecOps model

  • Secure coding
  • Defensible infrastructure
  • Situational awareness
  • Supporting way of working

SLIDE 28

Immutable infrastructure

SLIDE 29

“One of the benefits of using containers, especially in microservices-based applications, is they make it easier to secure applications via runtime immutability—or never-changing—and applying least-privilege principles that limit what a container can do.”

Tsvi Korren - Chief Solutions Architect at Aqua Security

SLIDE 30

Immutable infrastructure mindset

  • Scan infrastructure scripts against the security policy
  • Configuration and patches are code changes
  • Apply least privilege principles
  • Apply pervasive visibility
  • Systematic workload re-provisioning – difficult to persist across rebuilds

Source: Gartner report on cloud security

SLIDE 31

Testing the infrastructure

Compare the infrastructure with CIS best practices, e.g. admin account, encryption and patch level

  • Hardening your system with feedback in the pipeline
  • Auditable approval process of deviations through pull request @securityteam
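The pipeline check behind "scan infrastructure scripts against the security policy" and the CIS comparison above, as an added example rather than code from the talk. The host inventory, the policy rules and the deviation records are constructed; the POLICY-nn ids are placeholders and not real CIS control numbers, and the pull-request references are placeholders too. What it adds to the slides is how an approved deviation is honoured without weakening the gate: an exception only counts while its record names the security team as approver and has not expired, so an exception nobody renewed fails the build again.

```python
"""Infrastructure policy check for the pipeline (added example, not from the talk).

Evaluates a constructed host inventory against a small, constructed policy in
the spirit of CIS benchmarks (rule ids are placeholders, not real CIS control
numbers). A failing check is tolerated only when an approved, unexpired
deviation exists for that host and rule, so every exception stays auditable.
"""
from dataclasses import dataclass
from datetime import date

TODAY = date(2018, 12, 1)  # fixed so the example is reproducible

# Constructed inventory, as the provisioning tooling might export it.
INVENTORY = [
    {"host": "web-01", "admin_account": "admin", "admin_enabled": True, "disk_encrypted": True, "patch_age_days": 5},
    {"host": "db-01", "admin_account": "svc-ops", "admin_enabled": True, "disk_encrypted": False, "patch_age_days": 12},
    {"host": "legacy-01", "admin_account": "root", "admin_enabled": True, "disk_encrypted": True, "patch_age_days": 45},
]

# Constructed deviation approvals, recorded through a pull request to the policy repo.
# "PR-<placeholder>" stands in for a real pull-request reference.
DEVIATIONS = [
    {"rule": "POLICY-02", "host": "db-01", "pr": "PR-<placeholder>", "approver": "@securityteam", "expires": date(2019, 3, 1)},
    {"rule": "POLICY-03", "host": "legacy-01", "pr": "PR-<placeholder>", "approver": "@securityteam", "expires": date(2018, 10, 1)},  # expired
]

DEFAULT_ADMIN_NAMES = {"admin", "administrator", "root"}
MAX_PATCH_AGE_DAYS = 30


def rule_default_admin(h):
    """POLICY-01: a well-known admin account name must not be enabled."""
    return not (h["admin_enabled"] and h["admin_account"].lower() in DEFAULT_ADMIN_NAMES)


def rule_disk_encrypted(h):
    """POLICY-02: data at rest must be encrypted."""
    return h["disk_encrypted"]


def rule_patch_level(h):
    """POLICY-03: patches must be no older than MAX_PATCH_AGE_DAYS."""
    return h["patch_age_days"] <= MAX_PATCH_AGE_DAYS


RULES = [("POLICY-01", rule_default_admin), ("POLICY-02", rule_disk_encrypted), ("POLICY-03", rule_patch_level)]


@dataclass(frozen=True)
class Result:
    host: str
    rule: str
    status: str  # "pass", "fail" or "deviation"
    note: str = ""


def approved_deviation(rule, host, deviations, today):
    """Return the deviation record if it is approved by the security team and not expired."""
    for d in deviations:
        if d["rule"] == rule and d["host"] == host and d["approver"] == "@securityteam":
            if d["expires"] >= today:
                return d
    return None


def evaluate(inventory, deviations, today=TODAY):
    """Run every rule on every host; a failing rule needs a valid deviation or it fails."""
    results = []
    for h in inventory:
        for rule_id, fn in RULES:
            if fn(h):
                results.append(Result(h["host"], rule_id, "pass"))
                continue
            dev = approved_deviation(rule_id, h["host"], deviations, today)
            if dev:
                results.append(Result(h["host"], rule_id, "deviation", f"approved in {dev['pr']} until {dev['expires']}"))
            else:
                results.append(Result(h["host"], rule_id, "fail", fn.__doc__.split(":", 1)[1].strip()))
    return results


def gate(results):
    """0 = pipeline passes, 1 = fails. Approved deviations do not block; expired ones do."""
    return 1 if any(r.status == "fail" for r in results) else 0


if __name__ == "__main__":
    res = evaluate(INVENTORY, DEVIATIONS)
    for r in res:
        if r.status != "pass":
            print(f"{r.status:9} {r.host} {r.rule} {r.note}")
    raise SystemExit(gate(res))
```

On the constructed inventory the web host fails on its default admin account, the database host passes on a still-valid encryption deviation, and the legacy host fails twice because its patch-level deviation expired. Keeping the deviation list in the same repository as the policy means the pull request that grants an exception is also the audit trail for it.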

SLIDE 32

DevSecOps model

  • Secure coding
  • Defensible infrastructure
  • Situational awareness
  • Supporting way of working

SLIDE 33

Have security champions

SLIDE 34

Don’t eliminate all risk

SLIDE 35

Alignment of security and business value

SLIDE 36

Learn and adapt first before you break the build

SLIDE 37

Application Security Verification Standard

Irrelevant / SAST / DAST / RAST / other
Train for risks we can’t automate

SLIDE 38

Fix your vulnerabilities

SLIDE 39

I’ve added over 100 security rules in SonarQube and sent the top 10 screwups to the team. We sat down and discussed them. They are more aware now. I enabled a dependency check. We had 550 vulnerabilities. We solved more than half by removing an obsolete dependency in the test framework for Opera testing. We ran some critical upgrades. Now we have 17.

SLIDE 40

Security upfront

SLIDE 41

DevSecOps model

  • Secure coding
  • Defensible infrastructure
  • Situational awareness
  • Supporting way of working

SLIDE 42

Automate security features and scan against bugs and vulnerabilities
Check for logical flaws manually, educate and raise context awareness

SLIDE 43

Train for the basics

SLIDE 44

Contextual awareness

SLIDE 45

Hack yourself first too

Chaos Engineering: Make rare events regular

SLIDE 46

“Think as an offender will show the real threats of your application and grow awareness from finding out how easy it is.”

Troy Hunt, MVP for developer security and creator of ‘Have I Been Pwned’

SLIDE 47

Red teaming

“Did you check the cake for hard and sharp objects before bringing this inside?”

SLIDE 48

Trusted source and lowering our fences

SLIDE 49

DevSecOps model

  • Secure coding
  • Defensible infrastructure
  • Situational awareness
  • Supporting way of working

Practices: SAST, DAST, dependency check, licensing, evil stories, config as code, immutability, test against CIS config, CDN, SIEM, train, raise awareness, hack yourself, red teaming, SecLead, value based, start small, adapt to context, fix issues, detect change, version control

SLIDE 50

Sources

  • https://sdtimes.com/developers/gartners-guide-to-successful-devsecops/
  • https://cybersecurity.isaca.org/static-assets/documents/State-of-Cybersecurity-part-2-infographic_res_eng_0517.pdf
  • https://www.sans.org/reading-room/whitepapers/critical/continuous-security-implementing-critical-controls-devops-environment-36552
  • 10 Things to Get Right for Successful DevSecOps, Gartner, 2017, IDG00341371, https://www.gartner.com/doc/reprints?id=1-4TI72Y2&ct=180320&st=sb
  • https://www.thoughtworks.com/radar/techniques
  • https://www.mmc.com/content/dam/mmc-web/Global-Risk-Center/Files/MMC-Cyber-Handbook_2016-web-final.pdf
  • Reimagining Security and IT Resilience for a Cloud-Native DevSecOps World, Gartner, 2018