SLIDE 1

How to Manage Risk of Your Polyglot Environments

SLIDE 2

Presenters

  • Jeff Rouse, VP Product, ActiveState
  • Pete Garcin, Senior Product Manager, ActiveState
  • Larry Maccherone, Head of DevSecOps Transformation, Comcast

Manage Risk: Polyglot Environments

SLIDE 3

VP Product

Jeff Rouse, ActiveState

SLIDE 4

Platform Presentation

Jeff Rouse

VP Product, ActiveState

SLIDE 5

  • Track record: 97% of Fortune 1000, 20+ years open source
  • Polyglot: 5 languages: Python, Perl, Tcl, Go, Ruby
  • Runtime focus: concept to development to production

SLIDE 6

What is Polyglot?

[Slide graphic of languages; only the label "SQL" survived extraction]

SLIDE 7

How Do Polyglot Environments Evolve?

  • Technology. Best tool for the job, modern software projects.
  • People. Technology stacks added through acquisition, changes in tech leadership.
  • Time. Technologies come in and out of favour; old languages never die.

SLIDE 8

Every Organization is Polyglot

  • Any desktop application with an online component.
  • YAML configuration used with any project.
  • An application with embedded scripting.

SLIDE 9

Adding a Language

Source: ActiveState Developer Survey 2018, Open Source Runtime Pains

SLIDE 10

Rank the Challenges

Source: ActiveState Developer Survey 2018, Open Source Runtime Pains

SLIDE 11

Stability & Security → Painful

Source: ActiveState Developer Survey 2018, Open Source Runtime Pains

SLIDE 12

Hidden Costs

75%: Managing dependencies

Source: ActiveState Developer Survey 2018, Open Source Runtime Pains

SLIDE 13

Benefits

  • Speed. Ship faster: better products, better innovation.
  • Recruitment. Be an attractive workplace: enable coders to choose the tools they need.

SLIDE 14

Drawbacks

  • Variability. Tooling support & programming language quality.
  • Expertise Gap. Deep core competency at odds with breadth of programming languages.
  • Dependencies. Larger pool of dependencies.
  • Support Costs. Unable to centralize maintenance.

SLIDE 15

Magnified Issues

How will you monitor, identify and resolve?

Production bugs, Common Vulnerabilities and Exposures (CVEs), threats, and additional risk exposure from 3rd-party dependencies. Equifax breach: an out-of-date 3rd-party dependency.

SLIDE 16

Resolutions

  • Reduce services
  • Reduce tools
  • Reduce libs
  • Reduce attack surface
  • Robust processes, automated and centralized for visibility

SLIDE 17

Senior Product Manager

Pete Garcin, ActiveState

SLIDE 18

Pete Garcin

Senior Product Manager, ActiveState

Platform Presentation

SLIDE 19

Automated Processes

SLIDE 21

Automating Environments

  • Automate.
  • Bundle.
  • Simplify Shares. Encourage adoption of common environments.

SLIDE 24

Solving Core Problems

  • Environment configuration
  • Dependency management
  • Workflow configuration

SLIDE 25

Best Practices - Build Eng & Development

  • Build standard
  • Reproduce & manage
  • Shrink build

SLIDE 26

Best Practices - Development to Production

  • Monitor runtime
  • Get updates

SLIDE 27

Benefits to You

[Slide graphic; only the labels "Time", "Dev Zen" and "Same Same" survived extraction]

SLIDE 28

Privileged and Confidential | E7: SDL Self Assessment

Security at the Speed of Software Development

Presented by: Larry Maccherone

The approach for Comcast’s Secure Development Lifecycle (SDL) initiative: a lean/agile transformation approach to achieving a DevSecOps culture

SLIDE 29

Larry Maccherone
Larry_Maccherone@Comcast.com
LinkedIn.com/in/LarryMaccherone

SLIDE 30

Security practices on DevOps continuum ➔ DevSecOps

  • Static/IAST analysis
  • Abuse case tests
  • Code review
  • Break the build
  • Code analysis
  • Threat modeling → backlog items
  • Analyze/Predict → backlog items
  • Design complies with policy?
  • Test security features
  • Common abuse cases
  • Pen testing (Vulns found → Test scripts)
  • Compliance validation (PCI, etc.)
  • Fuzzing
  • If we do X will it mitigate Y?
  • Capacity forecasting
  • Learning → Update playbooks and training
  • Configuration validation
  • Feature toggles/Traffic shaping configuration
  • Secrets management
  • Log information for after-incident analysis
  • Intrusion detection
  • App attack detection
  • Restore/maintain service for non-attack usage
  • RASP auto respond
  • Roll-back or toggle off
  • Block attacker
  • Shut down services
  • Analysis → Learning
  • Defect/Incident 3-step
  • New attack surface? Plan to update threat model

SLIDE 31

That’s a lot of stuff! How do we get development teams to adopt?

SLIDE 33

Visualizing an Org’s practices

SLIDE 34

Dev[Sec]Ops is… empowered engineering teams taking ownership of how their product performs in production [including security]

SLIDE 35

DevSecOps Manifesto

  • Build security in more than bolt it on
  • Rely on empowered engineering teams more than security specialists
  • Implement features securely more than security features
  • Rely on continuous learning more than end-of-phase gates
  • Build on culture change more than policy enforcement

SLIDE 36

We, the Security Team…

Recognize that Engineering Teams…

  • Want to do the right thing
  • Are closer to the business context and will make trade-off decisions between security and other risks
  • Want information and advice so those trade-off decisions are more informed

Pledge to…

  • Lower the cost/effort side of any investment in developer security tools or practices
  • Assist 2x as much with preventative initiatives as we beg for your assistance reacting to security incidents

Understand that…

  • We are no longer gate keepers but rather tool-smiths and advisors

SLIDE 37

DevSecOps Tool Landscape

Primary Code Analysis (PCA) for code you write (1st party)

Static Analysis (aka SAST)

  • Looks at source code
  • Data/control flow analysis
  • Prone to false positives
  • Rapid feedback for developers
  • Code fix suggestions

Dynamic

  • Exercises app via UI/API
  • Senses vulnerability by response to input
  • Zero? false positives. Report is an exploit
  • High false negatives
  • Difficult to implement, especially w/ auth
  • Sometimes hard to find code to remediate

IAST

  • Runtime code analysis
  • Combine dynamic/static
  • Low false positives
  • Depends on test coverage
  • Immature but getting there

Runtime Application Security Protection (RASP)

  • Often uses same engine as IAST
  • Reports on “bad” behavior
  • Can abort transaction or kill process to protect

Fuzzing (black box)

  • Instruments system (to varying degrees)
  • Sends unexpected input at API
  • Looks at response and instrumentation output
  • Great for testing protocols like SIP
  • Good for REST APIs
  • Potentially long run times
  • Hard to find code to remediate

Software Composition Analysis (SCA) for code you import (3rd party)

  • Identifies dependency and version
  • Checks CVE/NVD + … for reported vulnerabilities
  • Proposes version/patch to remediate
  • Checks license vs policy
  • Runs fast
  • Easy to implement
  • Best bang for buck!

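As an added example (not from the slides and not any ActiveState or Comcast tool), this Python sketch does what the SCA bullets describe across a polyglot pair of manifests: it identifies each pinned dependency and version from a pip requirements file and a Gemfile.lock, looks them up in an advisory list, proposes the patched version, and checks each licence against a policy. The advisory identifiers, licence data and manifests are constructed sample data, not real CVEs or real project files.

```python
"""Added example: a minimal software composition analysis (SCA) pass over two ecosystems.
Every advisory, licence and manifest here is CONSTRUCTED sample data, not a real CVE."""
import re

# Constructed advisories: (ecosystem, package) -> (first fixed version, advisory id).
ADVISORIES = {
    ("pypi", "requests"): ("2.20.0", "EXAMPLE-ADV-001"),
    ("rubygems", "rack"): ("2.0.6", "EXAMPLE-ADV-002"),
}
# Constructed licence metadata and a policy that rejects strong copyleft in shipped code.
LICENSES = {("pypi", "requests"): "Apache-2.0", ("pypi", "pyqt5"): "GPL-3.0",
            ("rubygems", "rack"): "MIT"}
DENIED_LICENSES = {"GPL-3.0", "AGPL-3.0"}
# Constructed manifests: a pip requirements file and the specs section of a Gemfile.lock.
REQUIREMENTS_TXT = "# pinned Python deps\nrequests==2.19.1\nPyQt5==5.11.3\n"
GEMFILE_LOCK = "GEM\n  remote: https://rubygems.org/\n  specs:\n    rack (2.0.5)\n    rake (12.3.1)\n"

def parse_version(v):
    """'2.19.1' -> (2, 19, 1); tuples compare numerically, whereas string comparison
    would wrongly rank '2.9' above '2.10'."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def parse_manifests(requirements_txt, gemfile_lock):
    """Identify dependency and version: (ecosystem, name, version) triples from both files."""
    deps = []
    for line in requirements_txt.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if m:  # PyPI names are lower-cased because the index is case-insensitive
            deps.append(("pypi", m.group(1).lower(), m.group(2)))
    for line in gemfile_lock.splitlines():
        m = re.match(r" {4}([A-Za-z0-9_.-]+) \(([0-9.]+)\)$", line)  # 4-space indent: resolved gem
        if m:
            deps.append(("rubygems", m.group(1), m.group(2)))
    return deps

def sca_report(deps):
    """Vulnerable pins with the proposed fix, plus licence policy violations.
    An unknown licence is reported too, so the check fails closed."""
    findings = []
    for eco, name, ver in deps:
        adv = ADVISORIES.get((eco, name))
        if adv and parse_version(ver) < parse_version(adv[0]):
            findings.append(f"{eco}:{name}=={ver} vulnerable ({adv[1]}); upgrade to {adv[0]}")
        lic = LICENSES.get((eco, name), "UNKNOWN")
        if lic in DENIED_LICENSES or lic == "UNKNOWN":
            findings.append(f"{eco}:{name}=={ver} licence {lic} violates policy")
    return findings

if __name__ == "__main__":
    print("\n".join(sca_report(parse_manifests(REQUIREMENTS_TXT, GEMFILE_LOCK))))
```

In a real pipeline the advisory and licence tables would come from a feed such as NVD rather than be embedded, and the "Runs fast" / "Easy to implement" bullets hold because the whole check is manifest parsing plus a lookup.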
SLIDE 39

What’s next?

  • Questions?
  • Pilot this DevSecOps transformation framework with a few of your teams
  • Connect with me on: LinkedIn.com/in/LarryMaccherone

SLIDE 40

Q & A

SLIDE 41

What’s Next

  • Watch a demo: https://www.youtube.com/watch?v=c5AIxN9ehrI
  • Get a demo: marketing@activestate.com
  • Contact us for the language build you need: platform@activestate.com

SLIDE 42

Where to find us

  • Tel: 1.866.631.4581
  • Website: www.activestate.com
  • Twitter: @activestate
  • Facebook: /activestatesoftware