Inject Security into Source Code: How 2018 Will Shift Your Security Priorities (PowerPoint presentation)


SLIDE 1

Inject Security into Source Code

How 2018 Will Shift Your Security Priorities

SLIDE 2

Panelists

Farshad Abasi, CTO, Mirai Security
Jacek Materna, CTO, Assembla
Jeff Rouse, Dir. Product Management, ActiveState

SLIDE 3

Where we've been

  • Track record: 20 years working with open source languages & enterprises; 97% of Fortune 500 companies trust us
  • 5 languages: Python, Perl, Tcl, Go & Ruby
  • 64+ platforms: Windows, Mac, Linux, AIX, Solaris, HP-UX...
  • Solutions to help enterprises benefit from open source

SLIDE 4

Where we're going

Enable enterprises to keep up with the pace of coder innovation by removing friction at all points in the SDLC:

  • Streamline configuration of open source languages
  • Allow control of application security & compliance
  • Establish integrity at all stages in the software development life cycle (SDLC)

A SaaS platform to streamline the entire dev process & make things as secure as possible, leading with a Python runtime offering.

SLIDE 5

Injecting Security Into Source Code

Farshad Abasi | 2018-01-23 | v0.1

SLIDE 6

Shifting security to the left

  • About 56% of all software defects arise during the requirements phase, 27% during the design phase, and only 7% during development
  • Defects identified and resolved during requirements & design are about 100 times less costly to fix than those discovered afterwards
  • The goal is to address security earlier, not to create more work for devs
  • Shift left does not mean the roles and responsibilities of quality and security go away

SLIDE 7

Continuous security in a CI / CD environment

  • Security tools should be integrated into the CI / CD pipeline
  • Integration allows "low hanging fruit" to be caught earlier and regularly
  • Can't afford to wait until the end of the build-and-release pipeline to perform a detailed security scan
  • Information security platforms should expose functionality via APIs
  • Allows for automation and integration of security into DevOps and the developer's preferred tool chain

SLIDE 8

Making security easier for Dev teams

  • Start with secure development and training
  • Don't make developers become security experts or switch tools
  • Adopt the concept of people-centric security
  • Empower developers to take personal responsibility for security
  • Compensate for this with monitoring, following a "trust and verify" mindset
  • Use frameworks and tools to handle security
  • Input validation to be done by the development framework or a plug-in
  • CSRF tokens to be generated, inserted and verified by the framework
  • IDE plug-ins

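
As an added example (not code from the deck or from ActiveState) of the bullet that CSRF tokens should be generated, inserted and verified by the framework rather than by application code: a small Python framework component that binds each token to the session with an HMAC, renders the hidden form field itself, and rejects state-changing requests that lack a valid token. The Request class, the `_csrf` field name, the handler and the secret key are all constructed for the example.

```python
"""Framework-side CSRF protection: application handlers never touch the token.

Added illustration, not code from the slides or from ActiveState. The
Request class, the field name and the secret key are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed)."""
    method: str
    session_id: str
    form: dict = field(default_factory=dict)


class CsrfProtect:
    """Generates, inserts and verifies CSRF tokens on behalf of handlers."""

    UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
    FIELD = "_csrf"

    def __init__(self, secret_key: bytes):
        self._key = secret_key

    def _mac(self, session_id: str, nonce: str) -> str:
        # Binding the MAC to the session means a token lifted from one
        # user's page cannot be replayed against another user's session.
        msg = f"{session_id}:{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def generate(self, session_id: str) -> str:
        nonce = secrets.token_hex(16)
        return f"{nonce}.{self._mac(session_id, nonce)}"

    def verify(self, session_id: str, token: Optional[str]) -> bool:
        if not token or "." not in token:
            return False
        nonce, mac = token.split(".", 1)
        # Constant-time comparison so the MAC cannot be guessed byte by byte.
        return hmac.compare_digest(mac, self._mac(session_id, nonce))

    def hidden_field(self, session_id: str) -> str:
        """What the template engine injects into every form automatically."""
        return (f'<input type="hidden" name="{self.FIELD}" '
                f'value="{self.generate(session_id)}">')

    def protect(self, handler):
        """Decorator: reject state-changing requests without a valid token."""
        def wrapped(request: Request):
            if request.method.upper() in self.UNSAFE_METHODS:
                if not self.verify(request.session_id, request.form.get(self.FIELD)):
                    return 403, "CSRF token missing or invalid"
            return handler(request)
        return wrapped


# Constructed demo: one framework secret, two browser sessions.
csrf = CsrfProtect(secret_key=b"example-key-rotate-me")


@csrf.protect
def transfer_funds(request: Request):
    """Application code: no token handling in sight."""
    return 200, f"transferred {request.form.get('amount')}"


def demo() -> dict:
    alice, mallory = "sess-alice", "sess-mallory"
    good = csrf.generate(alice)
    flipped = good[:-1] + ("0" if good[-1] != "0" else "1")  # one hex digit changed
    return {
        "valid": transfer_funds(Request("POST", alice, {"_csrf": good, "amount": "10"}))[0],
        "missing": transfer_funds(Request("POST", alice, {"amount": "10"}))[0],
        "other_session": transfer_funds(Request("POST", mallory, {"_csrf": good, "amount": "10"}))[0],
        "tampered": transfer_funds(Request("POST", alice, {"_csrf": flipped, "amount": "10"}))[0],
        "safe_get": transfer_funds(Request("GET", mallory))[0],
    }


if __name__ == "__main__":
    print(demo())
```

The handler `transfer_funds` never sees the token: the decorator does the check, which is what keeps developers from having to become CSRF experts. The two details worth copying are the session binding and the constant-time compare; a token that is merely random, or merely compared with `==`, loses one of those protections.
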
SLIDE 9

Microservices architecture and impact on security

  • Microservices break larger services/apps into smaller independent ones
  • Loosely coupled as opposed to tightly coupled
  • May not include any security controls that were previously part of the larger service/application (e.g. authentication, authorization, input validation)
  • Typically developed in an agile manner by DevOps teams
  • Need to ensure some security is built into the dev pipeline to catch low hanging fruit
  • Should enforce security at a single point (i.e. gateway) and maintain end-to-end trust throughout the journey
  • Use of trust-tokens
  • End-to-end security assessment across the entire user journey involving different microservices should be performed
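The gateway-plus-trust-token pattern from the bullets above, as an added Python example that is not from the deck or from any particular product. It assumes the gateway authenticates the user once and shares an HMAC key with the downstream services, and uses a compact signed-JSON token of its own (not a standards-compliant JWT); the user table, the service names and the scopes are constructed.

```python
"""Gateway-issued trust tokens for a microservice journey.

Added illustration (not from the slides or any product). Assumes a shared
HMAC key between gateway and services; the signed-JSON token format, user
table, service names and scopes are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TrustTokens:
    """Mint (at the gateway) and verify (in each service) signed claim sets."""

    def __init__(self, key: bytes, ttl_seconds: int = 300):
        self._key, self._ttl = key, ttl_seconds

    def mint(self, subject: str, scopes: List[str], audience: str,
             now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        claims = {"sub": subject, "scp": scopes, "aud": audience,
                  "iat": int(now), "exp": int(now) + self._ttl}
        body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"

    def verify(self, token: str, audience: str,
               now: Optional[float] = None) -> Optional[dict]:
        """Claims if signature, audience and expiry all check out, else None."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".", 1)
            expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
            # Verify the signature before trusting anything inside the body.
            if not hmac.compare_digest(_unb64(sig), expected):
                return None
            claims = json.loads(_unb64(body))
        except (ValueError, TypeError):
            return None
        if claims.get("aud") != audience or claims.get("exp", 0) <= now:
            return None
        return claims


class Gateway:
    """Single enforcement point: authenticate once, then hand out trust tokens."""
    USERS = {"alice": ("s3cret", ["orders:read", "orders:write"])}  # constructed

    def __init__(self, tokens: TrustTokens):
        self._tokens = tokens

    def login(self, user: str, password: str, target_service: str) -> Optional[str]:
        creds = self.USERS.get(user)
        if creds is None or not hmac.compare_digest(creds[0], password):
            return None
        # The audience ties the token to one hop so it cannot be replayed elsewhere.
        return self._tokens.mint(user, creds[1], audience=target_service)


class OrdersService:
    """Downstream service: no password handling, but scope is still checked locally."""
    NAME = "orders"

    def __init__(self, tokens: TrustTokens):
        self._tokens = tokens

    def create_order(self, token: Optional[str], now: Optional[float] = None) -> int:
        claims = self._tokens.verify(token or "", audience=self.NAME, now=now)
        if claims is None:
            return 401
        if "orders:write" not in claims.get("scp", []):
            return 403
        return 201


def demo() -> dict:
    tokens = TrustTokens(key=b"shared-example-key-rotate-me", ttl_seconds=300)
    gw, orders = Gateway(tokens), OrdersService(tokens)
    good = gw.login("alice", "s3cret", "orders")
    billing_only = gw.login("alice", "s3cret", "billing")
    # Attacker keeps the genuine signature but swaps in their own claims.
    forged_body = _b64(json.dumps({"aud": "orders", "exp": 4102444800, "iat": 0,
                                   "scp": ["orders:write"], "sub": "alice"}).encode())
    forged = forged_body + "." + good.split(".", 1)[1]
    t0 = 1_700_000_000.0
    return {
        "bad_password": gw.login("alice", "wrong", "orders"),
        "valid": orders.create_order(good),
        "wrong_audience": orders.create_order(billing_only),
        "forged_claims": orders.create_order(forged),
        "expired": orders.create_order(
            tokens.mint("alice", ["orders:write"], "orders", now=t0), now=t0 + 301),
        "read_only_scope": orders.create_order(tokens.mint("bob", ["orders:read"], "orders")),
    }
```

The gateway is the one place that sees passwords; every service after it only needs the shared key and its own name. The audience check is what makes "end-to-end trust" hold per hop rather than per user: a token issued for the billing service is worthless against the orders service even though the user and signature are genuine.
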

SLIDE 10

Maintain a security focus without slowing delivery

  • Incorporating security into DevOps/Agile should speed up the overall release process
  • Incorporate as much security as possible into the DevOps/Agile workflow through automation
  • Should be done transparently
  • Must preserve the agility and speed of the DevOps/Agile environment
  • Shift-left security increases delivery speed by reducing:
    • the number of people who must look at a change at a given time, resulting in smaller, more efficient teams
    • the total number of gates with manual checks

SLIDE 11

Immutable infrastructure and impact on security

  • Traditional mutable systems are patched and maintained in place
    • E.g. admins can SSH into a server and upgrade packages, adjust configuration, or push patches via an agent
  • Immutable infrastructure components are replaced rather than changed
    • Changes to the infrastructure (or even an admin account) are not allowed
    • If changes are required, a new server is built from a base image + packages
    • If changes are detected that violate set criteria, that instance is replaced
  • Immutability results in increased security
    • Patching/updating a large number of servers is not required, as you can create one image and push out new instances quickly
  • Existing applications need to be re-architected to align with this model

SLIDE 12

Security of code in production

  • Require manual approval in the pipeline to put sensitive components from dev into production
    • E.g. those handling sensitive data or functionality
  • Use automated installers and uninstallers
  • Deploy using a least privilege security model
  • Apply change control and configuration management
    • Captures the baseline configuration to help identify malicious changes
    • Ability to track changes is useful from a security perspective
    • Can prevent unauthorized changes and roll back those that may have introduced security vulnerabilities
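The baseline capture and drift detection that slides 11 and 12 both rely on, as an added Python example (not the deck's own material). It assumes the configuration of interest is a directory tree taken from the golden image, that runtime-writable paths such as logs are excluded from the baseline, and a hypothetical policy that rebuilds the instance when drift touches security-critical paths and otherwise demands a change ticket; the file tree, the drift and the policy prefixes are all constructed.

```python
"""Baseline capture and drift detection for immutable or change-controlled hosts.

Added illustration for slides 11 and 12 (not from the deck). Assumptions:
the configuration of interest is a directory tree taken from the golden
image; runtime-writable paths are excluded; the policy prefixes and the
sample tree are hypothetical.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Hypothetical policy: drift under these prefixes means the instance is
# rebuilt from the image (immutable model); elsewhere a change ticket is required.
CRITICAL_PREFIXES = ("etc/ssh/", "etc/sudoers", "etc/cron.d/", "usr/bin/")
# Paths that legitimately change at runtime and must not count as drift.
IGNORED_PREFIXES = ("var/log/", "tmp/")


def capture_baseline(root: Path, ignored: Tuple[str, ...] = IGNORED_PREFIXES) -> Dict[str, str]:
    """Map each file (relative path) to 'mode:sha256' so content and permission drift both show."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel.startswith(ignored):
            continue
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        mode = oct(path.stat().st_mode & 0o777)
        baseline[rel] = f"{mode}:{digest}"
    return baseline


def detect_drift(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def decide(drift: Dict[str, List[str]]) -> str:
    """Replace the instance on critical drift; otherwise the change needs a ticket."""
    changed = drift["added"] + drift["removed"] + drift["modified"]
    if not changed:
        return "in-baseline"
    if any(p.startswith(CRITICAL_PREFIXES) for p in changed):
        return "replace-instance"
    return "require-change-ticket"


def _write(root: Path, rel: str, data: bytes, mode: int = 0o644) -> None:
    f = root / rel
    f.parent.mkdir(parents=True, exist_ok=True)
    f.write_bytes(data)
    f.chmod(mode)


def demo() -> dict:
    """Constructed golden image beside a running instance someone has 'fixed' by hand."""
    with tempfile.TemporaryDirectory() as tmp:
        image, instance = Path(tmp) / "image", Path(tmp) / "instance"
        for root in (image, instance):
            _write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\n")
            _write(root, "etc/sudoers", b"root ALL=(ALL) ALL\n", 0o440)
            _write(root, "usr/bin/app", b"#!/bin/sh\necho app\n", 0o755)
            _write(root, "var/log/app.log", b"")
        _write(instance, "etc/ssh/sshd_config", b"PermitRootLogin yes\n")   # hand edit
        (instance / "etc/sudoers").chmod(0o644)                              # loosened perms
        _write(instance, "etc/cron.d/persist", b"* * * * * root /tmp/x\n")  # new file
        _write(instance, "var/log/app.log", b"started\n")                   # ignored path
        drift = detect_drift(capture_baseline(image), capture_baseline(instance))
        return {"drift": drift, "decision": decide(drift)}
```

Recording the mode alongside the hash is what catches the loosened sudoers permission, which a content-only checksum would miss; excluding `var/log/` is what keeps the detector from crying wolf on every log write. In the immutable model the answer to critical drift is a fresh instance from the image, which is the "roll back" of slide 12 done by replacement rather than repair.
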

SLIDE 13

DevSecOps and injecting security into the SDLC

  • Barriers must be removed between security and application teams
    • Similar to how DevOps overcomes the divide between Dev and Ops teams
  • Security requirements must be clearly communicated and easily integrated into the complete process
  • Security review and testing must be integrated at multiple points in DevOps workflows

Dev: software releases & updates
Ops: reliability, performance, scaling
Sec: confidentiality, integrity, availability

SLIDE 14

DevSecOps

Shifting security “Left”

SLIDE 15

Software is eating the world. Companies are under pressure to move FAST.

SLIDE 16

Meanwhile, enterprises are spending more on cybersecurity than ever.

SLIDE 17

$100,000,000,000

SLIDE 18

BUT, breaches are at an all time high.

"The dramatic increase in cyber attack frequency, complexity, and size over the past year suggests that the economics of hacking have turned a corner." (Radware, 2017)

SLIDE 19

"90% of security incidents relate to vulnerabilities in code." (US Dept. of Homeland Security)

SLIDE 20

Why?

SLIDE 21

CENTRAL IT

Shadow IT

TEAM IT

SLIDE 22

Companies have a Need for Speed.

SLIDE 23

DevOps.

SLIDE 24

Dev _ Ops.

Value

SLIDE 25

Dev _ Ops.

Availability Value

Efficiencies that speed up software lifecycle.

SLIDE 26

DevOps and Security silos

(Diagram: Source Code → Builds → Production, with the Sec team out of the "loop" with DevOps)

SLIDE 27

Controls and Security can no longer be side-lined.

SLIDE 28

DevSecOps.

SLIDE 29

Dev _ Sec _ Ops.

Value

SLIDE 30

Dev _ Sec _ Ops.

Value Availability

SLIDE 31

Dev _ Sec _ Ops.

Value Availability Trust

Validate building blocks without slowing lifecycle.

SLIDE 32

Shift security "Left"

(Chart: Effort vs. ROI)

SLIDE 33

Shift security "Left"

(Diagram: Source Code → Builds → Production; spending further "Left" increases returns)

SLIDE 34

But, to reach DevSecOps your company must:

1. Adopt an automation culture
2. Deploy an agile software lifecycle
3. Integrate security into your culture

SLIDE 35

Competition is driving faster release cycles

SLIDE 36

DevOps Cycle

SLIDE 37

DevSecOps

SLIDE 38

Security: Shift Left or Shift Out

#1 problem is time to market

SLIDE 39

Security must be baked in.

SLIDE 40

Security Automation (It’s table stakes.)

SLIDE 41

Open Source: Accelerates Innovation but Introduces Risk

(Diagram: open source repositories feeding developers)

  • 60%: security vulnerabilities*
  • 85%: unknown or out-of-compliance licenses*

Number of open source modules by language:

  • Perl: 35,000
  • Python: 110,000
  • Go: 20,000
  • Ruby: 133,000
  • Node.js (npm): 575,000

* Based on the 2017 Black Duck Open Source Security and Risk Analysis audit.

SLIDE 42

Security must be baked in

You Got This

SLIDE 43

Solution: Shift Issue Resolution Left

(Diagram: in the IDE, a Dev adds a component/library; the ActiveState Platform checks it against Policy Definitions)

ActiveState identifies issues (based on your policy) and provides a solution in the IDE:

  • GPL license → substitute component
  • Older version → newer version supplied
  • Vulnerability → patch provided
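A policy-driven dependency check of the kind slide 43 describes, written so it can also run as the automated CI pipeline gate that slide 7 calls for; this is an added Python example, not ActiveState's code. The package index, the advisory identifiers (EXAMPLE-0001 and EXAMPLE-0002), the licence policy and the requirements file are all constructed for the example; a real gate would pull advisories from a vulnerability feed and licences from package metadata.

```python
"""Policy-driven dependency gate: licence, version and vulnerability checks
with the resolution a developer would be offered in the IDE.

Added illustration, not ActiveState's code. The package index, advisory
ids, policy and requirements below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric-only version compare; enough for the constructed data."""
    return tuple(int(x) for x in v.split("."))


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str


# Constructed package index: latest release, licence, known-bad range.
INDEX: Dict[str, dict] = {
    "requests": {"latest": "2.21.0", "license": "Apache-2.0",
                 "vulnerable_below": "2.20.0", "advisory": "EXAMPLE-0001"},
    "pyyaml":   {"latest": "5.1", "license": "MIT",
                 "vulnerable_below": "5.1", "advisory": "EXAMPLE-0002"},
    "gplutil":  {"latest": "1.0", "license": "GPL-3.0-only",
                 "vulnerable_below": None, "advisory": None, "substitute": "mitutil"},
    "mitutil":  {"latest": "1.0", "license": "MIT",
                 "vulnerable_below": None, "advisory": None},
}

# Constructed policy: licences the organisation will not ship with, and
# whether lagging behind the latest release should be flagged.
POLICY = {"denied_licenses": {"GPL-3.0-only", "AGPL-3.0-only"}, "require_latest": True}


@dataclass
class Finding:
    dependency: Dependency
    issue: str        # "license", "older-version", "vulnerability" or "unknown-package"
    resolution: str   # what the IDE plug-in would offer the developer
    blocking: bool    # True fails the build; False is advisory only


def check(dep: Dependency) -> List[Finding]:
    meta = INDEX.get(dep.name)
    if meta is None:
        return [Finding(dep, "unknown-package", "review manually", True)]
    findings = []
    if meta["license"] in POLICY["denied_licenses"]:
        sub = meta.get("substitute")
        findings.append(Finding(dep, "license",
                                f"substitute component: {sub}" if sub else "no substitute known", True))
    vb = meta["vulnerable_below"]
    if vb and parse_version(dep.version) < parse_version(vb):
        # A vulnerable version is reported as such, not merely as "older".
        findings.append(Finding(dep, "vulnerability",
                                f"patch provided: upgrade to {vb} ({meta['advisory']})", True))
    elif POLICY["require_latest"] and parse_version(dep.version) < parse_version(meta["latest"]):
        findings.append(Finding(dep, "older-version",
                                f"newer version supplied: {meta['latest']}", False))
    return findings


def parse_requirements(text: str) -> List[Dependency]:
    """Accepts the 'name==version' subset of requirements.txt (constructed input)."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==")
        deps.append(Dependency(name.strip().lower(), version.strip()))
    return deps


def gate(requirements: str) -> Tuple[bool, List[Finding]]:
    """CI entry point: (build passes, findings). Only blocking findings fail the build."""
    findings = [f for dep in parse_requirements(requirements) for f in check(dep)]
    return (not any(f.blocking for f in findings)), findings


REQUIREMENTS = """\
requests==2.18.0   # inside the constructed advisory's vulnerable range
pyyaml==5.1
gplutil==1.0       # licence denied by policy
mitutil==1.0
"""

if __name__ == "__main__":
    ok, findings = gate(REQUIREMENTS)
    for f in findings:
        flag = "BLOCK" if f.blocking else "WARN "
        print(f"{flag} {f.dependency.name}=={f.dependency.version}: {f.issue} -> {f.resolution}")
    print("build passes" if ok else "build fails")
```

The split between blocking and advisory findings is the part to get right in practice: a denied licence or a known vulnerability stops the merge, while merely trailing the latest release is surfaced to the developer in the IDE without slowing delivery, which is the balance slide 10 asks for.
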

SLIDE 44

SLIDE 45

SLIDE 46

SLIDE 47

Drill Down

SLIDE 48

Q&A

SLIDE 49

Thank you to our panelists

Farshad Abasi, Mirai Security: farshad.abasi@miraisecurity.com
Jacek Materna, Assembla: jacek@assembla.com
Jeff Rouse, ActiveState: jeffr@activestate.com

SLIDE 50

Find Us

Tel: 1.866.631.4581
Website: www.activestate.com
Twitter: @activestate
Facebook: /activestatesoftware
Early Access Signup: https://start.activestate.com/early-access/