#MicroFocusCyberSummit Shifting Security Left Bringing security - PowerPoint PPT Presentation

#MicroFocusCyberSummit

Shifting Security Left Bringing security into continuous integration and delivery Brenton Scott Witonski <>< , Acxiom Brandon Spruth, Target Lucas von Stockhausen, Fortify #MicroFocusCyberSummit

WHY ARE YOU HERE You want to know WHAT shifting security left means You want to know WHY you should shift left You want to know HOW to shift left #MicroFocusCyberSummit

WHAT is Shifting Security Left Software Development LifeCycle Moving current activities left Changing how you do security Changing the location of the Compromise in order to reduce risk Controlling development Becoming a part of development 4

WHY You to Shift Left Shifting left (correctly) can change ALL of this!!! 5

FROM TO Security 6

WHY You to Shift Left RESULTS Actual Risk Reduction 7

HOW Can Security Shift Left TRANSPARENT INTEGRATION AND AUTOMATION THE NAME OF DEVSECOPS IS SPEED  GO AT THE SPEED OF DEVELOPMENT (DAILY SCANS OF MODIFIED CODE) TRANSPARENT ACTIVITY  SCANS AND RESULTS SHOULD BE COMPLETED WITHOUT DEVELOPMENT STOPPING DIRECT ACCESS TO SOURCE CODE  A DEVELOPER SHOULD NOT HAVE TO MANUALLY PROVIDE CODE TO SCAN AUTOMATED SCANNING BASED ON RELEVANT CHANGES  A DEVELOPER SHOULD NOT HAVE TO WAIT ON RESULTS 8

Two Shift-Left Concepts for DEVSECOPS ALLOW CRITICALS INTO PRODUCTION DIFFER LEGACY VS INTRODUCED RISK tCELL’s 2018 Q2 Report “Security Immediately address introduced risk Report for In-Production Web with developers in existing or next Applications” release cycle Average of 34 DAYS to patch the Work with application and product most critical CVE’s owners to reduce technical debt over time IDEA: Patch Introduced Risk by Next Release IDEA: FOCUS ON THE NOW NOW: REAL WORLD EXAMPLE 9

STEP 1: Identify Relevant Code BitBucket/GitHub/SVN(TeamForge)  You need direct access to your repos as a security team  Use APIs and scripting to identify all repositories and branches having code changes  IDENTIFY ALL REPOS THAT HAVE CHANGED  CAPTURE REPO INFORMATION: ProjectName->RepositoryName->BranchName  Validate repository changes and capture commit metadata GITHUB Example in PERL to pull Repositories $github_proj_url="https://git.instance.net/api/v3/user/repos?per_page=100\\&page=$i"; chomp($github_proj_url); $curl_proj_command = "curl -s -u <password>"; $curl_proj_command .= " -X GET"; $curl_proj_command .= " $github_proj_url"; $json_proj=`$curl_proj_command`; chomp($json_proj); $decoded_json_proj=decode_json($json_proj); push @repo_values , @{$decoded_json_proj}; 10

STEP 2: Create Projects and Scan FORTIFY PROJECT APIs  Define a naming standard for your SSC Project based on Code Repository Data  Generate Fortify API Access Token  Verify SSC Project exists, if not, create it  Pull the source code and scan it  Upload results to SSC API Snippet for generating a Fortify Access Token my $token_response=`curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: Basic $Base64_Encoded_Password' -d '{ "type": "UnifiedLoginToken " }' 'http://ssc_server_name.net:PORT/ssc/api/v1/tokens’`; chomp($token_response); my $decoded_json_commit=decode_json($token_response); my $t_response_code=$decoded_json_commit->{'responseCode'}; print MSTRLOG "\nThe Token create response code was: $t_response_code\n"; my $token_value = $decoded_json_commit->{'data'}->{'token'}; 11

STEP 3: Relevant Issue Identification FORTIFY ISSUE APIs  For each issue, identify the issues of importance  Severity, Age, Category, Confidence Level, etc  Label issues based on relevant to current release or legacy issues existing prior to current release  Initiate reporting mechanism (email, dashboard notification, etc) for issues to stakeholders  CURRENT ISSUES – ACTIVE DEVELOPERS RESPONSIBLE  LEGACY ISSUES - PRODUCT OWNERS AND DEVELOPER LEADS API Snippet for Fortify Issues my $issue_response=`curl -X GET --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: FortifyToken $fortify_token' 'http://ssc_server_name.net:port/ssc/api/v1/projectVersions/$target_version_id/issues?limit=- 1&orderby=priority&fields=priority'`; chomp($issue_response); my $decoded_json_issues=decode_json($issue_response); print Dumper $decoded_json_issues; 12

What Tools Will You Need 1) TECHNICAL RESOURCE FOR PYTHON or PERL SCRIPTING 2) ACCESS TO YOUR SOURCE CODE REPOSITORY 3) SERVER WITH ACCESS TO SOURCE REPO AND SSC SERVER 13

What Now – Next Steps NEXT 15 DAYS  Requisition a Linux server for testing  Research Repo and Fortify APIs and Play with Examples Provided NEXT 30 DAYS  Write scripts to process your repository data  Write scripts to create SSC Projects NEXT 60 DAYS  Write scripting process to scan relevant repositories  Define the official process for Automated Static Scanning 14

#MicroFocusCyberSummit Brenton Scott Witonski <>< E-mail: Brenton.Witonski@acxiom.com LinkedIn: https://www.linkedin.com/in/brentonwitonski Personal: www.lovepala.com Thank You.

Brandon Spruth

Previous Products & Services Create awesome products & services with feedback loops Security As Code 17 Delivering value with frictionless, innovative and responsive processes Be a Better Partner // Security as Code / Everything as Code Provide tests and insight beyond known anomalies Business strategy is achieved with the Not Just Scanners & Reports collaboration of all departments and Attack products and services like an attacker providing remediation providers in service to the customer who requires better, faster, cheaper, secure products and services Next

Previous Regulatory Compliance Overcoming hurdles for laws regulations, guidelines, and specifications. Bug Management 12 Issue management and justification 11 1 with development teams remediation 10 2 Security Treadmill Scaling your product security operations Threat Modeling 18 9 3 Consulting with design and architecture Sublinear programs scale better than linear ones where budget, resources and workload increases 8 4 year-over-year. 7 5 Code Reviews 6 Hunting for security defects SAST & DAST Testing Updating and creating pipeline jobs for automated testing Next

Previous Change in leadership Live for a cause and focus on Contingency outcomes Planning 0 Break Industry 1 Plan for the worst but hope for the Practices best! Experiment beyond the typical taxonomy of tests Create use cases 19 0 2 Decrease Resources Illustrate and discuss outside influences Company experiences a downturn that would adversely effect your in the market with cutbacks operations Implement tests 0 Increase Workload 3 Challenge the use-cases with Greater development more hypotheticals releases overall velocity is up 25% Next

Previous DevSecOps Scanning Frictionless F Streamline process with quality experience Innovative I Flexible enough to complement the tech stack 20 Responsive R Simple onboarding with quick iterative scan duration Reliable R Scan results need to be accurate and meaningful Next

Previous Dynamic Application Security Test Orchestration 21 Iterate Remediate Feedback Scan Next

Previous WebBreaker Demos Orchestration on DAST with a light-weight client WebBreaker Installation & Configuration WebBreaker Centralized Scan Management 22 WebBreaker with DevSecOps WebBreaker Proxy & Swagger Integration Next

23 Previous Next

Previous Self-Service Test Coverage Low barrier to entry for non- Achieve greater velocity of tests with wide security professionals adoption Security-As-A-Service Contextual Scan Orchestration 24 Actionable Feedback Provide reproduction steps and concise remediation guidance Portability Lightweight and practical enough to seamlessly integrate into a tech stack Next

25 Previous Next

Bonus Content – APIs

GIT STASH API – Repository USE FOR GETTING A LIST OF YOUR REPOS IN A STASH GIT INSTANCE my $stash_repo_url="https://stash.company.com/rest/api/1.0/projects/$proj_name/repos?limit=300"; chomp($stash_repo_url); my $curl_repo_command = "curl -s -u <password>"; $curl_repo_command .= " -X GET"; $curl_repo_command .= " $stash_repo_url"; my $json_repo=`$curl_repo_command`; die "Could not get $stash_repo_url!" unless defined $json_repo; chomp($json_repo); my $decoded_json_repo=decode_json($json_repo); print "\n\n#################\n\tSTART REPO DUMP\n#################\n"; print Dumper $decoded_json_repo; 27

GIT STASH API – Commits USE TO GET COMMIT DATA FOR EACH REPO IN STASH GIT INSTANCE my $stash_commit_url="https://stash.company.com/rest/api/1.0/projects/$proj_name/repos/$repo_n ame/commits?limit=1"; chomp ($stash_commit_url); my $curl_commit_cmd = "curl -s -u <password>"; $curl_commit_cmd .= " -X GET"; $curl_commit_cmd .= " $stash_commit_url"; my $json_commit=`$curl_commit_cmd`; chomp($json_commit); my $decoded_json_commit=decode_json($json_commit); print "\n\n#################\n\tSTART COMMIT DUMP\n#################\n"; print Dumper $decoded_json_commit; 28