DevSecOps What, Why and How

This document discusses DevSecOps, which aims to integrate security into development pipelines and promote a security-focused culture. It explains that DevSecOps is needed because traditional security cannot keep up with rapid DevOps cycles. Integrating security earlier in the development process through automation saves both time and costs. The document provides examples of how to implement security tools and processes in development pipelines and culture. It also discusses some challenges of implementing DevSecOps and emphasizes the importance of collaboration and cultural change.

Uploaded by

Andy Tanoko

DevSecOps

What, Why and How


Anant Shrivastava
NotSoSecure Global Services
@anantshri
About
Anant Shrivastava
• Director NotSoSecure Global Services
• Sysadmin / Development / Security
• Project Owner: AndroidTamer, Codevigilant
• Contributor : OWASP, null, G4H and more
• https://anantshri.info (@anantshri on social platforms)

NotSoSecure Global Services (a Claranet group company)


• Boutique Consulting firm specialized in training and consulting
Agenda
● What is DevSecOps
● Why do we need DevSecOps
● How do we do DevSecOps
● Integrate Security in Pipeline
● Tools of Trade
● Sample Implementation
● Case Studies
Disclaimer

● I will be listing a lot of tools; it's not an exhaustive list.

● I don't endorse or recommend any specific tool / vendor.

● Every environment is different: test and validate before implementing any ideas.
What is DevSecOps
Effort to strive for “Secure by Default”
● Integrate Security in tools
● Create Security as Code culture
● Promote cross skilling
Why do we need DevSecOps
● DevOps moves at a rapid pace; traditional security just can't keep up

● Security as part of the process is the only way to ensure safety

Shifting Left saves cost & time

Pipeline: Developer → Source Code Repository → CI/CD Server → Build → Staging/QA Testing → Penetration Testing → Production → Monitoring

Example from the slide: one SQL injection caught by automated source code review at the repository stage means fewer man-days of effort and no new deployments.
How do we do DevSecOps
• DevSecOps is Automation + Cultural Changes

• Integrate security into your DevOps Pipeline

• Enable cultural changes to embrace DevSecOps


Injecting Sec in DevOps

Flow: Developer → Code Repository → CI/CD Server → Artifact Repository (build artifacts versioned against code commits)

Pre-Commit: Pre-Commit Hooks, Secrets Management, IDE Plugins
Pre-Build: Static Application Security Testing (SAST), Software Composition Analysis (SCA)
Post-Build: Dynamic Application Security Testing (DAST)
QA/Staging: Manual Web Application Pentesting, Business Logic Flaws
Production: Security in Infrastructure as Code (IaC), Compliance as Code, Alerting and Monitoring

Vulnerability Management across all stages
Sample Implementation
A simplistic flow of DevSecOps Pipeline using some of the tools mentioned earlier
Tools of trade

Threat Modelling Tools: ThreatSpec, Microsoft Threat Modeling Tool
Pre-Commit Hooks: truffleHog, Git Hound
Software Composition Analysis: Retire.js
Static Analysis Security Testing (SAST)
IDE Plugins: CAT.net
Secret Management: Keywhiz

Preference given to opensource tools; we don’t endorse any tool
Tools of trade (continued)

Vulnerability Management: Jackhammer
Dynamic Security Analysis
Infrastructure Scan
Compliance as Code: Docker Bench for Security
WAF


To be or not to be in Pipeline
● API / command line access
● Execution start to final output should be 15 minutes max
● Containerized / scriptable
● Minimal licensing limitations (parallel scans or threads)
● Output format parsable / machine readable (no plain stdout; yes to JSON / XML)
● Configurable to counter false negatives / false positives
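A gate step meeting those criteria, written as an added example for this deck (not code from the slides or from any of the tools named): it reads a scanner's JSON report, honours a reviewed suppression list with expiry dates so false positives can be accepted without hiding forever, and fails on findings at or above a severity threshold. The report layout, finding ids, paths and dates are constructed.

```python
"""Pipeline security gate: consume a scanner's machine-readable JSON report,
apply a reviewed suppression list (configurable against false positives) and
fail on findings at or above a severity threshold. Data here is constructed."""
import fnmatch
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report in the shape a SAST/SCA tool might emit as JSON;
# real tools differ, so map their fields into this shape first.
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "SQLI-001", "severity": "high", "file": "app/db.py", "line": 42},
    {"id": "XSS-002", "severity": "medium", "file": "app/views.py", "line": 7},
    {"id": "HARDCODED-003", "severity": "high",
     "file": "tests/fixtures/keys.py", "line": 1},
]})

# Reviewed suppressions: each needs a path glob, a reason and an expiry date
# so accepted false positives get revisited instead of living forever.
SUPPRESSIONS = [
    {"id": "HARDCODED-003", "path": "tests/fixtures/*",
     "reason": "dummy key in a test fixture", "expires": "2025-12-31"},
]

def is_suppressed(finding, suppressions, today):
    """True if a non-expired suppression matches the finding id and file path."""
    for s in suppressions:
        if (s["id"] == finding["id"]
                and fnmatch.fnmatch(finding["file"], s["path"])
                and s["expires"] >= today):  # ISO dates compare as strings
            return True
    return False

def gate(report_json, suppressions, threshold="high", today="2025-01-01"):
    """Return (passed, blocking, suppressed); map passed=False to a non-zero exit."""
    findings = json.loads(report_json)["findings"]
    blocking, suppressed = [], []
    for f in findings:
        if is_suppressed(f, suppressions, today):
            suppressed.append(f)
        elif SEVERITY_RANK.get(f["severity"].lower(), 0) >= SEVERITY_RANK[threshold]:
            blocking.append(f)
    return (not blocking, blocking, suppressed)

if __name__ == "__main__":
    ok, block, sup = gate(SAMPLE_REPORT, SUPPRESSIONS)
    print("passed:", ok, "blocking:", [f["id"] for f in block])
    raise SystemExit(0 if ok else 1)
```

Run it as one CI stage after the scanner step; the non-zero exit is what fails the pipeline.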
What about Cloud

• The threat landscape changes:
  • Identity and Access Management
  • Billing attacks

• Infrastructure as Code allows quick audit / linting

• Focus more on:
  • Security groups
  • Permissions to resources
  • Rogue / shadow admins
  • Forgotten resources (compromises / billing)
Cultural Aspect
● Automation alone will not solve the problems

● Focus on collaboration and an inclusive culture

● Encourage a security mindset, especially outside the sec team

● Build allies (security champions) in the company

● Avoid the blame game

This is just the tip of the iceberg (details out of scope for this session)
Security Champion
• Bridge between Dev, Sec and Ops teams
• Build Security Champions
• Single Person per team
• Everyone provided with similar cross skilling opportunities
• Incentivize other teams to collaborate with Sec team
• Internal Bug bounties

• Sponsor Interactions (Parties / get-togethers)

• Sponsor cross-skilling training for other teams


Generic Case Study
Case Study: Unaccounted and unmonitored Assets

Prevention: Recurring Asset Inventory and Automated Assessments
Case Study: Auth Token accidentally exposed

Prevention: Pre-commit Hook and continuous repository monitoring
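The pre-commit hook named as prevention above, as an added example written for this deck (it is not code from the slides, nor from truffleHog or Git Hound): it scans only the lines a staged diff adds, flags a known key-id format and long high-entropy strings, and exits non-zero so the commit is blocked. The sample diff, the entropy threshold and the `aws-access-key-id` label are constructed assumptions; the key id in the diff is the non-functional example from AWS documentation.

```python
"""Pre-commit secrets check: scan the lines a staged diff adds for token-shaped
strings via a known-prefix pattern and a Shannon-entropy test (constructed data)."""
import math
import re

# Known-format token pattern (AWS-style access key id); extend as needed.
KNOWN_PATTERNS = [("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"))]
# Long runs of base64-alphabet characters are candidates for the entropy test.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.5  # assumption: bits per character; tune per repository

def shannon_entropy(s):
    """Bits per character: random tokens score high, words and paths score low."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in (s.count(c) for c in set(s)))

def added_lines(diff_text):
    """Yield (diff line number, content) for added lines, skipping +++ headers."""
    for n, line in enumerate(diff_text.splitlines(), 1):
        if line.startswith("+") and not line.startswith("+++"):
            yield n, line[1:]

def find_secrets(diff_text):
    """Return (line, kind, match) for each suspected secret in added lines."""
    findings = []
    for n, content in added_lines(diff_text):
        known = set()
        for kind, pat in KNOWN_PATTERNS:
            for m in pat.finditer(content):
                findings.append((n, kind, m.group()))
                known.add(m.group())
        for m in CANDIDATE.finditer(content):  # skip tokens already reported
            tok = m.group()
            if tok not in known and shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append((n, "high-entropy", tok))
    return findings

# Constructed staged diff; the key id is the non-functional example from AWS docs.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_HOST = "localhost"
-OLD_SETTING = "nothingtoseehere"
+API_TOKEN = "h8sK3pQ9zX2vT7mR4nB6wL1cY5dF0gJ3"
"""

if __name__ == "__main__":  # as a git hook, feed `git diff --cached` instead
    hits = find_secrets(SAMPLE_DIFF)
    for line, kind, tok in hits:
        print(f"diff line {line}: {kind}: {tok[:6]}...")  # never echo the full value
    raise SystemExit(1 if hits else 0)
```

A real hook should also alert on matches from history scans, since the case study's prevention pairs the hook with continuous repository monitoring.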
More Case Studies: Cloud Assets Misconfiguration

Prevention: Continuous monitoring and review of cloud assets and config


Case Study (last one, I promise): Misconfiguration leading to code disclosure

Prevention: Patching and Continuous monitoring of Assets
Is it Enough
• Rite of passage: periodic pen test and continuous bug bounty
• It's not just important to get feedback but also to act on it
• Risk acceptance documentation should be the worst-case scenario, not your first bet
References
• https://www.blackhat.com/docs/us-17/thursday/us-17-Lackey-Practical%20Tips-for-Defending-Web-Applications-in-the-Age-of-DevOps.pdf
• https://www.sonatype.com/hubfs/2018%20State%20of%20the%20Software%20Supply%20Chain%20Report.pdf
• https://snyk.io/opensourcesecurity-2019/
• https://www.veracode.com/state-of-software-security-report
Key Takeaways

• Security is everyone's responsibility

• Embrace security as an integral part of the process; use feedback to refine the process

• DevSecOps is not one-size-fits-all: your mileage will vary
