How to Successfully Shift Left Your DevSecOps Strategy
SAEC Days - July 2020
Arthur Hicken – Parasoft Evangelist
Arthur Hicken @codecurmudgeon
The Quest for Better Software
[Diagram: Better / Faster / Cheaper mapped to Quality, Speed and Cost; Safer / More Secure mapped to Risk]
“DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support.” – The Agile Admin
Challenges of DevOps
• Tests must produce a binary go/no-go decision
• Reuse unit tests and functional tests from dev to QA
• High level of automation
• Requires a disciplined, mature process
• Testing must automatically answer:
  • Is it stable?
  • Will it do what it’s supposed to do?
An ounce of prevention…
“We wouldn't have to spend so much time, money, and effort on network security if we didn't have such bad software security.” – Bruce Schneier, in Viega and McGraw, “Building Secure Software,” 2001
The Traditional Approach to Security = Dev>Sec>Ops
[Diagram: several Dev Streams flow into QA/Integration, then Security, then Deploy. Security sits at the end of the pipeline: specialized skills and software = limited resources available]
The Traditional Approach to Security = Dev>Sec>Ops
[Same diagram, annotated with the reactions when Security reports problems late:]
• Security: “These problems need fixing”
• Dev: “It’s too close to the release date!”
• QA: “I’ll have to retest the whole application!!”
• Dev: “I don’t understand the problem”
• Dev: “That’s not a ‘real’ problem”
• Dev: “We are no longer working on that code”
Specialized skills and software = limited resources available
Results in delayed releases and/or security vulnerabilities in production
Solving the challenges of implementing DevSecOps
Security knowledge is limited and requires skilled resources / tools
• Easily define a centralized policy based on industry standards (CWE, OWASP, CERT, UL-2900)
• Documentation, examples and embedded training to enable the team
End-of-cycle security testing results in delays and vulnerabilities in production
• Enable the developers to perform analysis directly inside the IDE
• Leverage integration with the build process and CI plugins to gate the CI pipeline
Unknown state of security risk until the last moment
• On-going monitoring of software quality enables prioritization and course correction
• Real-time compliance reporting eliminates the overhead of security oversight
When and where do we find problems?
[Chart: % defects introduced and % defects found per phase (Coding, Unit Test, Functional Test, System Test, Release), plotted against the cost to repair a defect, which rises from 1x through 4x, 10x and 40x to 640x. The chart’s highest value, 85%, is on the defects-introduced curve at the Coding phase]
‘Shift-left’ defect detection and remediation
Changing the software development culture to reduce cost and increase agility
• Leverage earlier-stage quality practices, i.e. code analysis, unit testing, API testing
• Continuously execute later-stage tests during active/on-going development, e.g. end-to-end business scenarios, security testing
[Same chart as the previous slide: % defects introduced and found per phase against cost to repair rising from 1x to 640x, 85% at the Coding phase]
Reduces costs from late-cycle defect detection
Penetration testing is moved left
How can we get lefter?
• Early pen-test before the application is available
  • Service virtualization enables this
• SAST
  • Flow-analysis techniques for tainted data
  • Flagging code that is legal but not safe (secure)
  • Requiring constructs like validation and proper encryption in the code
Shift-left Approach to Security = Sec>Dev>Ops
[Diagram: Dev Streams flow into QA/Integration, Security and Deploy, with policy defined up front:]
• Define Secure Coding Policy
• Apply Security Policy throughout the development process with developer-centric technology
• Early-stage pen testing to validate the Policy, using QA test cases applied continuously during standard QA cycles
• Security vulnerabilities drive policy improvements
Shift-left Approach to Security = Sec>Dev>Ops
[Same diagram, annotated:]
• Define Secure Coding Policy; iterative application = early detection
• Apply policy when developing; developer-centric documentation
• Policy-based decisions at QA/Integration and Security
• Code traceability provides root-cause analysis
• Security vulnerabilities drive policy improvements
Fewer late-cycle security vulnerabilities and quicker remediation
Getting static analysis right
• The right checkers
• The right code
• The right findings
• The right people
• The right time & place
The right checkers (rules)
(checkers – rules – guidelines)
• Standards & Compliance requires
  • Comprehensive coverage for the standard
  • Audit and reporting
• What are you trying to do?
  • Things happening in the field
  • Things happening in the news
  • Things you worry will happen
OWASP – Open Web Application Security Project
• Web-oriented standard
• Language independent
• Top 10 list
  • About 50 sub-items
  • Not all statically analyzable
• Used by FDA and UL 2900
• Risk scoring system
• Current version 2017
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CWE – Common Weakness Enumeration
CWE Top 25 – and on-the-cusp
• Created by government and industry
  • Managed by MITRE
• Hierarchical tree of “weaknesses”
  • Symptom focused
  • Over 800 rules
• Top 25
  • Cusp (16 more)
  • And the rest
• Risk scoring
  • Technical Impact
  • What kind of thing will happen?
http://cwe.mitre.org/
SEI / CERT Secure Coding Guidelines
Software Engineering Institute / Computer Emergency Readiness Team
• Developed with community involvement
• Focus on engineering and prevention
• Secure Coding Guidelines
  • Lots of static analysis rules
  • C, C++, Java, Perl, Android
• Two categories
  • Rules (strict): critical and detectable
  • Recommendations (less strict): lower impact, difficult to analyze
• Practical risk scoring
  • Likelihood, cost, severity -> priority
https://www.securecoding.cert.org
Secure coding metrics
• Compliance with policy and/or regulation
• Issues by severity, category
• Common problem hotspots
  • Areas of code with many issues
  • Common issues in many places
• What is the risk associated with particular SAST violations?
Data by role
• Complete support for critical standards
• Map-less implementation
• Standard-centric reporting & auditing
• Risk model specific to each standard
[Diagram of the developer workflow: 1. Results as a uniform view within the IDE; 2. Directly to the line of code to fix; 3. Check-in]
Compliance audit-ready reports
The click of a button
• Cover
• Overview
• Detection plan
• Deviations
• Build audit report
Risk helps manage priority and control noise

Severity - How serious are the consequences of the rule being ignored?
• 1 low: denial-of-service attack, abnormal termination
• 2 medium: data integrity violation, unintentional information disclosure
• 3 high: run arbitrary code

Likelihood - How likely is it that a flaw introduced by ignoring the rule can lead to an exploitable vulnerability?
• 1 unlikely
• 2 probable
• 3 likely

Cost - The cost of mitigating the vulnerability (detection / correction):
• 1 high: manual / manual
• 2 medium: automatic / manual
• 3 low: automatic / automatic

Risk models: CWSS – ISO 27010, CERT Risk, OWASP Risk
‘Trust but Verify’ by gating the CI pipeline
Provides a safety net to ensure vulnerabilities do not make it out of ‘development’
1. Performs analysis of the ‘entire code base’
2. Command-line interface for easy integration into the build process
3. CI plugins for displaying results and gating the CI pipeline
4. Sends data to the reporting and analytics dashboard
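As an added example (not from the slides and not Parasoft's tooling), the script below scores SAST findings the way the risk tables above do, severity × likelihood × cost, bands them into levels, and uses the result to gate a CI build. The report schema and rule names are constructed placeholders, and the L1/L2/L3 banding follows the SEI CERT convention, which the slide itself does not spell out.

```python
import json
import sys

# Levels follow the SEI CERT convention (L1 = 12-27, L2 = 6-9, L3 = 1-4);
# the banding is not on the slide, only the three 1-3 metrics are.
LEVEL_BANDS = (("L1", 12), ("L2", 6), ("L3", 1))

# Constructed sample report in a hypothetical schema (not any real tool's format).
# "in_diff" marks findings in code touched by the change under review.
SAMPLE_REPORT = json.dumps([
    {"rule": "EXAMPLE-RULE-A", "file": "net/parse.c", "line": 88,
     "severity": 3, "likelihood": 3, "cost": 2, "in_diff": True},
    {"rule": "EXAMPLE-RULE-A", "file": "legacy/old.c", "line": 12,
     "severity": 3, "likelihood": 3, "cost": 3, "in_diff": False},
    {"rule": "EXAMPLE-RULE-B", "file": "net/parse.c", "line": 140,
     "severity": 2, "likelihood": 2, "cost": 1, "in_diff": True},
    {"rule": "EXAMPLE-RULE-C", "file": "ui/form.c", "line": 7,
     "severity": 1, "likelihood": 2, "cost": 3, "in_diff": True},
])


def priority(severity, likelihood, cost):
    """Severity x likelihood x cost, each 1..3 as in the slide's tables -> 1..27."""
    if any(v not in (1, 2, 3) for v in (severity, likelihood, cost)):
        raise ValueError("each metric must be 1, 2 or 3")
    return severity * likelihood * cost


def level(prio):
    """Map a priority score to its CERT-style level (L1 = fix first)."""
    return next(lvl for lvl, floor in LEVEL_BANDS if prio >= floor)


def gate(report_json, fail_levels=("L1",), only_changed=True):
    """Return (passed, blocking). only_changed skips findings outside the change
    set: the full-code-base scan still feeds the dashboard, but the gate does
    not block on code nobody is going to fix in this change."""
    blocking = []
    for f in json.loads(report_json):
        if only_changed and not f.get("in_diff", False):
            continue
        lvl = level(priority(f["severity"], f["likelihood"], f["cost"]))
        if lvl in fail_levels:
            blocking.append((lvl, f["rule"], f["file"], f["line"]))
    return (not blocking, blocking)


if __name__ == "__main__":
    passed, blocking = gate(SAMPLE_REPORT)
    for lvl, rule, path, line in blocking:
        print(f"{lvl} {rule} at {path}:{line} blocks the build")
    sys.exit(0 if passed else 1)
```

Widening `fail_levels` to include "L2" is how a team tightens the policy over time as the backlog shrinks, rather than turning on every checker at once.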
Common traps
• Analyzing code you won’t fix
• Running checkers you won’t fix
• Blocking the check-in
• Turning all static violations into “bugs”
• Turning on all the checkers
• Noise & false positives
THANK YOU
Arthur “Code Curmudgeon” Hicken
Parasoft evangelist
codecurmudgeon@parasoft.com
Follow him @codecurmudgeon