Security Automation in Agile SDLC Real World Cases

Size: px

Start display at page:

Download "Security Automation in Agile SDLC Real World Cases"

Shanna Carroll
10 years ago
Views:

1 Security Automation in Agile SDLC Real World Cases Ofer Maor Director of Security Strategy, Synopsys AppSec California, January 2016

2 Speaker Security Strategy at Synopsys Founder of Seeker / Pioneer of IAST Hacker at Heart Longtime OWASPer Over 20 Years in Cybersecurity Avid Photographer Yes, Agile can bite

3 The Agile Security Challenge Too Much Data Prioritizing Risk Understanding the Pain Security by Developers Short Cycles Rapid Delivery

4 Automation Automated, Continuous, Practical Testing

5 Case I Insurance Company Transforming to Agile

6 Case I Background Insurance Company Agile Maturity: In Transition Automation Maturity: Starting AppSec Maturity: Medium Insurance Company. Home grown apps ~15 different systems (Customer/Agent/Internal) Varying level of agile maturity & transformation CI-Only to Full-Agile Focus on new systems

Home grown apps ~15 different systems (Customer/Agent/Internal) Varying

7 Case I Challenges Insurance Company Agile Maturity: In Transition Automation Maturity: Starting AppSec Maturity: Medium Limited security background for developers, no existing process Different Agile Maturity No one process fits all Insufficient test automation (coverage) Limited security resources Strong regulatory requirements Various technologies (.Net, Java, Legacy MF, more )

Different Agile Maturity No one process fits all Insufficient test automation (coverage)

8 Case I Process Insurance Company Agile Maturity: In Transition Automation Maturity: Starting AppSec Maturity: Medium Creating strong cooperation (R&D/DevOps/Security) Security visibility into R&D bugs Weekly approval committee R&D Training (Basic!) Risk Policy (adapting risks, High only blocks) Multiple output channels (tickets, reports, etc.)

Security visibility into R&D bugs Weekly approval committee R&D Training (Basic!

9 Case I Existing CI/DevOps Insurance Company Agile Maturity: In Transition Automation Maturity: Starting AppSec Maturity: Medium CI Jenkins. Pulls code from Java/.NET Repositories Ticket Tracking HP QC Static Analysis (mainly for quality). Not integrated into the process Artifacts deployed to test env (permanent static) Test automation basic (in progress) Functionality testing mostly manual

NET Repositories Ticket Tracking HP QC Static Analysis (mainly for quality).

10 Case I Security Automation Insurance Company Agile Maturity: In Transition Automation Maturity: Starting AppSec Maturity: Medium Integrate to launch from CI Integration with both automated (speed) and manual testing (coverage) Multiple Outputs: Jenkins Integration High breaks build (response + HTML data) QC Integration Bug Tracking and Remediation PDF Report for auditing and committee review

(speed) and manual testing (coverage) Multiple Outputs: Jenkins Integration High breaks build

12 Case II UK Retailer, Established Agile Shop

13 Case II Background UK Retailer Agile Maturity: High Automation Maturity: High AppSec Maturity: Low UK Retailer with ecommerce Platform Single Platform, 5 Flavors (Customer facing) Run of the mill Agile Shop: Scrum based 3-Weeks long sprints. Strict enforcement Strong automation

Platform Single Platform, 5 Flavors (Customer facing) Run of the mill

14 Case II Challenges UK Retailer Agile Maturity: High Automation Maturity: High AppSec Maturity: Low Response to an incident Minimal existing security No security background for developers. Limited security resources No existing process between security & R&D Very strict 3 weeks sprints

existing security No security background for developers.

15 Case II Process UK Retailer Agile Maturity: High Automation Maturity: High AppSec Maturity: Low Process driven by R&D, with security supervision Security Workflow created, testing once a week Week 1 & 2 to identify vulnerabilities in new code Week 3 test provides verification Breaking (Medium or higher) on verification feature pushed out of version Weekly reports (PDF) to security group for auditing

1 & 2 to identify vulnerabilities in new code Week 3 test provides verification Breaking (Medium or

16 Case II Existing CI/DevOps UK Retailer Agile Maturity: High Automation Maturity: High AppSec Maturity: Low CI Jenkins. Ticket Tracking JIRA All testing environment is done in cloud (Amazon) Dynamic orchestration of test env new environments every week (4 servers/instance) Automated deployment of build artifacts alongside testing framework (Selenium) Daily execution of test automation (functionality)

Ticket Tracking JIRA All testing environment is done in cloud (Amazon) Dynamic orchestration of test

17 Case II Security Automation UK Retailer Agile Maturity: High Automation Maturity: High AppSec Maturity: Low Dedicated security environment Adaption of orchestration scripts (for deploying security testing software) Integration with Selenium Weekly orchestration test environment and execution of tests Tests integrated into CI HTML reports for Jenkins viewing. PDF Reports for processing and audit

security testing software) Integration with Selenium Weekly orchestration test environment and

20 Case III ecommerce Giant, Continuous Delivery

21 Case III Background ecommerce Giant Agile Maturity: Very High Automation Maturity: Very High AppSec Maturity: Very High In Top 10 largest ecommerce sites Following a long, cross-organization Agile Transformation process Highly advanced Agile/DevOps process Modular site with multiple front-end and back-end components Hundreds of engineers (Dev, QA, DevOps, etc.) Heavy investment in security already using various tools

22 Case III Challenges ecommerce Giant Agile Maturity: Very High Automation Maturity: Very High AppSec Maturity: Very High Introduction of security automation in QA/DevOps Multiple components for multiple teams Extremely dynamic testing environments (dynamically orchestrated and changing) Home-Grown DevOps Cloud, CI, Testing, Orchestration, etc. Highly Agile/Rapid environment Continuous Delivery with daily artifacts Security cannot be involved in the daily process

23 Case III Process ecommerce Giant Agile Maturity: Very High Automation Maturity: Very High AppSec Maturity: Very High Process initiated by the security group, with DevOps cooperation QA/DevOps training on process (rather than security) Security tests to run as part as other testing, on a daily basis Prioritization policy Medium or higher blocks. Low scheduled for next version. Verification Metrics Usage of another tool in production must return clean. Security group supervises the process and has visibility to reports.

24 Case III Existing CI/DevOps ecommerce Giant Agile Maturity: Very High Automation Maturity: Very High AppSec Maturity: Very High Homegrown CI/Orchestration/Cloud Ticket Tracking - JIRA Daily builds creation Daily creation of cloud environments with various server roles and elastic scaling Daily orchestration of latest builds and latest test automation versions Hybrid Automation Selenium for web/front-end, Homegrown for WS

25 Case III Security Automation ecommerce Giant Agile Maturity: Very High Automation Maturity: Very High AppSec Maturity: Very High Orchestration adapted to deploy security testing software as part of existing testing env Full CI integration All existing automation directed to integrate with security testing Security tests run daily Full JIRA bug tracking integration with automated delivery per team Running of additional blackbox scanner on production for reverification

26 Thank You! Questions?

Agile Software Factory: Bringing the reliability of a manufacturing line to software development

Agile Software Factory: Bringing the reliability of a manufacturing line to software development Today s businesses are complex organizations that must be agile across multiple channels in highly competitive