Security Automation in Agile SDLC Real World Cases




Ofer Maor, Director of Security Strategy, Synopsys
AppSec California, January 2016

Speaker
- Security Strategy at Synopsys
- Founder of Seeker / Pioneer of IAST
- Hacker at Heart
- Longtime OWASPer
- Over 20 Years in Cybersecurity
- Avid Photographer
- Yes, Agile can bite

The Agile Security Challenge
- Too Much Data
- Prioritizing Risk
- Understanding the Pain
- Security by Developers
- Short Cycles
- Rapid Delivery

Automation: Automated, Continuous, Practical Testing

Case I: Insurance Company Transforming to Agile

Case I: Background
Insurance Company. Agile Maturity: In Transition. Automation Maturity: Starting. AppSec Maturity: Medium.
- Insurance company with home-grown apps
- ~15 different systems (Customer/Agent/Internal)
- Varying level of agile maturity & transformation, from CI-only to full Agile
- Focus on new systems

Case I: Challenges
- Limited security background for developers; no existing process
- Different Agile maturity: no one process fits all
- Insufficient test automation (coverage)
- Limited security resources
- Strong regulatory requirements
- Various technologies (.NET, Java, Legacy MF, more)

Case I: Process
- Creating strong cooperation (R&D/DevOps/Security)
- Security visibility into R&D bugs
- Weekly approval committee
- R&D training (basic!)
- Risk policy (adapting risks; High only blocks)
- Multiple output channels (tickets, reports, etc.)

Case I: Existing CI/DevOps
- CI: Jenkins, pulls code from Java/.NET repositories
- Ticket tracking: HP QC
- Static analysis (mainly for quality), not integrated into the process
- Artifacts deployed to test environment (permanent, static)
- Test automation basic (in progress)
- Functionality testing mostly manual

Case I: Security Automation
- Integrated to launch from CI
- Integration with both automated (speed) and manual testing (coverage)
- Multiple outputs:
  - Jenkins integration: High breaks build (response + HTML data)
  - QC integration: bug tracking and remediation
  - PDF report for auditing and committee review

Case II: UK Retailer, Established Agile Shop

Case II: Background
UK Retailer. Agile Maturity: High. Automation Maturity: High. AppSec Maturity: Low.
- UK retailer with ecommerce platform
- Single platform, 5 flavors (customer facing)
- Run-of-the-mill Agile shop: Scrum based, 3-week sprints, strict enforcement
- Strong automation

Case II: Challenges
- Response to an incident
- Minimal existing security
- No security background for developers; limited security resources
- No existing process between security & R&D
- Very strict 3-week sprints

Case II: Process
- Process driven by R&D, with security supervision
- Security workflow created; testing once a week
- Weeks 1 & 2: identify vulnerabilities in new code
- Week 3: test provides verification
- Breaking (Medium or higher) on verification: feature pushed out of version
- Weekly reports (PDF) to security group for auditing

Case II: Existing CI/DevOps
- CI: Jenkins
- Ticket tracking: JIRA
- All testing environments are in the cloud (Amazon)
- Dynamic orchestration of test environments: new environments every week (4 servers/instance)
- Automated deployment of build artifacts alongside testing framework (Selenium)
- Daily execution of test automation (functionality)

Case II: Security Automation
- Dedicated security environment
- Adaptation of orchestration scripts (for deploying security testing software)
- Integration with Selenium
- Weekly orchestration of test environment and execution of tests
- Tests integrated into CI
- HTML reports for Jenkins viewing; PDF reports for processing and audit

Case III: ecommerce Giant, Continuous Delivery

Case III: Background
ecommerce Giant. Agile Maturity: Very High. Automation Maturity: Very High. AppSec Maturity: Very High.
- In top 10 largest ecommerce sites
- Following a long, cross-organization Agile transformation process
- Highly advanced Agile/DevOps process
- Modular site with multiple front-end and back-end components
- Hundreds of engineers (Dev, QA, DevOps, etc.)
- Heavy investment in security, already using various tools

Case III: Challenges
- Introduction of security automation in QA/DevOps
- Multiple components for multiple teams
- Extremely dynamic testing environments (dynamically orchestrated and changing)
- Home-grown DevOps: cloud, CI, testing, orchestration, etc.
- Highly Agile/rapid environment: Continuous Delivery with daily artifacts
- Security cannot be involved in the daily process

Case III: Process
- Process initiated by the security group, with DevOps cooperation
- QA/DevOps training on process (rather than security)
- Security tests run as part of other testing, on a daily basis
- Prioritization policy: Medium or higher blocks; Low scheduled for next version
- Verification metrics: usage of another tool in production must return clean
- Security group supervises the process and has visibility into reports

Case III: Existing CI/DevOps
- Homegrown CI/orchestration/cloud
- Ticket tracking: JIRA
- Daily build creation
- Daily creation of cloud environments with various server roles and elastic scaling
- Daily orchestration of latest builds and latest test automation versions
- Hybrid automation: Selenium for web/front-end, homegrown for WS

Case III: Security Automation
- Orchestration adapted to deploy security testing software as part of existing testing environment
- Full CI integration
- All existing automation directed to integrate with security testing
- Security tests run daily
- Full JIRA bug tracking integration with automated delivery per team
- Running of additional blackbox scanner on production for reverification
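The three cases differ mainly in which severity breaks the build (Case I: High only; Cases II and III: Medium or higher, with Low deferred to the next version), in Case III's rule that the production reverification must return clean, and in its per-team ticket delivery. The following added example, which is not code from the talk or from Synopsys, implements that severity gate as a script a CI job could call; the policy table, the finding fields and the sample report are constructed assumptions.

```python
import json
from dataclasses import dataclass, field

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Lowest severity that breaks the build, per case (constructed policy table).
POLICIES = {
    "case1_insurance": "High",    # "High only blocks"
    "case2_retailer": "Medium",   # "Medium or higher" breaks on verification
    "case3_ecommerce": "Medium",  # "Medium or higher blocks; Low next version"
}

@dataclass
class Decision:
    build_passes: bool
    blocking: list = field(default_factory=list)  # findings that break the build
    deferred: list = field(default_factory=list)  # findings ticketed for next version
    by_team: dict = field(default_factory=dict)   # blocking finding ids per owning team

def evaluate_report(report_json: str, policy_name: str, verification: bool = False) -> Decision:
    """Apply one case's policy to a JSON findings report. verification=True models
    Case III's reverification rule: the production rescan must return clean."""
    threshold = SEVERITY_RANK[POLICIES[policy_name]]
    decision = Decision(build_passes=True)
    for finding in json.loads(report_json)["findings"]:
        rank = SEVERITY_RANK.get(finding["severity"])
        if rank is None:  # never silently pass a label the policy does not know
            raise ValueError(f"unknown severity {finding['severity']!r}")
        if verification or rank >= threshold:
            decision.blocking.append(finding)
            team = finding.get("team", "unassigned")  # Case III: ticket per team
            decision.by_team.setdefault(team, []).append(finding["id"])
        else:
            decision.deferred.append(finding)
    decision.build_passes = not decision.blocking
    return decision

def exit_code(decision: Decision) -> int:
    """Non-zero fails the Jenkins step, which is what breaks the build."""
    return 0 if decision.build_passes else 1

# Constructed sample report; ids, titles and team names are made up.
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "F-1", "severity": "High", "title": "injection in search", "team": "catalog"},
    {"id": "F-2", "severity": "Medium", "title": "missing output encoding", "team": "checkout"},
    {"id": "F-3", "severity": "Low", "title": "verbose server header", "team": "platform"},
]})

if __name__ == "__main__":
    print({name: exit_code(evaluate_report(SAMPLE_REPORT, name)) for name in POLICIES})
```

Run against the same sample report, the Case I policy blocks on F-1 alone while the Case III policy blocks on F-1 and F-2 and defers F-3, which is the difference the slides describe between "High only blocks" and "Medium or higher blocks".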

Thank You! Questions?