Seattle | September 16-17, 2019
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and Query
ERKANG ZHENG
Security is an organizational challenge.
What is DevSecOps? How does security keep up with DevOps?
DevOps | DevSecOps
Move fast and automate everything you can, with confidence.
DevOps = Culture + CI / CD (Continuous Integration / Continuous Delivery or Continuous Deployment)
DevSecOps = Culture + CA / CC (Continuous Assurance / Continuous Compliance)
Manifesto for Modern Cybersecurity
https://securitymanifesto.net
Assume compromise, but expose no single point of compromise.
Track everything since you cannot protect what you can’t see.
Engage everyone for there is power in the crowd; two is stronger than one.
Automation is key because people don't scale and changes are constant.
Build products that are secure by design and secure by default.
Favor transparency over obscurity, practicality over process, and usability over complexity.
We must keep security simple, open, collaborative, enabling and rewarding.
ZERO TRUST | ASSET CMDB | DEV + BUG BOUNTY | SECURITY AS CODE | THREAT MODEL | OPEN & SIMPLE
What enables DevSecOps?
The two aspects of DevSecOps
Security as an enabler for DevOps
• Automate security checks, gates and approvals in the DevOps CI/CD pipeline
(Check out “Fully automated production deployments with HIPAA / HITRUST compliance” by Matt Lavin tomorrow at 1:45pm)
Development as an enabler for SecOps
• Aggregate data from source to gain visibility and insight
• Automate security operations and manage artifacts with code
• Achieve provable security with CA/CC
VISIBILITY | GOVERNANCE | ASSURANCE
Security Program
Cycle: START → Pick assessor → Perform gap assessment → Implement remediation → Collect evidence → Assess and certify → Monitor, Manage, Optimize → REPEAT
Along the way you: documented data flows, conducted risk analysis, wrote policies and procedures, created infrastructure and security architecture diagrams, and implemented 100+ controls:
• Endpoint malware protection
• Server vulnerability scanning
• Production change management
• SSO + MFA
• Application code scanning + pen testing
• User training
• Configuration audit
• Endpoint compliance agents
• Vendor risk management
• Firewalls and security groups
• Data encryption
• WAF + DDoS protection
• Asset inventory and tagging
• Activity and log monitoring
Roles: YOU, YOU, AUDITOR
Security Program with DATA + GRAPH + QUERY
Cycle: START → Pick assessor → Perform gap assessment → Implement remediation → Monitor, Manage, Optimize → Collect evidence → Assess and certify → REPEAT
Same artifacts (documented data flows, conducted risk analysis, wrote policies and procedures, created infrastructure and security architecture diagrams) and the same 100+ controls (endpoint malware protection; server vulnerability scanning; production change management; SSO + MFA; application code scanning + pen testing; user training; configuration audit; endpoint compliance agents; vendor risk management; firewalls and security groups; data encryption; WAF + DDoS protection; asset inventory and tagging; activity and log monitoring).
Roles: YOU, AUDITOR
CA / CC: VISIBILITY | GOVERNANCE | ASSURANCE
Security is a data challenge.
Overcome SecOps complexity with DATA, GRAPH, and QUERY
Attackers think in graphs;
Defenders operate with lists.
That’s why attackers win.
Derive meaningful context from relationships, not lists
Stop thinking in lists and tables.
Start thinking in entities and relationships.
AWS Cloud Security
Which EC2 instances are exposed to the Internet?
Find aws_subnet with public=true
  that HAS aws_instance
  that PROTECTS aws_security_group
  that ALLOWS Internet
return tree
AWS Cloud Security
Are there Internet-facing EC2 instances that are allowed access to non-public S3 buckets?
find Internet
  that ALLOWS aws_security_group
  that PROTECTS aws_instance with active=true
  that USES aws_iam_role
  that ASSIGNED AccessPolicy
  that ALLOWS (aws_s3|aws_s3_bucket) with classification!='public'
return tree
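The two J1QL questions above answer themselves by walking relationships rather than scanning lists. As an added illustration (not code from the talk or from JupiterOne), the Python below builds a tiny in-memory entity/relationship graph over a constructed AWS-like inventory and evaluates both questions hop by hop; entity types, verbs and property names are taken from the slide queries, while the resource names and the inventory itself are made up.

```python
class Graph:
    def __init__(self):
        self.entities, self.edges = {}, []   # entity dicts by key; (from, VERB, to) triples

    def add(self, key, _type, **props):
        self.entities[key] = {"_key": key, "_type": _type, **props}

    def relate(self, from_key, verb, to_key):
        self.edges.append((from_key, verb, to_key))

    def neighbors(self, key, verb, types):
        # J1QL traversal ignores edge direction, so follow a matching edge from either end
        found = []
        for a, v, b in self.edges:
            other = b if a == key else a if b == key else None
            if v == verb and other is not None and self.entities[other]["_type"] in types:
                found.append(self.entities[other])
        return found

class Query:
    """Builds 'Find X that VERB Y ...' one hop at a time; tree() returns every full path."""
    def __init__(self, g, _type, **props):
        self.g = g
        self.paths = [(e,) for e in g.entities.values() if e["_type"] == _type]
        self.where(lambda e: all(e.get(k) == v for k, v in props.items()))

    def that(self, verb, *types):
        extended = []
        for path in self.paths:
            for nxt in self.g.neighbors(path[-1]["_key"], verb, types):
                if nxt["_key"] not in {e["_key"] for e in path}:  # never loop back on a path
                    extended.append(path + (nxt,))
        self.paths = extended
        return self

    def where(self, pred):
        self.paths = [p for p in self.paths if pred(p[-1])]
        return self

    def tree(self):
        return self.paths

def build_sample_inventory():
    # Constructed inventory: only i-web is exposed, and its role can reach a confidential bucket
    g = Graph()
    g.add("Internet", "Internet")
    g.add("subnet-public", "aws_subnet", public=True)
    g.add("subnet-private", "aws_subnet", public=False)
    for inst, subnet, sg, role in [("i-web", "subnet-public", "sg-web", "role-web"),
                                   ("i-batch", "subnet-public", "sg-batch", "role-web"),
                                   ("i-db", "subnet-private", "sg-db", "role-db")]:
        g.add(inst, "aws_instance", active=True)
        g.add(sg, "aws_security_group")
        g.relate(subnet, "HAS", inst)
        g.relate(sg, "PROTECTS", inst)
        g.relate(inst, "USES", role)
    for k, t in [("role-web", "aws_iam_role"), ("role-db", "aws_iam_role"),
                 ("policy-web", "AccessPolicy"), ("policy-db", "AccessPolicy")]:
        g.add(k, t)
    g.add("bucket-assets", "aws_s3_bucket", classification="public")
    g.add("bucket-phi", "aws_s3_bucket", classification="confidential")
    for a, verb, b in [("sg-web", "ALLOWS", "Internet"), ("role-web", "ASSIGNED", "policy-web"),
                       ("role-db", "ASSIGNED", "policy-db"), ("policy-web", "ALLOWS", "bucket-assets"),
                       ("policy-web", "ALLOWS", "bucket-phi"), ("policy-db", "ALLOWS", "bucket-phi")]:
        g.relate(a, verb, b)
    return g

def internet_exposed_instances(g):
    # Find aws_subnet with public=true that HAS aws_instance that PROTECTS aws_security_group that ALLOWS Internet
    paths = (Query(g, "aws_subnet", public=True).that("HAS", "aws_instance")
             .that("PROTECTS", "aws_security_group").that("ALLOWS", "Internet").tree())
    return sorted({p[1]["_key"] for p in paths})

def exposed_instances_reaching_private_s3(g):
    # find Internet that ALLOWS aws_security_group that PROTECTS aws_instance with active=true that USES
    # aws_iam_role that ASSIGNED AccessPolicy that ALLOWS (aws_s3|aws_s3_bucket) with classification!='public'
    paths = (Query(g, "Internet").that("ALLOWS", "aws_security_group").that("PROTECTS", "aws_instance")
             .where(lambda e: e.get("active") is True).that("USES", "aws_iam_role")
             .that("ASSIGNED", "AccessPolicy").that("ALLOWS", "aws_s3", "aws_s3_bucket")
             .where(lambda e: e.get("classification") != "public").tree())
    return sorted({(p[2]["_key"], p[-1]["_key"]) for p in paths})
```

i-batch sits in the same public subnet as i-web but its security group never ALLOWS Internet, so a subnet-only list would flag it while the relationship walk does not.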
Cross-Account Trust
What are the cross-account IAM trust relationships in my AWS environment?
Find aws_iam_role as a
  that TRUSTS (Account|AccessRole) as b
where a.tag.AccountName != b.tag.AccountName
return tree
S3 Bucket Access
Is access to any non-public S3 bucket granted to anybody outside of its account?
Find aws_s3_bucket with classification!='public' as bucket
  that ALLOWS * as grantee
where bucket.tag.AccountName != grantee.tag.AccountName
return tree
SSO Access
Which Okta user is assigned what AWS IAM role?
find okta_user
  that ASSIGNED aws_iam_role
return tree
App Components and Data Flow
Show the connections and flow diagram from:
• CloudFront to API Gateway
• CloudFront to S3
• API GW to Lambda Functions
• Lambda to other resources
Vulnerability Management
Which systems or apps are vulnerable to what CVEs?
Find CVE
  that RELATES TO (Host|HostAgent|Application)
return tree
Development Insight
Which PRs did Adam open this past week?
'Adam' that OPENED PR with createdOn > date.now-7days
return tree
Vulnerability in Code
Which PRs / developers introduced new vulnerability findings this past week?
Find User
  that OPENED PR with createdOn > date.now-7days
  that RELATES TO CodeRepo
  that HAS (Vulnerability|Finding) with _createdOn > date.now-7days
return tree
Use query to create alerts and trigger remediation
Alert rules from query with actions:
• Send Email
• Send Slack message
• Create Jira issue
• Capture Trend
Future remediation automation:
• Trigger Webhook
• Invoke Lambda Function
• etc.
Security Artifacts as Code
Security Policy and Procedure Documents
github.com/jupiterone/security-policy-templates
• Written in Markdown
• Small, individual files – “micro-docs” like micro-services
• Linked together via config.json
• Document reviews and approvals via PRs
• Templatized and published in HTML
Security Policy and Procedure Documents (published)
https://security.lifeomic.com/psp
Manual Assessments and Findings
• Covers a variety of testing:
  • Manual penetration testing
  • Risk assessment
  • Privacy impact assessment
  • Threat modeling
• Assessment objects and findings written in JSON or YAML
• Publish to graph for report and analysis
Follows the same code deploy process when PR is merged to `master` branch
github.com/jupiterone/secops-automation-examples
- entityKey: assessment:prodsec:2019q1
  entityType: prodsec_assessment
  entityClass: Assessment
  properties:
    name: internal-pen-test-2019q1
    displayName: LifeOmic Internal Penetration Test 2019Q1
    summary: LifeOmic Internal Penetration Test conducted between Mar 18th - Mar 29th
    description:
      Performed a thorough security assessment of the LifeOmic product line.
      Scope includes PHC, Life 2.0 iOS/Android, Connect and LifeExtend iOS/Android.
    category: penetration-testing
    status: complete
    assessors:
      - security.team@lifeomic.com
    open: false
    classification: confidential
    completedOn: 2019-04-05
    reportURL: https://bitbucket.org/lifeomic/prodsec-assessments/src...
  ...
- entityKey: finding:prodsec:2019q1:app-api-1
  entityType: pentest_finding
  entityClass: Finding
  properties:
    name: Some made up issue
    displayName: '[Medium] What it says'
    summary: Summary of the made up issue
    targets:
      - Service API
    description: >
      Within the application API, ....
    stepsToReproduce:
      - '1 - Add ...'
      - '2 - Use ...'
      - '3 - Verify ...'
    impact: ...
    severity: medium
...
Vendors and External Organizations
• Maintain the list of vendors as code
• Leverage product management and dev leads to help maintain it
• Trigger third-party security review and approval via PR
• Publish to graph for report and analysis
Follows the same code deploy process when PR is merged to `master` branch
github.com/jupiterone/secops-automation-examples
- entityKey: vendor:apple
  entityType: apple
  entityClass: Vendor
  properties:
    name: Apple
    displayName: Apple
    category:
      - software
      - mobile
      - development
    description: >
      Provides Developer account and App Store Connect account for mobile apps...
    validated: true
    approved: true
    approvalPRLink: https://bitbucket.org/lifeomic/security-artifacts/pull-requests/2
    approvalPRName: security-artifacts/2
    website: https://www.apple.com
    owners:
      - owner.one@lifeomic.com
      - owner.two@lifeomic.com
    mainContactName:
    mainContactEmail:
    mainContactPhone:
    mainContactAddress:
    breachResponseDays:
    linkToNDA: https://developer.apple.com/terms/apple-developer-agreement/Apple-Developer-Agreement-English.pdf
    linkToMSA: https://developer.apple.com/programs/whats-included/
    linkToSLA:
    criticality: 10
    risk: 5
    tag.PHI: false
    tag.PII: true
    tag.PCI: false
    statusPage:
    notes:
...
Security and Privacy Considerations in Product Design RFC
• Engineering team writes product design RFC documents and checks them into code
• RFC template includes mandatory sections for:
  • Security Considerations
  • Privacy Considerations
• Bot to detect new RFC PRs and alert the security team via Slack message
bitbucket-pr-detector
github.com/jupiterone/bitbucket-pr-detector
...
## Security considerations
### Data Flow
Does this feature collect or process additional data? Does it impact the current
data flow of the system/application?
If so, create new or update the existing data flow diagram and document the
data flow.
### Secrets
Does this feature involve usage of additional secrets (API keys, tokens, etc.),
either external (i.e. storing and using secrets from a provider) or internal
(i.e. generating and using secrets as an internal component)?
If so, document the secret management process.
### Attack Scenarios
How could an attacker abuse this design? What risks does this approach present
and what mitigations can be pursued? What security requirements need to be
included in the implementation?
An example of how to document this:
- **Abuse case name**
- _Risk_ -- a description of the abuse case and the risks identified
- _Mitigation_ -- what is being put in place as mitigation controls
This is a practice to ensure that some level of security considerations is
always included in the design of a new feature, component or process.
## Privacy Considerations
...
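A PR detector can do more than announce a new RFC: it can also check that the mandatory sections are actually filled in before the security team is paged. As an added example (not code from the talk or from the bitbucket-pr-detector project), the Python below verifies that an RFC in Markdown contains the required headings of the template above and that every abuse case under Attack Scenarios carries both a _Risk_ and a _Mitigation_ line; the two sample RFCs are constructed.

```python
import re

# Headings the RFC template makes mandatory, with the subsections each must contain
REQUIRED = {
    "## Security considerations": ["### Data Flow", "### Secrets", "### Attack Scenarios"],
    "## Privacy Considerations": [],
}
# One abuse case per '- **name**' bullet, as the template's example documents it
ABUSE_CASE = re.compile(r"^\s*- \*\*(?P<name>[^*]+)\*\*\s*$", re.MULTILINE)

def norm(heading):
    """Compare headings case-insensitively and ignoring extra whitespace."""
    return " ".join(heading.lower().split())

def split_sections(markdown):
    """Map each normalized heading (any level) to the body text that follows it."""
    sections, current = {}, None
    for line in markdown.splitlines():
        if line.lstrip().startswith("#"):
            current = norm(line)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return {h: "\n".join(body) for h, body in sections.items()}

def abuse_cases(attack_text):
    """Yield (name, has_risk, has_mitigation) for every abuse case block."""
    hits = list(ABUSE_CASE.finditer(attack_text))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(attack_text)
        block = attack_text[m.end():end]
        yield m.group("name").strip(), "_Risk_" in block, "_Mitigation_" in block

def check_rfc(markdown):
    """Return a list of problems; an empty list means the RFC satisfies the template."""
    problems, sections = [], split_sections(markdown)
    for heading, subs in REQUIRED.items():
        if norm(heading) not in sections:
            problems.append(f"missing section: {heading}")
            continue
        for sub in subs:
            if norm(sub) not in sections:
                problems.append(f"missing subsection: {sub}")
            elif not sections[norm(sub)].strip():
                problems.append(f"empty subsection: {sub}")
    attack = sections.get(norm("### Attack Scenarios"), "")
    cases = list(abuse_cases(attack))
    if attack.strip() and not cases:
        problems.append("Attack Scenarios lists no '- **abuse case**' entries")
    for name, has_risk, has_mitigation in cases:
        if not has_risk:
            problems.append(f"abuse case '{name}' lacks a _Risk_ line")
        if not has_mitigation:
            problems.append(f"abuse case '{name}' lacks a _Mitigation_ line")
    return problems

# Constructed sample RFCs (not real LifeOmic or JupiterOne documents)
GOOD_RFC = """# RFC: Export reports to CSV
## Security considerations
### Data Flow
Adds an export job that reads report rows and writes a CSV to the reports bucket.
### Secrets
No new secrets; the job reuses the existing service role.
### Attack Scenarios
- **Export of another tenant's report**
  - _Risk_ -- an export request names a report the caller does not own
  - _Mitigation_ -- the job re-checks report ownership against the caller's tenant
## Privacy Considerations
Exports contain PII and are deleted from the bucket after 24 hours.
"""

BAD_RFC = """# RFC: Webhook notifications
## Security considerations
### Data Flow
Sends event payloads to customer-configured URLs.
### Attack Scenarios
- **Webhook URL pointing at internal services**
  - _Risk_ -- a customer-supplied URL could reach internal endpoints
## Privacy Considerations
Payloads contain no PII.
"""
```

The returned problem list is what the bot would post to Slack alongside the PR link.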
Compliance Evidence Collection
• Compliance framework and control requirements defined in JSON
• Map policy procedures to each control requirement
• Map query questions to each control requirement
• Write positive case queries and negative case queries for automated gap analysis
• Include evidence associated with manual processes
{
  "standard": "SOC 2",
  "version": "2019",
  "sections": [
    {
      "title": "Access Controls",
      "requirements": [
        {
          "ref": "SOC2-01",
          "title": "Single Sign On",
          "summary": "SSO for all users ..."
        },
        ...
      ]
    }
  ],
  "domains": [
    {
      "title": "Control Domain A",
      "controls": [
        {
          "ref": "A-01",
          "title": "A technical control",
          "summary": "control description ..."
        },
        ...
      ]
    }
  ]
}
{
  "title": "Which user accounts do not have multi-factor authentication enabled?",
  "description": "...",
  "queries": [
    {
      "name": "bad",
      "query": "Find User with mfaEnabled != true that !(ASSIGNED|USES|HAS) mfa_device"
    },
    {
      "name": "good",
      "query": "Find User with mfaEnabled = true"
    },
    {
      "name": "goodToo",
      "query": "Find User that (ASSIGNED|USES|HAS) mfa_device"
    }
  ],
  "compliance": [
    {
      "standard": "CIS Controls",
      "requirements": ["4.5", "12.11", "16.3"]
    },
    {
      "standard": "HITRUST CSF",
      "controls": ["01.b", "01.j", "01.q"]
    },
    {
      "standard": "PCI DSS",
      "requirements": ["8.2", "8.3"]
    }
  ]
}
github.com/jupiterone/security-policy-templates/tree/master/templates/standards
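As an added example (not JupiterOne's code), the Python below evaluates a question of the shape shown above against a constructed user inventory: the "bad" query yields the gap, the "good" queries yield the positive evidence, and the record is tied back to the mapped CIS, HITRUST and PCI references. The J1QL strings cannot run outside the graph, so constructed Python predicates stand in for them and the strings are kept only as part of the evidence.

```python
# Constructed copy of the question above; the J1QL strings are recorded as evidence only
QUESTION = {
    "title": "Which user accounts do not have multi-factor authentication enabled?",
    "queries": [
        {"name": "bad", "query": "Find User with mfaEnabled != true that !(ASSIGNED|USES|HAS) mfa_device"},
        {"name": "good", "query": "Find User with mfaEnabled = true"},
        {"name": "goodToo", "query": "Find User that (ASSIGNED|USES|HAS) mfa_device"},
    ],
    "compliance": [
        {"standard": "CIS Controls", "requirements": ["4.5", "12.11", "16.3"]},
        {"standard": "HITRUST CSF", "controls": ["01.b", "01.j", "01.q"]},
        {"standard": "PCI DSS", "requirements": ["8.2", "8.3"]},
    ],
}

# Python stand-ins for the named J1QL queries (constructed; the real ones run in the graph)
QUERY_IMPL = {
    "bad": lambda u: u.get("mfaEnabled") is not True and not u["mfa_devices"],
    "good": lambda u: u.get("mfaEnabled") is True,
    "goodToo": lambda u: bool(u["mfa_devices"]),
}

# Constructed user inventory; mfa_devices holds the keys of related mfa_device entities
USERS = [
    {"_key": "user:alice", "mfaEnabled": True, "mfa_devices": ["mfa_device:alice-phone"]},
    {"_key": "user:bob", "mfaEnabled": False, "mfa_devices": []},
    {"_key": "user:carol", "mfaEnabled": None, "mfa_devices": ["mfa_device:carol-key"]},
    {"_key": "user:svc-deploy", "mfaEnabled": False, "mfa_devices": []},
]

def control_refs(question):
    """Flatten the compliance mapping; some standards list 'requirements', others 'controls'."""
    return [f"{c['standard']} {ref}" for c in question["compliance"]
            for ref in c.get("requirements", c.get("controls", []))]

def evaluate(question, users):
    """Run every named query and produce one evidence record for the question."""
    hits = {q["name"]: sorted(u["_key"] for u in users if QUERY_IMPL[q["name"]](u))
            for q in question["queries"]}
    bad = hits.get("bad", [])
    good = sorted(set().union(*(set(v) for name, v in hits.items() if name != "bad")))
    # Every user should land in the good set or the bad set; anyone in neither means the
    # positive and negative queries disagree (e.g. a missing property) and the evidence is weak
    uncovered = sorted(u["_key"] for u in users if u["_key"] not in bad and u["_key"] not in good)
    status = "gap" if bad else ("inconclusive" if uncovered else "pass")
    return {
        "title": question["title"],
        "status": status,
        "bad": bad, "good": good, "uncovered": uncovered,
        "queries": {q["name"]: q["query"] for q in question["queries"]},
        "controls": control_refs(question),
    }
```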
In Summary, our approach to DevSecOps...
• Keep a simple, open, collaborative, enabling and rewarding security culture
• Use data, code and graph (not lists) to build a digital knowledgebase of your environment
• Use query to gain insights, provide assurance and collect compliance evidence continuously
• Automate security gates and approvals in the code deployment pipeline (check out tomorrow’s session)
Continuous Assurance | Provable Security | Continuous Compliance
Questions?
Demo?
JUPITERONE.COM
