3 Experts in Security Webinar June 14, 2017


TRANSCRIPT

  • 3 Experts in Security Webinar

    June 14, 2017

  • Brought to you by Vivit’s Security and Privacy SIG

    ➢ Non-profit organization started by customers in 1993.

    ➢ Over 40,000 members worldwide.

    ➢ Your only source of information on HPE Software that is completely unbiased, uncensored and field-tested

    ➢ Vivit is not just for practitioners, but managers and executives, too.

    50% practitioners, 50% in decision-making roles

  • Melillo Consulting

    17 May 2017 – Event Sponsor

    We have seen the trends and navigated the evolution of technology for the last 30 years

    Today we find ourselves in a position to help our customers now & into the future.

    We focus on creating long-term relationships & providing amazing results –

    Melillo Consulting can deliver.

  • Today’s Speakers

    Todd DeCapua

    CSC

    Scott Laderer

    Melillo Consulting

    Stan Wisseman

    HPE

    Jeffrey Payne

    Coveros

    Neil Christie

    SageNet

    http://www.linkedin.com/in/todddecapua/

    http://www.linkedin.com/in/scott-laderer-sr-085467/

    http://www.linkedin.com/in/stan-wisseman-3b7ab/

    http://www.linkedin.com/in/jeffery-payne-21373/

    https://www.linkedin.com/in/nechristie/

  • Webinar Housekeeping

    • This “LIVE” session is being recorded

    • Recordings are available to all Vivit members

    • To enlarge the presentation screen, click on the rectangle in the upper right hand corner of the Presentation pane

  • Webinar Control Panel

    • Session Q&A:

    Please type questions in the Q&A pane and click on “Ask”

    • Choose the language in which you would like to ask your questions

  • Agenda

    • Topic 1: “The true state of security in DevOps” – Stan Wisseman, HPE Security Strategist

    • Topic 2: “Securing DevOps: How to Integrate Security into DevOps Processes” – Jeff Payne, Founder & CEO of Coveros

    • Topic 3: “So, you think your application is secure. Now what?” – Neil Christie, Director of Cybersecurity Operations at SageNet

  • The true state of security in DevOps

    Stan Wisseman, Security Strategist. Security & Information Governance [[email protected]]

  • DevOps – Definition, Principles and Benefits

    DevOps: a practice that emphasizes the collaboration and communication between software developers and IT professionals, with the goal of automating the process of software delivery and infrastructure changes.

    Principles

    • Develop and test in an environment similar to production

    • Deploy builds frequently

    • Automate the process of delivering software

    • Validate quality continuously

    Benefits

    • Faster time to value

    • Faster time to market with higher quality

    • Stay ahead in a competitive environment

  • The study: DevOps and Application Security Research

    Project goal

    • Assess the general habits, practices and tools used by those practicing DevOps

    • Identify the current state of application security practices within DevOps organizations

    Methodology

    • 500+ quantitative surveys

    • Developer and IT Ops qualitative surveys

    • Qualitative interviews with security practitioners and executives

  • DevOps is gaining momentum

    Source: HPE, “AppSec and DevOps research survey: What’s the true state of application security in DevOps environments?” October 2016.

  • Why is security being left behind?

    Source: HPE, “AppSec and DevOps research survey: What’s the true state of application security in DevOps environments?” October 2016.

  • The right approach for the new SDLC – Build it in

    1. Secure Development: continuous feedback on the developer’s desktop at DevOps speed

    2. Security Testing: embed scalable security into the development tool chain

    3. Continuous Monitoring and Protection: monitor and protect software running in production

    Improve SDLC policies

    This is application security for the new SDLC

  • End to End Application Security

    Diagram (text residue only): the lifecycle stages Design, Code, Test, Integration & Staging and Production, spanning Application Development and IT Operations, with the tools placed along them: Fortify SCA (static), WebInspect (dynamic), App Defender (runtime), SecAssistant, and Fortify on Demand; offered on-premise and on-demand.

  • © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED. 15

    Agility. Security. Delivered.

    Integrating Security Into DevOps

    Jeffery Payne

    Founder & CEO

    Coveros, Inc.

    @jefferyepayne

  • About Coveros

    • Coveros helps organizations build and deliver secure software using agile methods.

  • Best Practice #1: Continuous Security

    Security analysis and testing must be part of your continuous integration process if you are going to successfully build releasable software on a daily basis

    • Lightweight code analysis performed on local development environments prior to code check-ins

    • Code analysis and unit level security testing performed as part of check-in builds

    • Integrate more detailed secure code analysis and security testing into your hourly/nightly integration and regression testing
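    The three tiers above (pre-commit, check-in build, hourly/nightly run) differ mainly in scope and in how strict the gate is. The following is an added example, not code from the webinar or from Coveros, that expresses them as one policy evaluated against a list of static-analysis findings. The findings format, the tier names and the thresholds are assumptions chosen for illustration.

```python
"""Tiered security gate for a CI pipeline.

Added example, not code from the webinar or from Coveros: it models the
three tiers in Best Practice #1 (a lightweight pre-commit check, the check-in
build, and the hourly/nightly integration run) as one policy that decides
whether a build may proceed from a list of static-analysis findings. The
findings format, tier names and thresholds are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed findings in the shape a SAST tool might export (assumed format).
# "new" marks findings introduced by the change under review.
SAMPLE_FINDINGS = [
    {"rule": "sql-injection", "severity": "high", "file": "app/db.py", "line": 42, "new": False},
    {"rule": "hardcoded-secret", "severity": "critical", "file": "app/cfg.py", "line": 7, "new": False},
    {"rule": "weak-hash", "severity": "medium", "file": "app/auth.py", "line": 19, "new": True},
    {"rule": "debug-enabled", "severity": "low", "file": "app/main.py", "line": 3, "new": True},
]


@dataclass(frozen=True)
class GatePolicy:
    name: str
    fail_at: str                 # lowest severity that blocks the build
    new_only: bool               # pre-commit looks only at what this change introduced
    max_findings: Optional[int]  # nightly may also cap the total open backlog


TIERS = {
    # Fast, local: block only on high/critical issues in the developer's own change.
    "pre-commit": GatePolicy("pre-commit", fail_at="high", new_only=True, max_findings=None),
    # Check-in build: same bar, but over the whole tree so pre-existing debt surfaces.
    "check-in": GatePolicy("check-in", fail_at="high", new_only=False, max_findings=None),
    # Nightly: deeper analysis, stricter bar, and a cap on the open-finding backlog.
    "nightly": GatePolicy("nightly", fail_at="medium", new_only=False, max_findings=10),
}


def blocking_findings(findings, policy):
    """Findings at or above the policy's severity floor (and, if set, only new ones)."""
    threshold = SEVERITY_RANK[policy.fail_at]
    selected = [f for f in findings if f["new"] or not policy.new_only]
    return [f for f in selected if SEVERITY_RANK[f["severity"]] >= threshold]


def evaluate_gate(findings, tier):
    """Return the gate decision for one tier: pass/fail plus the rules that blocked it."""
    policy = TIERS[tier]
    blockers = blocking_findings(findings, policy)
    over_cap = policy.max_findings is not None and len(findings) > policy.max_findings
    return {
        "tier": tier,
        "passed": not blockers and not over_cap,
        "blockers": [f["rule"] for f in blockers],
    }


if __name__ == "__main__":
    for tier in TIERS:
        result = evaluate_gate(SAMPLE_FINDINGS, tier)
        print(f"{tier:>10}: {'PASS' if result['passed'] else 'FAIL'} {result['blockers']}")
```

    With the constructed findings the pre-commit gate passes (the developer's own change only adds a medium and a low), while the check-in and nightly gates fail on the pre-existing high and critical findings; that difference is the point of tiering: fast feedback on the desktop without letting the overall backlog go unseen.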

  • Best Practice #2: Push Security Left

    The more security testing and compliance that can be performed as part of QA in Sprints, the faster your release process will be

    • Risk-based security testing

    • Open source versions / licensing

    • Compliance checks, tests and reviews

    • On-going penetration testing and system testing if possible

  • Best Practice #3: Secure Your Toolchain

    DevOps automation provides a vehicle for malicious code to move into production

    • Move to Infrastructure as Code shifts security challenge from environments to code that creates environments

    • Security should focus on BOTH code and provisioned environments to provide defense in depth

    • Containers must be analyzed & monitored so malcode isn’t along for the ride

  • Best Practice #4: Security Team in DevOps

    Security teams need to be part of DevOps teams to be productive!

    • Security personnel must be integrated into DevOps teams and work day to day with developers, testers, and release managers to assure the proper security analysis (automated AND manual) is performed frequently

    • The security team’s role shifts from running security tools to continuous review of assurance and testing results, triage with DevOps teams, and assuring that any critical security defects are fixed

  • Security in the Delivery Process

    Diagram (text residue only): the delivery pipeline annotated with Fortify SCA, WebInspect and App Defender.

  • SecureCI

    Components shown in the diagram:

    • Source code control

    • Build management

    • Automated unit & acceptance testing

    • Automated integration and system testing

    • Code analysis & metrics

    • Quality dashboard

    • CI Server

    • Repository & lifecycle security assurance

    • Security testing

    • Load & stress testing

  • Thank You!

    Jeffery Payne

    @jefferyepayne

  • So, you think your application is secure. Now what?

    Neil Christie, Director of Cybersecurity Operations

  • www.sagenet.com © 2017 SageNet Not for redistribution without permission.25

    Agenda

    • Review of core security principles

    • Architecture documentation

    • Event Logs

    • Access Control

    • Configuration Management

    • Encryption

    • Penetration Testing

  • Cybersecurity Core Principles

    People

    • Appropriate skill set: leadership & technical delivery

    • Enough staff resources

    • Security-specific roles

    • Security Operations Center

    • 24x7 capability

    Technology

    • Appropriate toolset

    • Security monitoring and investigation: SIEM

    • Perimeter defenses: UTM, firewall, IDS, IPS

    • Internal defenses: network segmentation, antivirus

    • Other: access control, Data Loss Prevention, web & mail filter

    Process

    • Comprehensive security policy & enforcement

    • Best-practice security framework (ISO 27001/27002, NIST 800-53)

    • Compliance requirements

    • Security Operations

    • Regular assessment/pen tests

    • Incident Response

    • Awareness & Education

  • Architecture Documentation

    • Data flows

    • Ports used

    • System names

    • Security components depicted

    • Supports the following:

    – Compliance

    – Architecture reviews

    – Micro segmentation

    – Etc.

  • Event Logs

    • Audit Policy setting of device for Operating System level monitoring

    • Application logs for application level visibility

    • Key application files need to be documented for File Integrity Monitoring

    Log sources in the customer environment: servers, routers, security appliances, desktops, web services, databases, access points

    Data path: Customer Environment, via VPN over the Internet, to the SageNet AWS Platform (shared or private environment) running SIEMonster, reviewed by the customer’s Security Operations Team/Personnel

    SageNet Logger

    • Aggregates machine data at each location

    • Securely transmits data to the SIEM

    • Stores data in the event of a WAN outage and forwards it when back online

    • Ability to provide local vulnerability scanning

    SageNet SOC

    • SageNet SOC engineers review and evaluate alerts

    • Provide context (i.e. eliminate false positives)

    • Forward alerts as defined by standard operating procedures

    Alert flow

    • Alerts automatically sent to customer per SOP

    • After SageNet SOC review, alerts sent to customer per SOP

    • Periodic evaluation and tuning of alerts between customer and SageNet SOC
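    The slide notes that key application files have to be documented before they can be covered by File Integrity Monitoring. As an added example, not code from the webinar or from SageNet, the script below takes such a documented watch list, records a SHA-256 baseline, and on a later run reports which watched files were added, removed or modified. The file names and the edit/deletion scenario are constructed for the demo.

```python
"""File Integrity Monitoring: baseline a documented watch list, then diff it.

Added example, not code from the webinar or from SageNet. The watch list and
the change scenario are constructed; a real deployment would persist the
baseline somewhere the monitored host itself cannot rewrite.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(watch_list):
    """Map each documented file to its hash; a missing file is recorded as None."""
    return {p: (sha256_file(p) if os.path.isfile(p) else None) for p in watch_list}


def compare_baselines(old, new):
    """Classify every watched path as added, removed, modified, or unchanged."""
    report = {"added": [], "removed": [], "modified": []}
    for path in sorted(set(old) | set(new)):
        before, after = old.get(path), new.get(path)
        if before is None and after is not None:
            report["added"].append(path)
        elif before is not None and after is None:
            report["removed"].append(path)
        elif before != after:
            report["modified"].append(path)
    return report


def demo():
    """Constructed scenario: three watched files, then one edit and one deletion."""
    root = tempfile.mkdtemp()
    names = ["app.conf", "web.xml", "login.php"]  # constructed watch list
    paths = [os.path.join(root, n) for n in names]
    for p in paths:
        with open(p, "w") as fh:
            fh.write("original contents of " + os.path.basename(p))
    before = build_baseline(paths)

    # Simulate a configuration change and a removed file between two runs.
    with open(paths[0], "a") as fh:
        fh.write("\nallow_debug=true")
    os.remove(paths[2])

    after = build_baseline(paths)
    report = compare_baselines(before, after)
    # Return base names so the result does not depend on the temp directory.
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:>9}: {files}")
```

    Each change category maps to a different investigation: a modified configuration file is a candidate for the SOC review described on the slide, a removed file may indicate tampering with logging or authentication components, and an added file in a watched directory is worth correlating with the deployment records from configuration management.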

  • Access Control

    • Separation of Duties should be considered

    • Two factor authentication (2FA) for administration activities

    • Network Segmentation whenever possible (PCI scope, etc)

    • High risk application functions should consider 2FA

    • RBAC for applications

    • Test privilege separation
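    The bullets above describe policy rather than code, but they are easy to encode and test. The following is an added example, not code from the webinar or from SageNet, that expresses role-based access control, separation of duties and step-up two-factor authentication for high-risk functions as one small, testable policy; the roles, permissions, conflict pairs and users are constructed for illustration.

```python
"""Role-based access checks with separation of duties and step-up 2FA.

Added example, not code from the webinar or from SageNet. Roles map to
permissions, high-risk functions require a verified second factor, and
conflicting duties (here: creating and approving a payment) cannot be held
by one user. All roles, permissions and users are constructed for the demo.
"""
from dataclasses import dataclass, field

ROLE_PERMISSIONS = {
    "viewer": {"report.read"},
    "clerk": {"report.read", "payment.create"},
    "approver": {"report.read", "payment.approve"},
    "admin": {"report.read", "user.manage", "config.write"},
}

# Functions the slide calls "high risk" and administration activities: require 2FA.
STEP_UP_REQUIRED = {"payment.approve", "user.manage", "config.write"}

# Pairs of permissions that one person must not hold together (separation of duties).
SOD_CONFLICTS = [("payment.create", "payment.approve")]


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    mfa_verified: bool = False  # True once a second factor was checked this session


def permissions_of(user):
    """Union of the permissions granted by each of the user's roles."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations(user):
    """Conflict pairs that the user's combined roles would grant together."""
    perms = permissions_of(user)
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]


def authorize(user, permission):
    """Return (allowed, reason). Deny by default; deny on SoD conflict; step up for high risk."""
    if sod_violations(user):
        return False, "separation-of-duties conflict in role assignment"
    if permission not in permissions_of(user):
        return False, "permission not granted to any of the user's roles"
    if permission in STEP_UP_REQUIRED and not user.mfa_verified:
        return False, "second factor required for high-risk function"
    return True, "ok"


def privilege_separation_report(users, permission):
    """Who can actually perform a function: the check the slide calls 'test privilege separation'."""
    return sorted(u.name for u in users if authorize(u, permission)[0])


if __name__ == "__main__":
    staff = [
        User("alice", {"clerk"}),
        User("bob", {"approver"}, mfa_verified=True),
        User("carol", {"clerk", "approver"}, mfa_verified=True),  # conflicting roles
        User("dave", {"admin"}),                                   # no second factor yet
    ]
    for perm in ("payment.create", "payment.approve", "user.manage"):
        print(f"{perm:>16}: {privilege_separation_report(staff, perm)}")
```

    Running the report for every high-risk function against the real user list is a cheap recurring check: it shows whether a role change quietly gave someone both sides of a controlled workflow, and it gives the penetration testers a concrete expectation to test against.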

  • Configuration Management

    • Operating System hardening guidelines

    • Security systems installed and configured

    • Patch management process

    • Monitoring and/or recertification process

  • Encryption

    • Ensure that application is using encryption where possible

    – TLS 1.2 for connection encryption to web interface

    – Database encryption

    – Communication between systems should be encrypted where possible

  • Penetration Testing

    • Regular testing required under most compliance programs

    • Scope is important

    – Test infrastructure

    – Test any security controls in place

    – Test role based access controls

    – Red Team/Blue Team (Purple teaming)

  • Protect 2017 – Register through Vivit’s URL for Discount

    Register by June 21 for HPE’s premier security event of the year and save $200. Protect 2017 takes place September 11-13 at the Marriott Wardman Park in Washington, D.C. Security at the speed of innovation.

    ✓ 3 days of content, education and networking in a highly immersive and interactive setting.

    ✓ HPE’s security vision and roadmap

    ✓ Dozens of sessions and hands-on demos targeted at managing digital risk in all forms

    ✓ Up to 24 CPE credits at a deep discount

    ✓ Onsite support from the engineers who build our security solutions

    ✓ Partner speed dating, cyber games, networking activities

    ✓ 1:1 meetings with HPE security executives, targeted at your specific needs

    Register Now https://software-events.ext.hpe.com/protectindex?utm_social=vivit


  • Thank you

    • Complete the short survey enclosed to improve Vivit’s SIG Webinars

    www.vivit-worldwide.org


  • Thank You