Building Security In – A Tale of Two Stories!LakshRaghavanPayPalInc.@laraghavan

Introduction

2

• Thispresentationis:– AcasestudyonhowPayPal’sSecureProductLifecycle(SLPC)hadtoadapttoAgilewith

afocusonsecuritystories– Vendorneutral– Descriptive– Forlargeenterprisesgrapplingwithscale/processissues

• ThispresentationisNOT:– SilverBulletTM

– Salespitch– Prescriptive- ifyouimplementthesame,YMMVJ

PayPal’sAgileTransformation

3

• SomeinterestingstatsandfactsaboutourAgileTransformation:– BigBangapproachagainstprevailingwisdom– Wentfromprojectdriventoproductaligned– 400+scrumteamsacrosstheglobe– 500+ChangeChampionsand165Transformationteammembers

• Every“industryexpert”weconsultedtolduswecouldn’ttransformatthisscaleinourdesignatedtimelinebutwedidit!

I LOVE DEADLINES. I LIKE THE WHOOSHING SOUND THEY MAKE AS THEY FLY BY…

- DouglasAdams

4

PayPalSPLC- Overview

5

Objective:

Reducethenumberofvulnerabilitiesinourproductsovertimebybuildingrepeatable/sustainableproactivesecuritypracticesembeddedwithinourPLC.

Customersdemandanddeservebettersecurityandprivacyintheirsoftware. PayPalSecureProductLifecycleisthe processthatallowsPayPaltodevelopandtestproductsto help reducesecuritybugs.

SPLCTransformation

6

– Strategy• Institutionalizerisk-basedthinkingandprocesses• SecurebyDefault– Frameworks,Dev.Tools,etc.• Putourbotstowork

– Execution• People– InternalPDsecuritychampionstohelpdrivefocusandattentionon

softwaresecurity• Process– Integrateseamlesslywithour“agile”wayofdeliveringproducts.• Technology– Secureframeworks,librariesandautomatedtoolsthatenablePDto

shipproductsrapidly*and* securely

Anexerciseintesting(andtrusting)theautomatedprocess

7

• Dynamic/In-ContextSecurityRequirements:SecurityStories• Automatedsecuritycontrolsinthelifecycle• SecureFrameworksandSecurityToolsusedforallprojects&

humaninvolvementforcritical-riskprojects• ThreatModelonlythingsthataren’trun-of-the-millwebor

mobileappsand/ornotbuiltonourstandardizedsecureframeworks

Pre-requisite:SecurityControlsAuto-enabledtoProtectDevelopersbyDefault

8

• Ifwerelyon*every*developerinanenterprisedoingtherightthingfromasecurityperspective*every*timehe/shewritescode,wearedoomedtofail!

• Whereverpossible,securitycontrolsaretobemadeavailableautomaticallyandturnedONbydefault

• Developershavegooutoftheirwaytoturnoffsecuritycontrols• Secure-by-defaultinalllayers– Perimeter– Infrastructure– Framework– Libraries– Dev.Tools– Code/Config

IT IS A MISTAKE TO THINK YOU CAN SOLVE ANY MAJOR PROBLEM JUST WITH POTATOES.

- DouglasAdams

9

SecurityStories

10

HolyGrailforanysoftwaresecurityprofessionalèMakefunctionalandnon-functionalrequirementsequalcitizensInAgileSpeak:MakeUserStoriesandSecurityStoriesequalcitizensBefore: After:

YourFavoriteTaxSoftware!

Theapproach…

11

• Aweb-basedtoolthatseamlesslyplugsintoourQuarterlyReleasePlanning(akaMulti-SprintPlanning)process

• Asimplesurveythatdoeslight-weightthreatmodelling,generatessecuritystories,andplacestheminthebacklogofthescrumteam

• TrackingandreportingfromwithinourAgileLifeCycleManagement(ALM)tool

Whatwereourinitialdesigngoals?

12

• Weshouldgowheretheyareandnotmakethemcomebacktoourtoolonadailybasis• Two-waysyncwithourenterpriseALMtool

• Itshouldn’ttakemorethan15minutesforanyproductdevelopertocompletethesurvey• Don’tslowthemdown!

• Comprehensivegenericbut“actionable”guidanceformosttechnologystacks• Usefulfornon-standardappsandacquisitions

Whatmakesagoodsecuritystory?

13

• Agoodsecuritystoryshouldbe“actionable”bite-sizedchunkthatcanimplementedbyanydeveloper

• ItshouldhaveclearusageguidelinesforyourownsecurityAPIs,frameworks,libraries,etc.

• Whereneeded,itshouldprovidesecurecodesnippets,reusablesecureconfigexamplesforyourcustomframeworks,etc.

• Itshouldspeakdeveloperlingoandnotsecuritylingo!• Itshouldhaveawell-defined“acceptancecriteria”orbetteryetautomateacceptance

withsecuritytests(static/dynamic,etc.)intheCIpipeline• Clearlycalloutevery-sprintvsone-timestories• Inshort,thedevelopersshouldbeabletodoitthemselveswithouthavingtopingthe

securityteamforwell-establishedpatternsandapprovedsecuritycontrols

A LEARNING EXPERIENCE IS ONE OF THOSE THINGS THAT SAYS, “YOU KNOW THAT THING YOU JUST DID? DON'T DO THAT.”

- DouglasAdams

14

Pitfalls,Gotchas,etc.

15

• Don’toverloadyourdeveloperswith100sofsecuritystories• FigureoutyourownTop10(NotOWASPTop10)andfocusonthat

• Don’thardcodeguidancethatcouldpotentiallychangefrequently(e.g.APIs)• Hyperlinkinstead;)

• Prioritizeallsecuritystories– High,Medium,Low• MandateonlyHighprioritystoriestobecompletedinitially• Don’ttrytoboiltheocean- Gettingtheculturegoingismoreimportant

• ExpectsecuritystoriestobemovedaroundinyourALMtool(multiplescrumteamscouldbeworkingonthesameapp!)• Makesuretwo-waysyncdoesn’tbreak

So,whatdoesitlooklike?

16

So,whatdoesitlooklike?

17

Howdowemeasuresuccess?

18

• WideadoptionofthetoolacrossallofourProductDevelopment(PD)organization• Notjustadoptionbutalsoefficacy– aredevelopersalsocompletingthesecuritystoriesoraretheyjustsittinginthe

backlog?

• AutomatedSPLCdashboardthatmakesthesemetricstransparenttoPDleadership• Earlyengagementmeansnoorminimalprojectshitsecurityroadblocksduringlaunch• AquotefromourAndroidApp’sTeamManager:

“Itisgreattoknowthatthepentestdidn’tfindanyblockersanditcanbelargelyattributedtothefactthatwearefollowingSPLC…”

InaNutshell

19

LegacySPLC AgileTransformedSPLC

200+PDF/HTML securitystandardsandprocedures

SecurityStories customizedforthespecificusecase/feature

Manual gatesthroughoutlifecycle Lifecyclerelies onautomatedcontrols

Humaninvolvement forallprojects Lettheframeworksandtoolsdo theheavylifting- humaninvolvementforcriticalriskprojectsonly

Threat Modeleverything Lightweight ThreatModelviaself-servicetoolHumanThreatModelonly whereneeded

I REFUSE TO ANSWER THAT QUESTION ON THE GROUNDS THAT I DON'T KNOW THE ANSWER!

- DouglasAdams

20

Questions?

WE NO LONGER THINK OF CHAIRS AS TECHNOLOGY; WE JUST THINK OF THEM AS CHAIRS. BUT THERE WAS A TIME WHEN WE HADN'T WORKED OUT HOW MANY LEGS CHAIRS SHOULD HAVE, HOW TALL THEY SHOULD BE, AND THEY WOULD OFTEN 'CRASH' WHEN WE TRIED TO USE THEM.

- DouglasAdams

21

Thankyou!

Getmyslidesimmediately

community@alldaydevops.com

TaketheDevSecOps Surveybit.ly/DevSecOps-2017

Oursponsorsspeakyourlanguage…DevOps.