Empowering Application Security Protection in the World of DevOps
TRANSCRIPT
![Page 1: Empowering Application Security Protection in the World of DevOps](https://reader031.vdocuments.net/reader031/viewer/2022030301/587f79111a28ab3f4e8b590d/html5/thumbnails/1.jpg)
EMPOWERING APPLICATION SECURITY IN THE WORLD OF DEVOPS
Page 2
AGENDA
STATE OF APPLICATION SECURITY
INTEGRATING APPLICATION SECURITY IN DEVOPS
UNIQUE CHALLENGES IN DEVOPS
Page 3
© 2015 Black Duck Software, Inc. All Rights Reserved.
STATE OF APPLICATION SECURITY: CUSTOM & OPEN SOURCE CODE
Page 4
WEB APPLICATION VULNERABILITIES: XSS AND SQL INJECTION EXPLOITATIONS
XSS AND SQL INJECTION EXPLOITS ARE CONTINUING IN HIGH NUMBERS
APPLICATIONS - THE WEAKEST LINK IN THE IT SECURITY CHAIN
[Chart: web application vulnerabilities as a share of all disclosures, 2009 to 2013, y-axis 0% to 25%]
33% OF VULNERABILITY DISCLOSURES ARE WEB APPLICATION VULNERABILITIES
Source: IBM X-Force Threat Intelligence Quarterly, 2014
Page 5
INVESTMENT PRIORITY - “SECURITY RISKS” VS. YOUR “SPEND”
MANY CLIENTS DO NOT PRIORITIZE APPLICATION SECURITY IN THEIR ENVIRONMENTS
[Chart: SECURITY RISK vs. SPENDING by layer (APPLICATION LAYER, DATA LAYER, NETWORK LAYER, HUMAN LAYER, HOST LAYER, PHYSICAL LAYER), y-axis 5% to 35%]
SPENDING DOES NOT EQUAL RISK
Source: The State of Risk-Based Security Management, Research Study by Ponemon Institute, 2013
Page 6
CUSTOM AND OPEN SOURCE CODE MIX
OPEN SOURCE
• Needed functionality without acquisition costs
• Faster time to market
• Lower development costs
• Broad support from communities
CUSTOM CODE
• Proprietary functionality
• Core enterprise IP
• Competitive differentiation
Page 7
The shifting application security threat landscape: RISE OF OPEN SOURCE VULNERABILITIES
OPEN SOURCE COMPONENTS WITH KNOWN VULNERABILITIES
Since 2014, over 6,000 new vulnerabilities in open source components.
[Chart: open source components with known vulnerabilities over time, y-axis 0 to 1,200, annotated "Heartbleed Disclosure"]
Source: Risk Based Security’s VulnDB
Page 8
8 CONFIDENTIAL
WHO IS RESPONSIBLE FOR SECURITY?

| COMMERCIAL CODE | OPEN SOURCE CODE |
| --- | --- |
| Dedicated security researchers | “Community”-based code analysis |
| Alerting and notification infrastructure | Monitor newsfeeds yourself |
| Regular patch updates | No standard patching mechanism |
| Dedicated support team with SLA | Ultimately, you are responsible |
Page 9
CONTAINERS AND DEVOPS
Containers can be vulnerable by virtue of the code that runs inside them
• OSS components running inside containers represent potential attack vectors
• Could cause problems for the application itself
• Could cause more problems if the container is running with the --privileged flag set
Page 10
UNIQUE CHALLENGES IN DEVOPS
Page 11
WHAT IS DEVOPS?
• Set of principles
• Faster software delivery
• Continuous process
• Collaborative
• Achieved by automation
Page 12
CHALLENGES WITH APPLICATION SECURITY IN DEVOPS
• Developers are not security experts
• Time pressure
• Security can be an afterthought
• Application security teams are small
• Testing happens too late in the process
Page 13
BENEFIT FROM DEVOPS WITHOUT COMPROMISING SECURITY
• Automation of Security Testing
• Security Gates
Page 14
INTEGRATING APPLICATION SECURITY IN DEVOPS
Page 15
CONTINUOUS INTEGRATION ENVIRONMENT
Binary Repository Management (Artifactory / Nexus)
Developers / IDE (Eclipse)
Deployment Environments (Amazon / Docker / VMWare / Openstack)
Continuous Integration Server (Jenkins / TeamCity / Bamboo)
Test Automation Tools (Selenium / JUnit)
Quality Management Tools
Bug Tracking Tools
Source Control Management (Git, CVS / Subversion / Perforce)
Build Tools (Maven / Bundler)
Page 16
APPLICATION SECURITY TESTING TECHNOLOGIES
Static Analysis
Dynamic Analysis
Interactive Analysis
Open Source Scanning
Page 17
CONTINUOUS INTEGRATION ENVIRONMENT
Binary Repository Management (Artifactory / Nexus)
Developers / IDE (Eclipse)
Continuous Integration Server (Jenkins / TeamCity / Bamboo)
Deployment Environments (Amazon / Docker / VMWare / Openstack)
Test Automation Tools (Selenium / JUnit)
Quality Management Tools
Bug Tracking Tools
Source Control Management (Git, CVS / Subversion / Perforce)
Build Tools (Maven / Bundler)
Security testing integration points shown on the diagram:
DAST / IAST
SAST / OSS
Bug Tracking Integration
OSS
IDE integration
Page 18
BUILD CUSTOM SECURITY GATES BASED ON NEEDS
[Diagram: DELIVERY TEAM -> VERSION CONTROL -> BUILD & UNIT TESTS -> AUTOMATED ACCEPTANCE TESTS -> USER ACCEPTANCE TESTS -> RELEASE, shown for PIPELINE 1, PIPELINE 2 and PIPELINE 3]
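As an added illustration of the custom security gates sketched above (this is not code from the presentation, Black Duck or IBM), the following Python gate evaluates constructed open source scan findings against a per-stage severity policy, tightening the threshold as code moves toward release. The stage names, policy values, component names and vulnerability identifiers are all assumptions made for the example.

```python
"""Security gate for a CI pipeline stage: fail the stage when open source
scan findings exceed the severity budget chosen for that stage.
Added example; scan data and policy values are constructed."""
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Per-stage policy (assumed): the lowest severity that blocks and how many
# blocking findings are tolerated. Gates tighten closer to release.
GATE_POLICY = {
    "build_and_unit_tests": {"block_at": "critical", "allowed": 0},
    "automated_acceptance": {"block_at": "high", "allowed": 0},
    "release": {"block_at": "medium", "allowed": 0},
}


@dataclass(frozen=True)
class Finding:
    component: str            # open source component and version
    vuln_id: str              # constructed identifier, not a real CVE
    severity: str             # low / medium / high / critical
    fixed_in: Optional[str]   # version that resolves it, if one exists


def evaluate_gate(stage: str, findings: list) -> tuple:
    """Return (passed, reasons). A finding blocks when its severity is at or
    above the stage's block_at level; the gate fails once the allowed budget
    is exceeded. Reasons carry the remediation hint a developer needs."""
    policy = GATE_POLICY[stage]
    threshold = SEVERITY_RANK[policy["block_at"]]
    blocking = [f for f in findings if SEVERITY_RANK[f.severity] >= threshold]
    reasons = [
        f"{f.component}: {f.vuln_id} ({f.severity})"
        + (f", upgrade to {f.fixed_in}" if f.fixed_in else ", no fix available")
        for f in blocking
    ]
    return len(blocking) <= policy["allowed"], reasons


# Constructed scan result for illustration only
SAMPLE_FINDINGS = [
    Finding("webframework 2.3", "VULN-EXAMPLE-001", "high", "2.4"),
    Finding("logging-lib 0.9", "VULN-EXAMPLE-002", "medium", None),
    Finding("utils-lib 1.1", "VULN-EXAMPLE-003", "low", "1.2"),
]

if __name__ == "__main__":
    for stage in GATE_POLICY:
        passed, reasons = evaluate_gate(stage, SAMPLE_FINDINGS)
        print(f"{stage}: {'PASS' if passed else 'FAIL'}")
        for r in reasons:
            print("  -", r)
```

With the constructed findings the build stage passes, while the acceptance and release gates fail on the high and medium findings respectively.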
Page 19
IBM AND BLACK DUCK – INTEGRATED VIEW
CUSTOM CODE VULNERABILITIES
OPEN SOURCE VULNERABILITIES
Page 20
WHAT CAN YOU DO TOMORROW?
Speak with your head of application development and DevOps and find out…
What are your current application security practices?
What kinds of security gates do you need to build to ensure nothing gets through?
What tools are you using as part of the development and application security lifecycle?
Are containers like Docker part of your deployment model?
How are you tracking new vulnerabilities over time?