Your Security Tools are Just a Stop-Gap to Secure DevOps, presented at LASCON 2017

by Kevin Fealey

Summary: Many organizations are taking a tools-first approach to verifying the security of applications in their CI/CD pipelines. Usually, after the build, [functional] test, and deploy pipelines are finished, security teams are asked to get involved to decide which security tools should be integrated into those pipelines to detect vulnerabilities. Unfortunately, while integrating SAST (or DAST) into a CI pipeline might result in a quick win, the security posture of applications in the pipeline is still largely unknown. Additionally, integrating SAST often leads to manual triage activities that can slow the pipeline tremendously, or results are aggressively filtered to combat false positives, which leads to real vulnerabilities going untracked.
To truly gain insight into the security of your applications, start by thinking about your greatest risks. Consider the business risks of a successful attack (i.e. what you need to protect) and the threat models of your applications (i.e. how you might be attacked). Use that information to decide how your applications should be built to reduce those risks (i.e. required security controls). Now, think about how to test that the necessary controls exist and are used properly. Last, choose a tool to perform those tests. You may be able to leverage an existing commercial or open source tool, or you may be better off writing custom scripts or plugins for existing tools.
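The last two steps above (decide how to test that a required control is present, then pick or write a tool to perform that test) are easiest to see with a concrete control. The following is an added example, not code from the talk: it assumes a threat model in which unauthenticated access to admin endpoints is a top risk, a required control that every HTTP route handler carries an authentication decorator, and a small Flask-style module (constructed here as sample input) to test against. The decorator names, allowlisted paths and the sample source are all assumptions for the illustration; the point is that the check tests for the specific control the threat model demands, rather than for whatever a general-purpose scanner happens to report.

```python
"""Added example (not from the talk): a control-specific pipeline check.

Threat model: unauthenticated access to admin/data endpoints.
Required control: every route handler is wrapped in an authentication decorator.
Test: parse the source with the standard-library `ast` module and fail the
build for any route lacking the control (assumed names, Flask-style).
"""
import ast

# Decorator names that mark a function as an HTTP route handler (assumption).
ROUTE_DECORATORS = {"route", "get", "post", "put", "delete", "patch"}
# Decorator names this team has designated as the authentication control (assumption).
AUTH_DECORATORS = {"login_required", "roles_required"}
# Endpoints explicitly allowed to be anonymous; anything else must be protected.
ALLOWLIST = {"/health", "/login"}

# Constructed sample input: one handler deliberately lacks the control.
SAMPLE_SOURCE = '''
from flask import Flask
app = Flask(__name__)

@app.route("/health")
def health():
    return "ok"

@app.route("/admin/users", methods=["GET"])
@login_required
def list_users():
    return "users"

@app.route("/admin/export")
def export_data():            # no auth decorator: must be flagged
    return "csv"

@app.post("/login")
def login():
    return "token"
'''


def _decorator_name(node):
    """Return the bare name of a decorator, e.g. 'route' for @app.route(...)."""
    target = node.func if isinstance(node, ast.Call) else node
    if isinstance(target, ast.Attribute):
        return target.attr
    if isinstance(target, ast.Name):
        return target.id
    return None


def _route_path(node):
    """Return the path string passed to a route decorator, if there is one."""
    if isinstance(node, ast.Call) and node.args:
        first = node.args[0]
        if isinstance(first, ast.Constant) and isinstance(first.value, str):
            return first.value
    return None


def find_unprotected_routes(source, allowlist=ALLOWLIST):
    """Return [(function_name, path)] for route handlers with no auth decorator.

    Handlers whose path is in `allowlist` are skipped; everything else that is
    routed must carry one of AUTH_DECORATORS or it is reported.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        names = [_decorator_name(d) for d in node.decorator_list]
        route_decos = [d for d in node.decorator_list
                       if _decorator_name(d) in ROUTE_DECORATORS]
        if not route_decos:
            continue                      # not a route handler
        path = _route_path(route_decos[0])
        if path in allowlist:
            continue                      # intentionally anonymous
        if not AUTH_DECORATORS.intersection(names):
            findings.append((node.name, path))
    return findings


if __name__ == "__main__":
    import sys
    missing = find_unprotected_routes(SAMPLE_SOURCE)
    for fn, path in missing:
        print(f"FAIL: route {path!r} handled by {fn}() has no authentication control")
    sys.exit(1 if missing else 0)    # non-zero exit fails the pipeline stage
```

Run against the sample input the script reports only `export_data` on `/admin/export`; `health` and `login` are allowlisted and `list_users` carries the control. Because the check encodes a single, explicitly chosen control, a finding needs no triage: either the decorator is there or it is not, which is what lets a check like this gate a pipeline without the filtering problem described above for general-purpose SAST output.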
Sound familiar? The above is not just how to secure your DevOps pipeline; for nearly a decade, it has been standard guidance for building an application security program. The required pace of security activities has increased dramatically with the move to CI/CD, but the overall goal has not.
This talk will explain more deeply:
why a tools-first approach to securing a CD pipeline will end in a headache;
the security components/activities necessary for securing applications in a CD pipeline; and
where to start and how to build momentum within your organization.
I'll provide case studies from industry experience to illustrate common challenges and how they can be overcome. This talk will also introduce a high-level maturity model for setting goals and tracking progress while building an application security program that operates at hyper-speed.