Moving fast and gently breaking things: a case study presented at DevSecCon Boston 2018

by Jay Kelath,

Summary: Implementing DevSecOps practices in an environment with legacy technical debt is not widely discussed. DevSecOps practices are difficult to get off the ground in an environment of heavy technical debt because of the changes required in culture, technology and education. Without automation of security, there is no hope for security teams to keep pace with development velocity.

We believe that providing security services to the organization, combined with defined, flexible processes and making security transparent to engineering, ensures a high success rate. This talk will focus on areas of our success as we moved from a "scanning team" to a DevSecOps model.

We will present two tools used internally in our Secure SDLC. One is a "plug n play" container model which helps us quickly integrate with CI/CD pipelines and deliver high-quality, quick feedback to developers. Another is an internally developed tool for detection of cloud security issues. Both are open sourced and available for use by the larger community.

The talk will focus on the following areas:

Quick integration of security testing into CI/CD pipelines: Static code scans and dynamic scans have been activities that are easy to deliver on. However, they are notoriously difficult to get going in a CI/CD pipeline. We developed a container-based plug n play solution that integrates basic security tools into the build process. The support structure built around this includes robust reporting, tracking, policies and governance. The advantage of this model was that we could quickly integrate with a development team and start giving them actionable results on the first day.

Cloud-based tooling to support testing processes: As companies move toward the cloud, security teams are often saddled with tools that work with the old way of thinking. We developed our own toolset to detect bad security behaviors in the cloud environment. This gives us the ability to check for problems before deployment as well as to monitor continuously.

Integration of Product Security and SecOps to build applications that can defend themselves: As the infrastructure fades into the background, all of a product's risk is concentrated in the application layer. It then becomes important that applications are able to take quick actions themselves without waiting for a SecOps analyst to detect problems. We will present a few threat cases we have developed and automated to help applications defend themselves.