SlideShare a Scribd company logo

Software Security Assurance for DevOps

Black Duck by Synopsys
Black Duck by Synopsys

How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps. You’ll learn: -New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments -Best practices for designing and incorporating an automated approach to application security into your existing development environment -Future development and application security challenges organizations will face and what they can do to prepare

Related slideshows

The Case for Continuous Open Source Management
The Case for Continuous Open Source ManagementThe Case for Continuous Open Source Management
The Case for Continuous Open Source Management
 
The Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and CybersecurityThe Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and Cybersecurity
 
Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...
Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...
Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...
 
1 of 29
Download to read offline
Software Security Assurance for DevOps Mike Pittenger, VP Security Strategy, Black Duck Software
Challenges impacting application security in DevOps Strategies for overcoming these challenges 5 Things you can do tomorrow Agenda
GROWING ATTACK SURFACE NEW DEPLOYMENT MODELS Web, Mobile, Cloud, IoT Containers, IT and Small Security Teams • Which apps are people using? • How do I set internal policy requirements for app security? • Is my private / sensitive data exposed by apps? • Who is developing the apps? • How do we prioritize the work for the resources I have? • What do we test and how do we test it? • How do we staff and improve skills and awareness? OPEN SOURCE Increasing Portion of Code Base • What policies are in place for open source use? • How are those policies enforced? • Who is tracking usage for new vulnerabilities Application Security Challenges
Changing Attack Surface Web applications Cloud applications and services IoT 4 “If perimeter control is to remain the paradigm of cybersecurity, then the number of perimeters to defend in the Internet of Things is doubling every 17 months.” Dan Geer In-Q-Tel RSA 2015
Containers can be vulnerable by virtue of the code that runs inside them • OSS components running inside containers represent potential attack vectors • Could cause problems for the application itself • Could cause more problems if the container is running with the – privileged flag set Agile, Containers and DevOps
Up to 90% Open Source TODAY 50% Open Source 2010 20% Open Source 20051998 10% Open Source Open Source is the Foundation of Modern Applications
@FUTUREOFOSS #FUTUREOSS GROWING OPPORTUNITY FOR POLICIES & PROCEDURES 50% Nearly 2016 INSIGHTS 4 @FUTUREOFOSS #FUTUREOSS UNDERSTANDING YOUR OPEN SOURCE CODE Top ways companies review their code for open source Development teams manually keep track of open source use 48% 30% 21% Ask developers about open source content Use third party tools to scan for open source content 2016 INSIGHTS 4 @FUTUREOFOSS #FUTUREOSS HOW ARE COMPANIES HANDLING KNOWN OPEN SOURCE VULNERABILITIES? of companies have no process for identifying, tracking or remediating known open source vulnerabilities Nearly 1/3 2016 INSIGHTS 4 Everybody is using open source, but many organizations still do not have adequate processes or tools in place to manage it. Open Source Use has Outpaced Process Maturity
Perception v. Reality
OPEN SOURCE CODE DELIVERED CODE Open Source Enters Your Code Through Many Channels… DEVELOPER DOWNLOADS OUTSOURCED DEVELOPMENT THIRD PARTY LIBRARIES CODE REUSE APPROVED COMPONENTS COMMERCIAL APPS …and security, compliance & quality risks can come with it.
Open Source Vulnerabilities are Increasing Reference: Black Duck Software knowledgebase, NVD, VulnDB FREAK!SSL, TLS Vulnerability 0 500 1000 1500 2000 2500 3000 3500 4000 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016NVD Black Duck exclusive
Four Factors That Make Open Source Different Easy access to code Exploits readily availableVulnerabilities are public Used Everywhere
Who’s Responsible for Open Source Security? Commercial Code Open Source Code • Dedicated security researchers • Alerting and notification infrastructure • Regular patch updates Dedicated support team with SLA • “Community”-based code analysis • Monitor newsfeeds yourself • No standard patching mechanism Ultimately, you are responsible
Integrating Application Security in DevOps
Secure Development Security Testing Continuous Monitoring and Protection Security testing technologies for the new SDLC
Inside Out View • “White-box” • Parsing “static” (non-running) code and applying ‘taint analysis’ • Identifies the file and line of code of a vulnerability Static Analysis (SAST) SDLC Ecosystem Analyze Design Implement Test Maintain Static Analysis When Used • Coding phase • Build verification 1x 6.5x 15x 100x
Outside In View • “Black-box” • Sending test HTTP requests to a running application • Simulates a malicious user Dynamic Analysis (DAST) SDLC Ecosystem Analyze Design Implement Test Maintain 1x 6.5x 15x 100x When Used • QA testing • Pre-production testing • Production (with caution) Dynamic Analysis
Identifies all open source to the version level, at any stage of the SDL Provides information on associated: • License Risk • Security Risk • Operational Risk Source Composition Analysis (SCA) When Used • Design • First commit • Continuous monitoring SDLC Ecosystem Analyze Design Implement Test Maintain 1x 6.5x 15x 100x Open Source Selection Detection and Notification
Fortify and Black Duck Integration
Why Static Analysis and SCA? Automated testing finds common vulnerabilities in the code you write They are good, not perfect Different tools work better on different classes of bugs Many types of bugs are undetectable except by trained security researchers All possible security vulnerabilities FREAK! Static Analysis Dynamic Analysis
Fortify + Black Duck Technology Alliance Address pervasive, rapidly-growing Security & Compliance risks with Open Source Gain visibility on risks across Custom Code and Open Source Code Integrate governance and remediation as part of Software Security Assurance Risks in Open Source Code (Black Duck Hub) Manage Risks in Open Source as part of Fortify SSC Risks in Custom Code with SAST, DAST, & RASP
Open Source Vulnerabilities – Black Duck
Overview Shows Black Duck Results Within Fortify SSC Open Source vulnerabilities (3rd Party Components) from Black Duck analysis Custom Code vulnerabilities from Fortify SCA analysis
Detailed View of Black Duck Results Within Fortify SSC
Automating Security Testing in a DevOps Environment
Continuous Integration Environment Binary Repository Management (Artifactory / Nexus) Developers / IDE (Eclipse) Continuous Integration Server (Jenkins / TeamCity / Bamboo) Deployment Environments (Amazon / Docker / VMWare / Openstack) Test Automation Tools (Selenium / JUnit) Quality Management Tools Bug Tracking Tools Source Control Management (Git, CVS / Subversion / Perforce) Build Tools (Maven / Bundler)
Continuous Integration Environment Developers / IDE (Eclipse) Continuous Integration Server (Jenkins / TeamCity / Bamboo) Test Automation Tools (Selenium / JUnit) Quality Management Tools Bug Tracking Tools Source Control Management (Git, CVS / Subversion / Perforce) Build Tools (Maven / Bundler) SAST / DAST / IAST SAST / OSS DAST / OSS DAST / OSS SAST / OSS Binary Repository Management (Artifactory / Nexus) Deployment Environments (Amazon / Docker / VMWare / Openstack)
DELIVERY TEAM VERSION CONTROL BUILD & UNIT TESTS AUTOMATED ACCEPTANCE TESTS USER ACCEPTANCE TESTS RELEASE PIPELINE 1 PIPELINE 2 PIPELINE 3 Automation Differs Between Apps
Speak with your heads of application security and software development and find out… • What policies exist for managing open source? • Is there a list of components used in all applications? • How are they creating the list? • What controls do they have to ensure nothing gets through? • How are they tracking vulnerabilities for all components over time? • How do they account for the different testing requirements for custom code v. open source? • What is the best security automation strategy for your organization? What can you do tomorrow?
Questions?

More Related Content

Software Security Assurance for DevOps

  • 1. Software Security Assurance for DevOps Mike Pittenger, VP Security Strategy, Black Duck Software
  • 2. Challenges impacting application security in DevOps Strategies for overcoming these challenges 5 Things you can do tomorrow Agenda
  • 3. GROWING ATTACK SURFACE NEW DEPLOYMENT MODELS Web, Mobile, Cloud, IoT Containers, IT and Small Security Teams • Which apps are people using? • How do I set internal policy requirements for app security? • Is my private / sensitive data exposed by apps? • Who is developing the apps? • How do we prioritize the work for the resources I have? • What do we test and how do we test it? • How do we staff and improve skills and awareness? OPEN SOURCE Increasing Portion of Code Base • What policies are in place for open source use? • How are those policies enforced? • Who is tracking usage for new vulnerabilities Application Security Challenges
  • 4. Changing Attack Surface Web applications Cloud applications and services IoT 4 “If perimeter control is to remain the paradigm of cybersecurity, then the number of perimeters to defend in the Internet of Things is doubling every 17 months.” Dan Geer In-Q-Tel RSA 2015
  • 5. Containers can be vulnerable by virtue of the code that runs inside them • OSS components running inside containers represent potential attack vectors • Could cause problems for the application itself • Could cause more problems if the container is running with the – privileged flag set Agile, Containers and DevOps
  • 6. Up to 90% Open Source TODAY 50% Open Source 2010 20% Open Source 20051998 10% Open Source Open Source is the Foundation of Modern Applications
  • 7. @FUTUREOFOSS #FUTUREOSS GROWING OPPORTUNITY FOR POLICIES & PROCEDURES 50% Nearly 2016 INSIGHTS 4 @FUTUREOFOSS #FUTUREOSS UNDERSTANDING YOUR OPEN SOURCE CODE Top ways companies review their code for open source Development teams manually keep track of open source use 48% 30% 21% Ask developers about open source content Use third party tools to scan for open source content 2016 INSIGHTS 4 @FUTUREOFOSS #FUTUREOSS HOW ARE COMPANIES HANDLING KNOWN OPEN SOURCE VULNERABILITIES? of companies have no process for identifying, tracking or remediating known open source vulnerabilities Nearly 1/3 2016 INSIGHTS 4 Everybody is using open source, but many organizations still do not have adequate processes or tools in place to manage it. Open Source Use has Outpaced Process Maturity
  • 9. OPEN SOURCE CODE DELIVERED CODE Open Source Enters Your Code Through Many Channels… DEVELOPER DOWNLOADS OUTSOURCED DEVELOPMENT THIRD PARTY LIBRARIES CODE REUSE APPROVED COMPONENTS COMMERCIAL APPS …and security, compliance & quality risks can come with it.
  • 10. Open Source Vulnerabilities are Increasing Reference: Black Duck Software knowledgebase, NVD, VulnDB FREAK!SSL, TLS Vulnerability 0 500 1000 1500 2000 2500 3000 3500 4000 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016NVD Black Duck exclusive
  • 11. Four Factors That Make Open Source Different Easy access to code Exploits readily availableVulnerabilities are public Used Everywhere
  • 12. Who’s Responsible for Open Source Security? Commercial Code Open Source Code • Dedicated security researchers • Alerting and notification infrastructure • Regular patch updates Dedicated support team with SLA • “Community”-based code analysis • Monitor newsfeeds yourself • No standard patching mechanism Ultimately, you are responsible
  • 14. Secure Development Security Testing Continuous Monitoring and Protection Security testing technologies for the new SDLC
  • 15. Inside Out View • “White-box” • Parsing “static” (non-running) code and applying ‘taint analysis’ • Identifies the file and line of code of a vulnerability Static Analysis (SAST) SDLC Ecosystem Analyze Design Implement Test Maintain Static Analysis When Used • Coding phase • Build verification 1x 6.5x 15x 100x
  • 16. Outside In View • “Black-box” • Sending test HTTP requests to a running application • Simulates a malicious user Dynamic Analysis (DAST) SDLC Ecosystem Analyze Design Implement Test Maintain 1x 6.5x 15x 100x When Used • QA testing • Pre-production testing • Production (with caution) Dynamic Analysis
  • 17. Identifies all open source to the version level, at any stage of the SDL Provides information on associated: • License Risk • Security Risk • Operational Risk Source Composition Analysis (SCA) When Used • Design • First commit • Continuous monitoring SDLC Ecosystem Analyze Design Implement Test Maintain 1x 6.5x 15x 100x Open Source Selection Detection and Notification
  • 18. Fortify and Black Duck Integration
  • 19. Why Static Analysis and SCA? Automated testing finds common vulnerabilities in the code you write They are good, not perfect Different tools work better on different classes of bugs Many types of bugs are undetectable except by trained security researchers All possible security vulnerabilities FREAK! Static Analysis Dynamic Analysis
  • 20. Fortify + Black Duck Technology Alliance Address pervasive, rapidly-growing Security & Compliance risks with Open Source Gain visibility on risks across Custom Code and Open Source Code Integrate governance and remediation as part of Software Security Assurance Risks in Open Source Code (Black Duck Hub) Manage Risks in Open Source as part of Fortify SSC Risks in Custom Code with SAST, DAST, & RASP
  • 21. Open Source Vulnerabilities – Black Duck
  • 22. Overview Shows Black Duck Results Within Fortify SSC Open Source vulnerabilities (3rd Party Components) from Black Duck analysis Custom Code vulnerabilities from Fortify SCA analysis
  • 23. Detailed View of Black Duck Results Within Fortify SSC
  • 24. Automating Security Testing in a DevOps Environment
  • 25. Continuous Integration Environment Binary Repository Management (Artifactory / Nexus) Developers / IDE (Eclipse) Continuous Integration Server (Jenkins / TeamCity / Bamboo) Deployment Environments (Amazon / Docker / VMWare / Openstack) Test Automation Tools (Selenium / JUnit) Quality Management Tools Bug Tracking Tools Source Control Management (Git, CVS / Subversion / Perforce) Build Tools (Maven / Bundler)
  • 26. Continuous Integration Environment Developers / IDE (Eclipse) Continuous Integration Server (Jenkins / TeamCity / Bamboo) Test Automation Tools (Selenium / JUnit) Quality Management Tools Bug Tracking Tools Source Control Management (Git, CVS / Subversion / Perforce) Build Tools (Maven / Bundler) SAST / DAST / IAST SAST / OSS DAST / OSS DAST / OSS SAST / OSS Binary Repository Management (Artifactory / Nexus) Deployment Environments (Amazon / Docker / VMWare / Openstack)
  • 28. Speak with your heads of application security and software development and find out… • What policies exist for managing open source? • Is there a list of components used in all applications? • How are they creating the list? • What controls do they have to ensure nothing gets through? • How are they tracking vulnerabilities for all components over time? • How do they account for the different testing requirements for custom code v. open source? • What is the best security automation strategy for your organization? What can you do tomorrow?