Secdevops: Description and Primer
SecDevOps is
◦ Security Automation
◦ Security at Scale
◦ Discussing security and business tradeoffs
[Diagram: overlap of Security, Operations and Development]
SecDevOps is not
◦ Only there to Audit code
◦ Ivory tower security
Why Security Automation?
Reduce risk of human error
◦ Automation is effective
◦ Automation is reliable
◦ Automation is scalable
Typical Enterprise Ratio
Developers : Operations : Security
? : ? : ?
Typical Enterprise Ratio
Developers : Operations : Security
100 : 10 : 1
Typical Enterprise Ratio + Security Champions
Developers : Operations : Security
100 : 10 : 1 (+10 security champions)
Security Champion: One developer from each team, assuming ten teams, spending a small amount of
time to gain proficiency and lead their team in automating and implementing security
Answer: Security Champions
Best Practice: Teams of 10 or less with all the skills needed to push to production
This person should be the security champion within the team. They should represent the voice
of security while still performing some duties as an application developer.
tldr:
Security Champion developers still ship code
Security Champion developers automate security
Security Champion developers watch for the common security gotchas
Security Champion benefits
◦ Understanding and empathy with the security team aka Trust between teams
◦ Higher level of security within the application
◦ Security in the design phase and throughout the whole lifecycle
◦ Top Risks (severity and estimated % chance of occurring) are identified early and kept top of mind
◦ Higher-level, more productive discussion with the security team (tradeoffs, etc.)
Devs developing security automation
Infrastructure as code
DevOps is generally a trend to automate traditional operations tasks such as deploying code and
increasing the availability and uptime of that running code.
Security as code
(Sec)DevOps enforces good security patterns and automates traditional security checks
(exposed ports, SQL injection of inputs, etc.)
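As an added illustration of "security as code" (example code written for this primer, not from the slides), the snippet below is the kind of automated gate a Security Champion could add to a team's CI: it checks a constructed service manifest against a port allow-list (fail-safe: anything not listed is a finding) and probes a data-access function with an injection-shaped input, showing the string-concatenated query beside its parameterized form. The manifest, table contents and function names are all constructed for the example.

```python
"""Security-as-code checks: exposed-port gate plus a SQL injection probe."""
import sqlite3

# Constructed sample manifest: what the service says it exposes.
SERVICE_CONFIG = {"name": "accounts-api", "exposed_ports": [443, 22, 5432]}
ALLOWED_PORTS = {443}  # deny by default; only HTTPS is expected


def unexpected_ports(config, allowed=ALLOWED_PORTS):
    """Return exposed ports that are not on the allow-list, sorted."""
    return sorted(p for p in config["exposed_ports"] if p not in allowed)


def setup_db():
    """In-memory table with constructed rows, standing in for the real DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "111-11-1111"), ("bob", "222-22-2222")])
    return conn


def lookup_vulnerable(conn, name):
    """Builds the query by concatenation: caller input becomes SQL."""
    sql = "SELECT ssn FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Binds the value as a parameter: input is always data, never SQL."""
    return conn.execute("SELECT ssn FROM users WHERE name = ?", (name,)).fetchall()


def injection_probe(lookup, conn):
    """True if a name matching no user still returns rows (query was altered)."""
    probe = "nobody' OR '1'='1"  # no such user; only concatenation makes it match
    return len(lookup(conn, probe)) > 0


def security_gate(config, conn, lookup):
    """Collect findings; an empty list means the build may proceed."""
    findings = []
    ports = unexpected_ports(config)
    if ports:
        findings.append(f"unexpected exposed ports: {ports}")
    if injection_probe(lookup, conn):
        findings.append(f"{lookup.__name__} is vulnerable to SQL injection")
    return findings
```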
How to be a Security Champion?
Learn the basics! OWASP Top 10 application vulnerabilities
How to be a Security Champion?
Learn the basics!
8 secure design principles from Saltzer and Schroeder:
◦ Economy of mechanism: Keep the design simple
◦ Fail-safe defaults: Fail towards denying access
◦ Complete mediation: Check authorization of every access request
◦ Open design: Assume the attacker knows the system internals
◦ Separation of privilege: Require two separate keys or other independent authorization checks (two-factor auth)
◦ Least privilege: Give only necessary rights
◦ Least common mechanisms: Ensure failures stay local
◦ Psychological acceptability: Design security mechanisms that are easy to use
Basics? Really?
Do apps still get hacked with SQL injection? You betcha!
Web Hacking Incident Database lists these and other public incidents
How to be a Security Champion?
◦ You can likely add value with OWASP & Secure Design Principles
Could a Security Champion have defeated the Equifax attack?
Facts
◦ 143 million breach victims had their names, social security numbers, birthdays,
addresses and driver's licenses stolen by attackers
◦ The site was hacked in mid-May, and attackers continued to access the data
until late July (when the breach was discovered)
◦ The Equifax breach notification page was using a free shared CloudFlare
SSL, causing many browsers to think it was a phishing site (not terrible, but
not helping)
◦ Signing up for Equifax's identity theft protection forces users to accept a
terms of service that waives their ability to sue Equifax. (Also not helping)
◦ Finally, an employee portal in Argentina had admin/admin as the
username/password. (indicates a lax security posture)
Action: Equifax Tech Stack
What was the tech stack?
◦ Apache Struts
◦ IBM WebSphere
◦ Java
Web (vulnerability) Scanner: a program which communicates with a web application through the
web front-end in order to identify potential security vulnerabilities in the web application and
architectural weaknesses (Wikipedia)
◦ Popular tools: Zaproxy, Cenzic, Appscan, Webinspect, nikto