"DevSecOps is driving the use of security testing throughout the application lifecycle, from initial development to product monitoring. Application security testing is unlike other forms of security in that it directly impacts the daily routines of developers. John Maski, the former director of DevSecOps at AT&T, discusses securing CI/CD pipelines in enterprise environments and “shifting left” with security. He reveals best practices gained from moving AT&T’s primary DevOps practice to a DevSecOps practice using static and dynamic application security testing. You’ll discover why strong executive sponsorship, a cultural shift, and solid cross-organization teaming are critical and how they can be the way forward to your own DevSecOps success.  "

1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Integrating AppSec into your
DevSecOps on AWS
David Wayland
Director, Information Security
Fortune 500 Financial Corporation
S e s s i o n I D

2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
Who Am I?
What are we talking about?
Application Security Drivers
How did we get here?
AppSec in your DevSecOps
Final Words

3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Who am I & Why should you care
20 years in the Application Development Space
15 years as a Production Java & .NET Developer
5 years as a Technical Instructor for System Administration & Application Development
5 years Consulting to Fortune 500, 100, and Global 50 companies
15 years architecting and building deployment automation
8 years of DevSecOps experience
4 as an application developer and technical lead
4 as the head of application security

4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Integrating AppSec in your DevSecOps
Automation is the key
Shifting Application Security to the Left is the goal
DevSecOps is decreasing the time to implement production changes
The threat environment is increasing rapidly
We will talk about proven processes and tools to secure your DevSecOps

6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Application Security Drivers
Cost
Significant Financial & Reputational harm will be caused by ANY data breach
$5.4 Million per incident, on average*
$188 - $277 per compromised record*
Threat Environment
Dynamic & evolving!
Vulnerabilities
Most vulnerabilities that are exploited were published for more than a year**
* Veracode, Addressing the Scalability Challenge with Cloud-Based Application Security
** Verizon, Data Breach Investigation Report (DBIR)

8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Application & Process Journey
Waterfall
Agile
DevOps
DeploymentTimes
Monolithic
SOA
Microservices
Today
2000

10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Application Security Reality
Increased Threat Environment
Decreased Deployment Time

11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Application Security Reality
Verizon, 2016 Data Breach Investigations Report
Time to Compromise
Time to Exfiltration

12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Environment Considerations
DevSecOps application security is environment agnostic
CI/CD Pipelines
May be environment specific
Ensuring a Secure Landing Zone is the beginning of your journey

14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Secure Landing Zone
You are only as secure as the environment you are operating within
Automate the creation of your Landing Zone to ensure it is secure
Ensuring foundational security provides the baseline for Application Security

15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
DevSecOps
Left
100x$*x$
* https://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20100036670.pdf

16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
DevSecOps – The Shift Left that must occur
Developer
$0
Left
100x$*x$
* https://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20100036670.pdf

17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Competing Imperatives
Development Team
Schedule
Application Security Team
Security of the Application:
No Must-Fix Vulnerabilities
Functionality
Enhancements
Stability

18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
DevSecOps: Application Security developer training
Application Security MUST “speak developer”
Security requirements must be clear, concise, and pertinent
Training must be tailored to the developer
There must be an understanding of the security concerns
If they only understand two (2) things, let them be:
Trust Boundaries
Data Sanitization

19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
DevSecOps: Code
Development
Developer training
Specific to the companies security requirements
Clearly identify what is a Must Fix vulnerability
IDE Integration
“Intellisense” for security vulnerabilities
Ability to provide immediate feedback and training
CI
Automated SAST scan on commit
Vulnerabilities
Reduction in introduced
Immediate identification
Expedited remediation
Schedule
Reduced risk to schedule
Cost
Minimal cost to refactor code
Results

20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
DevSecOps: Build
Automation
Static Scanning
All files associated with the application
Every build of the application
SAST
Compiled application source code
SCA
Third-party & Open Source components
Vulnerabilities
Application specific
3rd party & Open Source component
Identification of vulnerabilities
Remediation of vulnerabilities
Licensing
Component licensing & compliance
Reduction of risk
Results

21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
DevSecOps: Test, Release, Deploy
Static Scanning
All files associated with the application
Every build of the application
SAST
Compiled application source code
SCA
Third-party & Open Source components
DAST
Production-like application URL
Vulnerabilities
Application specific
3rd party & Open Source component
Identification of vulnerabilities
Remediation of vulnerabilities
Licensing
Component licensing & compliance
Reduction of risk
ResultsAutomation

22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
DevSecOps: Operate & Monitor
Secure Landing Zone
Integrated Identity
Integrated Logging
Integrated Infrastructure Security
Secure CI/CD Pipelines
Automated Account Structure
Secure Infrastructure as Code
Automated account deployments
Elimination of manual processes
Security built in to the pipeline
Logging & Monitoring
Centralized logging
Tool specific monitoring
Results

23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
DevSecOps: Operate & Monitor
Automation
Automated Perimeter Monitoring
All IP Ranges associated with the environment
All known Domains
Fuzzy search for new domains/IPs
Non-credentialed dynamic scan of identified sites
Vulnerabilities
External facing site vulnerabilities
Elimination of risk through reduction
in “drive by” vulnerabilities
Reputation
“External Risk Management Reports”
will come back clean
Results

24. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
DevSecOps: Plan
Update
Continually revise:
Reference architectures
Documentation
Developer training
Review vulnerabilities and
identify trends
Create customized training to
address weak areas
Monitoring
Utilize monitoring of non-production
environments to address potential
production issues
Identify trends

25. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Integrating AppSec in your DevSecOps
✓ Automation allows for velocity and integration
✓ Shifting Security to the Left reduces schedule impacts
✓ Developer training decreases introduced vulnerabilities
✓ Secure Landing Zones and Pipelines are the goal and key to success

26. Thank you!
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
David Wayland
eMail: david.wayland@gmail.com
LinkedIn: https://www.linkedin.com/in/davidwayland