
DevSecOps Process Management

BSides Augusta · 2022 · 27:23 · 109 views · Published 2022-10
Speaker: Evan Gertis
Category: Technical
Style: Talk
About this talk
Evan Gertis presents a practical framework for implementing developer security operations (DevSecOps) in startup and small-business environments. The talk covers security automation, static and dynamic application security testing, container scanning, and a process design grounded in peer-reviewed research. Key focuses include building accountability through automated ticketing, executive dashboards, and a shift-left approach that motivates developers rather than forcing compliance.
Original YouTube description
This talk is for organizations that are developing an application security testing or training program, and specifically for security champions within the company who are facing the burden of trying to run a security program inside a startup or small business. Application security testing and training has become an urgent need because of the rising demand for developer security operations programs, and there is an overwhelming demand for professionals in the field. To keep up with business demands from upper management, companies need to be able to produce consistent results and ensure that their production code is secure. A simple set of tooling can be configured to provide a systematic process that ensures quality software is being released to a production environment. The first step is security automation. The next phase is testing. Finally, we can use the results from these tests to encourage developers to fix the issues found in their code.
Transcript [en]

All right, how's everyone doing? Yeah, you guys enjoying the conference so far? Thank you for making it this far. You know, save the best for last, right? You hope. My name is Evan Gertis. I have a Bachelor of Science in physics from the University of North Carolina at Chapel Hill. I have a master's degree in computer science from the Allen Paulson... you know, it's just, it's actually an example, right? As security professionals we have to plan for the worst, but, um, you know, we have to have a backup plan. But I digress. Just to give you a little more information about my background here, right, so I'm a

Security+ certified information security professional. I also hold a certificate in Terraform as well; I'm a certified Terraform Associate developer, and I'm a certified computer and electrical engineer in the state of Georgia. Today I'm going to talk to you about how to implement a developer security operations program the right way. Why didn't the IT team set up their infrastructure on the beach? It was cloudy. So ask yourself, why are you here? Another mic change. You know, good things come in threes. Anyways, so, all right, ask yourself though: why are you here?

Prepare yourself for a paradigm shift. You think about developer security operations: it's a mindset. This is a way for you to think about things differently. Consider it a renewal of your mind. There are five key things that I want you to walk away with after this talk. Number one, automated scanning removes manual labor. Number two, application security reviews require a security champion. Number three, strong vulnerability reports are most easily articulated to upper management when you can support them with the proper information from platforms like Veracode and Xray. We can use penetration tests to support these findings, and we can also use penetration tests to find the vulnerabilities that SAST and DAST miss. These results, combined with the

penetration test, can be supported by a very sophisticated logging system.

Okay. How you do anything is how you do everything. Our process doesn't get people to... it doesn't force them to do their job. What it does is it actually gets them to want to do their job. How many of you have sat in a meeting with a liar? How many of you have dealt with a toxic micromanager? Johannes, yeah, we all have, right? Have you ever heard of shift left? Anyone? So how do you do shift left the right way? We inspire accountability, and our process uses the right questions to get the right people to take action. Our process is based on research from the two most referenced papers that describe the challenges of DevSecOps

from Connected Papers. Now, we all know that configuration management is a security engineer's worst nightmare. It's a very difficult thing to have to work through, so there's no standardization for developer security operations at this point. We need to find a way to be able to move through this. When we don't accept standards, then shadow IT becomes the norm in most organizations. So how do we address these issues? You have to make fire walkers. [Laughter] Okay, so processes really don't care about your feelings. We convert your security team into fire walkers to give your business a competitive edge so that you can land and expand,

in other words, we take your company from being interested to a mature DevSecOps capability. Our process cares about your feelings. These challenges that we're facing here are very important, and at the end of this talk I'd love to give you a more detailed overview of the training presented here. I want you all to walk away from this talk with an understanding of the five key points that we covered at the beginning of the presentation. If you want help, if you want help implementing this, this is where I come in. As you can see, the weakest link in any chain is the human being.

This is one of the papers that I'm referencing here from Connected Papers. What we have found is that we need to provide situational awareness. There has to be a bridge between the security team and the development team; there has to be someone that can actually handle this role. We need to get the right people set up with the right tools so we can get the right things done at the right times to get the right outcomes. This process was developed by analyzing these two papers, which describe these challenges, and these things need to be done at the beginning of the process; they can't be done afterwards. So, for example, we can't push production code out with the

vulnerabilities. So how do you do it? The papers that we're describing here are very new; they're very important, and they're the only ones that talk about the humanistic element of a management process. I'm happy to share these with you after the talk, please just ask. So we need a process. It's about having a process, right? We have to have some way of moving forward and making progress. So ask yourself: how would you like to be 80% more efficient?

Thank you. Our process ensures that management sees the progress of achieving specific outcomes, and this will help you allocate the financial resources to support your project. The key is to build security champions, and these champions have to be supported with the right tools to be able to show management, to articulate in the language of upper management, that we're making progress. So the keys to making a good team: passion, accountability, clear communication, and execution. So we have the security... we have the Neosporin peer security needs... This is an outline of the suite of tools that you can use to achieve these results. First we start with Veracode, and we supply static application security testing with dynamic application security testing and

container scanning, supported by executive dashboards. We use a custom penetration testing workflow using Burp Suite, all supported by a free compliance policy framework that can be implemented with infrastructure as code, and then the results of these penetration tests can be traced through Elastic SIEM, which provides a whole other suite of benefits for an organization, such as Heartbeat alerting, monitoring, and traceability. Then communicating the vulnerability reports associated with the specific binaries in an application can be shown in Xray reports. Then we finally conclude everything with a custom application security review that features a very specific humanistic management process that gets people to take accountability for their work and move forward with positive momentum. So we'll go into very good...

Adversity is the foundation of strength. I implemented this entire thing by myself, and I made it look easy. You have to find a way to take an organization from chaos to clarity. No one wants to lead, but you have to do something at some point. We all know that success breeds success, and if you aren't first, you're last. Veracode provides an all-inclusive platform for managing an organization's security program. This organization allowed 254 vulnerabilities associated with Jackson Databind to sit in their application for years. How long do you think it took me to pull this one off? How long do you think it took me to exploit Jackson Databind?

30 minutes. As you can see, this process, after six months, completely removes all those vulnerabilities. Everything's gone and we're back at a steady state. Now, I implemented all of this, but do you think I went through and fixed all this code and updated all these third-party problems?

So, as I said, we have to build champions. That's the first step, and a champion has to take ownership, and they have to lead by example, but we have to give them the right tools and the support structure for them to make progress. When they have the right tools, they can show, not tell, because nobody wants to hear someone tell them something; they need to see it. Nobody trusts anyone anymore. Let's face it, ever since COVID, nobody trusts anyone. It just doesn't happen, right? So you don't have to be an expert in the field, but you need to be able to articulate what you're doing to upper management. The first step is to define

that champion, right? The State of Software Security report found that when you provide developers with the proper training, they actually want to take accountability for the work; they enjoy what they're doing, right? Don't we like learning? Isn't that fun? So the first step is finding that champion and then giving them the right tools so that they can be successful. Now we get to the implementation. So the first step is using static application security testing to capture all the vulnerabilities associated with an application. SAST gives you the static view of the code. It gives you all the specific lines with the vulnerabilities associated with an application, so you can go back through the application, you can trace

your steps all the way up to the top. It's very simple: in the Veracode platform, select Scans & Analysis, Static Analysis, just get started. Then we use a combined approach with dynamic analysis. Now, dynamic analysis allows us to look at the API. So we have the static side, which is all of the code; now we can look at the API with dynamic analysis. Who wants to sit there and do a penetration test and repeat the same penetration test over and over and over again? The dynamic analysis allows us to save a lot of time because we can just look at the API and we can say, oh, okay, here's where the vulnerabilities are; this is the next step that we need to take here.

All right, here's an example of a walkthrough of dynamic analysis. Again, if anyone has any questions, please stop me at any point in the presentation. What I want to show you is that we're looking at the API here, where the static scan actually looks at the code. So what this does is it goes through and it runs a scan, and then it publishes the results, and then you can see the results in the platform, and you're able to articulate what you're doing to upper management. It's very simple: let's go to Scans & Analysis and click Dynamic Scans. That's how you get started. The next step is implementing container scanning. So container scanning can be combined

with the static application security test and the dynamic application security test to provide a comprehensive security overview for your application. The container is now one of the most important assets to secure, right? Basically, if I want to hack your application, I'm going to find a third-party vulnerability in the container, bake it into your image, and then, yeah, you get hacked. It's very simple to implement container scanning in Veracode. Here's an example: you just use this SourceClear download, which contains an all-in-one bash script, and once you launch this bash script it'll give you all the vulnerabilities associated with the application in the container, and then in the Veracode platform you can actually see these

vulnerabilities. The next step is supporting all this with executive dashboards. As I said, nobody believes anyone anymore, and executives aren't going to want to see a giant wordy report. What they want to actually see are numbers, statistics, and graphs that show that you're making progress in what you're doing. It's very simple: you go to Analytics in the platform and then Veracode Dashboards, then you can start building out the pre-configured dashboards. The next step is actually building out your own custom dashboards to refine what you're actually showing to upper management. So this is important because it ensures team accountability, and using this process we can show progress. Again, real leaders show; they do not tell. Burp Suite is a sword for security

engineers. The only things you really need to know about Burp Suite are the Burp Proxy, the Scanner, Repeater, and Intruder. We can use this custom penetration testing workflow to find the vulnerabilities in this application that the SAST and DAST miss. Once we have this, we can hit the application, going line by line all the way up through the report from SAST, to find these vulnerabilities, to get developers to take accountability for their work. First up here is configuring the proxy. When you set up your proxy, you have a way of seeing what you're sending to the application, and you can start to design a payload so you can actually attack the application. But the first step is

getting this proxy set up so that you can actually use Burp the right way. Well, you gotta learn how to crawl before you ball. So the Scanner is a powerful tool that allows you to find the scope of your penetration test. This gives you all the endpoints associated with the application. Once you've defined your scope, you can start to make a plan. This is the first step: you get the reconnaissance down, you're able to actually see what's in the application, and we can use this to look at the web traffic, and, yeah, get ready for it, you can use this to generate a PDF report, in HTML format as well. Then you can actually send this to upper

management so they can see the results of this penetration test. Then you want to use the Repeater. This Repeater will allow you to use a custom payload that you can launch in the application, and you can start to attack. The Intruder will launch the actual attack. Here's an example of a SQL injection attack. As you can see, this type of screenshot is what you include in the vulnerability; this is what you include in your report as a security engineer. And then you rinse and repeat; you just keep doing this over and over again, and you save time in your penetration test. So it's important because we can show team accountability, and this process shows progress. Real leaders

show; they don't tell. Now we'll go into compliance. So you can build a river in a desert. Essentially, you can use the CIS Foundations Benchmark as a free compliance framework to get started with this. This dashboard here just uses the guidelines set forth in the CIS Foundations Benchmark, combined with Terraform to implement these guidelines, and allows you to monitor all of your cloud resources in one location. As you can see, this also provides you with the logs, so you can trace those steps from that custom penetration test. Right here you can see that I'm actually exploiting the SQL injection in this log. So the first step here is selecting that compliance framework. The Center for

Internet Security's Foundations Benchmark is one of the best because it's free; it's great for new security engineers to get started; it has easy-to-read instructions, and once it's read, it just needs to be implemented with Terraform. Now, the things that you'll need: you have to control access to these resources, so you want to use AWS IAM, and Terraform provides a provider which allows you to use AWS resources such as IAM roles, so you can restrict access to these resources. Then you need to set up storage management. Once you have your S3 buckets configured, you can link them to CloudTrail. Once these are linked to CloudTrail, you can use the AWS Filebeat module, the AWS

Filebeat module from Elastic, to build all these pre-configured dashboards, and then essentially you just have to flip a switch. It's a simple YAML file, and once you configure it, you're done. Now, going into Elastic SIEM: not only does this allow you to trace those steps from that custom penetration testing workflow, you can use this to set up alerting. You can monitor all those cloud resources in that dashboard that you saw. It allows you to combine multiple tools all in one interface, so that your organization can see everything that's going on inside of their application. So this is important because it ensures team accountability, and again, using this process we can show progress. Real leaders show; they don't tell.

Now we'll go over Xray. Again, you can build a river in a desert. This is an example of a DevSecOps pipeline. Why is it a DevSecOps pipeline? We push the pain forward. Pain is a good thing in security; it makes us fix things quicker and faster. Most companies allow their production code to go out without any security ahead of time. So the steps here are initializing, configuring the build info, publishing the info to Xray, and then running the scan. Here is an example of a policy that's set up in Xray. This is visible for everyone in the organization. Here's an example of a PDF report that shows all of the vulnerabilities associated with an

application and the steps that they need to take to fix it. So these numbers are going to talk, and if you have a good report I'll give you a promotion. So no one wants to do these things the hard way. If your numbers aren't right, you've gone too far, and the numbers are easy to read. How do you do it? My friend Aseem at JFrog provides amazing technical support. Simply just get the documentation, write the code, go back to your boss and ask if it's correct, and then do it again. So here's a step for initializing Xray. You want to use the rt build-info plugin from Xray. This takes the server ID, the username and the password, and the URL to

the server, and once you connect to it you're able to initialize Xray. Again, this plugin allows you to configure your build and launch it. You want to use this report in Xray to communicate to upper management that there are severe vulnerabilities in your application, and you want to make sure the developers are going through and actually fixing them. Those results are shown in the PDF. So again, it comes back to accountability and showing. Now I'll go over the application security review. Again, you can build a river in a desert. Here are the results from one of our application security reviews, right? We've identified a champion, we've moved into a new certification level, we are consistently scanning, and we implemented

Docker container scanning, and as you can see here at the end we're moving forward. We're actually going to fix things, and we're going to provide guidance on the third-party vulnerabilities that need to be fixed, and we're going to prevent those new vulnerabilities from being introduced. And again, this comes back to five key specific questions. How much time do you spend in meetings? Nobody wants to waste time. You can actually automate this entire process. We can automate all of these; we can automate the vulnerabilities that we find in Veracode and actually assign them to individuals so they can take accountability for their work, right? And the ticketing system that I would recommend is Atlassian Jira, but

you could also use Trello. So for the reviews, you can use Google Calendar, Microsoft Teams, or Zoom, any platform of your choice. The important thing here is that these are recorded, using Zoom recordings or Movavi Screen Recorder. Movavi is about 99 bucks. So we can automate the ticketing to save time, and this gets individuals to take accountability for their work. They don't have to waste time in these meetings because they have their name assigned to these tickets. It comes back to leadership. How many of you have lost a good leader? You have to ask the right questions, and there are five specific questions that you have to ask yourself before you ask your team, and when you ask your team, you

ask them in an open environment. You record the meeting, you distribute the meeting minutes before the meeting and after the meeting, and you start the meeting with the question "why." You make sure they read the meeting minutes before they came in. So this proves that you can move forward, but you have to ask the right questions. Let me know if you want these questions; I'm happy to share the details. This is important because it comes back to accountability, and using this process we can show progress. You don't show, we tell. So let's just do a victory lap here. Here we have Veracode Software Composition Analysis set up; you can see all the vulnerabilities in the platform.

Here's the developer security operations pipeline: shift left, push all the pain forward. Here's the automated ticketing. The automated ticketing saves you a bunch of time, so you don't have to sit in meetings wasting a bunch of time. Here's an example of a ticket that actually shows all the details from a vulnerability, making sure that it gets fixed. You can see it's unassigned here because typically, in my situation, I'm gonna go fix this first, then come back to the other guy and I'm going to say, hey, I fixed it, what are you doing? Here's an example of a Veracode certification. You can see that this organization was at a horrible state before; it was at 58, and I moved it up to 93.

Here's an example of an e-learning curriculum that you can set up in the Veracode platform. It teaches developers how to implement secure coding and a ton of other great things. You've got to get it set up in the right way; you've got to make sure that you start them out simple and then move them through more difficult concepts. Again, here's the AWS Filebeat module. You can see we have all the API calls; we can see the instances across the globe. Here's an example of me popping SQL injection, or some other sort of hack design. Again, this is the beauty of it: this guy actually put in here, he put SQL injection, and you can show him

and then when you go and you say, what are you doing here? All right, and then here's another example of the application, uh, the software composition analysis, right? You can see that this has gone down a bit further. Here's an example, continued: this is the automated system raising examples over and over again. With the shows, based on the results of the certification level going up, you gain better results; the more scans you run, the better results you get. Here are 20 microservices that you

really like. Here's an example stored in a calendar, and have to happen, and here's an example of an executive dashboard. As you can see, using this process over 1500 vulnerabilities were closed, however 6...

Now here we go. This is the last step here. Why is it important? You can take this entire pipeline and you can secure it with zero trust. You don't see the pipeline; now you do. So if you want more information, please let me know. Please take a picture of this; this is all my contact information, so if you want to reach out, um, here's a QR code of media wallowing, so please, uh, tweet at me. You know, thank you BSides for posting this, and, uh, the YouTube channel, so this channel, thank you. Here are the references associated with this.

Here are the resources. I'm happy to share this slide with you at the end of the presentation if you like. Any questions? Yes.

Uh, yeah, there are, there are quite a few. The primary reason behind using Veracode is that it's all music; that's the whole point behind it. Any other questions? That's why, yeah. So I think, uh, that question deserves a prize. Here, let's go to the next one.