CD Summit - Austin, from DevOps Connect Desc: Over the years, application security (appsec) has made progress, but it has also made some considerable mis-steps. Appsec focuses almost solely on developer awareness and secure development training as remediation. This isn’t sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions we have made that got us here. http://www.devopsconnect.com/events/cd-summit-austin/

1. Application Security
Epistemology in a
Continuous Delivery
World
- @wickett

2. @wickett #ruggeddevops
James Wickett
SR. ENGINEER, SIGNAL SCIENCES
AUSTIN, TX
HANDS-ON GAUNTLT BOOK
DEVOPS DAYS GLOBAL ORGANIZER
LASCON ORGANIZER

3. Application Security Telemetry and Monitoring
Plus Defense!
Application Security for the rest of us
An approach that integrates with devops
organizations doesn't inhibit going fast

4. signalsciences.com

5. @wickett #ruggeddevops
Software development is a constant experiment in knowing
Application Security abdicated runtime responsibility and
development responsibility through incoherent
philosophical approaches and fostering silo-thinking
Security now is where Ops was 7 years ago.
Ops found a path to change through devops, security can
too
There are three ways we can add value: at development, at
deploy, at runtime
Summary

6. @wickett #ruggeddevops
Bad-Behavior Driven Development
Weaponizing your CD Pipeline
Application Security Telemetry and Monitoring
Continuous Hardening and Audit
Have a S-BOM! (Software Bill of Materials)
Practices

7. @wickett #ruggeddevops
A study in how we
know anything in
Application Security

8. @wickett #ruggeddevops
Spoiler Alert:
We don’t !

9. @wickett #ruggeddevops
once upon a time…

10. @wickett #ruggeddevops
Epistemological
Problem of Software
Development

11. @wickett #ruggeddevops
We optimize for the
probable

12. @wickett #ruggeddevops
Unit Testing

13. @wickett #ruggeddevops
Integration Testing

14. @wickett #ruggeddevops
Happy Path
Engineering

15. @wickett #ruggeddevops
We also optimize
for the possible

16. @wickett #ruggeddevops
Over Engineering

17. @wickett #ruggeddevops
The scaling algo
that never got used…

18. @wickett #ruggeddevops
There is too much to
choose from in the
realm of possible

19. @wickett #ruggeddevops
Actually, we optimize for
the perceived probable

20. @wickett #ruggeddevops
How do we know
what to create?

21. @wickett #ruggeddevops
This is the problem

22. @wickett #ruggeddevops
Epistemological
Problem of Software
Development

23. @wickett #ruggeddevops
We gather data and
rhetoric to support
our theories

24. @wickett #ruggeddevops
There are 3 major
arcs in the history of
Software Development

25. @wickett #ruggeddevops
First Arc:
Agile

26. @wickett #ruggeddevops
Agile avoids the
problem

27. @wickett #ruggeddevops
Agile reminds that
we dont know what
we are building

28. @wickett #ruggeddevops

29. @wickett #ruggeddevops
Behavior Driven
Development

30. @wickett #ruggeddevops
BDD = Agile +
feedback

31. @wickett #ruggeddevops
Behavior Driven Development is a
second-generation, outside–in, pull-
based, multiple-stakeholder, multiple-
scale, high-automation, agile
methodology. It describes a cycle of
interactions with well-defined
outputs, resulting in the delivery of
working, tested software that matters.
Dan North , 2009

32. @wickett #ruggeddevops
Amplify
Feedback
Loop

33. @wickett #ruggeddevops
Agile emphasizes
feedback to developers
from their overlords and
sometimes even customers

34. @wickett #ruggeddevops
TLDR;
Rapid Iterations Win

35. @wickett #ruggeddevops
Agile is
our guiding
Light

36. @wickett #ruggeddevops
The world has
changed since Agile

37. @wickett #ruggeddevops
We don’t sell
CD’s anymore

38. @wickett #ruggeddevops
Software as a
Service

39. @wickett #ruggeddevops
The last fifteen years have
brought a complete change in
our delivery cadence,
distribution mechanisms and
revenue models

40. @wickett #ruggeddevops
Second Arc: DevOps

41. @wickett #ruggeddevops
DEVOPS IS THE APPLICATION OF
AGILE METHODOLOGY TO SYSTEM
ADMINISTRATION
- THE PRACTICE OF CLOUD SYSTEM ADMINISTRATION BOOK

42. @wickett #ruggeddevops
DEVOPS

43. @wickett #ruggeddevops
Agile
Infrastructure

44. @wickett #ruggeddevops
http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr

45. @wickett #ruggeddevops
Less WIP
Less technical debt

46. @wickett #ruggeddevops
Customers actually using
the feature while the
developer is working on it

47. @wickett #ruggeddevops
Great side effect:
Produces Happy Developers

48. @wickett #ruggeddevops

49. @wickett #ruggeddevops

50. @wickett #ruggeddevops
Devops realized that ops
doesn’t know what devs
know and vice versa

51. @wickett #ruggeddevops
Dev : Ops
10 : 1

52. @wickett #ruggeddevops
DevOps is an Epistemological
breakthrough joining people
around a common problem

53. @wickett #ruggeddevops
Culture is the most
important aspect to devops
succeeding in the enterprise
- Patrick DeBois

54. @wickett #ruggeddevops
Culture is shaped in
part by values

55. @wickett #ruggeddevops

56. @wickett #ruggeddevops
Mutual Understanding
Shared Language
Shared Views
Collaborative Tooling

57. @wickett #ruggeddevops
DEVOPS IS THE INEVITABLE RESULT OF NEEDING
TO DO EFFICIENT OPERATIONS IN A [DISTRIBUTED
COMPUTING AND CLOUD] ENVIRONMENT.
- TOM LIMONCELLI

58. @wickett #ruggeddevops
https://puppetlabs.com/sites/default/files/2015-state-of-devops-report.pdf

59. @wickett #ruggeddevops
TLDR;
High-performing IT
organizations experience 60X
fewer failures and recover from
failure 168X faster than their
lower-performing peers. They
also deploy 30X more frequently
with 200X shorter lead times.

60. @wickett #ruggeddevops
Culture
Automation
Measurement
Sharing
- @damonedwards, @botchagalupe

61. @wickett #ruggeddevops
Devops gone wrong

62. @wickett #ruggeddevops
“THAT THE WORD #DEVOPS GETS REDUCED
TO TECHNOLOGY IS A MANIFESTATION OF
HOW BADLY WE NEED A CULTURAL SHIFT”
- @PATRICKDEBOIS
http://www.slideshare.net/cm6051/london-devops-31-5-years-of-devops

63. @wickett #ruggeddevops
Third Arc:
Continuous
Delivery

64. @wickett #ruggeddevops
Continuous Delivery is not
merely how often you
deliver but how little
you can deliver at a time

65. @wickett #ruggeddevops
Delivery
Pipelines
are rad!

66. @wickett #ruggeddevops
Batch Size of 1

67. @wickett #ruggeddevops
Separation of Duties
Considered Harmful

68. @wickett #ruggeddevops
Give power to the
Developers to deploy

69. @wickett #ruggeddevops
Reduce Code Latency
Increase Code Velocity

70. @wickett #ruggeddevops
3 Arcs:
Agile
DevOps
Continuous Delivery

71. @wickett #ruggeddevops
The next Arc:
Security
Rugged

72. @wickett #ruggeddevops
“…Those stupid developers”
- Security person

73. @wickett #ruggeddevops
“Security prefers a system
powered off and unplugged”
- Developer

74. @wickett #ruggeddevops
Cultural Unrest
with security in
most organizations

75. @wickett #ruggeddevops
Compliance Driven
Culture

76. @wickett #ruggeddevops
“[RISK ASSESSMENT] INTRODUCES A
DANGEROUS FALLACY: THAT STRUCTURED
INADEQUACY IS ALMOST AS GOOD AS
ADEQUACY AND THAT UNDERFUNDED
SECURITY EFFORTS PLUS RISK
MANAGEMENT ARE ABOUT AS GOOD AS
PROPERLY FUNDED SECURITY WORK”

77. @wickett #ruggeddevops
Security is where ops
was 7 years ago…

78. @wickett #ruggeddevops
Dev : Ops : Sec
100 : 10 : 1

79. @wickett #ruggeddevops
Understaffing means
no one thinks security
helps the business win

80. @wickett #ruggeddevops
DevOps changed that
for Ops, security can
change too

81. @wickett #ruggeddevops
Netflix
demonstrated
that people
care about
resiliency

82. @wickett #ruggeddevops
Innately, we all care

83. @wickett #ruggeddevops
Rugged Software Movement

84. @wickett #ruggeddevops
#ruggeddevops

85. @wickett #ruggeddevops
https://vimeo.com/54250716

86. @wickett #ruggeddevops
http://www.youtube.com/watch?v=jQblKuMuS0Y

87. @wickett #ruggeddevops
Security’s way forward is to
help developers and help
operations

88. @wickett #ruggeddevops
Start there

89. @wickett #ruggeddevops
Let’s review Security’s
approach thus far

90. @wickett #ruggeddevops
BadIdea #1
Applications can’t be
defended—Web App
Firewalls Suck!
lets do developer training

91. @wickett #ruggeddevops

92. @wickett #ruggeddevops

93. @wickett #ruggeddevops
Awareness campaign
OWASP Top Ten

94. @wickett #ruggeddevops
We abandoned knowing
anything useful about
the Runtime

95. @wickett #ruggeddevops
Instead Add Defense
based on behaviors

96. @wickett #ruggeddevops
BadIdea #2
Developers can’t figure it out.
lets scan for vulnerabilities
instead

97. @wickett #ruggeddevops
“here is a 400 page PDF of
our findings to prove your
developers don't get it!”
- The Pen tester

98. @wickett #ruggeddevops
Even with the emphasis
on appsec training, in
practice we made it a
dark art

99. @wickett #ruggeddevops
Integrated rugged
testing should sit
inside the pipeline

100. @wickett #ruggeddevops
BadIdea #3
With the new alignment
to vulnerability scanning,
there is a tendency to Fix
the Low-Hanging Fruit

101. @wickett #ruggeddevops

102. @wickett #ruggeddevops
we still don't know
who is attacking us

103. @wickett #ruggeddevops
We still don't
actually know what
they are attacking

104. @wickett #ruggeddevops
Real Threats go Unknown
so Developers fix what the
automated tooling detected
at a certain point in time

105. @wickett #ruggeddevops
Add Application
Security Telemetry

106. @wickett #ruggeddevops
badidea #4
Put in tooling that no
one outside of security
can understand

107. @wickett #ruggeddevops
usually in the name
of compliance

108. @wickett #ruggeddevops
“Get a Web App Firewall
dude!”
- PCI-DSS Req 6.6

109. @wickett #ruggeddevops

110. @wickett #ruggeddevops
Choose your own
adventure…

111. @wickett #ruggeddevops
smallest possible
solution you can
consider a WAF…

112. @wickett #ruggeddevops
Our CDN added
ModSecurity Ruleset
Huzzah!

113. @wickett #ruggeddevops
An appliance that
blocks all the things

114. @wickett #ruggeddevops
And now you wonder
why no one eats lunch
with you anymore

115. @wickett #ruggeddevops
“every aspect of managing WAFs is an
ongoing process. This is the antithesis
of set it and forget it technology.
That is the real point of this research.
To maximize value from your WAF you
need to go in with everyone’s eyes open
to the effort required to get and keep
the WAF running productively.”
- a whitepaper from a WAF vendor

116. @wickett #ruggeddevops

117. @wickett #ruggeddevops
Ok, Security has to change…
How do we add value
already?

118. @wickett #ruggeddevops
Two ways!

119. @wickett #ruggeddevops
Add value to Devs
Add value to ops

120. @wickett #ruggeddevops
Pray that someone
notices

121. @wickett #ruggeddevops

122. @wickett #ruggeddevops
Pro-Tip #1
Bad-Behavior Driven Development
(automate those security tools!)

123. @wickett #ruggeddevops
Start with Adding just one
test for XSS on a few pages
in your app

124. @wickett #ruggeddevops

125. @wickett #ruggeddevops
gauntlt is Bad-Behavior
Driven Development

126. @wickett #ruggeddevops
GAUNTLT
Open source, MIT License
Gauntlt comes with pre-canned steps that hook
security testing tools
Gauntlt does not install tools
Gauntlt wants to be part of the CI/CD pipeline
Be a good citizen of exit status and stdout/stderr

127. @wickett #ruggeddevops

128. @wickett #ruggeddevops

129. @wickett #ruggeddevops

130. @wickett #ruggeddevops
Be Mean to Your
Code

131. @wickett #ruggeddevops
Gauntlt Uses Cucumber
and its awesome

132. @wickett #ruggeddevops

133. @wickett #ruggeddevops

134. @wickett #ruggeddevops
here’s an XSS attack
Example

135. @wickett #ruggeddevops
@slow @final
Feature: Look for cross site scripting (xss) using arachni
against a URL
Scenario: Using arachni, look for cross site scripting and
verify no issues are found
Given "arachni" is installed
And the following profile:
| name | value |
| url | http://localhost:8008 |
When I launch an "arachni" attack with:
"""
arachni --modules=xss --depth=1 --link-count=10 --auto-
redundant=2 <url>
"""
Then the output should contain "0 issues were detected."

136. @wickett #ruggeddevops
http://theagileadmin.com/2015/06/09/pragmatic-security-and-
rugged-devops/

137. @wickett #ruggeddevops
github.com/gauntlt/gauntlt-demo

138. @wickett #ruggeddevops
leanpub.com/hands-on-gauntlt
Hands-on Gauntlt
Book

139. @wickett #ruggeddevops
Pro-tip #2
Put security testing in
your continuous
integration system

140. @wickett #ruggeddevops

141. @wickett #ruggeddevops

142. @wickett #ruggeddevops
https://speakerdeck.com/garethr/battle-tested-code-without-the-battle

143. @wickett #ruggeddevops
Pro-Tip #3
Add Application Security
telemetry to devs and ops

144. @wickett #ruggeddevops
Convert App Security
Logs into metrics in the
systems dev and ops use
StatsD

145. @wickett #ruggeddevops
RunTime Correlation
between biz, ops, dev, sec

146. @wickett #ruggeddevops
SQLi Attempts + HTTP 500’s
or
login spikes + transaction
decrease

147. @wickett #ruggeddevops
Runtime
Instrumentation for
Application Security

148. @wickett #ruggeddevops
Pro-Tip #4
Get hugs from the
auditors and add
Hardening and Audit using
config management

149. @wickett #ruggeddevops
Open Source
Hardening Framework
chef/puppet/ansible
http://hardening.io/

150. @wickett #ruggeddevops
Run Nightly Audits of
your Hardening using
Config Management
(Chef audit mode)
https://www.chef.io/blog/2015/04/09/chef-audit-mode-cis-benchmarks/

151. @wickett #ruggeddevops
OS and Config
Management

152. @wickett #ruggeddevops
reverse the trend
Add Value to Devs
Add Value to Ops

153. @wickett #ruggeddevops
Software development is a constant experiment in knowing
Application Security abdicated runtime responsibility and
development responsibility through incoherent
philosophical approaches and fostering silo-thinking
Security now is where Ops was 7 years ago.
Ops found a path to change through devops, security can
too
There are three ways we can add value: at development, at
deploy, at runtime
Summary

154. @wickett #ruggeddevops
Bad-Behavior Driven Development
Weaponizing your CD Pipeline
Application Security Telemetry and Monitoring
Continuous Hardening and Audit
Have a S-BOM! (Software Bill of Materials)
Practices