How Can I Sign Minnesota Banking Presentation

Industry sign banking minnesota presentation secure

well hello everyone hello my name is nancy guerrishi i'm um i'm here from canada i'm uh born and raised in montreal so um my first language is french so if you're wondering what's the accent and you can't pinpoint it that's what it is it's french canadian not quite french from france um i'm part of the security and assessment team uh security assessment and authorization team for the government canada i've been a public servant my whole career and been in security for at least the last 10 years uh so today what i'd like to talk to you about is about security tooling in your devops pipeline so my plan for today um get my slide to move um is to talk to you about uh the foundational security concepts right um things that maybe if you're not in security you're more in the development side that you're you're not familiar with it might be things that you know about already uh but we'll make sure everybody's on the same page then we'll talk about devops and devsecops have some kind of definition are they the same or they different uh then together we'll talk about security objectives and security uh tooling so what are we trying to achieve and what kind of tools do we need to achieve them and uh throughout the talk i'll be talking about a wasp an organization uh that can help you build secure software i'm not sure if you're familiar with it if you're not you should and we'll talk a little bit about it and about my project so that sounds like a plan i hope so okay so first security right so when i ask people that are not like security professionals who define security most of them define confidentiality pretty well they're pretty aware of that we don't want information that is confidential that's not for everyone to be disclosed to somebody that doesn't need to have access to that to that information so that's pretty clear and that's one of the pillar of security but one uh pillar that is not uh two other pillars actually that are not as familiar are integrity and availability so integrity which is i think always important but for some industries or is particularly more important so we don't want our data to be able to change um by anyone or only by authorized user so we don't want our data to be altered i think about industries like science like banking uh and hospital they'll live in maybe uh so these are highly sensitive to integrity and we really want to protect that part of that of information and then there's availability of course it's always an issue or it's always um you know not super convenient when you don't have access to your data or you don't have access to your to your system but some business can continue it's an annoyance but they can continue business as usual they don't have to stop if their data or systems are not available but there are some businesses that absolutely need their data and their system right away and that's availability so those three pillars is what we're talking about when we're talking about security and having a secure system and why i talk about this because it's really the foundation of everything right that's how you make a decision on how uh how you want to protect your information and your systems and how much resources because you can't do everything you can't protect it 100 and you have to prioritize how you want how much resources and energy you want to put in protecting your data and um these three pillars and the ratings that you give them will help you make this decision and from and this can change these ratings may change from business to business from line of business with my business but you need to kind of understand what you're you're dealing with before you start um you know devising a solution to protect your your environment and then another concept that's often said uh and should uh discuss in security is shifting left uh what you might recognize in front of me is a version of a security um a software development life cycle so basically uh when you build software you go through a project you go through different phases uh you know you gather the requirement you design the solution it's then developed you test it and then you deploy it so it goes into production what happens with security for some reason that we'll discuss eventually um we're often not invited to the party or you know they only uh when you see final version the the little purple circle that's usually when we hear about project teams because often in businesses they ask that a system gets authorization from security before it is allowed to go to the to production right so we get a project team a week or two like very soon before they deployed like security can you give us authorization these teams have been working on these systems sometimes months sometimes years and as a security professional you you're supposed to understand what they've done all these uh these years and months and kind of reverse engineer them if they have documentation or not depending and uh ensure that it was done properly that's a difficult task what usually happens is vulnerability assessment and penetration testing exercises that's someone often from external to the company to the organization and sometimes internal that actually uh try to exploit vulnerabilities in the application in the system to prove that it's vulnerable and comes back with a report for things to fix often before to go to production and sometimes the product projects team can decide not to move forward with the recommendation and take the risk to go uh into production or they take the time to fix it but that's not that's not the best way to do it you can imagine why well benefits of shifting left of and let me go back to that slide why shift left because we want um we want teams to come and talk to us as early as possible left in the software development lifecycle as possible so we can early pick up the mistake and why is that helpful because it costs less it costs less to fix a mistake that you catch early if you catch it early according to that graph for example i don't think the numbers are that important but you realize that when you catch it early it's a lot significantly cheaper to to fix the mistake than if you catch it later and also like when you think about it the the comparison that you you'll hear about often when you learn about chef lafayette they say if you build a house and you wait till the end of the building of the construction and you're saying oh i think i'd like to add another bathroom you know what that's possible you can do it right but you're probably going to destroy things that you've already paid for um it's probably going to be awkward right okay let's let's you know move that room and make some space for this so it's not going to be the best design right it's going to be yeah it's going to be awkward it's not going to be as as good as if it was planned for the beginning and it's going to cost much much more money so that's what we're always trying to do yes we need to be involved at each phase sorry that one at each phase but also as early as possible so what did security do for that not to happen not to only be called at the end of the of the project well i call it the security superpower that's gatekeeping um so at every gate so i don't know if you see clearly the numbers there's one two three four five that's at the end of each phase uh and at the beginning of the other one we require a security authorization before the security team uh the the project team the engineering team can move on so that seems to fix the issue right like no team can go to till the end without uh without coming to see us no not quite why because it's impossible because we're outnumbered right for a hundred developers you have ten people in operation and one person in security that's the numbers that are um that are popular and and accepted in the industry but i've seen worse i've seen a bit better but it's never it's never an equal ratio right it's always something similar to this so imagine that person having to go through each single phase and being the gatekeeper for hundreds and hundreds of projects that sometimes don't even um have the same stack the same technology and that's an unfair ask basically and now you can understand why security is not often the favorite person in a project because they're taking so much time not because necessarily we want to sometimes personalities and superior or something else but even if we're the best at our job and our great i are good at it like it's it's nearly impossible to do uh at that ratio and it it keeps getting worse why because teams are engineering team and development teams are are finding ways to get better and better right but security has to catch up with them and has their old way old ways of working so what you see on the right is the waterfall model that's the traditional so you would go to requirements go to design and development it's similar to what i've shown previously but it's one by one and but the problem with the waterfall model is that you don't get quick fee feedback the business uh asks for the requirements gives them to someone to design them to build it and by the time it's built you might have something completely different because you didn't understand the requirement properly but the business didn't have a chance to say hey that wasn't right so that's how agile came along they said let's let's take smaller bites and do the waterfall model but over and over again for each of these models so what does that mean for security so you're you're gonna gatekeep for each single sprint because every time you go around the agile life cycle you call that a sprint that's even harder and it gets worse for security devops them and ops um there's many definitions for devops uh nobody really agrees but i would say something that i think most people would agree is that devops dev and ops the you know the project teams are finally working together uh not in silos it's not the death building on their local machine and sending it to over the wall to to ops to take care of um they figured out that working together and not working as sallows is makes better products product better products and faster delivery as well so you know they're a happy couple and they're quite happy and they're quite they're doing well what about security well that's a famous uh slide you've probably seen it if you've seen other devsecops talks um that's that's how it feels right like they they figured out how to to be a great team but your security your behind and you're just like what am i going to do how do i actually catch up with them well devops is probably uh that helps it's a solution that can the tooling that is developed with devops can help us come to a solution but the hard question we need to ask is given the limited security resources that we have like people time and budget what's the best way for us security to reduce the overall risk for the business right so that's what we need to figure out and what can help us to do that um like i was saying earlier when i talked about the different the three pillars of security is to identify okay what do we need to focus on what's really important for us and to build our pipeline or our security checks along the pipeline um correctly move that over um so before i go to i will go through a few checks security checks that you can put in your pipelines of course the security program has more than that i'm focusing on activities that can be done in a pipeline but first let me define a little bit the ci cd pipeline so ci stands it's short for continuous integration and it's a software development practice in which all developers merge code changes in a central repository multiple times a day so that's ci and the city cd that's the other part it stands for continuous delivery which on top of the continuous integration it adds the practice of automating the entire software release process until it goes to production so with ci each change and code triggers an automated built-in test sequence for the given project and provides feedback to developers who made the change the entire ci feedback loop should run in less than 10 minutes right and then cd the country continuous delivery and it includes more the infrastructure provisioning and deployment uh which may be manual and consists of multiple stages what's important is that all these processes are fully automated and which each run fully logged and visible to the entire team so having benefit of having a pipeline um it's that the developer can stay focused on writing code and monitoring the behavior of the system and productions it gets feedback uh the product updates are not as stressful you can log all the code changes the tested deployments are available for inspection at any time pretty much our rollbacks are easier and really most important is the fast feedback that helps us build a good culture and good product like contrarily to the waterfall model that we spoke about earlier where we'd never had feedback rarely had feedbacks and we could end up with a product that is not at all what we asked for so let's go that's a summary slide of the different tools that we'll go through we'll go to sas you know static analysis security tool uh dynamic das sca for software composition analysis and we'll talk about secret detection in our pipeline i'll talk about container security we'll talk about waff waff stands for web application firewall and then we'll talk about infrastructure uh the new way especially with uh with cloud being the new thing before i move forward with all these things i want to talk about oasp and make sure that everybody knows about that alas stands for open web application security project if i sound like a sales woman i i don't mean to i just really like a wasp and i need to not warn you but tell you that it's a non-profit so i'm not you know paid to tell you all about this so they're a non-profit it operates chapters projects and conferences all over the globe um and it's basically powered by volunteers by brilliant volunteers and they create uh guidance software um and like i said communities there's probably one close in your country in your city uh depending where you are around the world but the they're pretty much everywhere and they have a lot of online resources um if you know most people that heard about owas heard about the oas top 10 uh which are the 10 most um the 10 vulnerabilities that we found most often in software uh but that's only a scratching scratching the surface of a loss it's really just an awareness tool to to because there was a time i think it's a bit different now but there was a time where people were thinking about infrastructure when they were thinking about security and the oauth top 10 really did a good job at making people aware that um that security uh was also important at this at the application level right that it was not only an infrastructure problem that if your application is not secure that's a problem so why the am i talking about oauth they have a lot of tools and some of the tools that we'll be talking about there is that are that are open source are from this organization so um dependency check that is what i am talking about okay so fast what i was talking about first that's the static application security testing so that's designed to analyze source code by code binary so your code is not running that they call it white box because you you know you have access to the code right um so you from the inside out in comparison to the black black box code so some examples of that are check marks which is a paid product pmd it's free bend it when you you program in python breakmen and ruby so and uh pmd is for java bandit for python ruby because it analyzes the source code um static analysis tools uh tend to be um different depending on the programming language that you're using right uh compared to that that we'll talk a little bit later so um yeah so there's security bug brakeman 45 there's different products so it's always important to not rely on only one two tool a good recommendation is sometimes to have an open source tool that is free and maybe a paid product and take the time to um to tune them properly to to not have too many um uh false negative and you may have to try different scan ers before you find a tool that works best for your project so it's worth it's worth that investment initially so that if it doesn't provide good feedback for your developers for your team they won't use it so it will be a waste of money so it's really important and that's that's actually true for all the tools that come in comparison to the sas that's dynamic dynamic application security testing and that those tests are run while the application is running right so that's not depending on the language itself uh most das solution uh tests only the exposed http and html interfaces of web enable application right and because dynamic analysis requires code execution it's much more costly and significantly slower um so like i said it's called a black box and one example of that tool that again is from ospin is free it's called the ola zap you'll have a wasp not a wasp but burp is also a tool that is not from a loss it's a paid tool they have a community version uh you might have still have heard of other people like ibm scan appscan and vera code so they exist also for many languages and framework uh but they're not as dependent as the sas tools so next sca software composition analysis so well stay away from software for a minute but i'm i i like to compare this category with food right like if if you're you're trying to to bake your own pizza to make your own pizza and you take all the ingredients from scratch you know exactly and you're someone with allergies for example right so you you take your own ingredients you you create and you um make your dough you uh you have all your ingredients you know what's in your pizza but sometimes right you want to save time you don't want to reinvent the will so you go and take something ready made but because of your allergies you need to you need to find out what's in there yes you save time but whatever they put in there is going to come into your body and may have an effect on you well that's a similar example with software composition when we're building software more than ever now we're actually combining different components we're not reinventing the wheel all the time we're taking things that already exist and bringing them in a project we're bringing libraries or bringing components but we need the thing we need to understand is that when we were bringing those third-party tools we're also bringing the vulnerabilities they have in them so it's really important for us to check that the the components that were importing that were um that were inheriting our fear of vulnerabilities and how you can do that owasp also has a free tool called the dependency dependency check that can do that for you they'll also pay to a very popular these days product is sneak snyk i don't know if you've heard of that but those are also software composition analysis tool and what's fun with these tools as well they they tend to combine um licensing so even as a if a product is open source there's different type of licenses and it's not always free to use for every use cases so um these are the things that a software uh sca that's our composition analysis tool can help you manage as well so and that's one of my favorite tool because compared to the assassin that it has very low false positive right if you have a a vulnerable component or not it's not as i feel like sas and ask if you um hence you know help you decide um help you look further into an issue and decide um if you need to to fix it or not but sa really gives you a decision on what to do secret detection you're probably familiar with that one but that's a recurring problem that happens a lot is uh when devloping software um you know engineers tend to commit secrets to in into their repository and if their repository is public or somebody uh a malicious malicious user has access to that repository they suddenly have access to these secrets and secrets whatever am i talking about what i'm talking about secrets i'm talking about of course password uh connection strings um tokens so anything that gives you access to something more sensitive so if they have access to that you can imagine that they also will have access to the things that you are trying to protect with those secrets so secret detection tools run into your representatory scans them to make sure that they cannot detect any type of of secrets some things that that go hand-in-hand and hand-in-hand with secret detection is having um a secret store right i don't know if you've heard of tools like hashicorp um vault and even all the cloud provider have their own tools um azure has the azure vault um amazon has one um so this gcp so you can use the one that's more appropriate for your environment but it's basically a way for developers to store their secrets so that they don't they know how to manage them and they know where to put them uh so so that they don't commit them into the repository that doesn't mean it's not because that you have a secret store that you wouldn't run um a secret secret detection tool right you still would do it but i think it's less likely that you will find secret if you have um good processes and habits and a tool and a solution for your developers to store their their um their secrets and i've mentioned the tools the secret store but one of an example of a of a tool that does a detection is called truffle hog and that is also from actual corp again i mentioned different tools just so that you can understand the category i think what i'm trying to focus on is the type of tool um and i'm not endorsing or saying they're bad or good i'm just trying to give you example to to understand what kind of category of tools that you need to to integrate in your pipeline and then there's containers right um containers are not that new anymore we've been using them for a while but you know there's an adoption of of the container orchestration platform you know like kubernetes and openshift and we need to make sure that our our containers are for your vulnerabilities uh so they also have tools for them to be to be scanned and to make sure that they are compliant with the different uh best practices so we have the docker bench for security scans um that exists there is docker security scanning that's an add-on service from docker and there's also claire c-l-a-i-r that's an open source one vulnerability scanner for docker in it for docker images so that's that's one that um um is slowly getting more into your pipeline if you're you're using containers not every business needs containers but if you're you're adopting then you definitely would want to scan them laugh that's a a different one right like waff are usually um we usually implement them in production but a web application in wac is a web application firewall it filters and monitors and blocks http traffic to a web application to and from a web application so it's different from a firewall it's not for infrastructure and it can predict it it can you know detect patterns and realize that it's an attack on your rep application and stops certain attacks but sometimes it is wrong it also has false positive and that can make your application not available which is important right so if you put your wash solution into your pipeline while you're building your application it's an easy way for you to predict how it will react once it's in production so that's a good habit to take to use to to integrate your wash solution in your pipeline so you can predict how it will behave and do the proper adjustments uh before it's put into production uh that also uh open source one mod security and owasp doesn't have a wife of its own but it does open source the rules to um um to configure uh to the remote security and the waf and you can detect and you can um set the paranoia level that they called like the the the sensitive sensitivity level that you want your wife to have and it's really a good way to to make sure that you have the right level by putting your wife and your pipeline next infrastructure that is really for me to me a really uh exciting change in them in technology in general and in in cicd and in devops is that we used to not too long ago have to order servers have to wait for them have to uh wait till they got built and delivered and to build a solution it would cost a fortune and it would cost them time um but now we have access to to cloud uh to the cloud and cloud service provider right and as long as you have a credit card and a bit of fun depending on what you're trying to build you can have access to to to your infrastructure and it's great you can go on the platform and um provision what you need when it's only for for a small business or a few machines a small infrastructure it's not that bad you can do it through the platform but eventually when you have a lot of machinery huge infrastructure it's hard to keep track of how they're supposed to be configured right if you're uh did you really click here then you really click there we've had um a network not not being performed at work for weeks because a check mark wasn't that wasn't uh checked in in uh in the network appliance right and that's because it was done manually at the time but with infrastructure as code you have a source of truth you have all the benefits of software development now where you have version control when you can have drift detection by drift detection i mean well if you've set that you built your infrastructure in a certain way following your your your best practices and compliance rules and maybe someone has access to um to the platform and changes manually the configuration well it is our job to continually check the environment to compare with our source of truth and that's only possible because we have infrastructure esco that is not possible when you're clicking everywhere so that's really exciting so that is not a check in itself that's a new way to provision the infrastructure but with this new language and uh for languages in us it's called cloud formation azure has arm template gcps deployments manager i believe and there is one um actually corp again a very popular set of tools that's called um terraform that is a language that works for multiple cloud provider right so we use infrastructure as code and for each of these languages there is often a testing uh static testing for infrastructure s code to make sure that you follow the best practices and that you're not building something that's insecure and that that can also be in a pipeline so that's a really new area and that brings new possibility uh that is quite exciting to me medium so that's uh the overall categories that we've been through we've entered sas for static code for when you have access to the code that's uh dynamic when it's a black box software composition to understand what are the components that we're building in that we're bringing in into our solutions secret detection making sure that we're not leaking secrets everywhere container making sure they're not vulnerable they're laugh able to predict its behavior once it's in production and we've just seen infrastructure as code there's a few of the things i would want to add to all that i know this presentation is called tooling right the uh security tooling but devsecops and securing a security within devops is not only about tools it's important to know what you're trying to achieve and that there are tools that can do uh what you want to do but you can buy you can you can't buy yourself secure you can't just buy those tools and make sure that they work instantly you need to have the people and processes to support that um to support the results to make sure that they're accepted and they're part of their process so um yes we did focus in this session today on the tools but they're not um they're not that the end of it all and the solution to your desk off strategy don't always break the bill that's that's essential for you to still have friends at work if you start breaking the build breaking the pipeline every time you find something that's inaccurate they're not going to lack like you uh a pipeline is meant to be fast it's meant to be reliable it's meant to um yeah and to be accurate so if you have tests that you're unsure of let's go with point number two three consider an asynchronous security pipeline so that's a parallel pipeline where you can do all those tests that maybe have false negatives maybe take longer than the 10 minutes that it's supposed to take to go through a fast pipeline you may run that maybe once a week you may run that overnight but don't put it in the way don't don't make enemies do you do that on the side and then take the time to to assess the results and bring them back to your your engineering team notes so out and with resources i i said i i will sound like the salesman saleswoman lost the same slide reminding you that it's really a resource everything is free and even just being part of your community is something super amazing because you have people that really care about security of software and they're accessible you join their slack channel you join their their conferences and um you can talk to them and ask for advice it's been really a good resource for me so i really share it with everybody and i'm also a project leader for a wasp and uh what we've done it was not started by me it was started by my friends tanya janka and nicole becker and they they they got they started the project because it was at the beginning of devops and uh it was hard for for the industry to understand how security and it's still hard actually uh could embed itself into security so they created that project and myself and francisca joined them in the project and uh we're building um different guidance and educational um content for people to explore that and one thing that we do pretty regularly is have uh invite professionals from the industry to talk to us about what they've done in desk ops and um problems that they've been through or solutions that they found and go through their use cases and have conversation with them so that we learn and we share what we learn so we're a bit everywhere we're on twitter we're on um dev.t.o and youtube again that's a project with an owasp um that non-profit and that's it for me uh that's my uh thank you slide thank you for being here thank you for i hope that was helpful and that was useful uh my name is nancy garache again here's my email and i can be contacted through linkedin i'm not really on social media but um if you have any questions and that you can ask here feel free to contact me i'm pretty open to that guess i should check my slack [Music] so many channels eight yes eight thank you good talk okay no questions per se i just posted a question in the webex chat see was it the same one as oh as the oasis asps helped in integrity security and devops yes absolutely i love like that's i'm like my heart like that's where i started i started with compliance right so not everybody loves that but asvs was the first standard that actually spoke english to me that i could actually understand uh what they were talking about and helped establish the baseline of what um of what we needed to do to protect our application uh sometimes what makes security not very popular is that we take an incredible amount of time to provide security requirements to the engineering team and that's because you know we deal with standards that sometimes have a bunch of controls that are irrelevant and i feel like asps is a set of controls um that is relevant that is uh clear and that we can select from and that is reasonable to give guidance to our developers on how to build software and uh not everything in the svs is possible to to enter into the pipeline for sure not um what you put in your pipeline is not all your security program right the security program has threat modeling that's not in the pipeline has bug bounties has different activities that are outside of that but some of them definitely come from asbs for sure