Lean Security A framework of security activities and design factors


Lean Security: A framework of security activities and design factors for DevSecOps
Dennis Verslegers, Strategic Advisor Application Security, Orange CyberDefense
Research performed under the guidance of:

Motivation

Security is too often treated as an afterthought.
Approaches based on iterations over small units of work, promoting fast feedback and room for experimentation, are the best way to build complex systems.
Which security activities are relevant to DevSecOps, and how do we approach them (differently)?

Problem statement

Conventional sequential security activities create deterring delays between critically short iterations and inflate development budgets. Security is seen as an obstacle to DevOps adoption (Mohan & Othmane, 2016; Tashi, 2009; Goel & Shawky, 2009; Sinanaj & Muntermann, 2015; Beznosov & Kruchten, 2004).

Conventional security: relies on experts; documentation driven; performed on the finished product.
Drivers: increasing regulatory compliance requirements; potential impact of breaches on market value and reputation; increased speed of response.
DevOps characteristics: measurement, automation, repeatability, culture, auditability, sharing.
Doing DevOps well enables you to do security well (Forsgren, Smith, Humble & Frazelle, 2019). Automation improves security (Forsgren, Smith, Humble & Frazelle, 2019).
Goal: integrate security assurance in DevOps without increasing delay.

Research approach

Goal: integrate security assurance in DevOps without increasing delay.
RQ1a: Definition of DevOps?
RQ1b: Definition of DevSecOps?
RQ2: Which set of security activities and design factors relevant to DevOps processes can be distinguished from academic literature?
RQ3: How do the identified security activities rank in terms of effectiveness and delay from a practitioner point of view?

Method and outputs:
RQ1a/RQ1b: literature review, yielding 2 definitions.
RQ2: literature review and thematic analysis, yielding 33 activities and 87 design factors.
RQ3: expert survey and GSS session, yielding a prioritised list of activities scored on effectiveness, delay and financial impact (with inter-quartile range).

Research outcomes

Identified activities (the slide positions them on the DevOps loop: Plan, Code, Build, Test, Release, Deploy, Operate, Monitor):
- Manage digital supply chain
- Automated Software Composition Analysis
- Secrets management
- Security Requirements
- Security Configuration Automation
- Security SLA cloud providers
- Risk Analysis
- Automated Container Image Scanning
- Automated Remediation
- Practice Incident Response
- Scan artifact and source code repositories
- Threat modeling
- Continuous feedback from prod to dev
- Continuous Monitoring Security Controls
- CI/CD security metrics
- Automated Security Testing
- System metrics
- Automated Static Testing
- Integrate security tests with unit testing
- Run-Time application security testing
- Establish Security Mindset
- Application behaviour
- Security SLAs
- Manual Security Testing
- Manual Penetration Testing
- Manual Security Verifications
- Establish Security Satellites
- Centralised dashboards
- Secure the CI/CD pipeline
- Perform Continuous Assurance
- Self-service capabilities for dev and ops
- Perform Security Training

Prioritised list of activities: how to read the scores
- Relevance: number of experts who perceive the activity as relevant to DevSecOps (e.g. 8 of 10 experts)
- IQR: inter-quartile range of the expert scores
- Effectiveness: rounded median score (higher = more effective)
- Delay: rounded median score (higher = less delay)
- Financial: rounded median score (higher = less financial impact)

Design factors for Automated Security Testing:
- Leverage SecaaS by using cloud-provided, self-managed, automated and scalable security services
- Integrate the security tools in an automated deployment pipeline
- Automate as many security controls and verifications as possible
- Ensure the team and management understand and support the security validations integrated in the automated deployment pipeline (added by expert)
- Fail fast when security validations do not pass (added by expert)
- Integrate the validations in the Definition of Done (added by expert)
- Ensure APIs (of security verifications) align with organisational processes, allowing the implementation to remain easy to understand (added by expert)
- Automated testing is geared towards finding implementation bugs but is generally not suited to spot design flaws (added by expert)
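The pipeline-integration and fail-fast factors above, as an added shell example that is not part of the slides or of lean-security.org. The three checks stand in for tools the framework lists (secret scanning, software composition analysis, container image scanning); their grep patterns, the deny list, the package names and the sample repository are all constructed for illustration and reference no real advisory. The gate runs the checks in order and stops at the first failure, returning a non-zero exit code that the CI system turns into a blocked build.

```shell
#!/bin/sh
# Added example (not from the slides): a fail-fast security gate for one
# CI/CD pipeline stage. Each check returns 0 on pass, 1 on fail, and writes
# its findings to stderr. Everything here is constructed for illustration.

# Secret scan: fail on credential-looking assignments committed under src/.
check_secrets() {
    repo="$1"
    # Constructed pattern: a credential-named key with a non-empty value.
    if grep -En '(PASSWORD|SECRET|API_KEY|TOKEN)[[:space:]]*=[[:space:]]*[^[:space:]]+' "$repo"/src/* >&2; then
        return 1
    fi
    return 0
}

# Software composition analysis: fail on any pinned dependency that policy denies.
check_dependencies() {
    repo="$1"
    failed=0
    while IFS= read -r banned; do
        [ -z "$banned" ] && continue
        if grep -Fxq "$banned" "$repo/requirements.txt"; then
            echo "denied dependency version: $banned" >&2
            failed=1
        fi
    done < "$repo/policy/denied-versions.txt"
    return $failed
}

# Image hardening: the Dockerfile must switch to a non-root user.
check_image() {
    repo="$1"
    if ! grep -Eq '^USER[[:space:]]+[^[:space:]]+' "$repo/Dockerfile" \
       || grep -Eq '^USER[[:space:]]+root([[:space:]]|$)' "$repo/Dockerfile"; then
        echo "Dockerfile does not drop privileges to a non-root user" >&2
        return 1
    fi
    return 0
}

# Fail fast: run the checks in order and stop at the first failure, so the
# developer gets the earliest finding and the pipeline does not spend time on
# the remaining checks. The blocking check is recorded in GATE_FAILED_CHECK.
run_gate() {
    repo="$1"
    GATE_FAILED_CHECK=""
    for check in check_secrets check_dependencies check_image; do
        if "$check" "$repo"; then
            echo "PASS $check"
        else
            echo "FAIL $check - build blocked"
            GATE_FAILED_CHECK="$check"
            return 1
        fi
    done
    return 0
}

# Constructed sample repository so the script runs offline; every check fails on it.
make_sample_repo() {
    d=$(mktemp -d)
    mkdir -p "$d/src" "$d/policy"
    printf 'DB_PASSWORD=changeme\n' > "$d/src/config.env"          # hard-coded credential
    printf 'examplelib==1.0.0\nother==2.0.0\n' > "$d/requirements.txt"
    printf 'examplelib==1.0.0\n' > "$d/policy/denied-versions.txt"  # constructed deny list
    printf 'FROM alpine:3.19\nCOPY . /app\n' > "$d/Dockerfile"      # no USER instruction
    echo "$d"
}

# Demo: the gate stops at the secret scan and never runs the other two checks.
repo=$(make_sample_repo)
run_gate "$repo" || echo "gate blocked the build at: $GATE_FAILED_CHECK"
rm -rf "$repo"
```

The order of the checks is a design choice: put the cheapest and most frequently failing validations first so a blocked build surfaces in seconds. Note the caveat from the last design factor: a gate like this catches implementation bugs and policy violations, not design flaws, so it complements rather than replaces threat modeling and manual security verification.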

Usage and key takeaways

Provides a toolbox of what (activities) and how (design factors) for DevSecOps.
Goal: integrate security assurance in DevOps without increasing delay.
Usage: take the framework, tailor the model using the effectiveness, delay and financial scores, assess the organisation, and derive a DevSecOps roadmap.

Establish a security engineering mindset

DevSecOps is not so much about doing different things as it is about doing things differently.
Goal: integrate security assurance in DevOps without increasing delay.
(DevOps flow, feedback loops, continual experimentation and learning)
- Share security learning experiences and create a security engineering mindset
- Shift security responsibility to the teams and create supporting mechanisms to get the job done
- Leverage security automation capabilities wherever possible
- Establish security measurements to gain insights and create learning opportunities
- Favor reducing delay over other aspects (cost, licensing, ...)

Positioning: SAMM covers the why (objectives); Lean Security covers the what and the how.

Potential next steps

- Develop a periodic table of the DevSecOps tooling landscape
- Develop a reference implementation leveraging the existing set of OWASP tools
- Combine the results of this research with research performed on the relationship between DevSecOps and compliance

https://www.lean-security.org
Executive Master in IT Risk & Cyber Security Management @ Antwerp Management School

Thank you
Dennis Verslegers, Strategic Advisor Application Security, Orange CyberDefense
