Rethinking Product Security: Cloud Demands a New Way


Transcript

#RSAC SESSION ID: CSV-R11
Rethinking Product Security: Cloud Demands a New Way
Reeny Sondhi, Chief of Product Security, Autodesk Inc., @reenysondhi
Tony Arous, Head of Application Security, Autodesk Inc., @tonyarous

Agenda
• Who is Autodesk and what transformation are they in the middle of?
• Redefining Product Security
• Lessons Learned
• How can you apply what you learned to your job?

Autodesk Digital Transformation
About Autodesk: Make anything. Autodesk makes software for people who make things. If you’ve ever driven a high-performance car, admired a towering skyscraper, used a smartphone, or watched a great film, chances are you’ve experienced what millions of Autodesk customers are doing with our software.
• 150+ products
• Digital transformation to the cloud
• Teams across the globe
• Diverse range of agile approaches

Holistic Approach to Product Security: Architecture, Software, Infrastructure, Incident Management
Product lifecycle & engineering process: Agile Development (Plan, Develop) → Continuous Integration (Build, Test) → Continuous Deployment (Deploy, Release) → Monitor, Respond
Security practices & tools:
• Secure Development Lifecycle: Train, Secure Design, Secure Coding, Security Testing, Assessment
• Cloud Security: Identify, Protect, Detect, Respond, Recover
Policies & standards:
• Product Development: Access control; Logging; Cryptography, key mgmt; Secure design principles; Input validation; Coding standards; Fuzzing; Training
• Cloud security: Environment hardening; Continuous monitoring; Operational enablement
• Response & Incident Mgmt: Reporting procedures; Response SLO; Customer communication
Security strategy built on industry standards

Product Security: How We Build Security from Development to Production
Cloud Security:
• Threat & Vulnerability Management
• Security Hardening & Configuration Management
• Identity & Access Management
• Threat Prevention, Detection and Containment (Network and Perimeter Security)
• End-Point Security (Host Security)
• Incident Response
Compliance:
• ISO 27001 Certification
• SSAE-16 SOC 2 Attestation for all 360 Apps
• CSA STAR
• EU Model Clauses
Application Security:
• Standards & Policies
• Security Features
• Source Code Analysis
• Secure Design & Threat Modeling
• Open Source Analysis
• Security Testing
• Education and Awareness
• Security Incident Response

Objective
Reduce security weaknesses in our products and infrastructure by proactively building repeatable/sustainable security practices embedded within our development, deployment and maintenance lifecycle.

Old world vs. where we are headed
Old world:
• Many different tools
• Lack of standardization
• Slow, ineffective results
• Difficult to report
Going forward:
• Single tool per function
• Centralized operations
• Standardized process
• Track progress
• Identify risks

First: Why CI/CD is Important
• Staying competitive in a fast moving world
• Quickly adapt software to meet ever-changing shifts in market needs
• Greater efficiency, collaboration, and re-use in Engineering
• Requires frequent delivery of new functionality
• Tighter integration of products & workflows
• Encourage collaboration
• Engineering tools and workflows highly siloed
• Easier to help on other projects when dev environment is standard

What is CI/CD? (Waterfall → CI/CD)
[Diagram comparing three delivery models. Waterfall: Requirements, Planning, Develop, Test, Stabilize, Release (RTM). Agile “WaterSCRUMFall”: Requirements, Plan/Dev/Test, RTM, Release. CI/CD: Continuous Planning (Kanban?), Continuous Delivery (Dev, Test, incremental RTM).]

Autodesk CI/CD: Development Tool Stack
Each tool has: Ownership; Solutions; Migration support; Metrics; Inner-source dev. model to encourage contribution
Communication, project and content tools:
• Wiki (Documentation)
• Slack (Chat)
• Jira (Bug tracking, Agile Project Mgmt.)
• GitHub (Source Code Mgmt.)
• Jenkins (Orchestration)
• Artifactory (Package Mgmt.)
• Docker (Containers)
• CI/CD (L10N)
• Checkmarx / Fortify / Nexus / WhiteSource / etc.
  (Security)
• Vault (Secrets)
Unified CloudOS infrastructure: Dev → Promote → Staging → Promote → Prod

Security Integration in Tool Set
[Diagram: security integration points across Component Selection (External Sources, Internal Components), Design, Develop, Build, Test, Release and Deploy.]

Design – Threat Modeling
Typical threat model:
• Comprehensive documentation
• Weeks to assess
• Constantly changing
Simple user story:
• Code is design
• Threat model only the exceptions to standardized security frameworks

Build – Static Analysis
• Security tools seamlessly integrated with automated controls for every build
• Automated reporting when a build deviates from security standards
• Targeted security vulnerabilities through custom rules
• Continuous real-time feedback
• Initially alert, then fail builds
• Deep static analysis scanning (can be done out of band): semantic, taint analysis, control flow, structural, data analysis, pattern analysis

Build – Open Source & Third Party Component Analysis (Software Supply Chain)
• Implement a software component analysis process to automatically create a bill of materials for a system
• Minimize security risks in the software by identifying risk in third-party components
• 80 percent of the code in today’s applications comes from libraries and frameworks
• More than 50,000 of the software components in the Central Repository have known security vulnerabilities.

Acceptance/Test – DAST, IAST & Fuzzing
Dynamic Analysis Security Testing:
• Useful for testing web and mobile apps, but they don’t always play nicely in CI/CD
• Spin off to run out of band
Interactive Application Security Testing:
• Instruments running code and uses control flow and data flow analysis to trace and catch security problems at the point of execution
• Lower false positives than running static analysis.
Fuzzing:
• Valuable in finding security vulnerabilities (especially injection bugs)
• Testing of APIs, files (can be done out of band)

Infrastructure as Code
• Define and manage system configuration through code that can be versioned and tested in advance, using tools like Chef
• Increases the speed of building systems that are scalable, consistent and secure
• Provides powerful advantages for security:
  • Program security policies directly into the configuration code
  • Build hardening policies into configuration code
  • Detect variances from the expected baseline and alert, assigning a score based on compliance, or automatically revert them
  • Patch vulnerabilities quickly and safely

Compliance as Code
• Minimize paperwork and overhead
• Automated runtime rule-driven compliance
• Provides visibility, traceability for support and continuous validation
• Audit trail for every change request

Program Rollout, Metrics & Dashboards

Product Security Program Rollout: Define security non-negotiables
Product Development:
1. Designate a Product Security Advocate per Product Family
2. Conduct Threat Modeling and fix critical/high defects (TM)
3. Eliminate Top Issues (NEW code only; all critical/high vulns):
   • OAST (Open source analysis: CLM, WhiteSource)
   • DAST (Dynamic analysis: WebInspect, Contrast)
   • SAST (Source code analysis: Fortify/Checkmarx)
4. Training:
   • 100% of employees pass role-specific security exams
   • New employees must complete goal-specific training
5. Reduce Mean Time to Remediation [MTTR]:
   • Desktop products: P0/P1 resolved <30 days
   • Cloud products: P0/P1 resolved <48 hours
Production:
1. Hardening: use certified components (hardened OSs, tools, etc.)
2. Logging: collect server logs for event analysis (web, database, application, domain controllers and network systems)
3. Secure Identities & Access: require multi-factor authentication for developers/admins/users
4. Patching: follow a regular patching cadence for Windows and Linux
5.
Endpoint Protection

Product Development: Security Dashboard [dashboard image]

Production: Security Dashboard [dashboard image]

Lessons Learned on the Transformation Journey
• Moving to a single CI/CD solution is key: efficiency, consistency, simplification
• Driving towards standards rather than “to each his/her own” is instrumental in containing the scope of what we need to secure
• Central management of tools and implementation in the corporate CI/CD framework is critical
• Dashboards are not boring
• Culture is a cop out, and bringing people along on the journey is key

Key Takeaways & Application Tips
• Build a roadmap for your secure development lifecycle transformation
• Appoint security champions across all teams with accountability
• Spread awareness to help your developers understand and adopt security requirements
• Inject security tools within your CI/CD process
• Start small and experiment with the changes with a few small teams
• Automate every lifecycle step with immediate feedback

Questions?
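A build gate implementing the "initially alert, then fail builds" rollout from the Build – Static Analysis slide together with the program's "NEW code only, all critical/high" non-negotiable, applied uniformly to SAST, OAST and DAST findings. This is an added example, not Autodesk's pipeline code; the tool labels, finding fields and fingerprint format are assumptions.

```python
"""Build gate: alert first, then fail builds, on critical/high findings in NEW
code only. Added example; the tool labels and finding fields are assumed."""
from dataclasses import dataclass

BLOCKING_SEVERITIES = {"critical", "high"}   # the critical/high non-negotiable


@dataclass(frozen=True)
class Finding:
    tool: str          # "sast", "oast" or "dast" (assumed labels)
    severity: str      # "critical", "high", "medium" or "low"
    fingerprint: str   # stable id: rule + location, or package + advisory id
    title: str


def gate(findings, baseline, mode):
    """Return (verdict, blocking_findings) for one build.

    baseline: fingerprints already known before this change; anything not in
              it counts as introduced by NEW code.
    mode:     "alert" reports only, "enforce" fails the build.
    """
    if mode not in ("alert", "enforce"):
        raise ValueError(f"unknown gate mode {mode!r}")
    new = [f for f in findings if f.fingerprint not in baseline]
    blocking = [f for f in new if f.severity.lower() in BLOCKING_SEVERITIES]
    if not blocking:
        return "pass", []
    return ("fail" if mode == "enforce" else "warn"), blocking


# Constructed sample findings from the three scanner types.
SAMPLE_FINDINGS = [
    Finding("sast", "high", "sast:sqli:src/orders.py:88", "SQL injection"),
    Finding("oast", "critical", "oast:libfoo@1.2:ADVISORY-PLACEHOLDER",
            "Dependency with known vulnerability"),
    Finding("dast", "medium", "dast:hsts:/login", "Missing HSTS header"),
    Finding("sast", "high", "sast:xss:src/views.py:12", "Reflected XSS"),
]
# The XSS finding was already present before this change, so it is not "new".
SAMPLE_BASELINE = {"sast:xss:src/views.py:12"}

if __name__ == "__main__":
    for mode in ("alert", "enforce"):
        verdict, blocking = gate(SAMPLE_FINDINGS, SAMPLE_BASELINE, mode)
        print(mode, "->", verdict, [f.title for f in blocking])
```

Running the same findings through both modes shows the phased rollout: the alert phase only warns on the two new critical/high findings, the enforce phase fails the build on them, and the pre-existing XSS never blocks.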
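The MTTR metric behind the rollout slide's SLOs (P0/P1 resolved within 48 hours for cloud products and 30 days for desktop products), computed the way a security dashboard would, including open tickets that have already passed their deadline. Added example, not the talk's own dashboard; the ticket fields and sample data are constructed.

```python
"""MTTR and remediation-SLO report for the rollout slide's non-negotiables:
P0/P1 on cloud products within 48 hours, on desktop products within 30 days.
Added example; ticket fields and sample data are constructed."""
from datetime import datetime, timedelta

SLO = {"cloud": timedelta(hours=48), "desktop": timedelta(days=30)}
TRACKED = {"P0", "P1"}   # the SLO only covers these priorities


def remediation_report(tickets, now):
    """Return {product_type: {"mttr_hours", "closed", "open", "breaches"}}.

    A ticket breaches its SLO when it was closed late OR is still open past
    its deadline, so open tickets are not hidden by the MTTR average.
    """
    report = {}
    for t in tickets:
        if t["priority"] not in TRACKED:
            continue
        row = report.setdefault(t["product_type"],
                                {"hours": 0.0, "closed": 0, "open": 0, "breaches": []})
        age = (t["closed"] or now) - t["opened"]
        if t["closed"]:
            row["closed"] += 1
            row["hours"] += age.total_seconds() / 3600
        else:
            row["open"] += 1
        if age > SLO[t["product_type"]]:
            row["breaches"].append(t["id"])
    for row in report.values():
        hours = row.pop("hours")
        row["mttr_hours"] = round(hours / row["closed"], 1) if row["closed"] else None
    return report


# Constructed sample tickets; NOW is three days after they were opened.
T0 = datetime(2017, 2, 1, 9, 0)
NOW = T0 + timedelta(days=3)
SAMPLE_TICKETS = [
    {"id": "CLD-1", "product_type": "cloud", "priority": "P0", "opened": T0, "closed": T0 + timedelta(hours=20)},
    {"id": "CLD-2", "product_type": "cloud", "priority": "P1", "opened": T0, "closed": T0 + timedelta(hours=60)},
    {"id": "CLD-3", "product_type": "cloud", "priority": "P1", "opened": T0, "closed": None},
    {"id": "CLD-4", "product_type": "cloud", "priority": "P3", "opened": T0, "closed": None},
    {"id": "DSK-1", "product_type": "desktop", "priority": "P1", "opened": T0, "closed": T0 + timedelta(days=12)},
    {"id": "DSK-2", "product_type": "desktop", "priority": "P0", "opened": T0, "closed": None},
]

if __name__ == "__main__":
    for product, row in remediation_report(SAMPLE_TICKETS, NOW).items():
        print(product, row)
```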
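The drift check the Infrastructure as Code and Compliance as Code slides describe: compare a host's observed settings with the baseline kept in code, score compliance, alert on variances and optionally revert them. Added example in plain Python rather than a Chef recipe; the baseline keys, weights and observed values are constructed.

```python
"""Baseline drift check for infrastructure/compliance as code: compare a
host's observed settings with the baseline kept in code, score compliance,
alert on variances and optionally revert them. Added example, not a Chef
recipe; the baseline keys, weights and observed values are constructed."""

# Hardening baseline expressed as code (constructed settings).
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "auditd.enabled": "yes",
    "ntp.enabled": "yes",
    "firewall.default_incoming": "deny",
}
# Weights make a lost audit trail cost more than a missing time sync.
WEIGHTS = {"sshd.PermitRootLogin": 3, "sshd.PasswordAuthentication": 3,
           "auditd.enabled": 2, "ntp.enabled": 1, "firewall.default_incoming": 3}


def check_host(observed, baseline=BASELINE, weights=WEIGHTS):
    """Return (compliance_percent, variances); a missing setting is a variance."""
    variances = {k: observed.get(k) for k, v in baseline.items() if observed.get(k) != v}
    total = sum(weights[k] for k in baseline)
    lost = sum(weights[k] for k in variances)
    return round(100 * (total - lost) / total, 1), variances


def enforce(observed, baseline=BASELINE, auto_revert=False, alert_below=100.0):
    """Alert when the score drops below the threshold; revert drift if asked."""
    score, variances = check_host(observed, baseline)
    alerts = [f"{k}: expected {baseline[k]!r}, found {v!r}" for k, v in variances.items()]
    config = dict(observed)
    if auto_revert:
        config.update({k: baseline[k] for k in variances})   # back to the coded baseline
    return {"score": score, "alert": score < alert_below, "alerts": alerts, "config": config}


# Constructed observation from a drifted host: root login re-enabled, auditd gone.
OBSERVED = {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "no",
            "ntp.enabled": "yes", "firewall.default_incoming": "deny"}

if __name__ == "__main__":
    result = enforce(OBSERVED, auto_revert=True)
    print(result["score"], result["alerts"])
    print("after revert:", check_host(result["config"]))
```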