Agile Security in practice - (ISC)2 (slide transcript)
© 2017 KPMG Advisory N.V., registered with the Dutch trade register under number 33263682, is a member of the KPMG network of independent firms affiliated with KPMG International Cooperative ('KPMG International'), a Swiss entity. All rights reserved. The name KPMG, the logo and 'cutting through complexity' are registered trademarks of KPMG International.
Agile Security in practice: Do's and don'ts
Stichting (ISC)2 Chapter Nederland
KPMG Advisory N.V.
9 February 2016
© 2017 KPMG N.V., a Dutch limited liability company, is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved.
With you today
Olga Kulikova, CCSP, Senior Consultant, KPMG Cyber Practice
Ton Diemont RE, Senior Manager, KPMG Cyber Practice, Mob [email protected]
KPMG Advisory N.V., Laan van Langerhuize 1, 1186 DS Amstelveen
Talk focus
• That's how not to do agile development – Use case 1
• Security embedded in agile development? Easy! – Use case 2
Use case 1 – Agile Don'ts
Client setup
Client request:
• #1: Assess the complete environment (IaaS, PaaS, Container apps) for security risks
• #2: Prepare for the future audits. Goal is to become SOC 2 compliant
Client setup (diagram labels): 3rd party IaaS; Container Mgt PaaS (Rancher); Container Apps; Developers/DevOps team area of operation.
Have a glance – Development environment
Diagram labels: MS Azure; Developers and DevOps; Software Factory; Client PaaS Environment; GitLab (source code repository); CoreOS test nodes; App X … App Z; Go-CD (run tests; deliver Docker containers); Maven / NPM repository; Phabricator management dashboard; Docker Registry; MS Azure AD; test results.
Have a glance – PaaS environment
Diagram labels: 3rd party IaaS VMs; app users; 3rd party managed DBs; RancherOS; PROD; Docker; Rancher DB; App X … App Z; DevOps; Rancher; Development Environment; HTTPS over VPN; SSH over VPN; UAT; MS Azure AD; App X … App Z.
Risk Assessment – Key observations
• Complex setup with multiple parties and open-source software involved:
  • 3rd parties, e.g. Rancher, do not run the latest available software with the required security patches
  • Open-source software, even from trustworthy parties, often contains vulnerabilities
• Client relies on a Software Development Lifecycle (SDLC), not a Secure SDLC:
  • Security was not part of the underlying processes (e.g. software coding, release management, UAT).
  • The roles defined (e.g. technical development, functional architecture) did not include any duties related to security.
• The development team did not have a single person trained on security or with past experience in security.
Security Baselines used
Topic (Domain), marked for both PaaS and SaaS/Development:
• Up-to-date software (Technology)
• Vulnerability management (Technology)
• System hardening (Technology)
• Segmentation (Technology)
• Security logging & monitoring (Technology)
• Identity & access management (Technology)
• Data in transit encryption (Technology)
• Data at rest encryption (Technology)
• Adequate governance (Processes)
• Security roles & responsibilities (Processes)
Topic (Domain), marked for one environment only (PaaS or SaaS/Development):
• Container Security (Technology)
• WAF (Technology)
• Automated configuration integrity checking (Technology)
• Host identification & authentication (Technology)
• Security during deployment (Technology)
• Incident management (Processes)
• Vendor management (Processes)
• Knowledge management (People)
• Open-source software security (Technology)
• Penetration tests (Technology)
• System Development Lifecycle (SDLC) (Technology)
• Secure coding (incl. standards) (Technology)
• Source code reviews (Technology)
• Source code testing (Technology)
• Security skills (People)
Moving to auditing – Agile vs. Waterfall
How agile features can be translated to the focus areas of 'waterfall' auditors:
Agile feature → Auditor focus
• Individual/Team autonomy → Ability to govern the project. Established roles and responsibilities
• Speed → Ability to demonstrate quality, testing efforts, good communication
• Flexibility → Ability to manage changes
• Short-term focus → Ability to execute a long-term strategy
• Minimal documentation, room for interpretation → Ability to ensure clarity about project objectives, approaches, tasks and to control the consistency of performance
Audit principles
Test of Design (ToD), Test of Implementation (ToI), and Test of Operating Effectiveness (ToE)
Audit control areas to consider
The following areas are highly likely to be present on the auditor's agenda:
• Secure SDLC
• Third party management (including subcontractor(s))
• Change management
• SLA management
• Notifications & periodic reporting on SLAs
• Privacy (Article 60 of the WBP)
• (Periodic) testing for security
Controls eco-system
Compliance with controls is not a "one person show" and can be achieved by multiple means:
• Internal organisational controls (e.g. established processes & procedures)
• Technical controls of the agile system (e.g. data encryption & tokenization)
• Contracts with 3rd parties (e.g. in case you subcontract a part of your operations)
• 3rd party assurance (e.g. subcontractor compliance with recognized standards like SOC2 or ISO27001)
Controls eco-system
Client case: the agile platform utilizes 3rd party IaaS for their own PaaS and containers
• Internal organisational controls (e.g. established processes & procedures). Possible controls: patch management; backups management
• Technical controls of the agile system (e.g. data encryption & tokenization). Possible controls: dual factor authentication for administrators
• Contracts with 3rd parties (e.g. in case you subcontract a part of your operations). Possible controls: notifications in case of government requests to your data
• 3rd party assurance (e.g. subcontractor compliance with recognized standards like SOC2 or ISO27001). Possible controls: employees' screening; datacenter physical security
Auditing – Let's try to put it all together
The following schema will be used to "translate" agile principles for auditor examination:
Agile principle: Flexibility
Translation to established control:
• #1.0 Agile Tool - internal change management procedure
• #2.0 SLAs on changes with the third party provider(s)
Tools: <Tools used to support this control, e.g. software used by the agile team to request and implement changes>
ToD evidence (name or link): names and/or link(s) to the relevant documents on:
• change management
• contracts with the third party provider(s)
ToE evidence (list of collected samples): link(s) to:
• change tickets and approvals (can be stored within the change management system)
• communication with the third party provider(s)
Use case 2 – Agile Do's
Why do I like Agile / Scrum?
Well, I used to play rugby myself and still like the game and rules.
Why do I like Agile / Scrum?
You are seen as a supporter and player in the next-gen improvements: how can you help and enable?
How do I as a security specialist deal with Agile / Scrum?
A question we get asked a lot; let me share some personal experiences.
How do I as a security specialist deal with Agile / Scrum?
Of course you need to be able to make the mind-swap.
Diagram labels: Introduction ISO; Introduction CISO.
How do I as a security specialist deal with Agile / Scrum?
Ensure the required pre-conditions are in place. Think of the following:
1. Develop a solid security culture and training target groups (e.g. DevOps)
2. Be part of the scrum team, think like and with them, and have trust!
3. Train people to think in User Stories – what could happen? Apply threat modelling
4. Develop security and incident response plans/processes
5. Security baselines (CIA, IAM, continuous monitoring, data masking, etc.) + additional capabilities in place (MFA, PAM, encryption, etc.)
6. BIA = medium or low → apply baselines. Critical? Apply ↑. High risk? Detailed risk assessment
7. Translate Information Security Policy principles into (security) architecture design principles etc.
8. Develop security criteria and apply good practices (code & security conventions, OWASP); support the next-gen thinking in IT processes (e.g. automated code review in the SDLC)
9. Improve and measure the maturity and hygiene of supporting processes (uCMDB, vulnerability management)
10. Automate security testing and processes (don't forget to secure your tools :-))
What is the ultimate dream?
Full automation: guess what, developers are allowed to put code in production (at the end).
Diagram labels: automated code reviews; penetration testing etc.; static code scanning as part of the SDLC; monitor KRIs/KPIs; automated and controlled change management.
What is the ultimate dream?
Only limited to IT projects or teams? Try to apply this to your risk management or security teams as well.
Conclusions
Take-aways from the use-cases
Don'ts:
• Practice Secure SDLC; just SDLC is not enough!
• Don't count on the "security by design" features of the technologies used. They are relatively new, develop fast, and are often open-source based, increasing the chance of running vulnerable code in the end.
• Don't panic or be skeptical about future audits. There is no need to adjust processes; play a translator role – help the auditor to match audit controls to your own practices.
Take-aways from the use-cases
Do's:
• Think in solutions, enablers and accelerators
• Support and create a good security culture
• Apply threat modelling
• Improve the supporting and monitoring processes
• Automate what is possible (apply the agreed criteria)
• Have trust
Questions?