Agile Security in practice - ISC)2

Agile Security in practice: Do's and don'ts. Stichting (ISC)2 Chapter Nederland. KPMG Advisory N.V., 9 February 2016.

Page 1

© 2017 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a member of the KPMG network of independent firms affiliated with KPMG International Cooperative ('KPMG International'), a Swiss entity. All rights reserved. The name KPMG, the logo and 'cutting through complexity' are registered trademarks of KPMG International.


Page 2

© 2017 KPMG N.V., a Dutch limited liability company, is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ('KPMG International'), a Swiss entity. All rights reserved.

With you today

Olga Kulikova, CCSP, Senior Consultant, KPMG Cyber Practice
KPMG Advisory N.V., Laan van Langerhuize 1, 1186 DS Amstelveen
Mob. [email protected]

Ton Diemont, RE, Senior Manager, KPMG Cyber Practice
KPMG Advisory N.V., Laan van Langerhuize 1, 1186 DS Amstelveen
Mob. [email protected]

Page 3

Talk focus

• That's how not to do agile development – Use case 1

• Security embedded in agile development? Easy! – Use case 2

Page 4

Use case 1 – Agile Don'ts

Page 5

Client setup

Client request:

§ #1: Assess the complete environment (IaaS, PaaS, Container apps) for security risks

§ #2: Prepare for the future audits. Goal is to become SOC 2 compliant

Diagram layers (bottom to top):

• 3rd party IaaS

• Container Mgt PaaS (Rancher)

• Container Apps

• Developers/DevOps team area of operation

Page 6

Have a glance – Development environment

Diagram components (MS Azure, "Software Factory"):

• Developers and DevOps

• GitLab (source code repository)

• Go-CD (run tests; deliver Docker containers)

• Maven / NPM repository

• Docker Registry

• Phabricator management dashboard

• MS Azure AD

• CoreOS test nodes running App X … App Z, producing test results

• Client PaaS environment (deployment target)

Page 7

Have a glance – PaaS environment

Diagram components:

• 3rd party IaaS VMs running RancherOS and Docker

• Rancher (container management) with its Rancher DB

• PROD and UAT environments, each hosting App X … App Z

• 3rd party managed DBs

• App users

• DevOps, connecting from the Development Environment over VPN (HTTPS over VPN, SSH over VPN)

• MS Azure AD

Page 8

Risk Assessment – Key observations

• Complex setup with multiple parties and open-source software involved:

  • 3rd parties, e.g. Rancher, do not run the latest available software with required security patches

  • Open-source software, even from trustworthy parties, often contains vulnerabilities

• Client relies on Software Development Lifecycle (SDLC), not Secure SDLC:

  • Security was not part of the underlying processes (e.g. Software Coding, Release management, UAT).

  • Roles defined (e.g. tech. development, functional architecture) did not include any duties related to security.

• The development team did not have a single person trained on security or with past experience in security.

Page 9

Security Baselines used

Topic                                        Domain       PaaS   SaaS/Development
Container Security                           Technology   X
WAF                                          Technology   X
Up-to-date software                          Technology   X      X
Vulnerability management                     Technology   X      X
System hardening                             Technology   X      X
Segmentation                                 Technology   X      X
Security logging & monitoring                Technology   X      X
Automated configuration integrity checking   Technology   X
Identity & access management                 Technology   X      X
Host Identification & authentication         Technology   X
Data in transit encryption                   Technology   X      X
Data at rest encryption                      Technology   X      X
Security During Deployment                   Technology   X
Adequate governance                          Processes    X      X
Security roles & responsibilities            Processes    X      X
Incident management                          Processes    X
Vendor management                            Processes    X
Knowledge management                         People       X
Open-source software security                Technology          X
Penetration tests                            Technology          X
System Development Lifecycle (SDLC)          Technology          X
Secure coding (incl. standards)              Technology          X
Source Code Reviews                          Technology          X
Source Code Testing                          Technology          X
Security skills                              People              X

(Column placement of the single-mark rows is reconstructed from their order in the extracted slide text: the platform-level topics under PaaS, the development-lifecycle topics under SaaS/Development. This is an assumption about the original layout.)

Page 10

Moving to auditing – Agile vs. Waterfall

How agile features can be translated to the focus areas of 'waterfall' auditors:

Agile feature → Auditor focus

• Individual/Team autonomy → Ability to govern the project. Established roles and responsibilities

• Speed → Ability to demonstrate quality, testing efforts, good communication

• Flexibility → Ability to manage changes

• Short-term focus → Ability to execute a long-term strategy

• Minimal documentation, room for interpretation → Ability to ensure clarity about project objectives, approaches, tasks and control the consistency of performance

Page 11

Audit principles

Test of Design (ToD), Test of Implementation (ToI), and Test of Operating Effectiveness (ToE)

Page 12

Audit control areas to consider

The following areas are very likely to be present on the auditor's agenda:

• Secure SDLC

• Third party management (with sub contractor(s))

• Change management

• SLA management

• Notifications & periodic reporting on SLAs

• Privacy (Article 60 of the WBP)

• (Periodic) testing for security

Page 13

Controls eco-system

Compliance with controls is not a "one person show" and can be achieved by multiple means:

• Internal organisational controls (e.g. established processes & procedures)

• Technical controls of the agile system (e.g. data encryption & tokenization)

• Contracts with 3rd parties (e.g. in case you subcontract a part of your operations)

• 3rd party assurance (e.g. subcontractor compliance with recognized standards like SOC 2 or ISO 27001)

Page 14

Controls eco-system

Client case: the agile platform utilizes 3rd party IaaS for their own PaaS and containers

• Internal organisational controls (e.g. established processes & procedures)
  Possible controls: patch management; backups management

• Technical controls of the agile system (e.g. data encryption & tokenization)
  Possible controls: dual factor authentication for administrators

• Contracts with 3rd parties (e.g. in case you subcontract a part of your operations)
  Possible controls: notifications in case of government requests to your data

• 3rd party assurance (e.g. subcontractor compliance with recognized standards like SOC 2 or ISO 27001)
  Possible controls: employees' screening; datacenter physical security

Page 15

Auditing – Let's try to put it all together

The following schema will be used to "translate" agile principles for auditor examination:

Columns: Agile principle | Translation to established control | Tools | ToD evidence (name or link) | ToE evidence (list of collected samples)

Example row – agile principle "Flexibility":

• Translation to established control: #1.0 Agile Tool – internal change management procedure; #2.0 SLAs on changes with the third party provider(s)

• Tools: <Tools used to support this control, e.g. software used by the agile team to request and implement changes>

• ToD evidence: names and/or link(s) to the relevant documents on change management and on contracts with the third party provider(s)

• ToE evidence: link(s) to change tickets and approvals (can be stored within the change management system) and to communication with the third party provider(s)

Page 16

Use case 2 – Agile Do's

Page 17

Why do I like Agile / Scrum?

Well, I used to play rugby myself and still like the game and rules.

Page 18

Why do I like Agile / Scrum?

You are seen as a supporter and player of the next gen improvements; how can you help and enable?

Page 19

How do I as a security specialist deal with Agile / Scrum?

A question we got a lot; let me share some personal experiences.

Page 20

How do I as a security specialist deal with Agile / Scrum?

Of course you need to be able to make the mind-swap.

[Slide images: "Introduction ISO" and "Introduction CISO"]

Page 21

How do I as a security specialist deal with Agile / Scrum?

Ensure the required pre-conditions are in place. Think of the following:

1. Develop a solid security culture and training for target groups (e.g. DevOps)

2. Be part of the scrum team, think like and with them, and have trust!

3. Train people to think in User Stories – what could happen? Apply threat modelling

4. Develop security or incident response plans/processes

5. Security baselines (CIA, IAM, continuous monitoring, data masking, etc.) + additional capabilities in place (MFA, PAM, encryption, etc.)

6. BIA = medium or low → apply baselines. Critical? Apply ↑↗ (the above). High risk? Detailed risk assessment

7. Translate Information Security Policy principles into (security) architecture design principles etc.

8. Develop security criteria and apply good practices (code & security conventions, OWASP); support the next gen-thinking in IT processes (e.g. automated code-review in SDLC)

9. Improve and measure the maturity and hygiene of supporting processes (uCMDB, vulnerability management)

10. Automate security testing and processes (don't forget to secure your tools ☺)

Page 22

What is the ultimate dream?

Full automation; guess what, developers are allowed to put code in production (in the end).

Diagram elements:

• Automated code reviews, penetration testing etc., static code scanning as part of SDLC

• Monitor KRIs / KPIs

• Automated and controlled change management
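The pipeline gate implied by this slide and by pre-conditions 8 to 10 on the previous one (automated scanning in the SDLC, the team's agreed criteria, exceptions tracked through change management, KRIs fed to monitoring) can be written down as a small policy check. The code below is an added example, not from the deck or from any KPMG or client tool; the scanner output, the exception register, the ticket ids and the `max_severity` criterion are all constructed assumptions.

```python
"""Security gate for an automated SDLC pipeline (illustrative, constructed data)."""
import json
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scanner output (SAST / dependency / image scan), not a real scan.
SCAN_JSON = json.dumps([
    {"id": "DEP-0001", "severity": "high", "component": "left-pad@1.0.0"},
    {"id": "SAST-0007", "severity": "critical", "component": "auth/login.py"},
    {"id": "IMG-0042", "severity": "medium", "component": "base-image"},
    {"id": "DEP-0002", "severity": "high", "component": "lodash@4.17.4"},
])

# Constructed exception register: every accepted risk must cite a change ticket
# (this is the ToE evidence an auditor will ask for) and carries an expiry date.
EXCEPTIONS = {
    "DEP-0001": {"ticket": "CHG-1234", "expires": "2099-01-01"},
    "DEP-0002": {"ticket": "CHG-1200", "expires": "2016-01-01"},  # already expired
}


def parse_findings(scan_json):
    """Parse scanner JSON and reject findings with a severity outside the agreed scale."""
    findings = json.loads(scan_json)
    for f in findings:
        if f.get("severity") not in SEVERITY_RANK:
            raise ValueError(f"unknown severity in finding {f.get('id')}")
    return findings


def evaluate_gate(findings, exceptions, max_severity="medium", today=None):
    """Apply the agreed criteria: anything above max_severity blocks the release
    unless a valid, ticketed, unexpired exception exists. Returns the decision
    plus KRIs for the monitoring dashboard."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    ceiling = SEVERITY_RANK[max_severity]
    blocking, waived = [], []
    for f in findings:
        if SEVERITY_RANK[f["severity"]] <= ceiling:
            continue  # within the accepted baseline, no action needed
        exc = exceptions.get(f["id"])
        if exc and exc.get("ticket") and date.fromisoformat(exc["expires"]) >= today:
            waived.append((f["id"], exc["ticket"]))
        else:
            blocking.append(f["id"])  # no exception, or exception expired
    kris = {
        "open_above_ceiling": len(blocking),
        "waived": len(waived),
        "by_severity": {s: sum(1 for f in findings if f["severity"] == s)
                        for s in SEVERITY_RANK},
    }
    return {"passed": not blocking, "blocking": blocking, "waived": waived, "kris": kris}


if __name__ == "__main__":
    # Evaluated as of the talk date; the critical SAST finding and the expired
    # exception on DEP-0002 both stop the deployment.
    result = evaluate_gate(parse_findings(SCAN_JSON), EXCEPTIONS, today="2016-02-09")
    print(json.dumps(result, indent=2))
```

An expired exception fails the gate exactly like an untracked finding, which is the behaviour that keeps the exception register honest for the ToE sample.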

Page 23

What is the ultimate dream?

Only limited to IT projects or teams? Try to apply this to your risk management or security teams as well.

Page 24

Conclusions

Page 25

Take-aways from the use-cases

Don'ts:

• Practice Secure SDLC; just SDLC is not enough!

• Don't count on "security by design" features of the technologies you use. They are relatively new, develop fast, and are often open-source based, which increases the chance of running vulnerable code in the end.

• Don't panic or be skeptical about future audits. There is no need to adjust your processes; play a translator role and help the auditor match audit controls to your own practices.

Page 26

Take-aways from the use-cases

Do's:

• Think in solutions, enablers and accelerators

• Support and create a good security culture

• Apply threat modelling

• Improve the supporting and monitoring processes

• Automate what is possible (apply the agreed criteria)

• Have trust

Page 27

Questions?