Application Security
7/20/2017
07:04 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Using DevOps to Move Faster than Attackers

Black Hat USA talk will discuss the practicalities of adjusting appsec tooling and practices in the age of DevOps.

DevOps could be security's biggest boon for quickly mitigating the kinds of vulnerabilities that will be highlighted next week at Black Hat USA in Las Vegas. And in a departure from the show's typical doom-and-gloom demos of scary attacks and exploits, one speaker is taking the podium to explain the practicalities of tuning application security practices to DevOps speeds so organizations can finally get the jump on zero-days and other hard problems in vulnerability management.

The rundown will come from Etsy's former head of security engineering, Zane Lackey, who will explain that the goal is to get faster than the attackers in identifying and fixing security flaws in software. He'll talk about the online retailer's transition from Waterfall development to continuous integration/continuous delivery methodologies. He plans to explain what that kind of evolution means for the standard approach for Web application security, especially when it comes to static analysis and dynamic testing.

"What it really means for vulnerability scanning is that the tools need to change," says Lackey, who since Etsy has moved on to the vendor side of the world, co-founding Signal Sciences. "It's a real evolution with a focus on speed and consumability of results by non-security experts. The real lesson learned on that side is that modern approaches to security tooling and techniques have to be about empowering the development team and the DevOps team to have visibility and that they’re seeing results directly themselves."

During his time at Etsy (2011-2014), the firm was establishing itself as a front-runner and thought leader in DevOps operational patterns while at the same time dealing with the increasing risk and compliance concerns that come with the territory of a rapidly expanding retail business. In order to fit security into the Etsy paradigm, Lackey says he and his team had to learn that they were no longer outsourced gatekeepers, but instead more like consultants to help the developers both run tests and use them to guide future actions for fixing flaws.

While the fast pace initially spooked him, what he found was that once the kinks were worked out it actually ended up improving appsec dramatically.

"When I started as head of security at Etsy and they said 'We deploy to production 20 times a day,' I thought it was crazy and I thought that would be dramatically less secure," he says. "What I really learned over the course of my time building a security program there was that moving faster can actually be a net positive on security."

His observations seem to be reflected in recent statistics. In fact, a survey released earlier this week found that the integration of security into DevOps has helped companies improve their application security risk by approximately 22%.

Lackey will provide some real-world examples of what that kind of quantitative improvement looks like in the real world. He'll talk through one example where his team was able to move so quickly that the improved visibility and response time made it possible for his team to identify an adversary discovering a real-life vulnerability in production - and were able to fix it before the adversary could do anything with it.

"Any organization can get to this point. By embracing DevOps they’re able to move faster and for the first time potentially move faster than the attackers," he says.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

 

Related Content:

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
BlueBorne Attack Highlights Flaws in Linux, IoT Security
Kelly Sheridan, Associate Editor, Dark Reading,  12/14/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.