Application Security

7/20/2017
07:04 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Using DevOps to Move Faster than Attackers

Black Hat USA talk will discuss the practicalities of adjusting appsec tooling and practices in the age of DevOps.

DevOps could be security's biggest boon for quickly mitigating the kinds of vulnerabilities that will be highlighted next week at Black Hat USA in Las Vegas. And in a departure from the show's typical doom-and-gloom demos of scary attacks and exploits, one speaker is taking the podium to explain the practicalities of tuning application security practices to DevOps speeds so organizations can finally get the jump on zero-days and other hard problems in vulnerability management.

The rundown will come from Etsy's former head of security engineering, Zane Lackey, who will explain that the goal is to get faster than the attackers in identifying and fixing security flaws in software. He'll talk about the online retailer's transition from Waterfall development to continuous integration/continuous delivery methodologies. He plans to explain what that kind of evolution means for the standard approach for Web application security, especially when it comes to static analysis and dynamic testing.

"What it really means for vulnerability scanning is that the tools need to change," says Lackey, who since Etsy has moved on to the vendor side of the world, co-founding Signal Sciences. "It's a real evolution with a focus on speed and consumability of results by non-security experts. The real lesson learned on that side is that modern approaches to security tooling and techniques have to be about empowering the development team and the DevOps team to have visibility and that they’re seeing results directly themselves."

During his time at Etsy (2011-2014), the firm was establishing itself as a front-runner and thought leader in DevOps operational patterns while at the same time dealing with the increasing risk and compliance concerns that come with the territory of a rapidly expanding retail business. In order to fit security into the Etsy paradigm, Lackey says he and his team had to learn that they were no longer outsourced gatekeepers, but instead more like consultants to help the developers both run tests and use them to guide future actions for fixing flaws.

While the fast pace initially spooked him, what he found was that once the kinks were worked out it actually ended up improving appsec dramatically.

"When I started as head of security at Etsy and they said 'We deploy to production 20 times a day,' I thought it was crazy and I thought that would be dramatically less secure," he says. "What I really learned over the course of my time building a security program there was that moving faster can actually be a net positive on security."

His observations seem to be reflected in recent statistics. In fact, a survey released earlier this week found that the integration of security into DevOps has helped companies improve their application security risk by approximately 22%.

Lackey will provide some real-world examples of what that kind of quantitative improvement looks like in the real world. He'll talk through one example where his team was able to move so quickly that the improved visibility and response time made it possible for his team to identify an adversary discovering a real-life vulnerability in production - and were able to fix it before the adversary could do anything with it.

"Any organization can get to this point. By embracing DevOps they’re able to move faster and for the first time potentially move faster than the attackers," he says.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

 

Related Content:

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20168
PUBLISHED: 2018-12-17
Google gVisor before 2018-08-22 reuses a pagetable in a different level with the paging-structure cache intact, which allows attackers to cause a denial of service ("physical address not valid" panic) via a crafted application.
CVE-2018-20167
PUBLISHED: 2018-12-17
Terminology before 1.3.1 allows Remote Code Execution because popmedia is mishandled, as demonstrated by an unsafe "cat README.md" command when \e}pn is used. A popmedia control sequence can allow the malicious execution of executable file formats registered in the X desktop share MIME typ...
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.