Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

7/20/2017
07:04 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Using DevOps to Move Faster than Attackers

Black Hat USA talk will discuss the practicalities of adjusting appsec tooling and practices in the age of DevOps.

DevOps could be security's biggest boon for quickly mitigating the kinds of vulnerabilities that will be highlighted next week at Black Hat USA in Las Vegas. And in a departure from the show's typical doom-and-gloom demos of scary attacks and exploits, one speaker is taking the podium to explain the practicalities of tuning application security practices to DevOps speeds so organizations can finally get the jump on zero-days and other hard problems in vulnerability management.

The rundown will come from Etsy's former head of security engineering, Zane Lackey, who will explain that the goal is to get faster than the attackers in identifying and fixing security flaws in software. He'll talk about the online retailer's transition from Waterfall development to continuous integration/continuous delivery methodologies. He plans to explain what that kind of evolution means for the standard approach for Web application security, especially when it comes to static analysis and dynamic testing.

"What it really means for vulnerability scanning is that the tools need to change," says Lackey, who since Etsy has moved on to the vendor side of the world, co-founding Signal Sciences. "It's a real evolution with a focus on speed and consumability of results by non-security experts. The real lesson learned on that side is that modern approaches to security tooling and techniques have to be about empowering the development team and the DevOps team to have visibility and that they’re seeing results directly themselves."

During his time at Etsy (2011-2014), the firm was establishing itself as a front-runner and thought leader in DevOps operational patterns while at the same time dealing with the increasing risk and compliance concerns that come with the territory of a rapidly expanding retail business. In order to fit security into the Etsy paradigm, Lackey says he and his team had to learn that they were no longer outsourced gatekeepers, but instead more like consultants to help the developers both run tests and use them to guide future actions for fixing flaws.

While the fast pace initially spooked him, what he found was that once the kinks were worked out it actually ended up improving appsec dramatically.

"When I started as head of security at Etsy and they said 'We deploy to production 20 times a day,' I thought it was crazy and I thought that would be dramatically less secure," he says. "What I really learned over the course of my time building a security program there was that moving faster can actually be a net positive on security."

His observations seem to be reflected in recent statistics. In fact, a survey released earlier this week found that the integration of security into DevOps has helped companies improve their application security risk by approximately 22%.

Lackey will provide some real-world examples of what that kind of quantitative improvement looks like in the real world. He'll talk through one example where his team was able to move so quickly that the improved visibility and response time made it possible for his team to identify an adversary discovering a real-life vulnerability in production - and were able to fix it before the adversary could do anything with it.

"Any organization can get to this point. By embracing DevOps they’re able to move faster and for the first time potentially move faster than the attackers," he says.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

 

Related Content:

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVE-2019-18197
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...
CVE-2019-4409
PUBLISHED: 2019-10-18
HCL Traveler versions 9.x and earlier are susceptible to cross-site scripting attacks. On the Problem Report page of the Traveler servlet pages, there is a field to specify a file attachment to provide additional problem details. An invalid file name returns an error message that includes the entere...
CVE-2019-13545
PUBLISHED: 2019-10-18
In Horner Automation Cscape 9.90 and prior, improper validation of data may cause the system to write outside the intended buffer area, which may allow arbitrary code execution.
CVE-2019-13541
PUBLISHED: 2019-10-18
In Horner Automation Cscape 9.90 and prior, an improper input validation vulnerability has been identified that may be exploited by processing files lacking user input validation. This may allow an attacker to access information and remotely execute arbitrary code.