Security as Code: A New Frontier

Presented at AppSec USA 2015, Sept. 24, 2015, 10:30 a.m. (55 minutes)

Companies are quickly racing towards DevOps and Agile to ensure they meet customer demands for automated solutions. With this evolution comes the need to further refine and innovate the business processes that support product and service development. Along with other changes like migrations towards software defined environments and the Public Cloud, Security is fast becoming the new frontier for change because it plays a significant role in the deployment lifecycle for most applications, whether as a gatekeeper or as a partner in that process. New tools, products, and platform features are emerging within the security industry that require a security professional to adapt the way they integrate with the software deployment process. Because of this, Security as Code is no longer just a dream of future nirvana, but a serious reality with a dramatic effect on how security professionals contribute value.

Security as Code is new and uncharted territory emerging from the integration of DevOps, Software Defined Environments, and Application Security practices. It is a foundational element for practicing DevSecOps and has inspired many within the security community to revisit the skills they have and the skills they will need for the future. We've been working with Ruby and developing APIs to support the security of a software defined stack and the domain applications deployed to the Public Cloud. This talk aims to bring the audience along on the experience of setting up a Security as Code environment, the practices that have helped, the tools we use, and what we think is ahead of us.

A. Overview

We've been working in a mostly virtual environment for the past few years and have found that it has required a total shift in mindset, tooling, and operations to enable security within a software defined environment. With infrastructure and platforms rapidly being developed as APIs for developer and operator consumption, we've also realized that the job of security has grown in complexity, requires significant scale, and has increased in speed. This means we haven't been able to return to our checklists, manual controls, and assessments in a long time, and now we can't imagine going back. But mostly, we realized that the promise of getting better security by integrating with the Software Development Life Cycle and using automation to increase checks and tests as part of the deployment process is spot on.

B. Practicing Security as Code

Security as Code requires a program that supports organizing, mapping, and testing the policies, standards, and rules that secure infrastructure and applications within a software defined environment. Essentially, instead of developing perimeters, zones, and policies that get configured once to establish a data center driven by an application's purpose, software defined environments get created and assembled on an ongoing basis, with security constantly changing and adapting to address new learnings, attack vectors, and remediation requirements. Security as Code is implemented by establishing a cross between a Governance and Risk Management system and the testing tools commonly deployed to support Application Security outcomes.

C. Tools of the Trade

We use a variety of tools to implement a resource-based security controls program that helps with policy management, attack trees, and testing automation. We'll talk about the tools we have developed in Ruby and some of the APIs we leverage from Nessus, Burp, Maltego, ZAP, Chef, and others to help reduce the time we spend automating tests in our Security as Code pipeline. We'll show how these tools come together to form the basis of our resource-oriented program and how we have developed a grading system to provide for scaling remediation across our organization.

D. What's Next?

We think we are at the forefront of change and that there are many new processes and tools to come. We've discovered many unsolved problems and few tools available to help with increasing the speed at which security can be delivered when integrated with the Software Development Life Cycle. We'll address the need for greater reconnaissance, some of the challenges of third parties, a lack of network controls, perimeter-less attack discovery, and auto-healing issues that arise from a shared responsibility model.
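To make sections B and C concrete, the following is an added Ruby example (not Intuit's tooling and not code from the presenters) of the core Security as Code loop the abstract describes: controls written as testable rules, mapped onto a resource inventory, evaluated automatically, and rolled up into a grade that can drive remediation. The control IDs, severity weights, letter-grade buckets, and the JSON inventory are all constructed for this example and are not from the talk.

```ruby
require 'json'

# A control is one testable rule: it names the resource type it governs, a severity,
# and a check lambda that returns true when the resource complies.
Control = Struct.new(:id, :resource_type, :severity, :description, :check) do
  def applies_to?(resource)
    resource['type'] == resource_type
  end
end

# Severity weights drive both finding order and the grade (values are assumptions).
SEVERITY_WEIGHT = { 'critical' => 10, 'high' => 5, 'medium' => 2, 'low' => 1 }.freeze

# Hypothetical control catalogue: IDs and rules are constructed for this example.
CONTROLS = [
  Control.new('SG-001', 'security_group', 'critical',
              'No ingress from 0.0.0.0/0 on port 22',
              ->(r) { r['ingress'].none? { |i| i['cidr'] == '0.0.0.0/0' && i['port'] == 22 } }),
  Control.new('S3-001', 'bucket', 'high',
              'Buckets must not be publicly readable',
              ->(r) { !r['public_read'] }),
  Control.new('S3-002', 'bucket', 'medium',
              'Buckets must have server-side encryption enabled',
              ->(r) { r['encryption'] == true }),
  Control.new('IAM-001', 'iam_user', 'high',
              'Users with console access must have MFA enabled',
              ->(r) { !r['console_access'] || r['mfa'] == true })
].freeze

# Constructed inventory, shaped like what an infrastructure API might return.
INVENTORY_JSON = <<~JSON
  [
    {"id": "sg-web", "type": "security_group",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 443}, {"cidr": "10.0.0.0/8", "port": 22}]},
    {"id": "sg-admin", "type": "security_group",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 22}]},
    {"id": "logs-bucket", "type": "bucket", "public_read": false, "encryption": true},
    {"id": "assets-bucket", "type": "bucket", "public_read": true, "encryption": false},
    {"id": "alice", "type": "iam_user", "console_access": true, "mfa": true},
    {"id": "build-bot", "type": "iam_user", "console_access": false, "mfa": false}
  ]
JSON
INVENTORY = JSON.parse(INVENTORY_JSON).freeze

# Map every control onto every resource it applies to and run the check;
# returns one finding per failure, highest severity first.
def evaluate(inventory = INVENTORY, controls = CONTROLS)
  findings = inventory.flat_map do |resource|
    controls.select { |c| c.applies_to?(resource) }
            .reject { |c| c.check.call(resource) }
            .map do |c|
              { control: c.id, resource: resource['id'], severity: c.severity,
                description: c.description }
            end
  end
  findings.sort_by { |f| -SEVERITY_WEIGHT[f[:severity]] }
end

# Roll findings up into a 0-100 score and a letter grade for remediation tracking.
# Score = share of applicable control weight that passed; letter buckets are assumptions.
def grade(inventory = INVENTORY, controls = CONTROLS)
  total = inventory.sum do |r|
    controls.select { |c| c.applies_to?(r) }.sum { |c| SEVERITY_WEIGHT[c.severity] }
  end
  findings = evaluate(inventory, controls)
  failed = findings.sum { |f| SEVERITY_WEIGHT[f[:severity]] }
  score = total.zero? ? 100 : (100.0 * (total - failed) / total).round
  letter = case score
           when 90..100 then 'A'
           when 80...90 then 'B'
           when 70...80 then 'C'
           when 60...70 then 'D'
           else 'F'
           end
  { score: score, grade: letter, findings: findings.length }
end

if __FILE__ == $PROGRAM_NAME
  evaluate.each { |f| puts "#{f[:severity].upcase.ljust(8)} #{f[:control]} #{f[:resource]}: #{f[:description]}" }
  puts grade.inspect
end
```

On the constructed inventory this reports three findings (the open SSH security group first, then the public and unencrypted bucket) and a score of 61, grade D. The point of weighting by severity rather than counting failures is that a single open admin port moves the grade more than several low-severity misses, which is what a remediation queue for a large organization needs; in a real pipeline the inventory would come from the environment's own APIs and the check would gate deployment rather than just print.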

Presenters:

  • Shannon Lietz - Director, DevSecOps - Intuit
    Award-winning leader in security innovation with experience developing emerging security programs for Fortune 500 companies: Intuit, ServiceNow, Sony, Sempra Energy, Savvis, Cable and Wireless, 99 Cents Only, Exodus, Bank of America, among others internationally. Received the Scott Cook Innovation Award in 2014 for developing and cultivating a world-class Cloud Security Program that allows for sensitive data to be protected in AWS. Ms. Lietz is currently the Director of DevSecOps for Intuit, where she is responsible for setting and driving the company's Cloud Security Strategy, Roadmap, and full-scale Program in support of corporate innovation. She has previous experience as a Master Security Architect and an Entrepreneur, and often volunteers to educate on security topics. Ms. Lietz is a passionate DevSecOps and Rugged evangelist.
  • Christian Price - Security Architect - Intuit | DevSecOps
    Christian Price has over a decade of experience in various information security domains and is passionate about transforming how security teams contribute value and unlock innovation. Mr. Price is currently a security architect on the cloud security engineering team.