Transforming Risk

Scenario

Well-Funded Startup

60 Developers

Daily Releases


#SquadGoals

10 Product Squads

(Generalist role)

2 Platform Squads

(Specialist role)

Fields of Green

Brand new super cool blockchain project

Releases to Production in 2 weeks


Lydia Smith - Lead Dev, punk-IPA squad

6 years' Java experience, 2 years as security champion

Day 1 - Catalogue

Project Name:       crypto-sling

Service Name:       app-backend

Service Type:       backend-spring

Deployment Type:    docker

Team Name:          punk-IPA

Security Champion:  lydia-smith

Day 1 - Catalogue

  • Build Pipeline to Prod
  • Git & Artifact Repos
  • Static Analysis
  • Dependency Checking
  • Project Archetype
  • Dockerfile
  • Terraform Project
  • ThreadFix Application
  • JIRA Integration

Generate!

Day 3 - Build In the Risk


  • Whiteboard designs complete
  • Rough backlog established
  • STRIDE analysis defines security controls
  • Create stories for controls and link to product stories

Day 6 - Push to Prod

ThreadFix

  • Aggregates all scanning results
  • Agreed policy for pass / fail (CVSS / CWE)
  • Champion can suppress issues
  • Platform Sec available for expertise

JIRA Release Gate

  • Scans code comments for user story numbers
  • Calls JIRA API
  • Fails if any linked security controls are open
  • Product Owner can attach timed risk with risk owner
  • Creates Confluence doc for successful release
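The scanning side of the gate, as an added example that is not the deck's own tooling or ThreadFix code: findings from several scanners are aggregated and de-duplicated, an agreed CVSS threshold and CWE blocklist decide pass/fail, and a suppression only counts when a listed security champion recorded it with a justification. Scanner names, scores, CWE numbers, locations and people are constructed for illustration.

```python
"""Pass/fail policy over aggregated scanner results (added example, not ThreadFix code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    scanner: str    # which tool reported it
    location: str   # file path or dependency coordinate
    cwe: int        # CWE number as reported by the scanner
    cvss: float     # CVSS base score as reported by the scanner


@dataclass(frozen=True)
class Suppression:
    cwe: int
    location: str
    approved_by: str    # must be a listed champion for the suppression to take effect
    justification: str  # an empty justification does not count


@dataclass(frozen=True)
class Policy:
    fail_cvss_at: float       # findings at or above this score fail the gate
    blocked_cwes: frozenset   # findings with these CWEs fail regardless of score
    champions: frozenset      # people allowed to suppress


# Constructed sample data: the same SQL injection reported by two tools,
# a high-scoring vulnerable dependency, and a low-scoring informational item.
FINDINGS = [
    Finding("static-analysis", "src/UserRepo.java:42", 89, 8.8),
    Finding("ide-plugin", "src/UserRepo.java:42", 89, 8.8),
    Finding("dependency-check", "com.example:old-lib:1.2", 502, 9.8),
    Finding("static-analysis", "src/Config.java:10", 200, 3.1),
]
SUPPRESSIONS = [
    # Champion suppresses the dependency finding with a written reason.
    Suppression(502, "com.example:old-lib:1.2", "lydia-smith",
                "vulnerable deserialisation code path is not reachable"),
    # A non-champion trying to suppress the SQL injection: must not count.
    Suppression(89, "src/UserRepo.java:42", "some-dev", "looks fine"),
]
# Constructed policy: threshold of 7.0, blocklist of OS command injection,
# SQL injection and unsafe deserialisation, one champion.
POLICY = Policy(fail_cvss_at=7.0,
                blocked_cwes=frozenset({78, 89, 502}),
                champions=frozenset({"lydia-smith"}))


def aggregate(findings):
    """De-duplicate findings from multiple scanners by (cwe, location),
    keeping the highest score reported for each."""
    best = {}
    for f in findings:
        key = (f.cwe, f.location)
        if key not in best or f.cvss > best[key].cvss:
            best[key] = f
    return list(best.values())


def valid_suppressions(suppressions, policy):
    """Only suppressions by a listed champion with a non-empty justification apply."""
    return {(s.cwe, s.location) for s in suppressions
            if s.approved_by in policy.champions and s.justification.strip()}


def blocking_findings(findings, suppressions, policy):
    """Findings that breach the policy and are not validly suppressed."""
    suppressed = valid_suppressions(suppressions, policy)
    return [f for f in aggregate(findings)
            if (f.cvss >= policy.fail_cvss_at or f.cwe in policy.blocked_cwes)
            and (f.cwe, f.location) not in suppressed]


def scan_gate_passes(findings, suppressions, policy):
    """The release may proceed only when nothing is left blocking."""
    return not blocking_findings(findings, suppressions, policy)


if __name__ == "__main__":
    for f in blocking_findings(FINDINGS, SUPPRESSIONS, POLICY):
        print(f"BLOCKING: CWE-{f.cwe} cvss={f.cvss} at {f.location} ({f.scanner})")
    print("gate passes:", scan_gate_passes(FINDINGS, SUPPRESSIONS, POLICY))
```

With the sample data the SQL injection is the only blocker: the duplicate report is merged away, the dependency finding is validly suppressed by the champion, the developer's own suppression is ignored, and the informational finding sits below the threshold.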

Workflow

US104 - Save User Registration In Database

Linked security controls:

SEC285 - Securely Obtain DB Secrets Using Vault

SEC286 - Ensure Public Endpoint Is Rate Limited

Workflow

US104 - Save User Registration In Database

  • Platform Squad has created a client library and custom Vault documentation
  • The story must be reviewed by the Platform Security Squad before it can be closed

Workflow

SEC286 - Ensure Public Endpoint Is Rate Limited

  • Team considers this a lower risk
  • Product Owner works with the risk assessor and raises a Risk Acceptance JIRA ticket for 2 months
  • Champion or Platform Security feed into the risk assessment
  • A valid risk ticket allows the release gate to pass
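The story-linking side of the gate together with the risk-acceptance path above, as an added example that is not the deck's own tooling: user story numbers are read from code comments, the security-control stories linked to them are looked up, and the release fails on any control that is still open unless a risk-acceptance ticket with a named owner covers it and has not yet expired (the "timed risk" that later blocks builds). `fetch_issue` is a hypothetical stand-in for a JIRA client call; the source file, story keys, statuses and dates are constructed for illustration.

```python
"""JIRA-backed release gate with timed risk acceptance (added example, not the deck's tooling)."""
import re
from datetime import date

STORY_KEY = re.compile(r"\b(US\d+|SEC\d+)\b")

# Constructed source: only line comments are scanned, so a story key inside a
# string literal is deliberately not treated as a reference.
SOURCE_FILES = {
    "RegistrationService.java": (
        "// US104 - save user registration in database\n"
        "public class RegistrationService {\n"
        '    String note = "US999 in a string is not a reference";\n'
        "    // US105 - send welcome mail (no security controls linked)\n"
        "}\n"
    ),
}

# Constructed stand-in for what the JIRA API would return for each key.
JIRA = {
    "US104": {"status": "Done", "links": ["SEC285", "SEC286"]},
    "US105": {"status": "Done", "links": []},
    "SEC285": {"status": "Done", "links": []},
    "SEC286": {"status": "Open", "links": ["RISK42"]},
    "RISK42": {"status": "Accepted", "risk_owner": "product-owner",
               "expires": date(2019, 8, 1), "links": []},
}


def fetch_issue(key):
    """Hypothetical stand-in for a JIRA issue lookup; unknown keys link to nothing."""
    return JIRA.get(key, {"status": "Unknown", "links": []})


def story_keys_in_comments(source):
    """Collect story keys that appear in line comments only."""
    keys = set()
    for line in source.splitlines():
        _, sep, comment = line.partition("//")
        if sep:
            keys.update(STORY_KEY.findall(comment))
    return keys


def risk_accepted(control_key, on):
    """True if an unexpired risk-acceptance ticket with a named owner covers the control."""
    for linked in fetch_issue(control_key)["links"]:
        risk = fetch_issue(linked)
        if risk["status"] != "Accepted" or not risk.get("risk_owner"):
            continue
        if risk.get("expires") and risk["expires"] > on:
            return True
    return False


def blocking_controls(files, release_date):
    """Map each open, unaccepted security control to the stories that need it.

    release_date is an ISO date string; an expired acceptance no longer counts.
    """
    on = date.fromisoformat(release_date)
    blocking = {}
    for source in files.values():
        for story in story_keys_in_comments(source):
            if not story.startswith("US"):
                continue
            for control in fetch_issue(story)["links"]:
                if not control.startswith("SEC"):
                    continue
                if fetch_issue(control)["status"] != "Done" and not risk_accepted(control, on):
                    blocking.setdefault(control, set()).add(story)
    return blocking


def gate_passes(files, release_date):
    return not blocking_controls(files, release_date)


if __name__ == "__main__":
    print(blocking_controls(SOURCE_FILES, "2019-07-01"))  # -> {}
    print(blocking_controls(SOURCE_FILES, "2019-09-01"))  # -> {'SEC286': {'US104'}}
```

Run before the acceptance expires, SEC286 is covered by RISK42 and the gate passes; run a month after expiry, the same open control blocks US104 again, which is the behaviour the deck relies on to keep accepted risks from silently becoming permanent.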

JIRA Risks

Could be created from many sources:

  • Pen Test
  • Vulnerable Dependency
  • STRIDE Analysis
  • Deprecated Runtimes

All can be enforced: some are linked to stories, others are global risks

Result

  • Team takes responsibility for finding and fixing security issues and for designing securely
  • Product Owner accepts risks; when an accepted risk expires it blocks builds
  • Virtual team of champions is extremely useful for incident response, training other team mates, etc.
  • All risks are timed, kept alive and tracked in JIRA for reporting
  • Pre-agreed security policy, no surprises


Practicalities

  • Can be achieved without automation
  • Absolutely key: a security champion in the team, and technical security expertise available quickly
  • Something or somebody has to enforce the process, and it should not be the technical security person chasing
  • Requires co-location or Slack for effective collaboration between teams


Share The Load

By Chris Rutter
