
Rethinking Product Security: Cloud Demands a New Way






Presentation Transcript


  1. Rethinking Product Security: Cloud Demands a New Way (Session CSV-R11)
     Reeny Sondhi, Chief of Product Security, Autodesk Inc., @reenysondhi
     Tony Arous, Head of Application Security, Autodesk Inc., @tonyarous

  2. Agenda
     • Who is Autodesk and what transformation are they in the middle of?
     • Redefining Product Security
     • Lessons Learned
     • How can you apply what you learnt to your job?

  3. Autodesk Digital Transformation
     • About Autodesk: Make anything
       • Autodesk makes software for people who make things. If you’ve ever driven a high-performance car, admired a towering skyscraper, used a smartphone, or watched a great film, chances are you’ve experienced what millions of Autodesk customers are doing with our software
     • 150+ Products
     • Digital transformation to the cloud
     • Teams across the globe
     • Diverse range of agile approaches

  4. Holistic Approach to Product Security: Architecture, Software, Infrastructure, Incident Management
     Product Lifecycle & Engineering Process
     • Agile Development, Continuous Integration, Continuous Deployment
     • Plan, Develop, Build, Test, Release, Deploy, Monitor, Respond
     Security Practices & Tools
     • Secure Development Lifecycle: Train, Secure Design, Secure Coding, Security Testing, Assessment
     • Cloud Security: Identify, Protect, Detect, Respond, Recover
     Policies & Standards
     • Product Development: Access control, Logging, Cryptography and key mgmt, Secure design principles, Input Validation, Coding standards, Fuzzing, Training
     • Cloud Security: Environment hardening, Continuous Monitoring, Operational Enablement
     • Response & Incident Mgmt: Reporting procedures, Response SLO, Customer Communication

  5. Security Strategy Built on Industry Standards

  6. Product Security: How We Build Security from Development to Production
     • Application Security
       • Standards & Policies
       • Security Features
       • Source Code Analysis
       • Secure Design & Threat Modeling
       • Open Source Analysis
       • Security Testing
       • Education and Awareness
       • Security Incident Response
     • Cloud Security
       • Threat & Vulnerability Management
       • Security Hardening & Configuration Management
       • Identity & Access Management
       • Threat Prevention, Detection and Containment (Network and Perimeter Security)
       • End-Point Security (Host Security)
       • Incident Response
     • Compliance
       • ISO 27001 Certification
       • SSAE-16 SOC 2 Attestation for all 360 Apps
       • CSA STAR
       • FedRAMP Gap Analysis
       • EU Model Clauses

  7. Objective: Reduce security weaknesses in our products by proactively building repeatable, sustainable security practices embedded within our development, deployment and maintenance lifecycle

  8. First: Why CI/CL/CD is Important
     • Staying competitive in a fast-moving world
       • Quickly adapt software to meet ever-changing shifts in market needs
       • Greater efficiency, collaboration, and re-use in Engineering
     • Adjusting to Subscriptions and Solutions
       • Requires frequent delivery of new functionality
       • Tighter integration of products & workflows
     • Encourage collaboration
       • Engineering tools and workflows are highly siloed
       • Easier to help on other projects when the dev environment is standard

  9. What is CI/CD? (Waterfall -> CI/CD)
     • Waterfall: Requirements -> Planning -> Develop -> Test -> Stabilize -> Release (RTM)
     • Agile (“WaterSCRUMFall”): Requirements -> Release Plan -> Plan/Dev/Test iterations -> Develop -> Release (RTM)
     • CI/CD: Continuous Planning (Kanban?) -> Requirements -> Dev -> Test -> Continuous Delivery -> RTM (incremental)

  10. Corporate CI/CD: Development Tool Stack
     • Each tool has: Ownership, Solutions, Migration support, Metrics
     • Inner-source dev. model to encourage contribution
     • Communication: Wiki (Documentation), Slack (Chat)
     • Project: Jira (Bug tracking, Agile Project Mgmt.)
     • CI/CD: Docker (Containers), Jenkins (Orchestration); CI/CD + Build Service + Packaging + Test Automation + …
     • Content: GitHub (Source Code Mgmt.), Artifactory (Package Mgmt.), Nexus/WhiteSource (Security), Vault (Secrets), (L10N)
     Note: “Our” == Engineering Solutions Group within Engineering Practice

  11. CI/CD: Workflow
     • GitHub repo holds: Continuous Delivery flow definition (YAML file), deployable container contents, source, deployment locations and configs, deployment scripts
     • Continuous Integration (triggered on every commit): Build -> Analyze -> Package -> Deployable Container -> ECR
       • Build inputs: 3rd party libs, internal libs, built OSS packages (from Artifactory); build containers and scripts (from GH repo)
     • Continuous Delivery: Dev -> Promote -> Staging -> Promote -> Prod, on the Unified Cloud “OS” infrastructure

  12. Security Integration in Tool Set
     • Design -> Develop -> Build -> Test -> Release -> Deploy
     • Component Selection (at Build): Internal Components, External Sources

  13. Design – Threat Modeling
     • Typical Threat Model
       • Comprehensive documentation
       • Weeks to assess
       • Constantly changing
     • vs. Simple User Story
       • Code is Design
       • Threat model only exceptions to standardized security frameworks

  14. Build – Static Analysis
     • Security tools seamlessly integrated with automated controls for every build
     • Automated reporting when a build deviates from security standards
     • Targeted security vulnerabilities through custom rules
     • Continuous real-time feedback
     • Initially alert, then fail builds
     • Deep static analysis scanning (can be done out of band)

  15. Build – Open Source & Third Party Component Analysis
     • Software Supply Chain:
       • Implement a software component analysis process to automatically create a bill of materials for a system
       • Minimize security risks in the software by identifying risk in third-party components
     • 80 percent of the code in today’s applications comes from libraries and frameworks
     • More than 50,000 of the software components in the Central Repository have known security vulnerabilities.
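The component analysis process on this slide, as an added illustration (not Autodesk's or any vendor's tooling): build a bill of materials from a dependency manifest and flag components whose version falls in a known-affected range. The manifest, package names and advisory entries are constructed for the example.

```python
"""Software component analysis: build a bill of materials (BOM) from a
dependency manifest and flag components matching a known-vulnerable range.
Added example; manifest, package names and advisory feed are constructed."""
from dataclasses import dataclass

# Constructed manifest, pip-style "name==version" lines (hypothetical packages).
MANIFEST = """\
webframework==2.3.1
imageparser==1.0.4
jsonlib==5.2.0
"""

# Constructed advisory feed: (component, affected-from inclusive, fixed-in exclusive, id).
ADVISORIES = [
    ("imageparser", "1.0.0", "1.0.5", "ADV-EXAMPLE-001"),
    ("jsonlib", "4.0.0", "5.0.0", "ADV-EXAMPLE-002"),
]

@dataclass(frozen=True)
class Component:
    name: str
    version: str

def parse_version(v: str) -> tuple:
    # Numeric dotted versions only; sufficient for the constructed inputs.
    return tuple(int(part) for part in v.split("."))

def build_bom(manifest: str) -> list:
    """Bill of materials: one Component per non-empty, non-comment line."""
    bom = []
    for line in manifest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==", 1)
        bom.append(Component(name.strip().lower(), version.strip()))
    return bom

def find_vulnerable(bom: list, advisories: list) -> dict:
    """Map each affected component name to the advisory ids covering its version."""
    findings = {}
    for comp in bom:
        v = parse_version(comp.version)
        for name, lo, hi, adv_id in advisories:
            if comp.name == name and parse_version(lo) <= v < parse_version(hi):
                findings.setdefault(comp.name, []).append(adv_id)
    return findings
```

Wired into the build stage, a non-empty result from `find_vulnerable` is the signal that first raises an alert and later fails the build.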

  16. Acceptance/Test – DAST, IAST & Fuzzing
     • Dynamic Application Security Testing
       • Useful for testing web and mobile apps, but they don’t always play nicely in CI/CD
       • Spin off to run out of band
     • Interactive Application Security Testing
       • Instruments running code and uses control flow and data flow analysis to trace and catch security problems at the point of execution
       • Lower false positives than running static analysis
     • Fuzzing
       • Valuable in finding security vulnerabilities (especially injection bugs)
       • Testing of APIs, files (can be done out of band)

  17. Infrastructure as Code
     • Define and manage system configuration through code that can be versioned and tested in advance using tools like Chef
     • Increases the speed of building systems that are scalable, consistent and secure
     • Provides powerful advantages for security:
       • Program security policies directly into the configuration code
       • Build hardening policies into configuration code
       • Detect variances from the expected baseline and alert, assigning a score based on compliance, or automatically revert them
       • Patch vulnerabilities quickly and safely

  18. Compliance as Code
     • Minimize paperwork and overhead
     • Automated runtime rule-driven compliance
     • Provides visibility and traceability for support and continuous validation
     • Audit trail for every change request
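The baseline-variance idea from slides 17 and 18 (detect drift, score compliance, revert or alert), as an added example that is not Autodesk's Chef code: a versioned baseline is compared with a scanned configuration, each control is scored, and drift is split into automatic reverts and alerts. The control names and values are constructed.

```python
"""Infrastructure/compliance as code: compare a host's observed configuration
against a versioned baseline, score compliance, and plan the revert actions
that restore the baseline. Added example, not Autodesk's tooling; the
baseline controls and observed values below are constructed."""

# Constructed baseline: each control names the expected value and whether
# drift may be reverted automatically or must only raise an alert.
BASELINE = {
    "ssh.password_authentication": {"expected": "no", "auto_revert": True},
    "ssh.permit_root_login": {"expected": "no", "auto_revert": True},
    "audit.log_forwarding": {"expected": "on", "auto_revert": True},
    "kernel.version": {"expected": "5.10.200", "auto_revert": False},
}

# Constructed observed state, as a configuration scan would report it.
OBSERVED = {
    "ssh.password_authentication": "yes",   # drifted, revertable
    "ssh.permit_root_login": "no",
    "audit.log_forwarding": "on",
    "kernel.version": "5.10.180",           # drifted, needs a patch: alert only
}

def detect_drift(baseline: dict, observed: dict) -> list:
    """Return one (control, expected, actual) tuple per deviating control.
    A control missing from the scan counts as drift (actual is None)."""
    return [(ctl, spec["expected"], observed.get(ctl))
            for ctl, spec in baseline.items()
            if observed.get(ctl) != spec["expected"]]

def compliance_score(baseline: dict, observed: dict) -> float:
    """Percentage of baseline controls whose observed value matches."""
    compliant = len(baseline) - len(detect_drift(baseline, observed))
    return round(100.0 * compliant / len(baseline), 1)

def plan_actions(baseline: dict, observed: dict) -> dict:
    """Split drift into automatic reverts and alerts that need a human."""
    plan = {"revert": [], "alert": []}
    for ctl, expected, actual in detect_drift(baseline, observed):
        bucket = "revert" if baseline[ctl]["auto_revert"] else "alert"
        plan[bucket].append({"control": ctl, "expected": expected, "actual": actual})
    return plan

if __name__ == "__main__":
    print(f"compliance: {compliance_score(BASELINE, OBSERVED)}%")
    for kind, items in plan_actions(BASELINE, OBSERVED).items():
        for item in items:
            print(f"{kind}: {item['control']} {item['actual']!r} -> {item['expected']!r}")
```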

  19. Lessons Learned on the Transformation Journey
     • Move to a single CI/CD solution is key
       • Efficiency
       • Consistency
       • Simplification
     • Driving towards standards rather than “to each his/her own” is instrumental in containing the scope of what we need to secure
     • Central management of tools and implementation in the corporate CI/CD framework is critical
     • Culture is a cop out and bringing people along on the journey is key

  20. Key Takeaways & Application Tips
     • Build a roadmap for your secure development lifecycle transformation
     • Inject security tools within your CI/CD process
     • Start small and experiment with the changes with a few small teams
     • Automate every lifecycle step with immediate feedback
     • Appoint security champions across all teams with accountability
     • Spread awareness to help your developers understand and adopt security requirements

  21. Questions?
