Developing and Enforcing Cyber Security Policy as Code in a Software Factory


Learn how to implement cybersecurity policies effectively in a software factory by converting them into code, as presented by Jared Ladner at the 2023 ITEN Wired Summit. Converting policy from documentation into code lets the pipeline enforce and verify security controls throughout development rather than after the fact, which improves the overall security posture and supports a DevSecOps culture. The deck covers the DevSecOps pipeline, the Everything as Code approach, declarative versus imperative tooling, idempotency, pipeline gates, operational policy as code, and a DHS USCIS case study.


Uploaded on Jul 05, 2024



Presentation Transcript


  1. Developing and Enforcing Cyber Security Policy as Code in a Software Factory. Jared Ladner, 2023 ITEN Wired Summit

  2. Volume 1: DevSecOps Pipeline (Janna Covitz, L.2)
     Agenda
     - Current Situation of Policy as Documentation
     - DevSecOps vs. Software Factories
     - Cyber Security During Development
     - Cyber Security Automation in Operations
     - Case Study Example: DHS USCIS for Risk and Fraud Services
     - Other Examples and Questions

  3. Current Situation of Policy as Documentation
     Use or disclosure of data contained on this sheet is subject to the restriction on the title page of this task order proposal.

  4. Documentation (meme caption: "Up to date documentation. Now there is something I haven't seen in a long time.")

  5. NIST 800-53

  6. RMF (Risk Management Framework) steps
     Step 1 CATEGORIZE System
     - Categorize the system in accordance with CNSSI 1253
     - Initiate the Security Plan
     - Register system with DoD Component Cybersecurity Program
     - Assign qualified personnel to RMF roles
     Step 2 SELECT Security Controls
     - Common Control Identification
     - Select security controls
     - Develop system-level continuous monitoring strategy
     - Review and approve the security plan and continuous monitoring strategy
     - Apply overlays and tailor
     Step 3 IMPLEMENT Security Controls
     - Implement control solutions consistent with DoD Component Cybersecurity architectures
     - Document security control implementation in the security plan
     Step 4 ASSESS Security Controls
     - Develop and approve Security Assessment Plan
     - Assess security controls
     - SCA prepares Security Assessment Report (SAR)
     - Conduct initial remediation actions
     Step 5 AUTHORIZE System
     - Prepare the POA&M
     - Submit Security Authorization Package (security plan, SAR, and POA&M) to AO
     - AO conducts final risk determination
     - AO makes authorization decision
     Step 6 MONITOR Security Controls
     - Determine impact of changes to the system and environment
     - Assess selected controls annually
     - Conduct needed remediation
     - Update security plan, SAR and POA&M
     - Report security status to AO
     - AO reviews reported status
     - Implement system decommissioning strategy

  7. DevSecOps vs. Software Factories

  8. Evolution to DevSecOps
     - Agile
     - CI/CD: Continuous Integration, Continuous Testing, Continuous Delivery, Continuous Deployment
     - DevOps: Infrastructure as Code
     - DevSecOps: Cybersecurity in Development

  9. Everything as Code Approach
     Everything as Code is the process and practice of automating the manual, repetitive tasks in all stages of software production.
     Automation and Reuse across the SDLC phases:
     - Planning/Requirements/Design
     - Build and Development
     - Testing
     - Operations
     - Security
     - Monitoring

  10. Everything as Code Approach: maturity stages
     - Manual Configuration: resources managed via consoles following SOPs; in-place upgrades/patches
     - Initial use of IaC: scripts are run from workstations
     - IaC with GitOps: Git-based code reviews/pull requests on infrastructure changes
     - IaC DevSecOps: CI tools automate execution of IaC

  11. How do we solve this? More than just automation.
     Goals and characteristics:
     - Follow best practices
     - Apply development methodologies
     - Not just scripts
     - GitOps: zero access to systems and environments; zero configuration drift
     - Resiliency: ability to completely destroy and recreate entire enterprises/systems
     - On-demand systems (not just images): push-button provisioning of infrastructure, configuration, deployment and monitoring

  12. Declarative vs. Imperative (meme caption: "You know what this needs, baby? More YAML")
     The difference between the declarative and the imperative approach is essentially 'what' versus 'how'.
     Declarative (what): defines the desired state, and the system executes whatever needs to happen to reach that state. Examples: Terraform and CloudFormation.
     Imperative (how): defines the specific commands that must be executed in the appropriate order to end with the desired result. Examples: AWS CLI, Python, Bash.
     Declarative example (CloudFormation):
         S3Bucket:
           Type: AWS::S3::Bucket
           Properties:
             BucketName: mybucketname
             Tags:
               - Key: "Owner"
                 Value: "Mike Brooks"
     Imperative example (AWS CLI in Bash):
         $ BUCKET_NAME="mybucketname"
         # Check for the bucket before creating it. The query is quoted so the
         # shell does not glob "[*]", and the pipeline is run directly rather
         # than inside backticks, which would execute grep's output as a command.
         $ if ! aws s3api list-buckets --query 'Buckets[*].Name' | grep -q "$BUCKET_NAME"; then
             aws s3api create-bucket --bucket "$BUCKET_NAME"
           else
             echo "Bucket already exists, continuing..."
           fi
         $ aws s3api put-bucket-tagging --bucket "$BUCKET_NAME" --tagging 'TagSet=[{Key=Owner,Value="Mike Brooks"}]'

  13. Idempotency

  14. Idempotency
     Applying multiple times without changing the result beyond the initial application.
     Shell script example (not idempotent):
         echo "spock:*:1010:1010:Spock:/home/spock:/bin/bash" \
           >> /etc/passwd
     Running this multiple times would add the user spock multiple times to the file /etc/passwd.
     Idempotent declarative YAML example:
         user:
           name: spock
           full_name: Spock
           uid: 1010
           gid: 1010
           home: /home/spock
           shell: /bin/bash
     - No matter how many times you run the tool with this code, it will ensure that only one entry exists in the /etc/passwd file for the user spock.
     - No unpleasant side effects.
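The following is an added example, not code from the deck: it takes the declarative intent of slides 12 and 14 ("user spock exists with these attributes") and implements it as an idempotent shell function, so the same declaration can be applied any number of times. The function name ensure_passwd_entry, the FILE parameter (used so the example runs against a scratch file instead of /etc/passwd) and the count_entries helper are assumptions made for the example. Unlike the slide's append-only script, it also converges an existing entry whose fields have drifted, which is the declarative "desired state" behaviour the slide attributes to the YAML tool.

```shell
#!/bin/sh
# Added example (not from the original deck): idempotent, declarative-style
# management of one passwd-format entry. FILE is a parameter so this runs
# against a scratch copy, never the real /etc/passwd. Names are assumptions.

# ensure_passwd_entry FILE NAME UID GID GECOS HOME SHELL
# Converges FILE so that exactly one line for NAME exists and matches the
# desired state. Prints "added", "updated" or "unchanged".
ensure_passwd_entry() {
    file=$1; name=$2
    desired="$2:*:$3:$4:$5:$6:$7"
    [ -f "$file" ] || : > "$file"
    if grep -Fxq "$desired" "$file"; then
        # already in the desired state: a no-op, which is what idempotency means
        echo unchanged
    elif grep -q "^$name:" "$file"; then
        # entry exists but has drifted: replace it rather than append a second one
        grep -v "^$name:" "$file" > "$file.tmp" || true
        printf '%s\n' "$desired" >> "$file.tmp"
        mv "$file.tmp" "$file"
        echo updated
    else
        printf '%s\n' "$desired" >> "$file"
        echo added
    fi
}

# count_entries FILE NAME: number of lines for NAME (0 or 1 after convergence)
count_entries() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c "^$2:" "$1" || true
}

# Demo on a constructed scratch file: applying the same declaration three
# times yields one line; the slide's 'echo ... >> /etc/passwd' would yield three.
demo_passwd=$(mktemp)
ensure_passwd_entry "$demo_passwd" spock 1010 1010 Spock /home/spock /bin/bash
ensure_passwd_entry "$demo_passwd" spock 1010 1010 Spock /home/spock /bin/bash
ensure_passwd_entry "$demo_passwd" spock 1010 1010 Spock /home/spock /bin/bash
echo "entries for spock: $(count_entries "$demo_passwd" spock)"
cat "$demo_passwd"
rm -f "$demo_passwd"
```

The three outcomes (added, updated, unchanged) are the same three a configuration management tool reports for a declared resource; the point of the exercise is that the caller never has to know which will happen before running it.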

  15. Software Factory

  16. Cyber Security During Development

  17. Pipelines and Gates

  18. Scans, Reports and Docs

  19. Cyber Security Automation in Operations

  20. Meme caption: "Worked fine in dev. Ops problem now."

  21. DevSecOps Operational Picture

  22. DevSecOps Operational Policy as Code

  23. Case Study Example: DHS USCIS for Risk and Fraud Services

  24. RFDS Project Spotlight
     Project: DHS USCIS Risk and Fraud DevSecOps Services (RFDS), supporting the FDNS group of the IRNSD directorate.
     Mission: provide systems to support the detection and investigation of fraud and national security concerns related to US immigration benefits adjudication processes.
     Overview: The Department of Homeland Security's US Citizenship and Immigration Services (USCIS) needed to modernize the systems used for immigration status verification. Geocent used DevSecOps methodologies to help replace these burdensome legacy systems with agile, efficient, cloud-based applications that help USCIS process claims more quickly and effectively.
     Challenge:
     - Transform legacy case-centric Siebel systems, which are difficult to navigate through multiple layers of tabs, into a person-centric microservices architecture responsive to rapidly changing business rules.
     - Migrate a legacy JMS-based ESB solution into a highly available and resilient rules engine capable of supporting over 4 million transactions daily.
     Solution:
     - DevSecOps and Software Factory approach
     - Hybrid cloud deployment to Rancher on-prem and EKS cloud
     - CDK8s automated Kubernetes manifests
     - 50+ microservices
     - Apigee gateway
     - Kafka asynchronous messaging
     - Strangler pattern
     - AWS ElasticSearch full-text searching
     - User experience and customer experience
     Results:
     - 7 services deployed to production in 6 months
     - Over 100 production deployments in 12 months
     - 100% code coverage
     - Cybersecurity vulnerabilities discovered and mitigated in hours
     - Less than 2-week turnaround from feature development to production release
     - Log4Shell identified and mitigated in less than 48 hours

  25. Examples and Questions

  26. DevSecOps Platforms & Modernizations Experience (Systems Modernization, DevSecOps Platform Engineering)
     - NIWC Atlantic, Research, Development, & Acquisition Information System (RDAIS): award-winning DevSecOps implementation using MCBOSS to modernize a major POR in 1 year, implementing C-ATO
     - USMC Business Operation Support Services (MCBOSS): enabled USMC modernization by developing an enterprise DSOP; achieved the 1st USMC Continuous ATO for 5 platforms
     - NIWC Pacific, Marine Corps Business Operations Optimization Team (MCBOOT), Inspector General Case Action Manager (IGCAM): major modernization effort using MCBOSS, resulting in a modern microservices implementation in less than 18 months
     - Defense Health Agency DevSecOps Community Cloud (DSOCC): enabled the DHA DevSecOps transition by developing a reusable, enterprise software factory based on Platform One Big Bang
     - Missile Defense Agency Next Generation Intercept (NGI) Program: developed their enterprise DevSecOps software factory to support complex classified and unclassified embedded systems development
     - Commander, Naval Meteorology and Oceanography Command, Flight Weather Briefer (FWB): using Platform One and Navy DevSecOps platforms to transition the METOC enterprise to DevSecOps processes, resulting in the first Navy METOC cloud-native app
     - US Citizenship and Immigration Services, Risk & Fraud DevSecOps Services (RFDS): developed a reusable DevSecOps platform resulting in Team Managed Deployment (C-ATO) for a 95 FTE DevSecOps team; pioneered the USCIS DevSecOps implementation for rapid prototyping & secure deployment
     - US Army Logistics Data Analysis Center (LDAC): used Platform One to implement their DevSecOps culture change
     - US Coast Guard Software Factory, High Efficiency Rapid Modernization Network (HERMN): USCG-operated, contractor-utilized modernization platform; CNCF-compliant reusable platform
