As Sonatype prepares for it’s 2019 Nexus User Conference, we’re taking a look back at the sessions that made our first-ever event last year so memorable. Shannon Lietz’s conversation about red teaming, was one we received a ton of great feedback on. Read on to learn more about what she shared.
___________________________________________________________________________Lietz company has developed a maturity model for security that can take a team from “burping” to “flying,” as she puts it. This helps the team move from analyzing security as a snapshot of a point in time to a holistic model for your system. When choosing a CI/CD pipeline, security needs are easy to oversimplify. But there are hidden challenges. Lietz points out that there are a lot of tools to consider, but security should be a first-class citizen. We need to “shift our mindset left.” This will create confidence in our security from the beginning of our source code and onward towards production.
Lietz moves on to discuss how Nexus sees itself as an active participant in the journey to DevSecOps. It can enable teams to reduce their security testing footprint - “Security is about degradation,” Lietz notes. A system filled with security holes is a degraded one, and she points out that Nexus can help teams get a pulse on this degradation. This way, you can get ahead of attackers earlier in your DevOps pipeline. Sonatype gives you a threat level based on research they’ve done into what adversaries are out there. A red team practitioner is constantly on the lookout for threats and vulnerabilities; Sonatype makes potential artifacts interesting to these practitioners. Leitz observed that “there is no such thing as perfect software.” Given this, Sonatype lets red team members find mistakes in software faster.
Leitz then talked through how a security team and a software team have a shared language to find and fix security holes. She demonstrates adversary interest: a way to see security problems before an attacker does. Nexus can let red team members see trends in this interest and get ahead of attackers.
Having these mental models that work together with Nexus lets teams find these needles in the haystack. And a CI/CD pipeline pulls this red team view in with the development view. That lets the team collaborate to eliminate security degradation.
As an example of how this works, Leitz discussed the case study of the Apache Commons Collections library vulnerability; Sonatype researches these potential vulnerabilities, and that lets team members see their dependencies on these vulnerabilities. It’s not enough to just patch a library. You should also build a tree of where it’s being used and assess where it needs to be updated or replaced. Leitz said this can make a red team “extreme.”
Data is not enough. There needs to be a correlation among events and the more code a company has, the more important this assessment is. But, one of the biggest lessons she says people have to learn when embarking on a DevSecOps transformation, is that there’s often an imbalance between how many team members focus on development versus how many specialize in security.
There is still a lot that we as an industry can learn. One way that we can do that, as Lietz explained, is getting involved in a security-minded community. An example is the one that she runs at devsecops.org. But overall, the call to action from Lietz’s was simple: be collaborative!
Shannon Lietz, who serves as the director of DevSecOps at Intuit, and the founder of the DevSecOps Foundation, began her Nexus User Conference conversation by demonstrating how Wardley Mapping lets one predict the future and connect the dots between various technologies and practices, such as DevOps and security. She describes how red teaming is a technique for effective penetration testing against your system. Security has evolved from an infuriatingly tedious checklist to the ideas of red teaming and the practice of DevSecOps. Security is too important to leave out of DevOps, so we need these techniques.
