Steering a Bullet Train
Santiago Kantorowicz
Security Technical Leader at MercadoLibre
bnbsec.blogspot.com
About Me
Information Security Technical Leader at MercadoLibre
Software Security + Infrastructure Assessment
Pen Testing & Development Background
Agenda
Traditional SDLC
MercadoLibre’s Context
MercadoLibre goes Devops
Security at Mercadolibre 5 years ago
Our SDL approach
Traditional SDLC
MercadoLibre’s Context
Mercadolibre 2010
http://es.slideshare.net/DanielRabinovich/daniel-rabinovich-velocity-2014-santa-clara
MercadoLibre goes DevOps
Today’s Picture
>100 deploys a day
Developers ~ Operations (24/7)
Developers have access to production
Technology Diversity
Developers >> AppSec
Security at Mercadolibre 5 years ago
How InfoSec was 5 years ago at Mercadolibre
Operational tasks
Security Feature?
Not involved in product development
How does DevOps affect InfoSec?
No formal security stage
Security unaware of deploys
No formal kick-off of every initiative
Our SDL approach
Premises
Security follows the business
Explain impact in their words
Be open and friendly!
Choose your battles: Tradeoffs!
Get feedback & iterate: more effective
How we envision AppSec
Security Training
Threat Modeling
Security Code Review
Secure Coding
Culture Development
Security Features
Static Code Analysis
Security Testing (Internal)
Security Testing (External)
Vulnerability Fixing
Vulnerability Tracking
WAF
Train every developer! (Mandatory)
8 hour Theory/Practical Training
Developer oriented
Examples in dev language they use
Security Training (Culture Development)
Workshops
Threat Modeling
Hacking Infrastructure
Browser Exploitation
Dynamic Security Testing
Whatever devs need to know, or whatever may awaken their interest!
e-learnings: Short!
Security Training (Culture Development)
Communicate
Security News
Vulnerabilities
Breaches
Invite key developers to security events & conferences.
How we envision AppSec (diagram: Security Training, Threat Modeling, Secure Coding, Culture Development, Security Features)
http://www.microsoft.com/en-us/download/details.aspx?id=12379
http://www.microsoft.com/sdl/
Design stage
Prevent vulnerabilities
Adapt Threat Modeling to your organization
Teach how to do it and ask for invites
Threat Modeling: Security Focal Points
Volunteers
Ask managers
Start with Devs you know
Next: critical Projects
Threat Modeling
AppSec can’t be everywhere
Define criteria for critical projects
Set SFP in each of those
AppSec participates in threat models of critical projects
Secure Coding / Security Features
Training!
Security Checklists (Pre/Post): OWASP Top 10
Security Advisor position
How we envision AppSec (diagram: Security Training, Threat Modeling, Security Code Review, Secure Coding, Culture Development, Security Features, Static Code Analysis, Security Testing Internal)
Security Code Review
Agile Guidelines:
Adapt to your organization
Give alternatives
Checklists of what to look for
Static Code Analysis
Centralized
+ InfoSec view
+ All source code
- Another tool developers need to add to their routine.
Decentralized
+ Integrated with CI
+ Developers don’t have to look at another tool; it’s in their every day.
- Different CI solutions, sometimes not available.
- Non-centralized view for InfoSec
How we envision AppSec (diagram: Security Training, Threat Modeling, Security Code Review, Secure Coding, Culture Development, Security Features, Static Code Analysis, Security Testing Internal, Security Testing External, Vulnerability Fixing, Vulnerability Tracking)
Security Testing: External
Pen Test all you can!!
White box (even if outsourced)
Educate developers to ask for them
Vulnerability Fixing / Vulnerability Tracking
Prioritize!
Use existing tools
Classify! (by Type, Manager/Director/etc., Team)
Communicate: approach for help
How we envision AppSec (diagram: Security Training, Threat Modeling, Security Code Review, Secure Coding, Culture Development, Security Features, Static Code Analysis, Security Testing Internal, Security Testing External, Vulnerability Fixing, Vulnerability Tracking, WAF)
Metrics, Metrics, Metrics
Open vs Closed in Q
Average fix time
Aging
Distribution (type, manager, project)
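Added example, not from the talk: a small Python sketch computing the four metrics listed above (open vs closed per quarter, average fix time, aging, distribution by type/manager/project) over a handful of constructed vulnerability records. The record fields and the names in them are assumptions, not MercadoLibre data.

```python
from collections import Counter
from datetime import date
from statistics import mean

# Constructed sample findings (not real data); fields mirror what the deck tracks.
VULNS = [
    {"id": 1, "type": "XSS",  "manager": "Ana",  "project": "checkout", "opened": date(2015, 1, 12), "closed": date(2015, 1, 20)},
    {"id": 2, "type": "SQLi", "manager": "Ana",  "project": "search",   "opened": date(2015, 2, 3),  "closed": date(2015, 3, 1)},
    {"id": 3, "type": "XSS",  "manager": "Luis", "project": "checkout", "opened": date(2015, 2, 20), "closed": None},
    {"id": 4, "type": "CSRF", "manager": "Luis", "project": "api",      "opened": date(2015, 4, 5),  "closed": date(2015, 4, 30)},
    {"id": 5, "type": "XSS",  "manager": "Ana",  "project": "api",      "opened": date(2015, 5, 11), "closed": None},
]

def quarter(d):
    """Label a date with its calendar quarter, e.g. 2015Q1."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"

def open_vs_closed_by_quarter(vulns):
    """Per quarter: (findings opened, findings closed)."""
    opened, closed = Counter(), Counter()
    for v in vulns:
        opened[quarter(v["opened"])] += 1
        if v["closed"]:
            closed[quarter(v["closed"])] += 1
    return {q: (opened[q], closed[q]) for q in sorted(set(opened) | set(closed))}

def average_fix_time(vulns):
    """Mean days from open to close over closed findings; None if nothing is closed yet."""
    days = [(v["closed"] - v["opened"]).days for v in vulns if v["closed"]]
    return mean(days) if days else None

def aging(vulns, today):
    """(id, days open) for every still-open finding, oldest first."""
    ages = [(v["id"], (today - v["opened"]).days) for v in vulns if not v["closed"]]
    return sorted(ages, key=lambda t: t[1], reverse=True)

def distribution(vulns, field, open_only=False):
    """How findings spread across a dimension: type, manager or project."""
    rows = [v for v in vulns if not (open_only and v["closed"])]
    return dict(Counter(v[field] for v in rows))

if __name__ == "__main__":
    print(open_vs_closed_by_quarter(VULNS))
    print(average_fix_time(VULNS))
    print(aging(VULNS, date(2015, 6, 1)))
    for dim in ("type", "manager", "project"):
        print(dim, distribution(VULNS, dim))
```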
Conclusions
Adapt to organization
Evangelize Games
Start with less disruptive (time consuming) practices
Measure