Case Studies on DevSecOps

DevSecOps introduces security earlier in the application development life cycle, so that vulnerabilities are found and fixed before release and security work is aligned with IT and business objectives.

01

Organization:   Confidential – Private NYC Start-up
Industry:   FinTech | Next-Gen Financial Services
Size:   150+ employees
Environment:   SaaS (ServiceNow, Slack, and others) and a private IaaS cloud managed with Ansible, Kubernetes, and VMware
Summary:

The client was shipping new applications, APIs, and other code daily without a modern application security process or an overall security strategy. We provided vCISO services to the CTO and Co-Founder of the organization. The client had significant regulatory and security concerns.

  • The organization had little security support: the security manager had a team of fewer than four people and was overwhelmed.
  • The security team was out of sync with the many application and developer teams. Security was being overlooked because of the pressure to move at the pace of the business.
Actions:
Over 9 months we led several activities to improve the working relationship between application development and security using DevSecOps best practices. Risk was communicated consistently, security was included from the inception of each application, and the average application's security posture improved substantially.
  • Completed 100% of the DevSecOps and CI/CD goals through process upgrades delivered with Ansible and other tools.
  • Implemented risk management, change management, and security architecture processes: uncontrolled changes were prevented, risk was communicated to the business, and application security best practices were designed into the process.
  • Separated non-production from production environments and enforced separation of duties for privileged access.​
  • Established an OS security baseline for virtual instances, with a process to manage and enforce it.
  • Managed the code repository through a locked-down GitHub account.​
  • Automated application security code reviews with Fortify static analysis (SAST) run from Jenkins plugins, combined with software composition analysis (SCA) and dynamic testing (DAST).
  • Used a combination of Skyhigh CASB, Fortify, Nessus, OWASP Threat Dragon, GitLab, and Ansible Tower native security tooling and automation to harden the client's environment.​
  • Improved the client's security posture by 200% against its baseline assessment, and implemented NIST CSF and CSA CCM controls.
  • Worked with a security partner to engage an MSSP to manage day-to-day DevSecOps operations.

02

Organization:   Confidential Jersey City Web Services
Industry:   B2B Web Services
Size:  3,000+ employees
Environment:   SaaS and Public IaaS Cloud (Google Cloud Platform)
Summary:

The client's CIO and CISO wanted a plan to implement DevSecOps and CI/CD best practices. The technology department believed security was the cause of long delivery times, while the CISO was concerned about the lack of best practices.

  • The company had a security department of 30+ staff at a moderate maturity level.
Actions:
Within 8 weeks we reviewed the current security posture and capabilities and combined IT, DevOps, and security solutions into a plan to greatly increase the client's DevSecOps capabilities.
  • Proposed new DevOps, testing, and change management processes.
  • Demonstrated how security could be improved within the CI/CD process through additional tools and process changes.
  • Recommended GCP's Security Command Center and LogRhythm NextGen SIEM to improve anomaly detection and alerting.
  • Recommended a combination of GCP's security scanner and Veracode services to improve the discovery and remediation of defects.
  • Planned the use of Google Cloud solutions for DevSecOps to improve visibility into the development process, feeding the results into dashboards in GCP and LogRhythm.
  • Proposed the GCP AACTT threat modeling tool for use within the client's change management and security review process.
  • Recommended GCP Cloud Build to manage the CI/CD process, including static (SAST) and dynamic (DAST) testing of code.
  • Follow-up ten months after engagement – client implemented our plan and was satisfied with results
Copyrights  2020 by CyberSEC Geek, Inc. All Rights reserved