7 DevSecOps Best Practices from a Government CISO

Wrap Up from Synack’s Government User Group and Speakeasy

(Note: Includes Recipes for DDoS Daiquiri, Whie Hat Negroni, a Trusted Old Fashioned, Synack Gin Thyme Gimlet!)

Synack has conducted crowdsourced pentesting on over 20 government agencies since kicking off its first programs at Hack the Pentagon and IRS 4 years ago. If there is anything we’ve learned from these engagements over the last 4 years, it’s that the most effective and efficient tests include stakeholders from various departments well beyond the security team. Synack provides a high level of control through a secure VPN gateway for testing, strict confidentiality, and the ability to stop testing at any time — all strong selling points for other internal stakeholders. Synack held its User Group & Speakeasy as a way to consult with various groups that interact with Synack’s products and provide some fun time to let loose for the adventurous bartender in all of us!

During the event, a CISO from a government agency spoke alongside Jeremiah Roe, a Synack Solutions Architect. Together they shared a number of high level insights regarding the importance of security teams working closely with development and operations teams specifically when it comes to pentesting. We put our own spin on how crowdsourced pentesting technology has been critical to that DevSecOps journey by providing not just vulnerabilities, but remediation guidance and a re-test capability. 

7 Best Practices for DevSecOps

1. Build a partnership between the teams – Security teams should not be on an island. They need to work closely with development and operation to be effective. When scheduling meetings, or training on new security products, make sure to include development and operations teams! The security team is an important part of the puzzle, but often aren’t the ones overseeing the remediation, a critical part of the process. Be inclusive with your development and system stakeholders (build ownership)!
2. Have a plan and strategy for where to start; start small with easy wins, don’t over engineer/complicate – Pentesting is too often used as a check box for compliance, but it can be a great tactic for achieving your strategic objectives in DevSecOps. Whether you’re working to improve resiliency in case of an attack, or develop stronger foundational engineering practices, you can use a crowdsourced pentest to help achieve your teams’ goals.
3. Build value for the business and show how Sec can help Dev and Ops with: CIA, regulatory/compliance, certifications, etc. – Synack can help security teams guide operations and engineering toward their compliance objectives and save valuable time. Synack offers OWASP and NIST 800-53 checklists in its Certify offering. Another way the Sec team can contribute is through training on secure development. Many developers and operations team members may not have a skillset in security. Whether that means tracking remediation through Synack’s portal and correlating it to developers’ performance, or helping to train other teams in key foundational principles, continuous improvement is important.
4. Use a Crowdsouced Security Platform as a single source of truth (tools can only do so much) – Third-party crowdsourced pentesting can help illuminate your attack surface, provide an objective perspective rather than a perspective with ulterior motives (i.e. vendors pentesting themselves/developers checking their own code), and help to check cloud configurations.
5. Leverage insights to drive prioritization – Prioritization is a key part of the puzzle. Often, companies are hesitant to test for fear that they don’t have the development or operational resources to patch, but even having the knowledge of where you are vulnerable will help you to prioritize. Often companies will start with critical or high vulns and allocate resources there before patching medium and low vulns. Synack has a number of features that customers can use, including the Attacker Resistance Score (ARS), Coverage, and SmartScan that can be used to get actionable insights. When investing in tools, it’s important to make sure that your team is fully briefed and ready to make sure operations, security, and development are all bought into it.
6. Know the environment – Culturally integrate within your organization, processes, and software development lifecycles – We’ve all seen images of software development lifecycles and understand the importance of security by design. Part of this is automating where feasible. Human talent is limited especially in development and security. In order to scale fully, third party platforms are needed to help surface and manage vulnerabilities. Synack’s integrations, such as ones with Jira and ServiceNow, can help make security and developer communication on remediation much easier.
7. Extrapolate historical data to track progress – analytics driven results – One thing that Synack’s platform does very well is project real-time analytics. Synack offers stats on vulnerability count, remediation timeframes, and patch efficacy among many other things. This helps teams understand and learn from failings – accept failure as there is no growth without it (success can breed complacency). Encourage your team to take risks and to admit when it doesn’t pan out. Whether it’s trying a new feature like Synack’s Missions (discrete tests), a patch that fails a “re-test,” or a new workflow, taking risks needs to be a part of the culture!

We hope these principles and list of best practices demonstrate how a crowdsourced pentest can be seamlessly integrated into your DevSecOps strategy. 

4 Drinks Recipes from the “Speakeasy” Component of the Meeting 

As a bonus, we wanted to include some drink recipes from our Government User Group & Speakeasy session. Tiffany Mai Tran, a bartender at the infamous Ice House in Minneapolis was kind enough to do a cocktail making class to help take the edge off at the end of our Government User Group & Speakeasy.

Tiffany Mai Tran

Bartender, Ice House

Tools we used:

Jigger

Shaker tin

Strainer 

Bar spoon

Stir glass

Y peeler 

DDoS Daiquiri

1.5 oz White rum

3/4 oz Agave or simple syrup

3/4 oz Lime juice

1. Fill shaker tin with ice (about 7 cubes)
2. Add all ingredients above into small tin 
3. Secure your tin tightly and shake until your bottom supporting hand feels extremely cold 
4. Open top and strain into a coupe 

Trusted Old Fashioned 

2oz Whiskey

1/4oz maple syrup

Couple drops or 1/4 tsp of vanilla extract 

7-10 dashes Angostura bitters 

Orange peel (garnish)

1. Fill stir glass with ice (about 4-5 cubes) and all ingredients listed above except garnish
2. Stir in stir glass with bar spoon until ice is diluted and fully submerged in mixture
3. Strain over a large rock or loose ice in a low ball glass. Be sure to evenly distribute mixture over ice 
4. Take bar spoon and sir mixture with the large rock a few rounds
5. cut about 3 inch orange peel and express oil over ice (pinch peel into a taco shape)
6. Rub peel on the inside and outside lip of the glass
7. stir large rock with peel a few rounds and set in glass as garnish

White Hat Negroni

1 1/2oz Gin

3/4 oz Suze 

1oz Dry Vermouth 

Lemon peel or twist (garnish) 

1. Fill stir glass with ice (about 4-5 cubes) and all ingredients listed above except garnish
2. Stir in stir glass with bar spoon until ice is diluted and fully submerged in mixture
3. Strain over a large rock in a low ball glass. Be sure to evenly distribute mixture over large rock
4. Take bar spoon and sir mixture with the large rock a few rounds
5. cut about 3 inch lemon peel or twist and express oil over ice (pinch peel into a taco shape)
6. Rub peel on the inside and outside lip of the glass
7. Stir large rock with peel a few rounds and set in glass as garnish

Synack Gin Thyme Gimlet

1 1/2oz Gin

3/4oz Lime juice

3/4oz Agave or simple syrup

Thyme (garnish)

1. Fill shaker tin with ice (about 5 cubes)
2. Add all ingredients above except garnish
3. Secure your top and lip tightly and shake until your bottom supporting hand feels extremely cold 
4. Open top and strain into low ball glass 
5. Take thyme and slap between hands 
6. Rub thyme on the inside and outside lip of glass. Use as garnish 

Simple Syrup  

Equal parts water and sugar

Something for the adventurous bartender:

Make the simple syrup and add fresh herbs while still hot to infuse. Rosemary, ginger, and mint are favorites to make. You can store them in glass mason jars in the fridge or these bottles. Infused simple syrups can last in the fridge about 10-14 days