
Automating Security with DevSecOps
DJ Schleen, DevSecOps Evangelist and Security Architect
March 20, 2018

©2018 CVS Health and/or one of its affiliates


Disclaimer

Portions of this presentation are discussions from “Heritage Aetna”, and do not necessarily reflect the views of CVS
Health or its affiliates.



About CVS Health

At a Glance
HEADQUARTERS – WOONSOCKET, RI
• Revenues $54.3b (Q4 2018)
• 9900+ Retail Locations in 49 States, the District of Columbia, Puerto Rico, and Brazil
• 22M medical benefit members
• 295K+ colleagues
• 5M customers per day
• Acquisition of Aetna completed November 28, 2018



Three Pillars – The Core of DevSecOps


Culture

Technique

Tools
Security Controls



OSSM – Open Source Software Management


[Chart residue: y-axis scale 550 to 1550; x-axis by month, May 2016 to Dec 2018. The plotted series did not survive extraction.]
Visibility.



CVA – Container Vulnerability Analysis


Don't pin versions.

DON'T DO IT


Know your Enemy


DAST – Dynamic Analysis and Security Testing


SAST – Static Analysis and Security Testing


Integrating Technology



MASTER



[Pipeline diagram residue; only the labels survived extraction.]

Delivery stages: Work Item → Architecture → Design → Development → Code (SCM) → Build → Packaging → Automated Tests → Acceptance → Staging → Release → Application

Security activities along the pipeline: Product Owner, Change, Threat Model, ALM, Infrastructure, Unit Testing, OSSM, SAST, Binary Scramble, Container Vulnerability Scanning, Registry, DAST (continuous), Ethical Hacking, RASP, Container Cycling

Duration: Minutes to Hours

Information Gathering: Constant – Vulnerability Data Analysis and Consolidation, SOC, Security Modeling

@djschleen
Measure. Everything.



• Module Score (750–1000)
• Defect Density (< 0.006) – Value???
• % of Security Related Work Items (< 15%)
• Security Build Time Delay (< 5 min execution)
• Security Failed Builds / Security Drag (< 5%)
• Security Defect Escape Rate (< 10%)


Challenges



"Don't be afraid to fail. Don't
waste energy trying to cover up
failure. Learn from your failures
and go on to the next challenge.
It's OK to fail. If you're not failing,
you're not growing."

H. Stanley Judd



Thank You
DJ Schleen
DevSecOps Evangelist and Security Architect
Integrated Global Security and Resilience

@djschleen
