
DevOps to DevSecOps: Enhancing Software Security Throughout The Development Lifecycle

Anowar Hossain, Software Engineer

🔐 Title: DevOps to DevSecOps: Enhancing Software Security Throughout The Development Lifecycle

🚀 Description: Embark on a transformative journey from DevOps to DevSecOps with my presentation at the Developers Conference 2023 in Dhaka. Explore the paradigm shift towards achieving "Secure by Default" in software development and uncover key benefits that fortify your applications. Learn about essential methodologies like SAST, DAST, IAST, SCA, and discover powerful tooling to seamlessly integrate security into your development pipeline.

🌐 Key Takeaways:
• Strive for "Secure by Default": Strategies to make security an inherent part of your development ethos.
• Key Benefits Unveiled: Unlock the advantages of a security-centric approach throughout the software development lifecycle.
• Methodologies Demystified: Dive into the world of SAST, DAST, IAST, and SCA, understanding how each contributes to a robust security posture.
• Pipeline Integration Strategies: Practical insights into incorporating security measures directly into your development pipeline.

👩‍💻 Who Should Watch: Software developers, DevOps engineers, security professionals, and enthusiasts eager to cultivate a security-first mindset in software development.

🔗 Link to Presentation: https://www.slideshare.net/Anowarcst/devopstodevsecops-enhancing-software-security-throughout-the-development-lifecycle

🚀 #DevOps #DevSecOps #SecureByDefault #SAST #DAST #PipelineSecurity #DevelopersConference2023 #Security


1. DevOps to DevSecOps: Enhancing Software Security Throughout The Development Lifecycle

2. ANOWAR HOSSAIN
   Lead Engineer & Solutions Architect, Brain Station 23
   • AWS Certified Solutions Architect
   • Lead Backend Developer
   • DevOps/DevSecOps Enthusiast
   • Building blocks with Python, Go & Terraform for serverless and microservice architecture
   • Highly concerned about Scaling and Security

3. Agenda
   • DevOps in Action
   • Challenges of DevOps
   • DevSecOps in Action
   • DevSecOps Methodology
   • DevSecOps Pipeline

4. DevOps
   • A set of practices
   • Integrating development and IT operations
   • The goal of DevOps:
     • Release quickly
     • Improving collaboration and communication
     • Delivering high-quality software faster and efficiently

5. DevOps in Action

6. What we missed?

8. When do we do the security test?

10. Impact?
   • Back and forth
   • Incomplete
   • Rush
   • Disrupt business operations
   • Limited scope

12. Challenges of DevOps
   • Inadequate access control
   • Lack of security testing
   • Lack of infrastructure-related security practices
   • Insufficient security monitoring
   • Third-party vulnerabilities
   • Increased testing and remediation costs
   • Delayed delivery

14. DevSecOps
   • Development, security, and operations
   • Integration of security into the SDLC
   • Continuous delivery and deployment of secure software

15. DevSecOps: Strive for "Secure by Default"
   • Integrate security via tools
   • Create a Security as Code culture
   • Implement automated security processes

16. DevOps to DevSecOps
   • Integration of security tasks with DevOps
   • Shifting security to the "left"
   • Prioritizing security from the design phase

17. Benefits
   Key benefits of DevSecOps:
   • Faster delivery
   • Improved security posture
   • Reduced costs
   • Increased traceability
   • Compliance

18. Methodology
   Tools we use mostly:
   • Secret Scanning & Management
   • Static Analysis Security Testing (SAST)
   • Dynamic Analysis Security Testing (DAST)
   • Interactive Application Security Testing (IAST)
   • Software Composition Analysis (SCA)
   • Security in Infrastructure as Code
   • Vulnerability Management
   • Alert and Monitoring in Security
19. Secret Scanning & Management
   Integrate security into the development process:
   • Access security hardening
   • Secret management
   • Adopting Role-Based Access Control
   • Ensuring private cloud security
   • Container security scanning
   Tools:
   • GitHub Secrets
   • AWS Secrets Manager
   • Azure Key Vault
   • HashiCorp Vault
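The secret-scanning step above is what a pre-commit or pipeline hook actually does: it looks at the lines a change adds and refuses credentials before they reach the repository. The example below is added here and is not code from the slides or from the tools they list; the diff, the pattern set and the 3.5-bit entropy cut-off are constructed assumptions for the demo (the AKIA value is AWS's documented example key).

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Known credential shapes; extending this table is the usual way to grow the check.
KNOWN_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}
# name = "value" where the name looks secret-ish; the value's entropy decides.
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|token|api_?key)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed cut-off, tune per repository
PLACEHOLDERS = {"changeme", "example", "placeholder", "dummy", "xxxxxxxx"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    snippet: str


def shannon_entropy(s: str) -> float:
    """Bits per character: random 30-char tokens score near 5, English words near 3."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_diff(diff: str) -> list[Finding]:
    """Scan only the added lines of a unified diff so existing code is not re-flagged."""
    findings: list[Finding] = []
    path, lineno = "?", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            # "@@ -a,b +c,d @@": the first added/context line is line c of the new file
            lineno = int(re.search(r"\+(\d+)", raw).group(1)) - 1
        elif raw.startswith("+"):
            lineno += 1
            line = raw[1:]
            for rule, pat in KNOWN_PATTERNS.items():
                if pat.search(line):
                    findings.append(Finding(path, lineno, rule, line.strip()))
            m = ASSIGNMENT.search(line)
            if m:
                value = m.group(2)
                if value.lower() not in PLACEHOLDERS and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                    findings.append(Finding(path, lineno, "high-entropy-secret", line.strip()))
        elif not raw.startswith("-"):
            lineno += 1  # unchanged context line
    return findings


def gate(diff: str) -> bool:
    """True when the diff is clean; a hook would exit non-zero otherwise."""
    return not scan_diff(diff)


# Constructed diff for the demo: one real-looking key, one placeholder, one random token.
SAMPLE_DIFF = """\
diff --git a/app/settings.py b/app/settings.py
--- a/app/settings.py
+++ b/app/settings.py
@@ -1,3 +1,6 @@
 import os
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "changeme"
+API_TOKEN = "q9Zr4Lx2Vb8Kp1Ms7Tn0Yw5Hd3Jc6Fg"
 DEBUG = False
"""
```

`scan_diff(SAMPLE_DIFF)` reports the AWS key on line 2 and the random token on line 4, while the placeholder on line 3 passes; feed it `git diff --cached` output to use it as a pre-commit gate.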
20. SAST (Static analysis software testing)
   • White box testing using automated tools
   • Reviewing code
   • Needs manual oversight
   Tools:
   • SonarQube
   • GitLab SAST tools
   • Jit.io

21. DAST (Dynamic analysis software testing)
   • Black box testing using automated tools
   • Can send a variety of requests to the web application
   • Does not require access to the source code
   • Interacts with the application and finds vulnerabilities
   Tools:
   • Detectify
   • Acunetix
   • Burp Suite
   • Metasploit

22. IAST (Interactive analysis software testing)
   • Real-time analysis of threats in the build and at runtime
   • Also helps the developer fix these issues, since it scans the source code while it is running
   Tools:
   • Bandit by Jit.io
   • Invicti

23. SCA (Software Composition Analysis)
   • Manage and secure open source and third-party software components
   • Assists organizations with:
     • Dependency scanning
     • Vulnerability scanning
     • License compliance analysis
     • Reporting
   Tools:
   • Black Duck
   • WhiteSource
24. Security in Infrastructure as Code (IaC)
   IaC allows you:
   • To document and version the infrastructure
   • To audit the infrastructure
   Tools:
   • Terraform
   • Ansible
   • Chef
   • Puppet
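Because the infrastructure is code, the audit the slide mentions can run on the Terraform plan before anything is applied. The example below is added here and is not from the slides or from Terraform itself; it reads the `resource_changes` list of `terraform show -json` output and applies two constructed policies (no admin port open to the world in an `aws_security_group`, no public or unencrypted `aws_db_instance`). The plan document is constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Violation:
    address: str   # Terraform resource address, e.g. aws_security_group.bastion
    policy: str
    detail: str


ADMIN_PORTS = {22, 3389}  # assumed "never from the internet" ports for this policy


def _is_world_open(cidr: str) -> bool:
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0  # 0.0.0.0/0 or ::/0
    except ValueError:
        return False


def check_security_group(addr: str, after: dict) -> list[Violation]:
    out = []
    for rule in after.get("ingress") or []:
        cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
        if not any(_is_world_open(c) for c in cidrs):
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        all_ports = rule.get("protocol") == "-1" or (lo == 0 and hi == 0)
        if all_ports or any(lo <= p <= hi for p in ADMIN_PORTS):
            out.append(Violation(addr, "sg-world-open-admin", f"ingress {lo}-{hi} from {cidrs}"))
    return out


def check_db_instance(addr: str, after: dict) -> list[Violation]:
    out = []
    if after.get("publicly_accessible"):
        out.append(Violation(addr, "rds-public", "publicly_accessible = true"))
    if not after.get("storage_encrypted"):
        out.append(Violation(addr, "rds-unencrypted", "storage_encrypted is not true"))
    return out


CHECKS = {"aws_security_group": check_security_group, "aws_db_instance": check_db_instance}


def audit_plan(plan: dict) -> list[Violation]:
    """Evaluate the post-apply state ("after") of every resource the plan will create or change."""
    violations: list[Violation] = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if "delete" in actions and "create" not in actions:
            continue  # resource will not exist after apply; nothing to audit
        check = CHECKS.get(rc.get("type"))
        if check:
            violations.extend(check(rc["address"], change.get("after") or {}))
    return violations


# Constructed plan: one SG with SSH open to the world, one internal-only SG,
# one public unencrypted database, and one database being destroyed.
SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [
    {"address": "aws_security_group.bastion", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
         {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
         {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_security_group.app", "type": "aws_security_group",
     "change": {"actions": ["update"], "after": {"ingress": [
         {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}}},
    {"address": "aws_db_instance.main", "type": "aws_db_instance",
     "change": {"actions": ["create"], "after": {"publicly_accessible": True, "storage_encrypted": False}}},
    {"address": "aws_db_instance.old", "type": "aws_db_instance",
     "change": {"actions": ["delete"], "after": None}},
]}
```

A pipeline step would load the real plan JSON and fail the job whenever `audit_plan` returns anything; HTTPS open to the world passes here because only admin ports are in scope.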
25. Vulnerability Management
   • A central dashboard is required to normalize the data
   • Integrated with the bug tracking system
   Tools:
   • Grafana
   • Detectify
   • DefectDojo
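Normalizing is the hard part of the central dashboard on this slide and the methodology list on slide 18: each scanner emits its own format and severity scale, and re-runs must update findings rather than open duplicate tickets. The example below is added here and is not code from the slides or from any of the listed tools; it maps a SARIF 2.1.0 result set (the format most SAST tools can emit) and a constructed SCA report into one schema, de-duplicates by fingerprint, and gates the build. Rule and advisory ids in the sample data are placeholders.

```python
import hashlib
import json
from dataclasses import asdict, dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
SARIF_LEVEL = {"error": "high", "warning": "medium", "note": "low", "none": "info"}


@dataclass(frozen=True)
class Finding:
    source: str       # scanner that produced it
    rule: str         # rule id or advisory id
    severity: str     # normalised to a SEVERITY_RANK key
    location: str     # "file:line" for SAST, "package==version" for SCA
    title: str
    fingerprint: str  # stable id so re-runs update rather than duplicate tickets


def make(source, rule, severity, location, title) -> Finding:
    fp = hashlib.sha256(f"{source}|{rule}|{location}".encode()).hexdigest()[:16]
    return Finding(source, rule, severity, location, title, fp)


def from_sarif(doc: dict) -> list[Finding]:
    """SARIF 2.1.0 results -> common schema (first location only, as dashboards usually do)."""
    out = []
    for run in doc.get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for r in run.get("results", []):
            loc = r["locations"][0]["physicalLocation"]
            where = f"{loc['artifactLocation']['uri']}:{loc['region']['startLine']}"
            sev = SARIF_LEVEL.get(r.get("level", "warning"), "medium")
            out.append(make(tool, r["ruleId"], sev, where, r["message"]["text"]))
    return out


def from_sca(doc: dict) -> list[Finding]:
    """Constructed SCA report shape: scanner name plus a list of vulnerable packages."""
    return [make(doc["scanner"], v["id"], v["severity"].lower(),
                 f"{v['package']}=={v['version']}", f"{v['id']}: upgrade to {v['fixed_in']}")
            for v in doc["vulnerabilities"]]


def normalise(*batches: list[Finding]) -> list[Finding]:
    """Merge scanner outputs, drop duplicates by fingerprint, keep the worst severity."""
    seen: dict[str, Finding] = {}
    for f in (f for batch in batches for f in batch):
        prev = seen.get(f.fingerprint)
        if prev is None or SEVERITY_RANK[f.severity] > SEVERITY_RANK[prev.severity]:
            seen[f.fingerprint] = f
    return sorted(seen.values(), key=lambda f: (-SEVERITY_RANK[f.severity], f.location))


def gate(findings: list[Finding], fail_at: str = "high") -> tuple[bool, list[Finding]]:
    """Pipeline gate: passes only when nothing at or above fail_at remains."""
    blocking = [f for f in findings if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_at]]
    return not blocking, blocking


def dashboard_json(findings: list[Finding]) -> str:
    """Rows in the single shape a dashboard or bug-tracker import expects."""
    return json.dumps([asdict(f) for f in findings], indent=2)


# Constructed reports; the same SAST issue appears twice to show de-duplication.
_SQLI = {"ruleId": "py.sqli", "level": "error", "message": {"text": "SQL built from user input"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                             "region": {"startLine": 42}}}]}
_DEBUG = {"ruleId": "py.debug", "level": "note", "message": {"text": "DEBUG enabled"},
          "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/settings.py"},
                                              "region": {"startLine": 7}}}]}
SAST_REPORT = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "sast-demo"}},
                                              "results": [_SQLI, dict(_SQLI), _DEBUG]}]}
SCA_REPORT = {"scanner": "sca-demo", "vulnerabilities": [
    {"package": "requests", "version": "2.19.0", "id": "ADV-0001", "severity": "High", "fixed_in": "2.20.0"},
    {"package": "jinja2", "version": "2.10", "id": "ADV-0002", "severity": "Medium", "fixed_in": "2.10.1"}]}
```

`normalise(from_sarif(SAST_REPORT), from_sca(SCA_REPORT))` yields four findings (two high, one medium, one low), so `gate()` at the default "high" threshold blocks the build while a "critical" threshold lets it through.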
26. Alert and monitoring
   • Detect, mitigate and maintain continuous security
   • What and where we need to improve
   Tools:
   • Grafana
   • Prometheus
   • Kibana

27. Who will ensure the security?

32. Q&A?

34. SOCIAL MEDIA LINKS
   • Website: anowar.dev
   • Email: anowar.cst@gmail.com
   • https://www.linkedin.com/in/anowarcst
   • https://www.facebook.com/Anowar.cst