A little security goes a long way in DevOps culture

How can we help Security professionals free up time to address more emerging threats? DevOps may be an answer!

Published in: Technology
1. WHO IS RESPONSIBLE FOR SECURITY?

2. "According to … NIST, the average IT security professional is doing the work of roughly seven people"
   Source: https://blog.barracuda.com/2017/08/11/nist-report-helps-explain-why-most-cybersecurity-professionals-are-so-insecure/

3. OR . . . How I stopped worrying and learned to love the automation...
   A Little Security Goes A Long Way In DevOps Culture
   Deven Phillips, Senior Consulting Engineer, @infosec812

4. Let me tell you a story: This is Anne, and she's the information security manager at BigCorp. Anne is REALLY smart. She knows network security, disaster recovery, application security, desktop security, understands different threat vectors, and even does some security research when she has time. The problem is that Anne doesn't really HAVE much time. She's too busy dealing with problems. Anne is so overwhelmed handling her workload that she cannot even think about emerging threats or scaling the company. This is probably why Anne gets frustrated when developers and engineers ask her if they can use some new library or tool. She doesn't have time to evaluate it! NO! But like I said, Anne is smart… and she has an idea!

5. DevOps: Or Better Yet, AllTheThings

6. Where To Begin?

7. Oh no! How do I scale this?

8. Am I A Rock Star?

9. There's A Breach!

10. Lessons Learned: Integrating security into automation is not going to solve all of the problems. It IS, however, going to reduce the frequency and severity of those problems.

11. Lessons Learned: This story is just fiction, but the ideas and practices are real: an amalgamation of real-life work we have been doing with customers for the last 2 years at Open Innovation Labs.

12. Practical Examples:
13. Application Development Security: OWASP Dependency Check

```xml
<!-- OWASP dependency-check-maven: checks declared dependencies against known CVEs -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>5.0.0-M3</version>
  <configuration>
    <!-- Fail the build on any unsuppressed CVE scoring 8 or higher.
         Caveat: CVSS v3 rates 7.0 to 8.9 as High, so 8 still lets some
         High findings through; use 7 to fail on everything rated High. -->
    <failBuildOnCVSS>8</failBuildOnCVSS>
    <!-- Reviewed false positives and accepted risks live in source control
         next to the code, so every suppression is visible in the PR -->
    <suppressionFile>project-suppression.xml</suppressionFile>
  </configuration>
  <executions>
    <execution>
      <!-- Not bound to a lifecycle phase: the pipeline runs it as its own
           stage with "mvn dependency-check:check" -->
      <phase>none</phase>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```
14. Application Development Security: NPM Audit

```sh
npm install --save-dev npm-audit-ci-wrapper
```

```json
// package.json
{
  "name": "my-frontend",
  // … SNIP …
  "scripts": {
    "audit": "npm-audit-ci-wrapper -t high --ignore-dev-dependencies --whitelist left-pad"
  }
  // … SNIP …
}
```

   The pipeline runs `npm run audit`; the wrapper exits non-zero when an advisory at or above the `-t high` threshold remains after dev-only dependencies and the whitelisted module are discarded, which is what fails the build. Keep the whitelist short and reviewed: every name on it is a known advisory you have chosen to ship with.
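The two slides above configure the same gate in two tools: a severity threshold, a way to accept specific findings, and (for npm) a way to ignore dev-only dependencies. The script below is an added example, not code from the deck or from either tool, that writes that gate out explicitly over both report formats. It assumes dependency-check's JSON report layout (`dependencies[].vulnerabilities[]` with `cvssv3.baseScore` or `cvssv2.score`) and npm 6's `npm audit --json` layout (`advisories{}` with `findings[].dev`); the two sample reports, the `CVE-EXAMPLE-*` identifiers and the module names are constructed placeholders.

```python
"""Build gate over dependency-scanner reports (added example, not from the slides).

Report shapes assumed: dependency-check JSON report and npm 6 "npm audit --json".
All identifiers in the sample data are constructed placeholders, not real CVEs.
"""
import json

NPM_LEVELS = ["info", "low", "moderate", "high", "critical"]


def dependency_check_findings(report):
    """Flatten a dependency-check report to (dependency file, vuln id, cvss score)."""
    found = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            # Prefer the CVSS v3 base score; older NVD entries only carry v2.
            score = (vuln.get("cvssv3") or {}).get("baseScore")
            if score is None:
                score = (vuln.get("cvssv2") or {}).get("score", 0.0)
            found.append((dep.get("fileName", "?"), vuln["name"], float(score)))
    return found


def gate_dependency_check(report, fail_on_cvss=7.0, suppressed=()):
    """Equivalent of failBuildOnCVSS plus a suppression list of vuln ids.
    Returns the findings that should fail the build."""
    return [f for f in dependency_check_findings(report)
            if f[2] >= fail_on_cvss and f[1] not in suppressed]


def gate_npm_audit(report, threshold="high", ignore_dev=False, whitelist=()):
    """Equivalent of npm-audit-ci-wrapper -t / --ignore-dev-dependencies /
    --whitelist.  Returns (module, advisory id, severity) for failing advisories."""
    floor = NPM_LEVELS.index(threshold)
    failing = []
    for adv in report.get("advisories", {}).values():
        if adv["module_name"] in whitelist:
            continue
        if NPM_LEVELS.index(adv["severity"]) < floor:
            continue
        findings = adv.get("findings", [])
        # Skip only when every path to the module goes through a devDependency.
        if ignore_dev and findings and all(f.get("dev", False) for f in findings):
            continue
        failing.append((adv["module_name"], adv["id"], adv["severity"]))
    return failing


# Constructed dependency-check report; the ids are placeholders, not real CVEs.
DC_REPORT = json.loads("""{
  "dependencies": [
    {"fileName": "lib-a.jar", "vulnerabilities": [
      {"name": "CVE-EXAMPLE-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
      {"name": "CVE-EXAMPLE-0002", "severity": "HIGH", "cvssv3": {"baseScore": 7.5}}]},
    {"fileName": "lib-b.jar", "vulnerabilities": [
      {"name": "CVE-EXAMPLE-0003", "severity": "MEDIUM", "cvssv2": {"score": 5.0}}]}
  ]}""")

# Constructed npm 6 audit output; advisory numbers and modules are placeholders.
NPM_REPORT = json.loads("""{
  "advisories": {
    "1": {"id": 1, "module_name": "example-a", "severity": "high",
          "findings": [{"version": "1.0.0", "dev": false}]},
    "2": {"id": 2, "module_name": "example-b", "severity": "moderate",
          "findings": [{"version": "2.1.0", "dev": false}]},
    "3": {"id": 3, "module_name": "example-dev-tool", "severity": "critical",
          "findings": [{"version": "0.9.0", "dev": true}]}
  }}""")


if __name__ == "__main__":
    # Same data, the deck's threshold of 8 versus the CVSS v3 "High" floor of 7.
    for threshold in (8.0, 7.0):
        print("failBuildOnCVSS", threshold, gate_dependency_check(DC_REPORT, threshold))
    print(gate_npm_audit(NPM_REPORT, "high", ignore_dev=True, whitelist=("example-a",)))
```

Running it with `failBuildOnCVSS` at 8 and then at 7 on the same constructed report shows the caveat from slide 13: the 7.5 finding, which CVSS v3 rates High, passes at 8 and fails at 7. The npm gate likewise shows why `--ignore-dev-dependencies` needs care: a critical advisory is dropped purely because it is reachable only through a devDependency.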
15. Application Development Security: SonarQube

```xml
<!-- sonarqube scanner plugin for Maven -->
<plugin>
  <groupId>org.sonarsource.scanner.maven</groupId>
  <artifactId>sonar-maven-plugin</artifactId>
  <version>3.6.0.1398</version>
</plugin>
```

   For NPM:

```sh
npm install --save-dev sonar-scanner
```

```json
// package.json
{
  "name": "my-js-app",
  // … SNIP …
  "scripts": {
    "sonar": "sonar-scanner -Dsonar.projectVersion=$npm_package_version -Dsonar.login=$(cat ~/.sonar-token) -Dsonar.host.url=${SONAR_HOST}"
  }
  // … SNIP …
}
```

   npm exports the package.json fields to scripts as `npm_package_*` variables, so `$npm_package_version` picks up the version without the pipeline having to export a `version` variable of its own. Two caveats for the token: `$(cat ~/.sonar-token)` puts it on the scanner's command line, where anyone who can list processes on the build agent can read it, and a file in the agent's home directory is shared by every job that runs there. Inject it from the CI server's credential store instead and scope it to the project.
16. Application Development Security: OWASP Zed Attack Proxy

```xml
<!-- Maven Failsafe Plugin: run the integration tests through the ZAP proxy -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-failsafe-plugin</artifactId>
  <configuration>
    <skipITs>${skip.integration.tests}</skipITs>
    <!-- JVM proxy settings for the forked test JVM: every HTTP request the
         tests make is recorded and passively scanned by ZAP -->
    <argLine>-Dhttp.proxyHost=zap-daemon -Dhttp.proxyPort=9080</argLine>
  </configuration>
</plugin>
```

```sh
# Start a new session (the hostname "zap" is answered by the proxy itself)
curl -x zap-daemon:9080 "http://zap/JSON/core/action/newSession/?name=${APP_NAME}-${BUILD_ID}&overwrite=true"
# Get the Report
curl -v -o ./zap-report.html -x zap-daemon:9080 -s -k http://zap/OTHER/core/other/htmlreport
# Get the report in JSON format
curl -x zap-daemon:9080 -s -k http://zap/OTHER/core/other/jsonreport
```

   Three things to check before copying this: `http.proxyHost` only covers plain HTTP, so tests that hit an HTTPS endpoint also need `https.proxyHost`/`https.proxyPort` and must trust ZAP's root CA; ZAP rejects API calls without an `apikey` parameter unless the daemon was started with the key disabled (`-config api.disablekey=true`), which is only acceptable when nothing but the build can reach the daemon; and a new session per build (`${APP_NAME}-${BUILD_ID}`) is what keeps one job's findings from leaking into another's report.
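The slide shows the session and report calls but not the scan in between, nor how the build decides to fail. The script below is an added example, not code from the deck, that drives the same ZAP daemon through the same proxy (`zap-daemon:9080`, API reached as `http://zap/`) from a build step: new session, spider, active scan with polling, then a gate on alert risk. The `ZAP_API_KEY` variable is an assumption, and the `FakeZap` class plus `SAMPLE_ALERTS` are constructed stand-ins so the example runs without a daemon.

```python
"""Drive OWASP ZAP from CI and gate on alert risk (added example, not from the slides).

Assumes the ZAP daemon is an HTTP proxy at zap-daemon:9080 that answers API
calls for the hostname "zap" (as in the talk).  ZAP_API_KEY and FakeZap are
assumptions/constructed for this example.
"""
import json
import os
import time
import urllib.parse
import urllib.request

ZAP_PROXY = os.environ.get("ZAP_PROXY", "zap-daemon:9080")  # assumption
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def zap_fetch(path, params):
    """Call one ZAP API endpoint through the proxy and decode its JSON."""
    query = dict(params, apikey=os.environ.get("ZAP_API_KEY", ""))  # assumption
    url = "http://zap" + path + "?" + urllib.parse.urlencode(query)
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": "http://" + ZAP_PROXY}))
    with opener.open(url, timeout=60) as resp:
        return json.loads(resp.read().decode("utf-8"))


def wait_for_scan(fetch, status_path, scan_id, poll_seconds):
    """Poll a spider/ascan status view until ZAP reports 100 (finished)."""
    while int(fetch(status_path, {"scanId": scan_id})["status"]) < 100:
        time.sleep(poll_seconds)


def scan_and_gate(target, session, max_risk=2, fetch=zap_fetch, poll_seconds=2):
    """Fresh session -> spider -> active scan -> alerts above max_risk.

    max_risk=2 tolerates Medium; any High alert (riskcode 3) fails the build.
    Returns the failing alerts so the caller can exit non-zero."""
    fetch("/JSON/core/action/newSession/", {"name": session, "overwrite": "true"})
    spider = fetch("/JSON/spider/action/scan/", {"url": target, "recurse": "true"})
    wait_for_scan(fetch, "/JSON/spider/view/status/", spider["scan"], poll_seconds)
    ascan = fetch("/JSON/ascan/action/scan/", {"url": target, "recurse": "true"})
    wait_for_scan(fetch, "/JSON/ascan/view/status/", ascan["scan"], poll_seconds)
    alerts = fetch("/JSON/core/view/alerts/", {"baseurl": target})["alerts"]
    return [a for a in alerts if int(a["riskcode"]) > max_risk]


class FakeZap:
    """Constructed stand-in for the daemon so the example runs offline.
    Responses mirror ZAP's JSON shapes; a scan reports 100 on its 2nd poll."""

    def __init__(self, alerts):
        self.alerts, self.calls, self.polls = alerts, [], {}

    def __call__(self, path, params):
        self.calls.append(path)
        if path.endswith("/action/newSession/"):
            return {"Result": "OK"}
        if path.endswith("/action/scan/"):
            return {"scan": "0"}
        if path.endswith("/view/status/"):
            self.polls[path] = self.polls.get(path, 0) + 1
            return {"status": "100" if self.polls[path] >= 2 else "50"}
        if path.endswith("/view/alerts/"):
            return {"alerts": self.alerts}
        raise ValueError("unexpected endpoint " + path)


# Constructed alerts in ZAP's alert shape; names and URLs are placeholders.
SAMPLE_ALERTS = [
    {"alert": "Example missing header", "riskcode": "1", "url": "http://app/"},
    {"alert": "Example reflected input", "riskcode": "3", "url": "http://app/search"},
]


def demo():
    """Run the whole exchange against the fake daemon; returns (failing, call log)."""
    fake = FakeZap(SAMPLE_ALERTS)
    return scan_and_gate("http://app/", "app-42", fetch=fake, poll_seconds=0), fake.calls


if __name__ == "__main__":
    failing, _ = demo()
    for a in failing:
        print(RISK_NAMES[int(a["riskcode"])], a["alert"], a["url"])
    raise SystemExit(1 if failing else 0)
```

`fetch` is injected so the same code runs against the real daemon (`zap_fetch`) or the fake; in the pipeline, call `scan_and_gate` with the deployed test URL and the `${APP_NAME}-${BUILD_ID}` session name from the slide, then pull the HTML report with the curl call above for the build artifacts.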
17. Systems Security: Patch Testing

```groovy
// Jenkinsfile (the slide's sketch, made into valid declarative syntax).
// A declarative pipeline takes ONE agent directive; the options below are
// alternative ways to get a fresh, disposable system to patch and test.
pipeline {
  agent {
    // VMs from the vSphere or OpenStack cloud plugins are selected by label:
    //   agent { label 'vmware-rhel' }   or   agent { label 'openstack-rhel' }
    kubernetes {
      // Configure Pod (pod template YAML; placeholder path)
      yamlFile 'ci/patch-test-pod.yaml'
    }
    // docker { image '<base-image>' }   // Configure Container
  }
  stages {
    // Perform pipeline actions against the system
    stage('Patch') {
      steps { sh 'sudo yum -y update' }
    }
    stage('Test') {
      steps { sh './run-system-tests.sh' }   // placeholder test runner
    }
  }
}
```

   The idea is that patches get the same treatment as application changes: the pipeline provisions a throw-away copy of the system, applies the vendor updates, and runs the existing test suite against it, so the security team learns whether a patch breaks something before it is rolled out rather than after.
18. Lessons Learned: <YOUR IDEA HERE>

19. The Robots Are Coming:

20. Lessons Learned: Questions???

21. linkedin.com/company/red-hat
    youtube.com/user/RedHatVideos
    facebook.com/redhatinc
    twitter.com/RedHat
    Red Hat is the world's leading provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500.
    Thank you. And special thanks to my friend Anne Dalton, who was kind enough to be my reviewer for this content!
