This document discusses DevSecOps and integrating security into the development process. It begins with an introduction to methodologies like Waterfall and Agile development. It then explains how DevOps aims to improve speed and collaboration between developers and operations teams. However, security teams are often separate from this process. DevSecOps aims to shift security left into planning, design, and coding to catch vulnerabilities earlier. It outlines how to implement security practices throughout the development cycle, including threat modeling, security scanning tools, training, and testing. The conclusion is that DevSecOps is becoming more important as the need for secure and private software increases.
2020 05-tech saturday-devsecops-#2-v03
1. Shaping the future of digital business
CONFIDENTIAL GFT GROUP 09/05/20
May 2020
DevSecOps
Putting security into the pipeline
___________________________________________
Diego Cardoso – Head of DevSecOps Practices Brazil
diego.cardoso@gft.com
#DevSecOps #BeTransformationAgent #TechSaturday
2. • Proud son, husband and father
• Graduated in Information Systems at FSA
• Postgraduate in Software Architecture at FIAP
• Microsoft Certified: MCTS
• 6+ years working at GFT
• 15+ years analysing, coding and migrating
• Enthusiast focused on architecture and agile methodologies
• Rusty guitarist and gamer in spare time
3. Agenda
1. Software Development
2. DevOps Enablement
3. CyberSecurity
4. OWASP
5. DevSecOps
4. Software Development – Methodologies
Waterfall:
• Over-planning
• Risk mitigation
• High costs
• Deliver everything at the end
Agile:
• Experiments and prototypes
• Fail fast and at low cost
• Continuous and evolutionary delivery
5. Software Development – Before DevOps
6. Software Development – DevOps Enablement
• Squads: Dev + Ops + QA
• Engineering (automating) the Agile process
• Quick time to market (ROI)
7. DevOps – Landscape 2019
8. Software Development – But where is the security team?
9. Software Development – But where is the security team?
10. CyberSecurity – Let’s check the news
11. CyberSecurity – Landscape 2019
12. DevSecOps – The Evolution of Security Teams
DEVELOPERS : OPERATIONS : SECURITY
100 : 10 : 1
13. Understanding Concepts
#DevSecOps #BeTransformationAgent #TechSaturday
14. DevSecOps = DevOps + Security
Mindset: everyone is responsible for security
Goal: privacy and security by design
Mission: delivery at speed and scale without sacrificing the safety required by the context.
15. DevSecOps – Security shifting to the left
Chart: cost to remediate by phase: Requirements; Design/Architecture; Coding (7X); Testing (15X); Deployments/Maintenance (30X).
Diagram of the traditional flow: BUILD insecure software → QA finds vulnerabilities in software → we convince and pay the developer to fix it, thereby delaying the release → RELEASE insecure software → IT deploys the insecure software → we are breached or pay to have someone tell us our code is bad → we convince and pay the developer to fix it.
Shift-left practices: application scan (SAST, DAST); create Evil Stories; high level of test coverage.
16. DevSecOps Services: Development Cycle
Diagram of the cycle, with roles PO / BA, DEV, QA, OPS and SEC; elements: Build; Binary Repository; Code Repository; Release; Tests; Quality Scan; Security Scan; Configuration Repo; Key vault / configuration; Branches Policies; Monitor; Optimize; User Stories; Feature Flag; Package Promotion (DEV, HML, PPD, PRD); Infra Performance; Infra Costs; Observability; Penetration Tests (PRD); Version = TAG; Release = TAG; Infra Automation.
17. DevSecOps: Build & Release
Diagram: branches master, hotfix, develop, feature and bugfix, joined by pull requests and branch gates; Build → Tests → Quality Scan → Security Scan; TAG: 1.0.0; Binary Repository, version 1.0.0.20200318-01; Release, fed by the Configuration Repository and guarded by a branch gate, to DEV, HML, PPD and PRD.
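The Build & Release flow on this slide (pull requests between the named branches, a branch gate after tests and the quality and security scans, the tagged version in the binary repository, and promotion through DEV, HML, PPD and PRD) as an added Python example; this is not code from the deck or from GFT. The branch-to-target and branch-to-environment mappings, the severity scale and the "medium" threshold are assumptions, and all function names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Branch flow assumed from the slide: feature/bugfix -> develop, develop/hotfix -> master.
PR_TARGETS = {"feature": "develop", "bugfix": "develop", "develop": "master", "hotfix": "master"}
# Environments a long-lived branch is promoted through, in order (assumed mapping).
PROMOTION_PATH = {"develop": ["DEV", "HML"], "master": ["DEV", "HML", "PPD", "PRD"]}
SEVERITIES = ("low", "medium", "high", "critical")  # hypothetical scanner severity scale

@dataclass
class ScanResults:
    """Outcome of the Tests, Quality Scan and Security Scan stages for one build."""
    tests_passed: bool
    quality_passed: bool
    security_findings: Dict[str, int] = field(default_factory=dict)  # severity -> count

def branch_type(branch: str) -> str:
    return branch.split("/", 1)[0]  # 'feature/login-form' -> 'feature', 'master' -> 'master'

def pr_allowed(source: str, target: str) -> bool:
    """Branch policy: a pull request may only target the branch its type flows into."""
    return PR_TARGETS.get(branch_type(source)) == target

def build_version(tag: str, build_date: date, build_number: int) -> str:
    """Binary-repository version in the slide's format: TAG.yyyymmdd-NN."""
    return f"{tag}.{build_date:%Y%m%d}-{build_number:02d}"

def branch_gate(results: ScanResults, max_allowed: str = "medium") -> List[str]:
    """Reasons the gate blocks promotion; an empty list means the package may proceed.
    Findings above max_allowed severity block (the threshold itself is an assumption)."""
    reasons = []
    if not results.tests_passed:
        reasons.append("tests failed")
    if not results.quality_passed:
        reasons.append("quality scan failed")
    limit = SEVERITIES.index(max_allowed)
    blocked = {s: n for s, n in results.security_findings.items()
               if n > 0 and SEVERITIES.index(s) > limit}
    if blocked:
        reasons.append(f"security scan: {blocked}")
    return reasons

def next_environment(branch: str, current: Optional[str]) -> Optional[str]:
    """Package promotion: next stage for the branch, or None when the path is exhausted."""
    path = PROMOTION_PATH.get(branch_type(branch))
    if path is None or current == path[-1]:
        return None
    return path[0] if current is None else path[path.index(current) + 1]
```

A feature branch can only reach HML through develop, and only a master build with a clean gate walks the full DEV, HML, PPD, PRD path.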
18. DevSecOps: Build & Release
Azure Artifacts
Azure Pipelines
19. DevSecOps – Security Scan Tools (part I)
SAST
DAST
20. DevSecOps – Security Scan Tools (part II)
IAST
OSS
21. DevSecOps – Leading the Transformation
Creating the mindset:
• Security awareness and training
• Evil Stories (ethical hacking)
• Shared knowledge base
• Focused hackathons
Questions you should be able to answer:
• Are you aware of the TOP risks/vulnerabilities (OWASP)?
• Is my application/product protected?
• Is my application/product/code exposing sensitive data or secrets?
• Are my dependencies (3rd-party libraries) secure?
Test:
• SAST + DAST + IAST
• Sensitive info scan (SIS)
• Software Composition Analysis (SCA)
• Fuzzing (random inputs)
• Pen-test
22. Conclusion – State of DevSecOps 2020
23. May 2020
We Innovate, Transform, Deliver
DevSecOps
Putting security into the pipeline
___________________________________________
Diego Cardoso – Head of DevSecOps Brazil
diego.cardoso@gft.com
Thank you very much! Questions?
#DevSecOps #BeTransformationAgent #TechSaturday