1. DEVOPS OR DEVSECOPS?
Why do we need to focus on security in development and operations?

2. MICHELANGELO VAN DAM
I'm a senior #php architect, co-founder
and #ceo of @in2itvof, #community leader
at @phpbenelux, coach
at @CoderDojoBelgium, #MVP, #digitalnomad,
likes #coffee.
Follow me on Twitter: @DragonBe

3. DEVOPS
Let’s have a look at DevOps first

4. PATRICK DEBOIS
Patrick Debois coined the term
“DevOps” at the first DevOpsDays in
Ghent (Belgium) and started a very
important movement in the tech industry.

5. THE THREE WAYS
THE PRINCIPLES UNDERPINNING DEVOPS

6. THE THREE WAYS
THE PRINCIPLES UNDERPINNING DEVOPS
System thinking: performance of complete system

7. THE THREE WAYS
THE PRINCIPLES UNDERPINNING DEVOPS
System thinking: performance of complete system
Amplify feedback loops: notify issues early in the process

8. THE THREE WAYS
THE PRINCIPLES UNDERPINNING DEVOPS
System thinking: performance of complete system
Amplify feedback loops: notify issues early in the process
Culture of continuous learning & experimenting

9. DEVOPS

10. DEVOPS
Unifying software development & operations

11. DEVOPS
Unifying software development & operations
Automation & monitoring of software construction

12. DEVOPS
Unifying software development & operations
Automation & monitoring of software construction
Shorter development cycles, increased deployment
frequencies & produce dependable releases

13. DEVELOPMENT & OPERATIONS

14. DEVELOPMENT & OPERATIONS
Project management & development

15. DEVELOPMENT & OPERATIONS
Project management & development
Network & systems engineering

16. DEVELOPMENT & OPERATIONS
Project management & development
Network & systems engineering
Security, testing, legal, compliance & support

17. DEVELOPMENT & OPERATIONS
Project management, development & testing
Network & systems engineering
Security, testing, legal, compliance & support

18. AUTOMATION & MONITORING

19. AUTOMATION & MONITORING
Infrastructure as code

20. AUTOMATION & MONITORING
Infrastructure as code
Increased telemetry on whole application stack

21. AUTOMATION & MONITORING
Infrastructure as code
Increased telemetry on whole application stack
Repeatable processes for continuous improvement

22. SHORTER DEVELOPMENT CYCLES, INCREASED
DEPLOYMENT FREQUENCIES & DEPENDABLE RELEASES

23. SHORTER DEVELOPMENT CYCLES, INCREASED
DEPLOYMENT FREQUENCIES & DEPENDABLE RELEASES
10, 100, 1K, 10K commits a day

24. SHORTER DEVELOPMENT CYCLES, INCREASED
DEPLOYMENT FREQUENCIES & DEPENDABLE RELEASES
10, 100, 1K, 10K commits a day
Each N commits results in a deployment (could be 1)

25. SHORTER DEVELOPMENT CYCLES, INCREASED
DEPLOYMENT FREQUENCIES & DEPENDABLE RELEASES
10, 100, 1K, 10K commits a day
Each N commits results in a deployment (could be 1)
Each release is better than the previous

26. TRUST ME, I’M A PROFESSIONAL
Each commit has the potential of
introducing a new risk or break the
system. Without any safeguards,
we’re just increasing the speed of
creating a Pandora’s Box.

27. DEVSECOPS

28. DEVSECOPS

29. DEVSECOPS
Security integrated part of dev & ops

30. DEVSECOPS
Security integrated part of dev & ops
Each commit & systems change must meet security
standards

31. DEVSECOPS
Security integrated part of dev & ops
Each commit & systems change must meet security
standards
Security by design

32. THIS IS 2018

33. THIS IS 2018

34. THIS IS 2018

35. THIS IS 2018

36. SECURITY FOCUS

37. SECURITY FOCUS
Hackers

38. SECURITY FOCUS
Hackers
Data loss prevention

39. SECURITY FOCUS
Hackers
Data loss prevention
Privacy protection

40. SECURITY FOCUS
Hackers
Data loss prevention
Privacy protection
Bad configuration

41. SECURITY FOCUS
Hackers
Data loss prevention
Privacy protection
Bad configuration
Compliance

42. SECURITY FOCUS
Hackers
Data loss prevention
Privacy protection
Bad configuration
Compliance
Verified trust

43. WHAT’S YOUR
OPINION?
Raise your hand if you feel
security needs to be
emphasised with DevSecOps

44. WHAT’S YOUR
OPINION?
Raise your hand if you feel
security is part of DevOps

45. SECURITY IS PART OF DEVOPS
Project management, development & testing
Network & systems engineering
Security, testing, legal, compliance & support

46. THE DEVOPS CYCLE

47. A TYPICAL BUILD PROCESS

48. A TYPICAL BUILD PROCESS

49. SECURITY TESTING WITH RIPSTECH
Project X
2019-03-02 16:43:11

50. SECURITY TESTING WITH BURP SUITE

51. SECURITY TESTING WITH ARACHNI

52. SECURITY TESTING WITH BEHAT

53. MANUAL SECURITY TESTING

54. SUMMARY

55. SUMMARY
Security integrated part of dev & ops

56. SUMMARY
Security integrated part of dev & ops
TRUE === ($this->DevOps || $this->DevSecOps)

57. SUMMARY
Security integrated part of dev & ops
TRUE === ($this->DevOps || $this->DevSecOps)
Security is a MUST: we can no longer ignore it!

58. REFERENCES

59. SHAMELESS PLUG
DRAGONBE/HIBP

60. QUESTIONS?

61. QUESTIONS?
Slides online
slideshare.net/DragonBe

62. QUESTIONS?
Slides online
slideshare.net/DragonBe
Leave feedback
joind.in/event

63. QUESTIONS?
Slides online
slideshare.net/DragonBe
Leave feedback
joind.in/event
Contact me
twitter.com/DragonBe