DevSecOps overview and what one engineer can do_Dmytro Batiievskyi

We will talk about what DevSecOps is and why security matters in the context of DevOps and automation, and give a general overview of the scope and the approach. Then we will go through cheap yet effective security improvements that a small team can implement without significant extra effort.

  1. DevSecOps. What is DevSecOps? What can one engineer do? By Dmitry Batiievskyi
  2. DevOps
     - DevOps is a set of practices intended to reduce the time between committing a change to a system and the change being placed into normal production, while ensuring high quality.
     - A DevOps team is a team implementing, or aiming to implement, these practices.
  3. Full stack
     - Knowledge of a programming language, framework or service is not unique knowledge
     - Strong knowledge is unique
     - You cannot build mastery in anything if you don't have at least a basic understanding of adjacent areas
     - Network, testing, deployment, security
  4. Team structure. Cross-functional teams and shared responsibility lead to:
     - Better quality
     - Team members being educated in adjacent areas
     - People learning not to put extra load on each other
  5. Building the foundation
     - Architecture
     - Set up rules and policies
     - Set up a common toolkit
     - Set up processes
     - People who care in each team
  6. Being professional. Basics:
     - Teach by example
     - Don't pass by
     - Care about quality
  7. Development cycle
  8. Modern flow
  9. Modern flow explained
  10. Simple things
     - Complex passwords and password managers
     - MFA
     - Keys, secrets and passwords in git repos
     - Basic source code checks (SAST)
     - Least privilege
     - Security updates
     - Credentials rotation
     - Tools/technologies best practices
  11. Software security needs
  12. Zoning
     - Make users comfortable
     - Perimeter network security is not possible
     - Network segmentation
  13. Asset management
     - Store secrets securely
     - Log access to secrets
     - Rotate secrets
  14. Logging
     - A cornerstone of security compliance
     - Log access
     - Log changes
     - Log failures
  15. Next steps
     - Security as code
     - SAST
     - DAST
     - IDS/IPS
     - WAF
     - Penetration testing
  16. OWASP top 10
  17. OWASP top 10
  18. OWASP top 10
  19. Tools
  20. Resources
     - http://www.devsecops.org
     - http://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43231.pdf
     - https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
     - https://en.wikipedia.org/wiki/Software_asset_management
     - https://www.owasp.org/index.php/Source_Code_Analysis_Tools
     - https://github.com/OWASP/Top10/tree/master/2017
     - https://docs.gitlab.com/ee/topics/autodevops/index.html
     - https://github.com/danielmiessler/SecLists/tree/master/Passwords
     - https://en.wikipedia.org/wiki/Web_application_firewall
     - https://github.com/aelsabbahy/goss
     - https://github.com/garytkainos/Gauntlt-Ubuntu
     - https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
  21. Thank you. Dmitry Batiievskyi, https://www.linkedin.com/in/dmitry-batiievskyi-aa17aa66/
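Slide 10 lists "keys, secrets and passwords in git repos" and "basic source code checks (SAST)" among the cheap improvements one engineer can make. The block below is an added example, not code from the talk or the speaker: a small pre-commit style secret check that combines two approaches a practitioner would usually pair, fixed-format patterns (the documented AWS access-key-id shape and PEM private-key headers) and a Shannon-entropy heuristic for random-looking tokens. The file contents, the `hunter2` password and the API token are constructed sample data; `AKIAIOSFODNN7EXAMPLE` is the example key id from the AWS documentation, not a real credential; `SAMPLE_FILES`, `scan_files` and `run_check` are names chosen for this example.

```python
"""Minimal pre-commit secret check (added example, not from the talk)."""
import math
import re
import sys
from collections import Counter

# Fixed-format patterns. The AKIA + 16 uppercase alphanumerics shape and the
# PEM header are public, documented formats; the password-assignment regex
# is a deliberately simple heuristic of this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assigned_password": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^'\"\s]{6,})"),
}

# Candidate tokens for the entropy heuristic: base64/URL-safe alphabet, 20+ chars.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")

# Hex strings max out at 4 bits/char, so a 4.5 threshold lets commit ids and
# digests pass while flagging base64-style random tokens. The trade-off is
# that hex-encoded secrets are not caught by this heuristic; pattern rules
# for known formats are what cover those.
ENTROPY_THRESHOLD = 4.5


def shannon_entropy(s):
    """Bits per character of the string's empirical symbol distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text):
    """Return (path, line_number, rule) tuples for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = [name for name, pat in PATTERNS.items() if pat.search(line)]
        if hits:
            findings.extend((path, lineno, name) for name in hits)
            continue  # a known format already explains this line
        if any(shannon_entropy(tok) >= ENTROPY_THRESHOLD
               for tok in TOKEN_RE.findall(line)):
            findings.append((path, lineno, "high_entropy_string"))
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping, e.g. the staged files of a commit."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def run_check(files):
    """Hook semantics: print findings, return 1 to block the commit, else 0."""
    findings = scan_files(files)
    for path, lineno, rule in findings:
        print(f"{path}:{lineno}: possible secret ({rule})")
    return 1 if findings else 0


# Constructed sample files standing in for staged content.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "PASSWORD_MIN_LENGTH = 12\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "API_TOKEN = 'k7Qm2xZp9vLr4wYt8nJd3bHs6cFg1aE5'\n"
    ),
    "deploy/notes.txt": (
        "staging db password: hunter2\n"
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "build id 0123456789abcdef0123456789abcdef\n"
    ),
    "README.md": "Run `make test` before pushing.\n",
}

if __name__ == "__main__":
    sys.exit(run_check(SAMPLE_FILES))
```

Wired into a pre-commit hook, `run_check` would receive the staged files instead of `SAMPLE_FILES`; the non-zero exit blocks the commit so the secret never reaches the repository, which is far cheaper than rotating it after the fact (slide 13). Note that the hex build id and `PASSWORD_MIN_LENGTH` produce no findings, while the AWS key, the random API token, the assigned password and the PEM header each do.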
