
Devops security-An Insight into Secure-SDLC


The integration of security into DevOps is already happening out of necessity. DevOps is a powerful paradigm shift, and companies often don't understand how security fits. The aim of this session is to give an overview of DevOps security and how security can be integrated and automated into each phase of the software development life-cycle.

Published in: Technology


  1. DevOps Security - Part 1: An insight into S-SDLC (Suman Sourav)
  2. Agenda
     • DevOps Security – Introduction
     • Software Security Toll Gates in DevOps
     • An inside story of continuous security testing implementation
     • Challenges
  3. Disclaimer: Not endorsing any tools
  4. About me
     • Software Security Professional having 10+ years of experience
     • Specialize in Secure SDLC implementation: Threat Modeling / Secure Code Review / Penetration Testing / DevOps Security
     • Secure Coding Trainer, Security QA Testing Trainer, Speaker
     • What next for me? IoT Security, Smart City Security
  5. DevOps - Introduction
     • Faster release cycle
     • Shortened delivery time
     • Unified tools and process
     • Integration between different teams
  6. Secure-SDLC (activity • SDLC phase)
     • Security Requirements • Requirements
     • Threat Modeling • Design
     • Secure Code Review • Development
     • Vulnerability Scanning / PT • Deployment
     • Monitoring • Operation
     Time to complete these activities?
  7. DevOps Security: Pre-Staging (Source: Kaspersky)
     • Continuous Integration
     • Security Automation
     • Right Process, People, Tools
     • Collaboration & Sharing
     • Metrics and Data Analytics
  8. Security Failures in DevOps: Dev Risk
  9. [Pipeline diagram: phases Requirements, Design, Development, Build and Deploy, Staging, Production; elements External Repositories, Common Components, Repository, SCM Tools, Security Test Automation, Threat Modeling, SCA Tools / IDE Plugins, VS / PT / IAST, Components Monitoring, Production Monitoring]
  10. Third Party Libraries - Security Report
  11. Collaboration: Security Champions across Product 1 to Product 9
  12. Requirements
     • Security Questionnaire
     • Automated Score Calculation
     • Provide guidance for component selection
  13. Design
  14. Threat Modeling (Demo): Automated Approach
  15. Development
  16. Source Code Management
     1. Branching
     2. Ownerships
  17. Secure Code Review - IDE Plugins (Demo)
     • Develop and Test
     • Takes a couple of minutes to generate a vulnerability report
  18. Vulnerability Coverage
     • Detect the most obvious vulnerabilities
     • Quickly provide the security posture of the applications
  19. Merging Reports
     • Keep an eye on new issues and fixed issues
     • Less time in false positive analysis
  20. Build & Deployment
  21. CI Tools: Jenkins, Hudson, TeamCity, etc.
  22. CI Tools Integration
     • Third party libraries analysis
     • Static analysis
     • Security unit test cases
     • Dynamic analysis
  23. QA Role in DevOps Security
     • Security review of requirements & design documents
     • Security static code analysis results review
     • Dynamic security analysis
     • Penetration testing including fuzz testing
     • Third party components review
  24. Security Unit Test Cases (Demo)
  25. CI Integration - DAST: Unit Test Cases • Browsers • Scanners • Reports (Reference: testing-with-selenium-and-the-zed-attack-proxy-zap)
  26. Static Analysis Integration
     • Build Environment: Integrate With Build • Upload to Server • Execute Scan • Generate Report
     • Reporting Server: Login • Audit and Re-upload (SA)
     • Developers: Fix Vulnerabilities
  27. Interactive Application Security Testing (IAST)
     • Accuracy without false positives
     • Testing is fast
     • Indifferent to the underlying framework
  28. Vulnerability Management & Hybrid Analysis: Static Analysis • Dynamic Analysis • Security QA (VA / PT / IAST) • Priority • Fix
  29. Security Metrics & Data Analytics [Chart: Training Index and Bug Index per release, Release 1 to Release 4; labelled values 10, 20, 30, 40 and 110, 85, 71, 20]
  30. Bug Tracking System
     • Keep track of issue remediation
     • Workflow to automate issue creation & assigning ownership
     • Automated email alert to respective product owners
  31. Limitations & Challenges
     • All manual tests can't be automated
     • Test automations are not sequenced
  32. Stay Tuned... DevOps Security - Part 2: An insight into Security Operations
  33. Suman Sourav, @SumanS0urav
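Slides 19 (merging reports so that only new and fixed issues stand out, with less time spent re-analysing false positives) and 30 (automating issue creation and ownership from scan results) describe a step the deck does not show in code. The following is an added example and not code from the presentation: it merges two consecutive scan reports by a stable fingerprint (rule, file and whitespace-normalised snippet, deliberately not the line number) so that moved code is not reported as new, carries the previous report's false-positive decisions forward, and returns only the findings that still need triage. The simplified report format and the sample findings are constructed for the example.

```python
import hashlib

# Constructed sample findings in a simplified report format (assumed, not a
# real tool's output): one entry per finding with rule, file, line, snippet.
PREVIOUS_REPORT = [
    {"rule": "sql-injection", "file": "app/db.py", "line": 42,
     "snippet": "cur.execute('SELECT * FROM users WHERE id=' + uid)"},
    {"rule": "hardcoded-secret", "file": "app/config.py", "line": 7,
     "snippet": "API_KEY = os.environ['API_KEY']", "false_positive": True},
    {"rule": "weak-hash", "file": "app/auth.py", "line": 15,
     "snippet": "hashlib.md5(pw).hexdigest()"},
]
CURRENT_REPORT = [  # next release: first finding moved, second reformatted
    {"rule": "sql-injection", "file": "app/db.py", "line": 58,
     "snippet": "cur.execute('SELECT * FROM users WHERE id=' + uid)"},
    {"rule": "hardcoded-secret", "file": "app/config.py", "line": 9,
     "snippet": "API_KEY  =  os.environ['API_KEY']"},
    {"rule": "path-traversal", "file": "app/files.py", "line": 23,
     "snippet": "open(base + request.args['name'])"},
]

def fingerprint(finding):
    """Stable identity for a finding: rule + file + whitespace-normalised
    snippet. Line numbers are excluded so edits elsewhere in the file do not
    turn an old finding into a 'new' one. (Two identical snippets in one file
    share a fingerprint; add an ordinal if that matters for your tool.)"""
    code = " ".join(finding["snippet"].split())
    key = f"{finding['rule']}|{finding['file']}|{code}".encode()
    return hashlib.sha256(key).hexdigest()[:16]

def merge_reports(previous, current):
    """Classify current findings as new or carried over, list previous
    findings that disappeared as fixed, and carry false-positive triage
    from the previous report onto matching findings."""
    prev = {fingerprint(f): f for f in previous}
    cur = {fingerprint(f): f for f in current}
    new, carried = [], []
    for fp, f in cur.items():
        if fp in prev:
            carried.append(dict(f, false_positive=prev[fp].get("false_positive", False)))
        else:
            new.append(dict(f, false_positive=False))
    fixed = [f for fp, f in prev.items() if fp not in cur]
    # Only findings not already triaged as false positives need human review.
    to_review = [f for f in new + carried if not f["false_positive"]]
    return {"new": new, "carried": carried, "fixed": fixed, "to_review": to_review}

if __name__ == "__main__":
    result = merge_reports(PREVIOUS_REPORT, CURRENT_REPORT)
    for bucket in ("new", "fixed", "to_review"):
        print(bucket, [f["rule"] for f in result[bucket]])
```

The `to_review` bucket is what a bug-tracker workflow would turn into tickets, while `fixed` is what it would close automatically.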