Preventing Devoops with DevSecOps
Kieran Jacobsen
Technical Lead – Infrastructure & Security
Page 2 / Copyright ©2017 by Readify Limited
2016 was a big year…
2017 is getting off to a bad start…
Before DevOps
DevOps
But Where Is Security?
DevSecOps
› Clear Communication Pathways
› Streamlined Communication
› Security As Code
› Training
› Integrate Security into DevOps cycle
Communication Pathways
Development Operations
Security
Streamlined Communication
NO:
› Excel checklists
› Word document reports
› Email Attachments
YES:
› Backlogs/boards
› Support ticketing
› Markup and Git
Security As Code
› Application Source Code
› Azure ARM and AWS CloudFormation
› Server Configuration – Chef, Puppet, DSC
ARM Templates
PowerShell DSC
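The ARM Templates and PowerShell DSC slides were screenshots and did not survive extraction. As an added example (not the presenter's code), the following DSC configuration shows what "security as code" for server configuration looks like: a small Windows Server security baseline expressed declaratively, so it can live in Git, be reviewed in a pull request, and be re-tested for drift after deployment. The resource types (WindowsFeature, Service, Registry) are the built-in PSDesiredStateConfiguration resources; the particular settings chosen are illustrative and are assumptions of this example, not recommendations taken from the deck.

```powershell
# Added example, not from the deck: a minimal Windows Server security baseline
# as a PowerShell DSC configuration. Settings below are illustrative choices.
Configuration SecurityBaseline {
    param (
        [string[]] $NodeName = 'localhost'
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {

        # The legacy SMBv1 server component must not be installed.
        # 'FS-SMB1' is the Windows Server feature name (WindowsFeature is
        # server-only; client SKUs would use WindowsOptionalFeature instead).
        WindowsFeature RemoveSmb1 {
            Name   = 'FS-SMB1'
            Ensure = 'Absent'
        }

        # The host firewall service (MpsSvc) must be running and start automatically.
        Service WindowsFirewall {
            Name        = 'MpsSvc'
            StartupType = 'Automatic'
            State       = 'Running'
        }

        # Anonymous enumeration of SAM accounts and shares is disabled via LSA policy.
        Registry RestrictAnonymous {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
            ValueName = 'RestrictAnonymous'
            ValueData = '1'
            ValueType = 'Dword'
            Ensure    = 'Present'
            Force     = $true
        }
    }
}

# Compile the configuration into a MOF document per node. The MOF is the build
# artefact a pipeline would publish and apply.
SecurityBaseline -NodeName 'localhost' -OutputPath '.\SecurityBaseline'

# Apply the baseline, then report per-resource compliance. In a pipeline the
# Test step is what gates the release: any resource not in the desired state
# is configuration drift and fails the run.
Start-DscConfiguration -Path '.\SecurityBaseline' -Wait -Verbose
Test-DscConfiguration -Path '.\SecurityBaseline' -Detailed |
    Select-Object -ExpandProperty ResourcesNotInDesiredState |
    Format-Table ResourceId, InDesiredState
```

Because the baseline is code, a change to it (say, relaxing RestrictAnonymous) shows up as a diff that the security team reviews on the same board and pull request the developers already use, which is the "streamlined communication" point of the earlier slides. Re-running Test-DscConfiguration on a schedule covers the later "Operate & Monitor" step of rescanning deployed systems.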
Training
› We can’t be experts in Dev, Sec and Ops
› We need cross-pollination of skills
› Starts at day 0
Integrating Security
Plan
› Integrate security into sprint planning and reviews
› Consider security stories early
Code
› Training!
› Test driven development
› Use of the correct tools
› Pull Requests
Build
› Static code analysis
› Dynamic code analysis
Test
› Develop security test cases
› Fuzzing
› Load testing
Release & Deploy
› Automated scanning upon deployment
Operate & Monitor
› Monitor logs
› Rescan for vulnerabilities
› Track dependencies
Thank You

Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmonyelliciumsolutionspun
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesSoftwareMill
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Jaydeep Chhasatia
 
Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Incrobinwilliams8624
 

Recently uploaded (20)

Streamlining Your Application Builds with Cloud Native Buildpacks
Streamlining Your Application Builds  with Cloud Native BuildpacksStreamlining Your Application Builds  with Cloud Native Buildpacks
Streamlining Your Application Builds with Cloud Native Buildpacks
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptx
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and Bad
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG time
 
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageSales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
 
Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - Datacamp
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdf
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AI
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdf
 
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
 
Salesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptxSalesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptx
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-Council
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptx
 
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retries
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
 
Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Inc
 

DevSecOps in 10 minutes

Build
› Static code analysis
› Dynamic code analysis
Test
› Develop security test cases
› Fuzzing
› Load testing
Release & Deploy
› Automated scanning upon deployment
Operate & Monitor
› Monitor logs
› Rescan for vulnerabilities
› Track dependencies

Editor's Notes

  1. Hi, My name is Kieran Jacobsen, I am the Technical Lead for Infrastructure and Security at Readify. Today I am going to talk about DevSecOps in 10 minutes!
  2. By all accounts, 2016 was a massive year for information security. We saw a significant number of breach disclosures, breaking records in terms of both the number and the size of the breaches. We saw a number of older breaches surface for the first time, like those impacting LinkedIn, Myspace and Yahoo. We saw the Mirai botnet appear, hit Brian Krebs with a record-breaking denial of service attack, then target DynDNS, knocking Spotify, Twitter, GitHub, PayPal and more offline. We also saw a number of breaches where database backups were made public, including one impacting the Australian Red Cross.
  3. Yet 2017, politics aside, seems to be gearing up to be even worse. Attackers have laid waste to poorly secured Hadoop, MongoDB, ElasticSearch and CouchDB instances, deleting data and leaving ransom notes. A 13-year-old worm made a reappearance. That’s right, SQL Slammer is back!
  4. Here we see a representation of development and operations before the introduction of DevOps. Development would catapult new builds at operations, and operations would return with a volley of bugs and issues. Our applications were unstable, deployments were a complex mess and overall our organisations suffered.
  5. Along came DevOps, with a promise that it would get two warring factions to act as one. DevOps has largely been a success: applications have become more stable, and we now have a faster release cycle, with fixes deployed to production often on an hourly basis. Development and Operations are now moving at the speed the rest of the business was wanting.
  6. But in the rush we missed something: we left security out of the equation. Organisations at all levels rushed to embrace DevOps, yet at times didn’t include their own security teams. We see insecurely deployed databases and applications, and issues with backups and disaster recovery being overlooked. It feels almost like we are back in the 90s.
  7. Here I have one of my favourite quotes about the industry. It comes from a Queensland Microsoft MVP, Jess Dodson: “We’re in customer service. Our users are our customers. We need to understand them & their needs to do our job well.” What I love about this quote is that it succinctly sums up some of the issues with the relationship between Development, Operations and Security. We are all in customer service, and it’s about time we started acting like it; long gone are the days of the cold face of IT. It’s also crucial to realise that within these three groups we are both customers and providers.
  8. Now, it’s obvious that Development and Operations need to maintain clear communications. If development wish to provide new products, i.e. code, they need operations to provide them with things like internet connectivity. And if Ops wants a stable environment, they need development to write high quality code. Development is a customer of Operations, and Operations is a customer of Development. We need clear communication between these groups. What we often miss is the customer relationship with security. The security team needs dev and ops to deploy fixes to discovered security issues; they are a customer of these two teams. What we forget is the reverse: Development and Operations are not security experts, and they require support, guidance and assistance from security specialists.
  9. Excel checklists, Word policy documents and email attachments: NO, NO, NO! Excel is clunky, Word can be hard to diff, and we should all by now know the risks of documents with macros!
  10. Backlogs and boards encourage collaboration and ownership of tasks. Security issues and reviews should not produce reports; they should produce tasks on a board.
  11. Don’t underestimate the power of support ticketing tools. They encourage better working models, ownership of issues and better customer communication.
  12. Markup, when combined with Git, allows for powerful workflows. We can easily diff files to determine changes, and we can have a rich review process via pull requests. Git encourages collaboration: multiple people can work on a document simultaneously, then have their changes pulled together, reviewed and approved, and then pushed out to the wider organisation.
  13. So the next big takeaway is security as code. Or, as I like to put it, here is all of the code that could impact your organisation’s security. Obviously we have application source code, but what about the other parts of your environment? If your developers are using Azure or AWS, they are probably using templates to deploy infrastructure. Care needs to be taken that these templates are created in a way that the infrastructure they deploy is secure. Does operations review these? What about security? Server configuration tools like Chef, Puppet and PowerShell DSC are all the rage, but are the configurations they are applying secure? Once again, what is the review process?
  14. So, Azure Resource Manager Templates, or ARM Templates for short, allow us to deploy services within Azure in a repeatable manner. This includes things like storage, networks, addresses, virtual machines, web apps, SQL databases and much more. In this example, we see a configuration element relating to a Network Security Group; basically this is an ACL. I have taken this from the Azure Quick Start templates. This NSG specifies that the only traffic allowed to this system is RDP, port 3389. Unfortunately, they have allowed all of the internet as a source address, so I guess someone will start brute forcing this box soon enough. Now, I am not surprised by this one; from experience, this is actually better than the majority of templates I see. The majority of templates do not even apply network security groups, resulting in all services, from RDP to SSH to SMB to SQL, left exposed to all and sundry. Do you know if your developers are deploying from examples like this?
  15. So let’s take a quick look at another example, this time it’s PowerShell DSC. This example is a snippet of a much larger DSC configuration that all of our servers at Readify comply with. It disables insecure ciphers from being used for HTTPS connections. Imagine the effectiveness if you pushed this out to all of your web servers, or better yet, every server in your fleet. This is security as code: we are making our environment more secure using code.
  16. Training is super critical. We can’t be experts in all three areas, but we need to have awareness of the other parts of our team. Training needs to start for all areas of IT from day 0, and not just the basics. Developers need to be aware of your organisation’s expectations of code quality, and this includes security. If you don’t believe me, take a look at Troy Hunt’s blog for more justification on the value of training.
  17. So we’re back to the infinite loop that is DevOps. Where should we integrate? The answer is: at every single step along the way. Security is something we need to consider at every step. We used to say security is only as strong as the weakest link in the chain; well, this loop here is your new chain, so let’s make sure every link is as strong as it can be. Automation is crucial here; we need to be able to integrate our security tools with the rest of the continuous build and release pipeline. If your tool needs to be manually triggered, or cannot feed its results back into a backlog or a support ticket system, it isn’t going to succeed.
  18. When we plan, we need to involve security in both our sprint planning and reviews. I recommend considering security stories early due to their complexity; you don’t want to leave them until the end of a release cycle.
  19. Training is crucial to writing secure code, but it’s also worth considering methodologies like test driven development. Using the right tools is crucial; most IDEs have tools or plugins that will assist developers by highlighting potential security risks. Pull requests are also crucial: code that contains security issues doesn’t get merged.
  20. The security industry has differing views on which is better, static or dynamic analysis; I personally think it’s dependent upon your team and your project. My concern with dynamic code analysis has been ensuring that we have full coverage of the source code. Now, people will come to me and say, “but last time we used one of these tools, it generated a billion errors and we were flooded”. Well, that might be the case, but with DevOps the focus is on small check-ins and small code changes. This should reduce the chances of a flood of issues, and if you do get a flood, DevOps and small commits should also assist in highlighting the individual commit that caused the flood gates to open. If you are using Visual Studio, look at using the Code Analysis tools that it contains. Whilst they are not going to pick up everything, they are a great place to start. A build that fails its security checks isn’t of high enough quality to proceed further down the pipeline. Ensure that everyone is aware that the expectation is for only high quality code to proceed to testing and onwards.
  21. Automated testing is critical for a DevOps and a DevSecOps project. Testing is how we ensure that our code is up to scratch and of a quality that we would want to deploy. When testing, be it unit testing, automated UI testing, or even formal manual user acceptance testing, include security test cases, that is, cases that can be used to ensure the system is performing securely. A simple example of this might be that if a user were to enter SQL injection into a web form, the form doesn’t output SQL errors. Fuzzing is another technique that is becoming popular; it’s the process of sending random inputs to software to spot security holes. A number of vendors are producing not only great fuzzing tools, but ones that allow for automated tests with integration into our build and release pipelines. Microsoft recently announced Project Springfield, a tool it’s been testing in house and with customers. Another bit of testing that can be automated, and is so often overlooked, is load testing. I can’t believe it’s 2017 and people still don’t do load testing. Load testing not only proves that the application infrastructure can handle the expected load, but it can also help us determine if it can handle more than what is expected, say in the event of an attack. Microsoft includes support for load testing in their VSTS platform. Once again, if the app fails in testing, it doesn’t proceed.
  22. When an application gets to the release and deployment stages, we might think there is nothing for us to do. This isn’t the case: at this point we may have deployed an application into a development or pre-production environment prior to deployment on production. Why not perform an end-to-end vulnerability assessment, scanning not just the application but the entire stack, from servers to databases to load balancers? This is potentially your first time seeing the application and its supporting elements in their entirety; make use of the opportunity.
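The Network Security Group in note 14 is the kind of thing a review gate can catch before anything is deployed, and note 20 asks for exactly such checks in the build. The script below is an added example, not code from the slides or from the Azure Quick Start templates: it parses an ARM template and flags inbound Allow rules on NSGs that expose management ports to the whole internet. The embedded template is constructed to match the pattern the note describes (an NSG whose only rule allows RDP from any source); the port list, the `Find-OpenManagementRule` and `Test-PortRangeContains` function names and the resource names are assumptions.

```powershell
# Added example: pre-deployment check for ARM templates. Fails the pipeline step when an NSG
# rule allows a management port inbound from any internet source.

# Constructed sample template (not from the Azure Quick Start repository).
$sampleTemplate = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-05-01",
      "name": "example-nsg",
      "location": "[resourceGroup().location]",
      "properties": {
        "securityRules": [
          {
            "name": "default-allow-rdp",
            "properties": {
              "priority": 1000, "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
              "sourceAddressPrefix": "*", "sourcePortRange": "*",
              "destinationAddressPrefix": "*", "destinationPortRange": "3389"
            }
          }
        ]
      }
    }
  ]
}
'@

# Ports that should never be reachable from the open internet (assumed baseline; extend as needed).
$ManagementPorts = @{ '22' = 'SSH'; '3389' = 'RDP'; '445' = 'SMB'; '1433' = 'SQL Server' }
# Source prefixes that mean "anyone": wildcard, the Internet service tag, and the zero routes.
$OpenSources = @('*', 'Internet', '0.0.0.0/0', '::/0')

function Test-PortRangeContains {
    param([string]$Range, [int]$Port)
    # destinationPortRange may be "*", a single port, or a range such as "3000-4000".
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    if ($Range -match '^\d+$') { return ([int]$Range -eq $Port) }
    return $false
}

function Find-OpenManagementRule {
    param([Parameter(Mandatory)][string]$TemplateJson)
    $template = $TemplateJson | ConvertFrom-Json
    $findings = @()
    foreach ($resource in $template.resources) {
        if ($resource.type -ne 'Microsoft.Network/networkSecurityGroups') { continue }
        foreach ($rule in $resource.properties.securityRules) {
            $p = $rule.properties
            if ($p.direction -ne 'Inbound' -or $p.access -ne 'Allow') { continue }
            # A rule may carry a single prefix/port or the plural array form; check both.
            $sources = @($p.sourceAddressPrefix) + @($p.sourceAddressPrefixes)
            if (-not ($sources | Where-Object { $_ -in $OpenSources })) { continue }
            $ports = @($p.destinationPortRange) + @($p.destinationPortRanges)
            foreach ($port in $ManagementPorts.Keys) {
                if ($ports | Where-Object { $_ -and (Test-PortRangeContains -Range $_ -Port $port) }) {
                    $findings += [pscustomobject]@{
                        Nsg = $resource.name; Rule = $rule.name
                        Port = $port; Service = $ManagementPorts[$port]
                    }
                }
            }
        }
    }
    return ,$findings   # always return an array, even when empty
}

$findings = Find-OpenManagementRule -TemplateJson $sampleTemplate
foreach ($f in $findings) {
    Write-Warning ("NSG '{0}' rule '{1}' allows {2} (port {3}) inbound from the internet" -f `
        $f.Nsg, $f.Rule, $f.Service, $f.Port)
}
# A terminating error gives the build or release step a non-zero exit code.
if ($findings.Count -gt 0) { throw "$($findings.Count) open management rule(s) found; fix the template" }
```

Against the constructed template the check reports one finding (`default-allow-rdp`, RDP on 3389) and throws, which is what should happen to a release step. Run it over every template in the repository (pass each file's content via `Get-Content -Raw`) and feed the findings into the backlog rather than a report, in line with the earlier notes on streamlined communication.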
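Note 15 describes a DSC snippet that turns off insecure ciphers for HTTPS; the slide image is not on this page, so here is an added example of the same idea. It is not the Readify configuration from the talk. It disables weak SChannel ciphers on a Windows server through the standard `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\<name>` keys, where `Enabled = 0` disables the cipher. The list of cipher names to disable and the configuration and resource names are assumptions that should be aligned with your own baseline.

```powershell
# Added example: DSC configuration disabling weak SChannel ciphers (anything using SChannel
# for HTTPS, IIS included, negotiates from this list). Requires WMF 5.0+ for $using: support
# in the Script resource.
Configuration DisableWeakSchannelCiphers {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    # Assumed list of ciphers to disable; these are the registry key names Windows uses.
    # Several contain '/', which the PowerShell registry provider would treat as a path
    # separator, so the Script resource below uses the .NET registry API (splits on '\' only).
    $weakCiphers = @('NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
                     'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128')
    $ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

    Node 'localhost' {
        Script WeakCiphersDisabled {
            GetScript = {
                $ciphers = $using:weakCiphers; $path = $using:ciphersPath
                $hklm = [Microsoft.Win32.Registry]::LocalMachine
                $state = foreach ($name in $ciphers) {
                    $key = $hklm.OpenSubKey("$path\$name")
                    $value = if ($key) { $key.GetValue('Enabled') } else { 'missing' }
                    "$name=$value"
                }
                return @{ Result = ($state -join '; ') }
            }
            TestScript = {
                $ciphers = $using:weakCiphers; $path = $using:ciphersPath
                $hklm = [Microsoft.Win32.Registry]::LocalMachine
                foreach ($name in $ciphers) {
                    $key = $hklm.OpenSubKey("$path\$name")
                    # A missing key or any value other than 0 means the cipher is still usable.
                    if (-not $key -or $key.GetValue('Enabled') -ne 0) { return $false }
                }
                return $true
            }
            SetScript = {
                $ciphers = $using:weakCiphers; $path = $using:ciphersPath
                $hklm = [Microsoft.Win32.Registry]::LocalMachine
                foreach ($name in $ciphers) {
                    $key = $hklm.CreateSubKey("$path\$name")   # creates the key if absent
                    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
                    $key.Close()
                }
            }
        }
    }
}

# Compile the configuration to a MOF and apply it to the local node.
# SChannel reads these keys at startup, so a reboot is needed before the change takes effect.
DisableWeakSchannelCiphers -OutputPath .\DisableWeakSchannelCiphers
Start-DscConfiguration -Path .\DisableWeakSchannelCiphers -Wait -Verbose
```

Because the configuration is code, it goes through the same pull request review as any other change, and `Test-DscConfiguration` can be run periodically to prove the fleet still matches, which is the "rescan" part of the Operate & Monitor slide applied to server configuration.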