Microsoft DevOps Forum 2021 – DevOps & Security
DevOps practices for small teams and organizations, with a focus on security
1. DevOps practices for small teams and organizations, with a focus on security
Microsoft DevOps Forum 2021 – DevOps & Security
© white duck GmbH 2021

2. Nico Meisenzahl
• Senior Cloud & DevOps Consultant at white duck
• Microsoft MVP, Docker Community Leader & GitLab Hero
• Container, Kubernetes, Cloud-Native & DevOps
Phone: +49 8031 230159 0 | Email: nico.meisenzahl@whiteduck.de | Twitter: @nmeisenzahl | LinkedIn: https://www.linkedin.com/in/nicomeisenzahl | Blog: https://meisenzahl.org

3. Agenda
• Current state of DevSecOps in small teams & orgs
• Demo: Implementing quick wins
• Get started with DevSecOps
• Implement quick wins

4. Current state of DevSecOps
DevOps is now widely known and increasingly implemented in small teams & organizations. DevSecOps practices, on the other hand, are not well-known and typically not yet adopted.

5. Current state of DevSecOps in small teams & orgs
• overall low Cloud / Cloud-Native security knowledge
• the same "problems" with security as with QA
• no big investments
• no real focus until there is a breach or an issue
• no shift-left and fail-fast culture
• no security baseline
  • such as governance, policies and landing zones

6. What we see at clients
• traditional IT departments trying to secure cloud-native projects by relying on on-premises and outdated patterns
  • projects and innovation slow down, but security is not actually improved
• an MVP (Minimum Viable Product) is leveraged as a long-term solution
  • topics skipped to meet time-to-market are never revisited

7. What we see at clients
• self-managed resources are sometimes preferred over PaaS and SaaS
  • and then not maintained with the staff necessary to operate them safely
• self-implemented identity management (AuthN, AuthZ)
  • without utilizing common best practices, managed services, and libraries/frameworks

8. SANS 2021 Cloud Security Survey

9. Demo – Implementing quick wins
• "Ping me app", written in Go, deployed to ACI (Azure Container Instances) and exposed via Application Gateway
10. Demo recap
• we found a command injection vulnerability and used it to run our own commands
• we consulted the docs for security recommendations
• we put a Web Application Firewall (WAF) in front of the app as an immediate mitigation
• we enabled Code Scanning in our GitHub repo to fix the root cause and to catch future security issues at an earlier stage
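The demo app's source is not on the page, so the following is an added example (not the speaker's code) that assumes the usual shape of a "ping me" service: an HTTP handler takes a host from the query string and runs ping against it. `vulnerableCommand` shows the injectable pattern (user input concatenated into `sh -c`); `validateHost`, `safeCommand` and `pingHandler` are names chosen here for the hardened form, which validates the host, passes it as a single argv element with no shell, and bounds how long the command may run.

```go
package main

import (
	"context"
	"errors"
	"log"
	"net"
	"net/http"
	"os/exec"
	"strings"
	"time"
)

// vulnerableCommand is the pattern that makes "ping me" injectable (assumed
// shape of the demo app, not its actual code): the user-controlled host is
// concatenated into a shell command line, so "127.0.0.1; id" also runs id.
func vulnerableCommand(host string) *exec.Cmd {
	return exec.Command("sh", "-c", "ping -c 1 "+host)
}

var errBadHost = errors.New("invalid host")

// validateHost accepts an IP literal or a plain DNS hostname (letters, digits,
// hyphens not at label edges, dot-separated labels of at most 63 bytes) and
// rejects everything else: every shell metacharacter, whitespace, and a
// leading hyphen that ping would otherwise parse as an option.
func validateHost(host string) (string, error) {
	host = strings.TrimSpace(host)
	if host == "" || len(host) > 253 {
		return "", errBadHost
	}
	if ip := net.ParseIP(host); ip != nil {
		return ip.String(), nil
	}
	for _, label := range strings.Split(host, ".") {
		if label == "" || len(label) > 63 {
			return "", errBadHost
		}
		for i := 0; i < len(label); i++ {
			c := label[i]
			alnum := (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
			hyphenInside := c == '-' && i != 0 && i != len(label)-1
			if !alnum && !hyphenInside {
				return "", errBadHost
			}
		}
	}
	return host, nil
}

// safeCommand never touches a shell: the validated host is one argv element,
// and the context bounds how long ping may run.
func safeCommand(ctx context.Context, host string) (*exec.Cmd, error) {
	h, err := validateHost(host)
	if err != nil {
		return nil, err
	}
	return exec.CommandContext(ctx, "ping", "-c", "1", h), nil
}

// pingHandler is the hardened HTTP handler: bad input is a 400, ping output is
// returned as plain text, and internal errors are not echoed to the client.
func pingHandler(w http.ResponseWriter, r *http.Request) {
	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
	defer cancel()
	cmd, err := safeCommand(ctx, r.URL.Query().Get("host"))
	if err != nil {
		http.Error(w, "invalid host", http.StatusBadRequest)
		return
	}
	out, err := cmd.CombinedOutput()
	if err != nil {
		http.Error(w, "ping failed", http.StatusBadGateway)
		return
	}
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Write(out)
}

func main() {
	http.HandleFunc("/ping", pingHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

The allowlist approach matters more than any blocklist of metacharacters: a WAF rule set catches the payloads it knows, while `validateHost` only lets through what a hostname can be, so new shell tricks do not get a second chance. A SAST tool such as gosec flags the `sh -c` concatenation in `vulnerableCommand` as subprocess launching with a variable, which is the class of finding the Code Scanning step of the demo is meant to surface before the code is deployed.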
11. Get started with DevSecOps
• start small and grow
• introduce security into all DevOps stages
• try to shift security to the left
• implement zero-trust
Tip: Security should be easy to use, integrated and automated

12. Educate yourself
• consult the documentation
  • general docs
  • Cloud Adoption Framework: https://docs.microsoft.com/azure/cloud-adoption-framework
  • Azure & GitHub at Microsoft Learn: https://docs.microsoft.com/learn
• join a local Meetup group: https://www.meetup.com/pro/azuretechgroups
Tip: Get certified

13. Stay up-to-date
• Azure Updates: https://azure.microsoft.com/updates
• GitHub Updates: https://github.blog/changelog and https://github.blog/category/product
• Azure Friday: https://azure.microsoft.com/resources/videos/azure-friday

14. Security quick wins through the DevOps cycle

15. Enable your team
• integrate security staff into your development lifecycle (sprints)
• educate developers to raise their security awareness
• implement pair programming
• enforce PR reviews

16. Ensure secure code
• automate and enforce code checks
• check your code for secrets
• schedule dependency scanning
  • Dependabot
• enforce Static Application Security Testing (SAST) in PRs
  • scans your code to identify potential security vulnerabilities
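To make the "check your code for secrets" item concrete, the following added example (not from the slides or any tool they name) implements the two kinds of rule every secret scanner combines: patterns for well-known token formats, and a generic rule for a credential-like name assigned a token-like literal, with a placeholder allowlist to keep the generic rule quiet on obvious samples. The token patterns are simplified (assumption: the classic GitHub PAT and AWS access key ID formats plus PEM private-key headers), `sampleConfig` is constructed for the example, and the function names are chosen here.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one suspected secret: where it is, which rule fired, what matched.
type Finding struct {
	Line  int
	Rule  string
	Value string
}

// Known token formats. Deliberately minimal (assumption: classic GitHub PAT,
// AWS access key ID, PEM private-key header); a real scanner ships many more.
var formatRules = []struct {
	name string
	re   *regexp.Regexp
}{
	{"github-pat", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`)},
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[A-Z0-9]{16}\b`)},
	{"private-key", regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----`)},
}

// Generic rule: a credential-like name assigned a token-like literal value of
// at least 16 characters. Group 2 is the value.
var assignRule = regexp.MustCompile(
	`(?i)(secret|password|passwd|token|api[_-]?key)\b\s*[:=]\s*["']?([A-Za-z0-9+/=_\-]{16,})`)

// isPlaceholder suppresses the obvious non-secrets the generic rule would
// otherwise report. Format rules are never suppressed: a well-formed token in
// a repository is worth a look even when it claims to be a sample.
func isPlaceholder(v string) bool {
	l := strings.ToLower(v)
	for _, marker := range []string{"changeme", "example", "placeholder", "xxxx", "your_"} {
		if strings.Contains(l, marker) {
			return true
		}
	}
	return false
}

// ScanText runs the rules line by line. A line matched by a format rule is not
// also reported by the generic rule, so one leaked token yields one finding.
func ScanText(text string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		hit := false
		for _, r := range formatRules {
			if m := r.re.FindString(line); m != "" {
				findings = append(findings, Finding{Line: n, Rule: r.name, Value: m})
				hit = true
			}
		}
		if hit {
			continue
		}
		if m := assignRule.FindStringSubmatch(line); m != nil && !isPlaceholder(m[2]) {
			findings = append(findings, Finding{Line: n, Rule: "credential-assignment", Value: m[2]})
		}
	}
	return findings
}

// sampleConfig is a constructed input for the example; none of the values are
// real credentials (the AWS key is the documented sample format).
const sampleConfig = `# constructed sample config, not from any real repository
github_token = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password: "correct-horse-battery-staple"
api_key = "${API_KEY}"
password = "changeme-in-production"
max_tokens = 4096
`

func main() {
	for _, f := range ScanText(sampleConfig) {
		fmt.Printf("line %d: %s: %s\n", f.Line, f.Rule, f.Value)
	}
}
```

Run against `sampleConfig`, the scanner reports the GitHub token, the AWS key ID and the `db_password` literal, and stays quiet on the `${API_KEY}` reference, the `changeme` placeholder and `max_tokens`. The design point is the one the slide implies by listing secret checks under "automate and enforce": a scan like this belongs in the PR check so the finding blocks the merge, because once a secret has reached the default branch, rotating it is the only fix and removing it from history is not enough.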
17. SAST Tooling
• GitHub CodeQL: https://codeql.github.com
• .NET & .NET Core: https://security-code-scan.github.io
• Go: https://securego.io
• Kubernetes manifests: https://kubesec.io
• Terraform: https://github.com/tfsec/tfsec

18. Ensure secure code (next stage)
• implement automated Dynamic Application Security Testing (DAST)
  • black-box scanning against a running web application
• scan your artifacts and container images on a schedule
• sign your artifacts and container images

19. App Vulnerability Management Tooling
• Zed Attack Proxy: https://www.zaproxy.org
• DefectDojo: https://www.defectdojo.org

20. Ensure a secure runtime
• implement zero-trust
• automate everything (app and infrastructure deployments)
• prefer PaaS and SaaS over unmanaged services
• review Azure Advisor recommendations
• opt in to Azure Security Center to get even more insights
• design & implement a cloud governance strategy
  • IAM, policies, landing zones, …

21. Monitor, review and iterate
• implementing security is not a one-time job
• you need to stay up-to-date
• think big, but start small and iterate
  • as we do in application development

22. Implement best practices
• https://docs.microsoft.com/de-de/azure/security/
• https://docs.microsoft.com/en-us/security/cybersecurity-reference-architecture/mcra
• https://docs.microsoft.com/de-de/azure/architecture/solution-ideas/articles/devsecops-in-github

23. Questions?
Nico Meisenzahl (Senior Cloud & DevOps Consultant)
Phone: +49 8031 230159 0 | Email: nico.meisenzahl@whiteduck.de | Twitter: @nmeisenzahl | LinkedIn: https://www.linkedin.com/in/nicomeisenzahl | Blog: https://meisenzahl.org
