The Critical Role of Security in DevOps
On October 4, 2021, a rather unfortunate event occurred that nearly stopped the world
from turning. Well, not really turning, but it did wreak havoc across the social and investment
spheres. Facebook and its allied portfolio of services (Instagram, WhatsApp, Messenger and
Oculus) were down for approximately six hours, which sent more than just social influencers into a
flurry. According to The Guardian, “$50B was wiped off the company’s market value by jittery investors,
founder Mark Zuckerberg’s own paper fortune shrunk by $7B and more than $13M of the advertising dollars
that are its lifeblood disappeared each hour the platform was offline.”
Beyond these speculative numbers, the impact of this global outage was very real, and it is time we
looked deeper at our reliance on these services and their intersection with the global economy.
Take for example WhatsApp, which has become a critical piece of communications infrastructure
in many countries, routinely used to connect doctors and patients, for intercompany
communications, and by many for payments. It is important not just to understand
the reliance, but also to be technically prepared should a dependent system or service fail.
Millions of people rely on Google DNS servers to reach every server on the planet. Now consider
the impact of those servers going down for an extended period of time. That wouldn’t just affect
consumers; it would disrupt commerce, production, communication, and your overall IT
infrastructure.
Outages like these draw our attention to how vulnerable the entire world is to Enterprise
malfunctions, whether related to processes, access, security or system vulnerability. One
thing is clear: the criticality of the basics, that is, security and consistent processes embedded
throughout the software development lifecycle.
The New Normal for DevSecOps
In the early 2000s, I used to work in the “Software Management and Release (SMD)” group of a
large Enterprise. We used to create builds that took 18+ hours to compile, running on four parallel
blade servers. We used to build on 8 versions of Unix and 3 versions of Windows. For security, the
Release Manager would meticulously match the software BOM (Bill of Materials) against their
treacherous (extremely colour-coded) Excel sheet. Testing was the bunch that sat on the 3rd floor and
who were always whining that they had so much to test and so little time to do it properly.
Developers would always claim, “but it worked on my machine”. That’s what early-stage DevOps
looked like back then, and we didn’t know to call it what it is today: DevOps!
Jump to the early 2010s, when I was doing an independent consulting assignment for a start-up and
the goal given to me was simple: “take our line of code from Git to Production in less than 20
min!”. Now, that directive may sound simple, but if you unpack the statement, there is a lot to be
considered, understood and then implemented in that request.
Jump another ten years and the 2021 Accelerate State of DevOps report by DORA (Google Cloud’s
DevOps Research and Assessment) states the following about Elite performers:
Elite performers now make up 26% of teams in our study, and have decreased their lead times for
changes to production. The industry continues to accelerate, and teams see meaningful benefits
from doing so.
Elite performers are the Enterprises who meet the following metrics:
1. Deployment frequency – on demand (multiple deploys per day)
2. Lead time for changes – less than one hour
3. Time to restore service – less than one hour
4. Change failure rate – 0%-15%
(DORA 2021 Accelerate State of DevOps report)
The drivers for this rapid agility are not surprising: an accelerated digital economy, creation of or
migration to modern cloud-native applications, cloud-centricity, hybrid cloud operations, hyper
automation, and the list goes on.
Why “Sec” in DevOps is Becoming More Important
The Peter Parker Principle, of Spider-Man fame, states: “With great power comes great
responsibility”. As software releases become better and faster, there is a greater responsibility to
make them secure and resilient. The Accelerate State of DevOps report also confirms that you
must add a critical fifth metric, “Reliability”, to the four metrics called out in the
report section above. It represents the degree to which a team can keep promises and assertions
about the software they operate.
A key tenet of Reliability is Security Reliability. That’s the “Sec” in DevSecOps.
It is the ability of an Enterprise to enhance and protect its security posture. The 2020 SolarWinds
Orion IT management software attack, the 2019 malicious Asus update and several similar high-profile incidents
are often traced back to a compromised software supply chain. Software supply chain is the
collective term used to describe the stages of the software lifecycle from source to deployment, with all
the tooling included. As Enterprises become more cloud native and microservices based, they tend to
include more dependencies from open source and vendor projects, thus increasing the attack
surface. It would not be a stretch to state that:
“Software supply chain is the new food chain”
A disturbance in the food chain disturbs the entire ecosystem. An attack on anyone’s software
supply chain impacts the entire digital ecosystem. Each one of us is impacted in more ways than
we can begin to imagine, since we are all part of this connected ecosystem.
Supply chain attacks often work by breaking the code-signing process.
It is crucial that a code signing solution be agile and evolve with ever-growing enterprise
needs. A robust solution is one that constantly adds support for:
1. New artifacts
2. New CI/CD tools – on-prem or in the cloud
3. New cryptographic algorithms such as post quantum crypto
4. New functionalities such as scan-before-sign
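As an added illustration (not the article's code), here is what the scan-before-sign item above and the verify-before-deploy check that pairs with it look like in a pipeline gate. It assumes a constructed dependency deny-list, a constructed artifact and SBOM, and a keyed HMAC standing in for the asymmetric signature an HSM-backed code-signing service would produce.

```python
"""Scan-before-sign and verify-before-deploy gates (added example, not the
article's code). HMAC-SHA256 is a stand-in for the asymmetric signature a
real code-signing service would produce with an HSM-held key."""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed deny-list standing in for a vulnerability feed: (package, version).
KNOWN_BAD = {("example-lib", "1.2.3")}

# Constructed demo key. In production the key lives in an HSM/KMS, never in the repo.
SIGNING_KEY = b"constructed-demo-key-do-not-use"


def digest(artifact: bytes, sbom: list[dict]) -> str:
    """Hash the binary together with its canonicalised SBOM, so the signature
    covers both: swapping the dependency list invalidates the signature."""
    h = hashlib.sha256()
    h.update(artifact)
    h.update(json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode())
    return h.hexdigest()


def scan(sbom: list[dict]) -> list[str]:
    """Return scan findings; an empty list means the scan passed."""
    return [f"{d['name']}@{d['version']} is on the deny-list"
            for d in sbom if (d["name"], d["version"]) in KNOWN_BAD]


def sign_if_clean(artifact: bytes, sbom: list[dict]) -> dict | None:
    """Scan-before-sign: refuse to sign unless the scan has no findings.
    Returns a signed attestation, or None when the gate blocks the release."""
    if scan(sbom):
        return None
    d = digest(artifact, sbom)
    sig = hmac.new(SIGNING_KEY, d.encode(), hashlib.sha256).hexdigest()
    return {"digest": d, "signature": sig}


def verify_before_deploy(artifact: bytes, sbom: list[dict], attestation: dict) -> bool:
    """Deployment-side check: recompute the digest from what is actually being
    deployed and verify the signature over it. A tampered artifact, a changed
    SBOM, or a forged digest all fail here."""
    d = digest(artifact, sbom)
    if not hmac.compare_digest(d, attestation["digest"]):
        return False
    expected = hmac.new(SIGNING_KEY, d.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, attestation["signature"])


# Constructed sample artifact and SBOMs.
ARTIFACT = b"\x7fELF constructed build output"
CLEAN_SBOM = [{"name": "example-http", "version": "2.0.1"},
              {"name": "example-json", "version": "0.9.4"}]
BAD_SBOM = CLEAN_SBOM + [{"name": "example-lib", "version": "1.2.3"}]

if __name__ == "__main__":
    att = sign_if_clean(ARTIFACT, CLEAN_SBOM)
    print("clean build signed:", att is not None)
    print("bad dependency blocked before signing:", sign_if_clean(ARTIFACT, BAD_SBOM) is None)
    print("deploy of signed build verified:", verify_before_deploy(ARTIFACT, CLEAN_SBOM, att))
    print("tampered binary rejected:", not verify_before_deploy(ARTIFACT + b"x", CLEAN_SBOM, att))
```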
How Can your Organisation Achieve True DevSecOps
True DevSecOps was initially seen as a mirage, an illusion that did not exist! However, with the
Business demanding faster, cheaper and more secure releases, coupled with maturing toolsets
and an evolving culture, this mirage is becoming a reality for more and more
Enterprises.
Here are six practical steps that you can take to accelerate your journey towards true DevSecOps:
1. Define your north star
2. Audit your security posture
3. Know thy pipelines
4. Security enables velocity
5. Identify gaps & iterate
6. Security is everyone's responsibility
1. Define your north star
Like they say, knowing where to go is half of getting there!
Not every Enterprise needs to be a FAANG replica (Facebook, Amazon, Apple, Netflix,
Google), nor should they be. Maybe the business is not such, maybe the requirement is not
such, maybe the Enterprise is just not ready yet. Analysing the successful implementations
of true DevSecOps and creating your own version, your own north star, is the most critical
step. And often it takes external expertise to create this; they will probably be able
to identify your blind spots and create the relevant custom implementation.
2. Audit your security posture
Don’t forget the “Sec” in DevSecOps! Have a special focus on security, including auditing
each step and tool of your software supply chain. Audit the use and application of
cryptographic solutions, including unified key management and protection. And do this for
“ALL” products and services in Production.
In one of my assignments for a South African insurer, we found two Windows NT boxes on
load-balanced UPSs, serving a couple of DCOM components, live in Production. The guys
who had built these components had retired the year before! Take special care of such delicacies!
3. Know thy pipelines
Software supply chain pipelines are typically created to ship code. However, that is only
a partial deliverable for the Enterprise. The pipelines should start from the
infrastructure layer (obsoleting the earlier, fragmented legacy cryptographic
infrastructure) and extend to config, code, database and security. That is a well-defined
pipeline: “Everything as Code (XaaC)”.
4. Security enables velocity
The traditional view is that “waiting” for security reviews throughout the software lifecycle
slows it down. This is not the case with modern tooling, which can be integrated right from
the developer’s IDE, to CI systems, to release cycles. Code signing is another critical element to
thwart attempts to distribute malicious software. Security is not a blocker to velocity; it is
an enabler, giving you confidence that what you are shipping is safe.
5. Identify gaps and iterate
DevSecOps embodies continuous improvement, as you will have realised. You start
from where you are and push for automation and security, and keep pushing the envelope
to further levels of maturity. It is a continuous process of identifying the gaps and iterating
with the solutions.
6. Security is everyone’s responsibility
Gone are the days when security checks were done by one team as part of a pre-release
checklist. Today, that “checklist” has shifted left into the developer’s IDE, the QA analyst’s
repertoire of tools, the DBA’s daily diligence and the DevOps engineer’s
implementation pattern. Cryptography is used in authentication, in encryption of data in
many different scenarios (in databases, on storage, in virtual machines), for signing
business transactions to ensure integrity, for signing code to prevent the propagation of
malware, to protect new digital assets (like crypto assets), and much more. Security is
indeed everyone’s responsibility; that is the only way it “gets done”.
Benefits of Adopting True DevSecOps
The promise of adopting true DevSecOps is that the real integration of security, development
and operations is beginning to be well understood. One important offshoot of true DevSecOps,
beyond the obvious time-to-market and defect reduction, is the anticipation of significant risk
reduction.
It is well understood that DevSecOps has helped organizations become more responsive to
employee and customer needs by delivering software faster. With cyberattacks escalating
dramatically, the risks and consequences associated with flawed code and faulty infrastructure
configurations have grown severe.
ZeroNorth surveyed over 250 security professionals, engineers, developers and other IT pros from
organizations involved in application development and found that security vulnerabilities and
flaws detected and addressed earlier in the development process correlated with an
enhanced user experience and better protection of the Enterprise and its users from attacks.
With the growing trend towards migrating to the cloud and the resulting intricate, heterogeneous
infrastructures, cybersecurity, and hence cryptographic practice, is as key an attribute of organizational
success as speed and agility, and should be addressed and prioritized accordingly.
Author:
Savinder Puri is the Global Head of Agile, DevSecOps and Cloud platform solutions at Zensar
Technologies. With 20+ years of experience helping Enterprises across industry verticals strategize
and drive successful DevSecOps transformations and leverage cutting edge technologies, Savinder
is a recognized figure in the DevOps space and has been speaking at leading industry events
worldwide. He is Global Ambassador of the DevOps Institute and the Continuous Delivery
Foundation (CDF). He has been recognized as one of "10 most dynamic leaders to watch in 2021"
by Business Sight.
Commented [MA1]:
Commented [MA2R1]: this sentence and paragraph just
dont make sense...

More Related Content

Similar to 2021-10-14 The Critical Role of Security in DevOps.pdf

Iac evolutions
Iac evolutionsIac evolutions
Iac evolutionsPrancer Io
 
Fortify Continuous Delivery
Fortify Continuous DeliveryFortify Continuous Delivery
Fortify Continuous DeliveryMainstay
 
DevOps trends to look out for in 2022.pdf
DevOps trends to look out for in 2022.pdfDevOps trends to look out for in 2022.pdf
DevOps trends to look out for in 2022.pdfEnov8
 
Emerging Trends in Software Development-Aug-2019
Emerging Trends in Software Development-Aug-2019Emerging Trends in Software Development-Aug-2019
Emerging Trends in Software Development-Aug-2019Nevill Nguyen
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesMighty Guides, Inc.
 
DevOps and Open Source Software Continuous Compliance
DevOps and Open Source Software Continuous ComplianceDevOps and Open Source Software Continuous Compliance
DevOps and Open Source Software Continuous ComplianceSource Code Control Limited
 
DevSecOps Trends in 2022 How to Stay Secured, Innovative, and Productive in D...
DevSecOps Trends in 2022 How to Stay Secured, Innovative, and Productive in D...DevSecOps Trends in 2022 How to Stay Secured, Innovative, and Productive in D...
DevSecOps Trends in 2022 How to Stay Secured, Innovative, and Productive in D...Urolime Technologies
 
5 principles-securing-devops-veracode-whitepaper
5 principles-securing-devops-veracode-whitepaper5 principles-securing-devops-veracode-whitepaper
5 principles-securing-devops-veracode-whitepaperwardell henley
 
DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.Techugo
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowAmien Harisen Rosyandino
 
DevOps and Devsecops What are the Differences.pdf
DevOps and Devsecops What are the Differences.pdfDevOps and Devsecops What are the Differences.pdf
DevOps and Devsecops What are the Differences.pdfTechugo
 
DevOps and Devsecops.pdf
DevOps and Devsecops.pdfDevOps and Devsecops.pdf
DevOps and Devsecops.pdfTechugo
 
DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.Techugo
 
BsidesMCR_2016-what-can-infosec-learn-from-devops
BsidesMCR_2016-what-can-infosec-learn-from-devopsBsidesMCR_2016-what-can-infosec-learn-from-devops
BsidesMCR_2016-what-can-infosec-learn-from-devopsJames '​-- Mckinlay
 
DevOps for the Discouraged
DevOps for the Discouraged DevOps for the Discouraged
DevOps for the Discouraged James Wickett
 
The Challenge of Integrating Security Solutions with CI.pdf
The Challenge of Integrating Security Solutions with CI.pdfThe Challenge of Integrating Security Solutions with CI.pdf
The Challenge of Integrating Security Solutions with CI.pdfSavinder Puri
 
_Best practices towards a well-polished DevSecOps environment (1).pdf
_Best practices towards a well-polished DevSecOps environment  (1).pdf_Best practices towards a well-polished DevSecOps environment  (1).pdf
_Best practices towards a well-polished DevSecOps environment (1).pdfEnov8
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsStefan Streichsbier
 
Best practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWSBest practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWSAmazon Web Services
 

Similar to 2021-10-14 The Critical Role of Security in DevOps.pdf (20)

Iac evolutions
Iac evolutionsIac evolutions
Iac evolutions
 
Fortify Continuous Delivery
Fortify Continuous DeliveryFortify Continuous Delivery
Fortify Continuous Delivery
 
DevOps trends to look out for in 2022.pdf
DevOps trends to look out for in 2022.pdfDevOps trends to look out for in 2022.pdf
DevOps trends to look out for in 2022.pdf
 
Emerging Trends in Software Development-Aug-2019
Emerging Trends in Software Development-Aug-2019Emerging Trends in Software Development-Aug-2019
Emerging Trends in Software Development-Aug-2019
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT Practices
 
DevOps and Open Source Software Continuous Compliance
DevOps and Open Source Software Continuous ComplianceDevOps and Open Source Software Continuous Compliance
DevOps and Open Source Software Continuous Compliance
 
DevSecOps Trends in 2022 How to Stay Secured, Innovative, and Productive in D...
DevSecOps Trends in 2022 How to Stay Secured, Innovative, and Productive in D...DevSecOps Trends in 2022 How to Stay Secured, Innovative, and Productive in D...
DevSecOps Trends in 2022 How to Stay Secured, Innovative, and Productive in D...
 
5 principles-securing-devops-veracode-whitepaper
5 principles-securing-devops-veracode-whitepaper5 principles-securing-devops-veracode-whitepaper
5 principles-securing-devops-veracode-whitepaper
 
DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
 
DevOps and Devsecops What are the Differences.pdf
DevOps and Devsecops What are the Differences.pdfDevOps and Devsecops What are the Differences.pdf
DevOps and Devsecops What are the Differences.pdf
 
DevOps and Devsecops.pdf
DevOps and Devsecops.pdfDevOps and Devsecops.pdf
DevOps and Devsecops.pdf
 
DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.
 
Introduction to DevOps
Introduction to DevOpsIntroduction to DevOps
Introduction to DevOps
 
BsidesMCR_2016-what-can-infosec-learn-from-devops
BsidesMCR_2016-what-can-infosec-learn-from-devopsBsidesMCR_2016-what-can-infosec-learn-from-devops
BsidesMCR_2016-what-can-infosec-learn-from-devops
 
DevOps for the Discouraged
DevOps for the Discouraged DevOps for the Discouraged
DevOps for the Discouraged
 
The Challenge of Integrating Security Solutions with CI.pdf
The Challenge of Integrating Security Solutions with CI.pdfThe Challenge of Integrating Security Solutions with CI.pdf
The Challenge of Integrating Security Solutions with CI.pdf
 
_Best practices towards a well-polished DevSecOps environment (1).pdf
_Best practices towards a well-polished DevSecOps environment  (1).pdf_Best practices towards a well-polished DevSecOps environment  (1).pdf
_Best practices towards a well-polished DevSecOps environment (1).pdf
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
Best practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWSBest practices for automating cloud security processes with Evident.io and AWS
Best practices for automating cloud security processes with Evident.io and AWS
 

Recently uploaded

2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch TuesdayIvanti
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfSrushith Repakula
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...marcuskenyatta275
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsLeah Henrickson
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGDSC PJATK
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuidePixlogix Infotech
 
How to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in PakistanHow to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in Pakistandanishmna97
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireExakis Nelite
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfalexjohnson7307
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingScyllaDB
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceSamy Fodil
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxFIDO Alliance
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxMasterG
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)Samir Dash
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityVictorSzoltysek
 

Recently uploaded (20)

2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
How to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in PakistanHow to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in Pakistan
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 

2021-10-14 The Critical Role of Security in DevOps.pdf

  • 1. The Critical Role of Security in DevOps On October 4, 2021, something rather misfortunate event occurred, that nearly stopped the world from turning. Well, not really turning but it did wreak havoc across the social and investment spheres. Facebook and it’s allied portfolio of services - Instagram, WhatsApp, Messenger and Oculus were down for approximately six hours which sent more than just social influencers into a flurry. According to The Guardian “$50B was wiped off the company’s market value by jittery investors, founder Mark Zuckerberg’s own paper fortune shrunk by $7B and more than $13M of the advertising dollars that are its lifeblood disappeared each hour the platform was offline.” Beyond these speculative numbers, the impact of this global outage was very real, and its time we look deeper at our reliance on these services and their intersection with our global economy. Take for example WhatsApp, which has become a critical piece of communications infrastructure in many countries - routinely used to connect doctors and patients, intercompany communications, as well as it used by many for payments. It’s important to not just understand the reliance, but to also be technically prepared should a dependent system or service fail. Millions of people rely on Google DNS servers to reach every server on the planet. Now consider the impact of those servers going down for an extended period of time. That wouldn’t just affect consumers, it would disrupt commerce, production, communication, and your overall IT infrastructure.. Outages like these draw our attention to how vulnerable the entire world is to Enterprise malfunctions – whether it’s related to processes, access, security and system vulnerability. One thing is clear and that is the criticality of the basics – security and consistent processes embedded through the software development lifecycle. 
The New Normal for DevSecOps In the early 2000’s, I used to work in the “Software Management and Release (SMD)” group of a large Enterprise. We used to create builds that took 18+ hours to compile, running on four parallel blade servers. We used to build on 8 versions on Unix and 3 versions of Windows. For security, the Release Manager would meticulously match the software BOM (Bill Of Material) from their treacherous (extreme color coded) excel sheet. Testing was the bunch that sat on the 3rd floor and who were always whining that they had so much to test and so little time do it properly. Developers would always claim - “but it worked on my machine”. That’s what early-stage DevOps looked like back then and we didn’t know to call it what it is today, DevOps! Jump to early 2010’s when I was doing an independent consulting assignment for a start-up and the goal given to me was simple – “take our line of code from Git to Production in less than 20 min!”. Now, that directive may sound simple but if you unpack that statement, there’s a lot to be considered, understood and then implemented In that request and statement. Jump another ten years and the 2021 Accelerate State of DevOps by DORA (Google Cloud’s DevOps Research and Assessment (DORA)) states the following about Elite performers: Deleted: vulnerabilily Deleted: one
“Elite performers now make up 26% of teams in our study, and have decreased their lead times for changes to production. The industry continues to accelerate, and teams see meaningful benefits from doing so.”

Elite Performers are the Enterprises who meet the following metrics:

1. Deployment frequency – On demand (multiple deploys/day)
2. Lead time for changes – less than one hour
3. Time to restore service – less than one hour
4. Change failure rate – 0%-15%

(DORA 2021 Accelerate State of DevOps report)

The drivers for this rapid agility are not surprising – the accelerated digital economy, creation of or migration to modern cloud native applications, cloud-centricity, hybrid cloud operations, hyper-automation, and the list goes on.

Why “Sec” in DevOps is Becoming More Important

The Peter Parker Principle of Spider-Man fame states – “With great power comes great responsibility”. As software releases become better and faster, there is a greater responsibility to make them secure and resilient. The Accelerate State of DevOps report also confirms that you must consider a critical fifth metric – Reliability – in addition to the four metrics called out in the report section above. It represents the degree to which a team can keep promises and assertions about the software they operate. A key tenet of Reliability is Security Reliability. That’s the “Sec” in DevSecOps. It’s the ability of an Enterprise to enhance and protect their security posture.

The 2020 SolarWinds Orion IT management software attack, the 2019 malicious ASUS update and several such high-profile incidents are often traced back to a compromised software supply chain. Software Supply Chain is the collective term used to describe the stages of the software lifecycle from source to deployment, with all the tooling included. As Enterprises become more cloud native and microservices based, they tend to
include more dependencies from open source and vendor projects, thus increasing the attack surface. It would not be a stretch to state that “Software supply chain is the new food chain”. A disturbance in the food chain disturbs the entire life ecosystem. An attack on anyone’s software supply chain impacts the entire digital ecosystem. Each one of us is impacted in more ways than we can begin to imagine, since we’re all a part of this connected ecosystem.

Supply chain attacks often work by breaking the code-signing process. It is crucial that a code signing solution be agile and evolve with ever-growing enterprise needs. A robust solution would be one that constantly adds support for:

1. New artifacts
2. New CI/CD tools – on-prem or on the cloud
3. New cryptographic algorithms such as post-quantum crypto
4. New functionalities such as scan-before-sign

How Can Your Organisation Achieve True DevSecOps

True DevSecOps was initially seen as a mirage, an illusion that did not exist! However, with the Business demanding faster, cheaper and secure releases, coupled with the maturing of toolsets and an evolving culture, this mirage seems to be becoming a reality for more and more Enterprises. Here are six practical steps that you can take to accelerate your journey towards true DevSecOps:

1. Define your north star
2. Audit your security posture
3. Know thy pipelines
4. Security enables velocity
5. Identify gaps & iterate
6. Security is everyone's responsibility
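The code-signing discussion above (scan-before-sign, and a deploy stage that trusts only what CI actually signed) is easier to reason about with a concrete pipeline gate in front of you. The following is an added example written for this page; it is not code from the article or from Zensar. It uses Go's standard-library ed25519 and SHA-256 only. The artifact, its BOM entries, the denylist entry "example-lib@0.0.1" and the two scan rules (denylisted dependency, embedded PEM private key) are all constructed for illustration and stand in for real SCA/SAST tooling; the function names signArtifact, verifyArtifact and scan are my own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Artifact is a build output as it leaves CI: its name, bytes and the
// dependency list declared in its BOM (all values constructed for this example).
type Artifact struct {
	Name string
	Data []byte
	Deps []string
}

// Attestation is what the signing stage emits alongside the artifact: the
// digest that was signed and the signature over it.
type Attestation struct {
	ArtifactName string
	Digest       string // hex SHA-256 of Artifact.Data
	Signature    []byte // ed25519 signature over the hex digest
}

var (
	ErrScanFailed   = errors.New("scan-before-sign: artifact rejected by scan")
	ErrBadSignature = errors.New("verify: digest or signature does not match artifact")
)

// scan stands in for the SCA/SAST tooling that would run before signing.
// Both rules are hypothetical: reject denylisted BOM entries and reject
// artifacts that embed PEM private-key material.
func scan(a Artifact, denylist map[string]bool) []string {
	var findings []string
	for _, dep := range a.Deps {
		if denylist[dep] {
			findings = append(findings, "denylisted dependency: "+dep)
		}
	}
	body := string(a.Data)
	if strings.Contains(body, "-----BEGIN PRIVATE KEY-----") ||
		strings.Contains(body, "-----BEGIN RSA PRIVATE KEY-----") {
		findings = append(findings, "embedded private key material")
	}
	return findings
}

// digest returns the hex SHA-256 of the artifact bytes; signing the digest
// keeps the attestation small and lets the deploy stage compare digests
// before doing the signature check.
func digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// signArtifact is the CI signing stage: the scan gates the signature, so an
// artifact that fails policy never receives a valid release signature.
func signArtifact(a Artifact, priv ed25519.PrivateKey, denylist map[string]bool) (Attestation, error) {
	if findings := scan(a, denylist); len(findings) > 0 {
		return Attestation{}, fmt.Errorf("%w: %s", ErrScanFailed, strings.Join(findings, "; "))
	}
	d := digest(a.Data)
	return Attestation{
		ArtifactName: a.Name,
		Digest:       d,
		Signature:    ed25519.Sign(priv, []byte(d)),
	}, nil
}

// verifyArtifact is the deploy-side gate: recompute the digest of the bytes
// about to ship and check the signature with the release public key.
func verifyArtifact(a Artifact, att Attestation, pub ed25519.PublicKey) error {
	d := digest(a.Data)
	if d != att.Digest || !ed25519.Verify(pub, []byte(d), att.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Release key pair; in a real pipeline the private half lives in an HSM or KMS.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	denylist := map[string]bool{"example-lib@0.0.1": true} // constructed entry

	clean := Artifact{Name: "svc", Data: []byte("constructed binary contents"), Deps: []string{"libfoo@1.2.3"}}
	att, err := signArtifact(clean, priv, denylist)
	fmt.Println("sign clean artifact:", err)
	fmt.Println("verify clean artifact:", verifyArtifact(clean, att, pub))

	tampered := Artifact{Name: "svc", Data: []byte("constructed binary contents, modified"), Deps: clean.Deps}
	fmt.Println("verify tampered artifact:", verifyArtifact(tampered, att, pub))

	dirty := Artifact{Name: "svc", Data: clean.Data, Deps: []string{"example-lib@0.0.1"}}
	_, err = signArtifact(dirty, priv, denylist)
	fmt.Println("sign artifact with denylisted dep:", err)
}
```

The point of the structure is the order of operations: the scan runs inside the signing function, so there is no code path in which a policy-failing artifact ends up with a release signature, and the deploy stage checks the signature against the bytes it is actually about to run rather than against a digest it was handed. Adding a new artifact type or a new scanner (the first and fourth items in the list above) means extending scan and digest, not the trust decision itself.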
1. Define your north star

Like they say - knowing where to go is half of getting there! Not every Enterprise needs to be a FAANG replica (Facebook, Amazon, Apple, Netflix, Google), nor should they be. Maybe the business is not such, maybe the requirement is not such, maybe the Enterprise is just not ready yet. Analysing the successful implementations of true DevSecOps and creating your own version, your own north star, is the most critical step. And oftentimes, it takes external expertise to create this. They will probably be able to identify your blind spots and create the relevant custom implementation.

2. Audit your security posture

Don’t forget the “Sec” in DevSecOps! Have a special focus on security, including auditing each step and tool of your Software Supply Chain. Audit the use and application of cryptographic solutions, including unified key management and protection. And do this for “ALL” Products/Services in Production. In one of my assignments for a South African insurer, we found two Windows NT boxes on load-balanced UPSs, serving a couple of DCOM components, live in Production. The guys who had built these components had retired last year! Take special care of such delicacies!

3. Know thy pipelines

Software supply chain pipelines are typically created to ship code. However, that’s only a partial deliverable for the Enterprise. The pipelines should start from the infrastructure layer (obsoleting the earlier, fragmented legacy cryptographic infrastructure), extending to config, code, database and security. That’s a well-defined pipeline – “Everything as code (XaaC)”.

4. Security enables velocity

The traditional view is that “waiting” for security reviews through the software lifecycle slows it down. This is not the case with modern tooling, which can be integrated right from the Developer’s IDE, to CI systems, to Release Cycles. Code signing is another critical element to thwart attempts to distribute malicious software.
Security is not a blocker to velocity; it’s an enabler, by giving you confidence that what you’re shipping is safe.

5. Identify gaps and iterate

DevSecOps embodies continuous improvement, as you would have realised. You start from where you are and push for automation and security. And keep pushing the envelope to further levels of maturity. It’s a continuous process of identifying the gaps and iterating with the solutions.

6. Security is everyone’s responsibility

Gone are the days when security checks were done by a team as part of a pre-release checklist. Today, that “checklist” has shifted left into the Developer’s IDE, the QA Analyst’s repertoire of tools, the DBA’s daily diligence and the DevOps Engineer’s implementation pattern. Cryptography is used in authentication, in encryption of data in many different scenarios (in databases, on storage, as virtual machines), for signing
business transactions to ensure integrity, for signing code to prevent the propagation of malware, to protect new digital assets (like crypto assets), and much more. Security is indeed everyone’s responsibility – that’s the only way it “gets done”.

Benefits of Adopting True DevSecOps

The promise of adopting true DevSecOps is that the real integration of security, development and operations is beginning to be well understood. One important offshoot of true DevSecOps, other than the obvious time-to-market, defect reduction etc., is the anticipated significant risk reduction. It is well understood that DevSecOps has helped organizations become more responsive to employee and customer needs by delivering software faster. With cyberattacks escalating dramatically, the risks and consequences associated with flawed code and faulty infrastructure configurations have grown severe. ZeroNorth surveyed over 250 security professionals, engineers, developers and other IT pros from organizations involved in application development and found that security vulnerabilities and flaws which were detected and addressed earlier in the development process correlated with an enhanced user experience and better protection of the Enterprise and users from attacks. With the growing trend towards migrating to the cloud and its resulting intricate, heterogeneous infrastructures, cybersecurity, and hence cryptographic practice, is as much a key attribute of organizational success as speed and agility, and should be addressed and prioritized accordingly.

Author: Savinder Puri is the Global Head of Agile, DevSecOps and Cloud platform solutions at Zensar Technologies. With 20+ years of experience helping Enterprises across industry verticals strategize and drive successful DevSecOps transformations and leverage cutting-edge technologies, Savinder is a recognized figure in the DevOps space and has been speaking at leading industry events worldwide.
He is Global Ambassador of the DevOps Institute and the Continuous Delivery Foundation (CDF). He has been recognized as one of "10 most dynamic leaders to watch in 2021" by Business Sight.