DevSecOps has been gaining popularity in recent years, thanks to the rapid expansion and adoption of DevOps. Traditional penetration testing is considered a blocker in a rapid CI/CD deployment, so integrating security in a seamless manner is considered an important upgrade to the DevOps environment.
However, traditional DevSecOps requires a huge amount of time, money and effort to implement. The traditional DevSecOps principle is a culture that depends on teamwork between the Dev, Sec and Ops teams, which in real-life situations is pretty difficult to realize.
This talk is about how to minimize the whole effort of implementing DevSecOps in the current DevOps environment.
2. ABOUT ME
Amien Harisen – CEO & Founder of Tjakrabirawa Teknologi Indonesia
10+ yrs experience
DevSecOps enthusiast
Cybersecurity enthusiast
MMR Hunter
DevSecOpsIndonesia
3. What is DevSecOps & Why?
What is DevSecOps?
Basically, DevSecOps is DevOps with security built in, right from the start. It means building security into requirements, into design, into code, and into deployment, logging, and monitoring — in short, into your entire DevOps supply chain.
Why DevSecOps?
DevSecOps practices help us stay competitive and develop and deploy securely from day one. This proactive approach helps mitigate security issues and keeps things in “order” instead of firefighting.
4. How to Implement DevSecOps: TL;DR version
Shift Left Mantra
Shifting the focus of security to the left in the development cycle essentially means that identifying vulnerabilities should be an integral part of the development process from the beginning.
Shared Responsibility
If it’s a shared responsibility, then it requires a shared knowledge of what and how to watch and implement. To be able to move left in the cycle with this shared knowledge, pipeline phases and gates need to be incorporated.
5. How to Implement DevSecOps: Sumo Logic Approach
DevSecOps is a complex system requiring the right combination of expertise and partnerships.
Stress Security at Every Level
• Also known as ‘left-shifting security’ for how it moves accountability in the continuous delivery pipeline, this approach empowers individual team members to address potential vulnerabilities before code passes to the next stage. If a delivered project is a package of individual pieces, incorporating security at every level is the equivalent of “bubble wrapping” each item before bundling them for shipment, resulting in safer delivery.
Perform a Thorough Security Needs Assessment
• Combining internal resources and expert partners where needed, develop a complete picture of operating conditions and vulnerabilities. Equipped with current audits and reports outlining strengths and weaknesses, stakeholders can build the approach that meets their specific challenges.
Make Security Changes at the Code Level
• Older delivery pipelines often address network vulnerabilities with third-party programs, protective information management policies, and other reactive measures. Build a DevSecOps approach that builds protective security armor into the code itself, and you’ll see that the need for a reactive patchwork of measures to protect entire applications can be reduced or eliminated.
Automate Whenever Possible
• One of the most time-consuming aspects of dated delivery models was testing and correcting code before shifting it rightward down the pipeline. DevSecOps leverages tools to automate most of this process, performing it almost instantaneously so delivery isn’t bogged down in the human testing that would be required to ensure the same level of security.
Use Dashboards and Alerts for Continuous Monitoring
• There are too many interactions taking place in a DevSecOps environment to decipher without a unified approach for monitoring and fine-tuning operations. By developing desired baseline and alert levels, IT teams can interact in real time and automate common responses to conditions or threats.
6. How to Implement DevSecOps: Synopsys Approach
Finding your way to DevSecOps
• Embracing a DevSecOps practice requires key cultural and practical changes to integrate security into all stages of the SDLC, including the following:
  • Integrating security into defect tracking and postmortems
  • Integrating security controls into shared source code repositories and services
  • Integrating security into your deployment pipeline
  • Ensuring the security of the application
  • Ensuring the security of the software supply chain
Automate your critical processes
• Finding the right tools for your environment is an important step—you need tools that fit into your CI/CD workflows and run automatically. Not only that, but you need these tools to notify the right people when there’s an issue, educate them about it, and provide guidance on how to remediate it. And you can’t do that just once—you must test early in the development life cycle (often referred to as “shifting left”), during integration and testing, and on through installation, deployment, and maintenance. There’s no way to ensure the ongoing security of an application after it’s in production; you must continue to test in production and remediate any new security issues.
Empower your teams
• Security tools and automation alone can’t secure your applications. Invest in your teams and empower them to build a true DevSecOps culture by making software security training a priority and ensuring that the training is relevant to your employees’ roles and projects. Perhaps most important—remember that DevOps isn’t a title change. It’s a true change to the culture at your company. It takes time, training, tools, and the desire to embrace the culture of DevOps. Integrating security into the daily work of your DevOps teams may be time-consuming, but it’s time well spent. Your development, operations, and security teams will work together collaboratively to improve the quality and security of the software you deliver, leading to faster software delivery and, ultimately, happier customers.
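As an added illustration of the pipeline gates from slide 4 and the "notify the right people, with remediation guidance" automation from slide 6 (example code written for this page, not from the talk or either vendor): a minimal shift-left security gate that reads constructed scanner findings, fails the stage on any unwaived high/critical issue, and routes every finding with its fix hint to the team that owns the code. The findings schema, the OWNERS map and the waiver set are assumptions.

```python
import json

# Added example, not the talk's code: a minimal shift-left security gate.
# Policy: block the stage on any unwaived finding at these severities.
BLOCKING_SEVERITIES = {"critical", "high"}

# Constructed scanner output; field names are assumptions, not a real
# tool's schema. 'fix' carries the remediation guidance the slide asks for.
SAMPLE_FINDINGS = json.dumps([
    {"id": "F-1", "severity": "critical", "path": "api/auth.py",
     "rule": "hardcoded-secret", "fix": "load the secret from the vault"},
    {"id": "F-2", "severity": "high", "path": "web/forms.py",
     "rule": "xss", "fix": "escape user input in the template"},
    {"id": "F-3", "severity": "low", "path": "web/util.py",
     "rule": "weak-hash", "fix": "use SHA-256"},
])

# Constructed CODEOWNERS-style map: path prefix -> team to notify.
OWNERS = {"api/": "backend-team", "web/": "frontend-team"}


def owner_for(path):
    """Route a finding to the owning team; unowned paths go to security."""
    for prefix, team in OWNERS.items():
        if path.startswith(prefix):
            return team
    return "security-team"


def evaluate_gate(findings_json, accepted=frozenset()):
    """Apply the policy and build per-team notifications.
    accepted: finding ids a security champion has reviewed and waived.
    Returns (passed, blocking_ids, {team: [remediation messages]}).
    """
    blocking, notify = [], {}
    for f in json.loads(findings_json):
        msg = f"{f['id']} {f['severity']} {f['rule']} in {f['path']}: {f['fix']}"
        notify.setdefault(owner_for(f["path"]), []).append(msg)
        if f["severity"] in BLOCKING_SEVERITIES and f["id"] not in accepted:
            blocking.append(f["id"])
    return not blocking, blocking, notify


if __name__ == "__main__":
    passed, blocking, notify = evaluate_gate(SAMPLE_FINDINGS, accepted={"F-2"})
    print("gate passed" if passed else f"gate blocked by {blocking}")
    for team, msgs in notify.items():
        print(team, msgs)
```

A waiver only suppresses the block; the finding is still routed to its owner so it cannot silently disappear from the backlog.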
8. DevSecOps Challenges
• Dev / Ops / Sec ratio: 100 / 10 / 1
• Expensive capital expenditure
  Train the developers (for how many hours?)
  Train the operations staff (for how many hours?)
  Hire security champions (for how many hours?)
  Hardware & software purchasing (at what scale?)
• Time consuming
  It takes x time before y DevOps teams are aware of and can share the security responsibility.
Not every company shares the same culture, so the same DevSecOps approach cannot be applied to every company.
10. DevSecOps as a Service Benefits
• Segregation of responsibility
  Let the DevOps team focus on production while the security team works within the pipeline.
• Converting capital expenditure into operational expenditure
  DevSecOps becomes more accessible to companies of all sizes and kinds.
• LESS time consuming
  Apply the DevSecOps adoption self-assessment (or hire a DevSecOps consultant), e.g. https://www.christian-schneider.net/SecurityDevOpsMaturityModel.html
• Freedom of implementation method
  Internal implementation / external implementation