DevSecOpsIndonesia
DevSecOps as a Service
Integrating SEC into DevOps, with less time, money and energy
ABOUT ME
Amien Harisen – CEO & Founder of Tjakrabirawa Teknologi Indonesia
10+ yrs experience
DevSecOps enthusiast
Cybersecurity enthusiast
MMR Hunter
What is DevSecOps & Why?
What is DevSecOps?
Basically, DevSecOps is DevOps with security built in, right from the start. It means building security into requirements, into design, into code, and into deployment, logging, and monitoring — in short, into your entire DevOps supply chain.
Why DevSecOps?
DevSecOps practices help us stay competitive and develop and deploy securely from day one. This proactive approach helps mitigate security issues and keeps things in “order” instead of firefighting.
How to Implement DevSecOps; TL;DR version
Shift Left Mantra
Shifting the focus of security to the left in the development cycle essentially means that identifying vulnerabilities should be an integral part of the development process from the beginning.
Shared Responsibility
If it’s a shared responsibility, then it requires a shared knowledge of what to watch for and how to implement it. To be able to move left in the cycle with this shared knowledge, pipeline phases and gates need to be incorporated.
How to Implement DevSecOps; Sumo Logic Approach
DevSecOps is a complex system requiring the right combination of expertise and partnerships.
Stress Security at Every Level
• Also known as ‘left-shifting security’ for how it moves accountability in the continuous delivery pipeline, this approach empowers individual team members to address potential vulnerabilities before code passes to the next stage. If a delivered project is a package of individual pieces, incorporating security at every level is the equivalent of “bubble wrapping” each item before bundling them for shipment, resulting in safer delivery.
Perform a Thorough Security Needs Assessment
• Combining internal resources and expert partners where needed, develop a complete picture of operating conditions and vulnerabilities. Equipped with current audits and reports outlining strengths and weaknesses, stakeholders can build the approach that meets their specific challenges.
Make Security Changes at the Code Level
• Older delivery pipelines often address network vulnerabilities with third-party programs, protective information management policies, and other reactive measures. Build a DevSecOps approach that builds protective security armor into the code itself, and you’ll see that the need for a reactive patchwork of measures to protect entire applications can be reduced or eliminated.
Automate Whenever Possible
• One of the most time-consuming aspects of dated delivery models was testing and correcting code before shifting it rightward down the pipeline. DevSecOps leverages tools to automate most of this process, performing it almost instantaneously so delivery isn’t bogged down in the human testing that would be required to ensure the same level of security.
Use Dashboards and Alerts for Continuous Monitoring
• There are too many interactions taking place in a DevSecOps environment to decipher without a unified approach for monitoring and fine-tuning operations. By defining the desired baseline and alert levels, IT teams can interact in real time and automate common responses to conditions or threats.
How to Implement DevSecOps; Synopsys Approach
Finding your way to DevSecOps
• Embracing a DevSecOps practice requires key cultural and practical changes to integrate security into all stages of the SDLC, including the following:
  • Integrating security into defect tracking and postmortems
  • Integrating security controls into shared source code repositories and services
  • Integrating security into your deployment pipeline
  • Ensuring the security of the application
  • Ensuring the security of the software supply chain
Automate your critical processes
• Finding the right tools for your environment is an important step—you need tools that fit into your CI/CD workflows and run automatically. Not only that, but you need these tools to notify the right people when there’s an issue, educate them about it, and provide guidance on how to remediate it. And you can’t do that just once—you must test early in the development life cycle (often referred to as “shifting left”), during integration and testing, and on through installation, deployment, and maintenance. There’s no way to ensure the ongoing security of an application after it’s in production; you must continue to test in production and remediate any new security issues.
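The "pipeline phases and gates" from the Shared Responsibility slide, the "Automate Whenever Possible" point, and the requirement above that tools run automatically and fail a stage rather than wait for a human, carried into working code as an added example. This is not code from the deck, from Sumo Logic or from Synopsys; it is one way a security gate step can be written. It goes a little beyond what the slides state by using a different severity threshold per pipeline stage (lenient early, strict at release) and time-boxed accepted-risk exceptions. Every rule id, file path, package name, policy, date and the `accepted_risk` helper are constructed for illustration.

```python
"""Automated security gate for a CI/CD stage (added example, not from the deck).

Scanner findings are compared against a per-stage policy: a stage fails only
when a finding at or above the stage's severity threshold has no current
accepted-risk exception. Stricter thresholds further right in the pipeline
keep early feedback cheap and late gates firm. All rule ids, locations,
policies and dates below are constructed for illustration.
"""
import sys
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule_id: str    # scanner rule id (hypothetical values in the sample data)
    severity: str   # expected to be a key of SEVERITY_RANK
    location: str   # file:line for SAST, package@version for dependency scans


@dataclass
class GatePolicy:
    stage: str
    fail_at: str    # findings at this severity or above block the stage
    # (rule_id, location) -> expiry date of an accepted-risk exception
    accepted_risks: Dict[Tuple[str, str], date] = field(default_factory=dict)


@dataclass
class GateResult:
    stage: str
    passed: bool
    blocking: List[Finding]
    waived: List[Finding]
    expired_waivers: List[Finding]

    def summary(self) -> str:
        verdict = "PASS" if self.passed else "FAIL"
        return (f"[{self.stage}] {verdict}: {len(self.blocking)} blocking, "
                f"{len(self.waived)} waived, {len(self.expired_waivers)} expired waiver(s)")


def accepted_risk(rule_id: str, location: str, expires_on: str) -> Dict[Tuple[str, str], date]:
    """Build an accepted-risk entry from an ISO date, as it would come from a policy file."""
    return {(rule_id, location): date.fromisoformat(expires_on)}


def rank(severity: str) -> int:
    # Fail closed: a severity the policy does not know is treated as critical
    # rather than silently ignored.
    return SEVERITY_RANK.get(severity.lower(), SEVERITY_RANK["critical"])


def evaluate_gate(findings: List[Finding], policy: GatePolicy,
                  today: Optional[date] = None) -> GateResult:
    today = today or date.today()
    threshold = rank(policy.fail_at)
    blocking: List[Finding] = []
    waived: List[Finding] = []
    expired: List[Finding] = []
    for f in findings:
        if rank(f.severity) < threshold:
            continue  # below threshold: reported to the team, never blocks this stage
        expiry = policy.accepted_risks.get((f.rule_id, f.location))
        if expiry is None:
            blocking.append(f)
        elif expiry < today:
            expired.append(f)   # the exception lapsed, so the finding blocks again
            blocking.append(f)
        else:
            waived.append(f)
    return GateResult(policy.stage, not blocking, blocking, waived, expired)


# Constructed sample scanner output; ids and paths are illustrative only.
SAMPLE_FINDINGS = [
    Finding("SAST-SQLI-001", "critical", "src/orders/repo.py:42"),
    Finding("SCA-VULN-DEP", "high", "left-pad@1.0.0"),
    Finding("SAST-HARDCODED-SECRET", "medium", "src/config.py:7"),
    Finding("LINT-STYLE", "low", "src/util.py:3"),
]

# Earlier stages give fast feedback; the release gate is stricter.
BUILD_POLICY = GatePolicy(stage="build", fail_at="high")
RELEASE_POLICY = GatePolicy(
    stage="release", fail_at="medium",
    accepted_risks=accepted_risk("SAST-HARDCODED-SECRET", "src/config.py:7", "2030-01-01"),
)


def run_pipeline_gates(findings=SAMPLE_FINDINGS) -> Dict[str, GateResult]:
    return {p.stage: evaluate_gate(findings, p) for p in (BUILD_POLICY, RELEASE_POLICY)}


def main() -> int:
    results = run_pipeline_gates()
    for r in results.values():
        print(r.summary())
        for f in r.blocking:
            print(f"  blocking: {f.severity} {f.rule_id} at {f.location}")
    return 0 if all(r.passed for r in results.values()) else 1  # non-zero fails the CI step


if __name__ == "__main__":
    sys.exit(main())
```

Run as a pipeline step after the scanners, the non-zero exit code is what turns the gate into a hard stop, while findings below the stage threshold still reach the owning team as a report. The expiry on each accepted risk is the piece teams most often forget: without it, a "temporary" waiver silently becomes permanent.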
Empower your teams
• Security tools and automation alone can’t secure your applications. Invest in your teams and empower them to build a true DevSecOps culture by making software security training a priority and ensuring that the training is relevant to your employees’ roles and projects. Perhaps most important—remember that DevOps isn’t a title change. It’s a true change to the culture at your company. It takes time, training, tools, and the desire to embrace the culture of DevOps. Integrating security into the daily work of your DevOps teams may be time-consuming, but it’s time well spent. Your development, operations, and security teams will work together collaboratively to improve the quality and security of the software you deliver, leading to faster software delivery and, ultimately, happier customers.
“DEVSECOPS IS NOT MEANT TO ELIMINATE THE MANUAL PENTEST REQUIREMENT” – Pentest Vendor
DevSecOps Challenges
• Dev / Ops / Sec ratio: 100 / 10 / 1
• Expensive capital expenditure
Train the developers (for how many hours?)
Train the operations team (for how many hours?)
Hire security champions (for how many hours?)
Hardware and software purchasing (at what scale?)
• Time consuming
It takes x amount of time before y DevOps teams are aware of, and can share, the security responsibility.
Not every company shares the same culture, so the same DevSecOps approach cannot be applied to every company.
Proposed Solution – DevSecOps as a Service
DevSecOps as a Service Benefits
• Segregation of responsibility
Let the DevOps team focus on production while the security team works within the pipeline.
• Converting capital expenditure into operational expenditure
DevSecOps becomes accessible to larger and more diverse companies of every size.
• Less time consuming
Apply a DevSecOps adoption self-assessment (or hire a DevSecOps consultant),
e.g. https://www.christian-schneider.net/SecurityDevOpsMaturityModel.html
• Freedom of implementation method
Internal implementation / external implementation
Sample of Implementation
Questions & Answers
“Agile can be fragile if you do not handle it well”

More Related Content

What's hot

State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019Stefan Streichsbier
 
Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessMohammed A. Imran
 
The Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOpsThe Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOpsWhiteSource
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevOps Indonesia
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps WhiteSource
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceTej Luthra
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyDerek E. Weeks
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsMichael Man
 
Dos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsDos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsPriyanka Aash
 
How to get the best out of DevSecOps - a security perspective
How to get the best out of DevSecOps - a security perspectiveHow to get the best out of DevSecOps - a security perspective
How to get the best out of DevSecOps - a security perspectiveColin Domoney
 
DevSecOps Singapore introduction
DevSecOps Singapore introductionDevSecOps Singapore introduction
DevSecOps Singapore introductionStefan Streichsbier
 
DevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingDevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingAarno Aukia
 
DevSecOps for the DoD
DevSecOps for the DoDDevSecOps for the DoD
DevSecOps for the DoDJamesHarmison
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceTej Luthra
 
DevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
DevSecOps, An Organizational Primer - AWS Security Week at the SF LoftDevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
DevSecOps, An Organizational Primer - AWS Security Week at the SF LoftAmazon Web Services
 
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...ASFWS 2012 - Theory vs Practice in implementing Software Security related act...
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...Cyber Security Alliance
 

What's hot (20)

State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019State of DevSecOps - DevOpsDays Jakarta 2019
State of DevSecOps - DevOpsDays Jakarta 2019
 
State of DevSecOps - GTACS 2019
State of DevSecOps - GTACS 2019State of DevSecOps - GTACS 2019
State of DevSecOps - GTACS 2019
 
Strengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or lessStrengthen and Scale Security for a dollar or less
Strengthen and Scale Security for a dollar or less
 
The Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOpsThe Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOps
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
 
DevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOpsDevSecOps The Evolution of DevOps
DevSecOps The Evolution of DevOps
 
Dos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOpsDos and Don'ts of DevSecOps
Dos and Don'ts of DevSecOps
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
How to get the best out of DevSecOps - a security perspective
How to get the best out of DevSecOps - a security perspectiveHow to get the best out of DevSecOps - a security perspective
How to get the best out of DevSecOps - a security perspective
 
DevSecOps Singapore introduction
DevSecOps Singapore introductionDevSecOps Singapore introduction
DevSecOps Singapore introduction
 
DevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingDevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss Banking
 
DevSecOps for the DoD
DevSecOps for the DoDDevSecOps for the DoD
DevSecOps for the DoD
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
 
DevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
DevSecOps, An Organizational Primer - AWS Security Week at the SF LoftDevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
DevSecOps, An Organizational Primer - AWS Security Week at the SF Loft
 
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...ASFWS 2012 - Theory vs Practice in implementing Software Security related act...
ASFWS 2012 - Theory vs Practice in implementing Software Security related act...
 

Similar to Dev secops indonesia-devsecops as a service-Amien Harisen

Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdf
Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdfResolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdf
Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdfMobibizIndia1
 
DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.Techugo
 
DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.Techugo
 
DevOps and Devsecops.pdf
DevOps and Devsecops.pdfDevOps and Devsecops.pdf
DevOps and Devsecops.pdfTechugo
 
DevSecOps Implement Making Security Central to Your DevOps Pipeline
DevSecOps Implement Making Security Central to Your DevOps PipelineDevSecOps Implement Making Security Central to Your DevOps Pipeline
DevSecOps Implement Making Security Central to Your DevOps PipelineEnov8
 
Why is The IT industry moving towards a DevSecOps approach?
Why is The IT industry moving towards a DevSecOps approach?Why is The IT industry moving towards a DevSecOps approach?
Why is The IT industry moving towards a DevSecOps approach?Enov8
 
Enterprise Devsecops
Enterprise DevsecopsEnterprise Devsecops
Enterprise DevsecopsEnov8
 
DevOps and Devsecops What are the Differences.pdf
DevOps and Devsecops What are the Differences.pdfDevOps and Devsecops What are the Differences.pdf
DevOps and Devsecops What are the Differences.pdfTechugo
 
DevSecOps - offpage blog final draft - 03.docx
DevSecOps - offpage blog final draft - 03.docxDevSecOps - offpage blog final draft - 03.docx
DevSecOps - offpage blog final draft - 03.docxSun Technologies
 
DevOps Security: How to Secure Your Software Development and Delivery
DevOps Security: How to Secure Your Software Development and DeliveryDevOps Security: How to Secure Your Software Development and Delivery
DevOps Security: How to Secure Your Software Development and DeliveryDev Software
 
How DevSecOps Can Help You Deliver Software Faster and Safer.pptx
How DevSecOps Can Help You Deliver Software Faster and Safer.pptxHow DevSecOps Can Help You Deliver Software Faster and Safer.pptx
How DevSecOps Can Help You Deliver Software Faster and Safer.pptxDev Software
 
understanding devops security - DevSecOps
understanding devops security - DevSecOpsunderstanding devops security - DevSecOps
understanding devops security - DevSecOpsAnshulkichara3
 
What is the role of DevSecOps in securing software development.pptx
What is the role of DevSecOps in securing software development.pptxWhat is the role of DevSecOps in securing software development.pptx
What is the role of DevSecOps in securing software development.pptxShantanuApurva1
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowAmien Harisen Rosyandino
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
DevOps vs DevSecOps: How to Balance Speed and Security in Software Development
DevOps vs DevSecOps: How to Balance Speed and Security in Software DevelopmentDevOps vs DevSecOps: How to Balance Speed and Security in Software Development
DevOps vs DevSecOps: How to Balance Speed and Security in Software DevelopmentDev Software
 
DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}Ajeet Singh
 

Similar to Dev secops indonesia-devsecops as a service-Amien Harisen (20)

Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdf
Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdfResolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdf
Resolving the Security Bottleneck Why DevSecOps is Better compared to DevOps.pdf
 
DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.DevOps and Devsecops- Everything you need to know.
DevOps and Devsecops- Everything you need to know.
 
DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.DevOps and Devsecops- What are the Differences.
DevOps and Devsecops- What are the Differences.
 
DevOps and Devsecops.pdf
DevOps and Devsecops.pdfDevOps and Devsecops.pdf
DevOps and Devsecops.pdf
 
DevSecOps Implement Making Security Central to Your DevOps Pipeline
DevSecOps Implement Making Security Central to Your DevOps PipelineDevSecOps Implement Making Security Central to Your DevOps Pipeline
DevSecOps Implement Making Security Central to Your DevOps Pipeline
 
Why is The IT industry moving towards a DevSecOps approach?
Why is The IT industry moving towards a DevSecOps approach?Why is The IT industry moving towards a DevSecOps approach?
Why is The IT industry moving towards a DevSecOps approach?
 
Enterprise Devsecops
Enterprise DevsecopsEnterprise Devsecops
Enterprise Devsecops
 
DevOps and Devsecops What are the Differences.pdf
DevOps and Devsecops What are the Differences.pdfDevOps and Devsecops What are the Differences.pdf
DevOps and Devsecops What are the Differences.pdf
 
DevSecOps – The Importance of DevOps Security in 2023.docx
DevSecOps – The Importance of DevOps Security in 2023.docxDevSecOps – The Importance of DevOps Security in 2023.docx
DevSecOps – The Importance of DevOps Security in 2023.docx
 
DevSecOps - offpage blog final draft - 03.docx
DevSecOps - offpage blog final draft - 03.docxDevSecOps - offpage blog final draft - 03.docx
DevSecOps - offpage blog final draft - 03.docx
 
The Importance of DevOps Security in 2023.docx
The Importance of DevOps Security in 2023.docxThe Importance of DevOps Security in 2023.docx
The Importance of DevOps Security in 2023.docx
 
DevOps Security: How to Secure Your Software Development and Delivery
DevOps Security: How to Secure Your Software Development and DeliveryDevOps Security: How to Secure Your Software Development and Delivery
DevOps Security: How to Secure Your Software Development and Delivery
 
How DevSecOps Can Help You Deliver Software Faster and Safer.pptx
How DevSecOps Can Help You Deliver Software Faster and Safer.pptxHow DevSecOps Can Help You Deliver Software Faster and Safer.pptx
How DevSecOps Can Help You Deliver Software Faster and Safer.pptx
 
understanding devops security - DevSecOps
understanding devops security - DevSecOpsunderstanding devops security - DevSecOps
understanding devops security - DevSecOps
 
What is the role of DevSecOps in securing software development.pptx
What is the role of DevSecOps in securing software development.pptxWhat is the role of DevSecOps in securing software development.pptx
What is the role of DevSecOps in securing software development.pptx
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
 
Devops
DevopsDevops
Devops
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
 
DevOps vs DevSecOps: How to Balance Speed and Security in Software Development
DevOps vs DevSecOps: How to Balance Speed and Security in Software DevelopmentDevOps vs DevSecOps: How to Balance Speed and Security in Software Development
DevOps vs DevSecOps: How to Balance Speed and Security in Software Development
 
DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}DevSecOps: Integrating Security Into DevOps! {Business Security}
DevSecOps: Integrating Security Into DevOps! {Business Security}
 

Recently uploaded

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 

Recently uploaded (20)

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 

Dev secops indonesia-devsecops as a service-Amien Harisen

  • 1. DevSecOpsIndonesia Integrating SEC to DevOps, with less time, money and energy DevSecOps as a Service
  • 2. ABOUT ME Amien Harisen – CEO & Founder of Tjakrabirawa Teknologi Indonesia 10+ yrs experience DevSecOps enthusiast Cybersecurity enthusiast MMR Hunter Put your photo here DevSecOpsIndonesia
  • 3. DevSecOpsIndonesia What is DevSecOps & Why ? What is DevSecOps? Basically, DevSecOps is DevOps with security built-in, right from the start. It means building security into requirements, into design, into code, and into deployment, logging, and monitoring — in short, into your entire DevOps supply chain. Why DevSecOps? DevsecOps practices helps to stay competitive and helps us develop and deploy securely from day one. This proactive approach helps mitigate security issues and keeps things in “order” —instead of firefighting
  • 4. How to implement DevSecOps; TL;DR version
    Shift-left mantra: shifting the focus of security to the left in the development cycle means that identifying vulnerabilities is an integral part of the development process from the beginning, not an audit bolted on at the end.
    Shared responsibility: if security is a shared responsibility, it requires shared knowledge of what to watch for and how to implement it. To move left in the cycle with this shared knowledge, pipeline phases and security gates need to be incorporated, so that code is checked before it passes from one phase to the next.
    There are many variations.
  • 5. How to implement DevSecOps; Sumo Logic approach
    DevSecOps is a complex system requiring the right combination of expertise and partnerships.
    Stress security at every level
    • Also known as "left-shifting security" for how it moves accountability in the continuous delivery pipeline, this approach empowers individual team members to address potential vulnerabilities before code passes to the next stage. If a delivered project is a package of individual pieces, incorporating security at every level is the equivalent of "bubble wrapping" each item before bundling them for shipment, resulting in safer delivery.
    Perform a thorough security needs assessment
    • Combining internal resources and expert partners where needed, develop a complete picture of operating conditions and vulnerabilities. Equipped with current audits and reports outlining strengths and weaknesses, stakeholders can build the approach that meets their specific challenges.
    Make security changes at the code level
    • Older delivery pipelines often address vulnerabilities with third-party network products, information-protection policies and other reactive measures. Build a DevSecOps approach that builds protective security into the code itself, and the need for a reactive patchwork of measures wrapped around the whole application can be reduced or eliminated.
    Automate whenever possible
    • One of the most time-consuming aspects of dated delivery models was testing and correcting code before moving it rightward down the pipeline. DevSecOps uses tools to automate most of this process, running it on every change, so delivery isn't bogged down by the manual testing that would otherwise be needed for the same level of assurance.
    Use dashboards and alerts for continuous monitoring
    • There are too many interactions taking place in a DevSecOps environment to decipher without a unified approach to monitoring and fine-tuning operations. By defining a desired baseline and alert levels, IT teams can react in real time and automate common responses to conditions or threats.
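The "baseline and alert levels" point above is the one part of this slide that is concrete enough to show in code. The following is an added example, not code from the slides or from Sumo Logic: it learns a failed-login baseline from a quiet period of auth log lines, derives an alert level from it, and attaches an automated response to any later minute that exceeds the level. The sshd-style log lines are constructed for the example, and the mean-plus-three-standard-deviations rule, the floor of three failures per minute and the "one source behind 80% of the burst gets blocked" rule are my own assumptions, not something the slide prescribes.

```python
"""Baseline-and-alert check over auth log lines (added example, not from the slides)."""
from collections import Counter
from datetime import datetime, timedelta
import re
import statistics

# Constructed sample, not real data: sshd-style lines with a quiet period
# from 10:00 to 10:04 and a single-source brute-force burst at 10:05.
SAMPLE_LOG = [
    "2024-05-01T10:00:03Z sshd[101]: Failed password for root from 203.0.113.7 port 4001 ssh2",
    "2024-05-01T10:00:41Z sshd[102]: Failed password for admin from 198.51.100.4 port 4002 ssh2",
    "2024-05-01T10:01:12Z sshd[103]: Failed password for root from 203.0.113.7 port 4003 ssh2",
    "2024-05-01T10:02:05Z sshd[104]: Failed password for ubuntu from 192.0.2.9 port 4004 ssh2",
    "2024-05-01T10:02:50Z sshd[105]: Failed password for root from 203.0.113.7 port 4005 ssh2",
    "2024-05-01T10:03:07Z sshd[106]: Accepted publickey for deploy from 192.0.2.10 port 4006 ssh2",
    "2024-05-01T10:04:30Z sshd[107]: Failed password for root from 203.0.113.7 port 4007 ssh2",
] + [
    f"2024-05-01T10:05:{s:02d}Z sshd[{200 + s}]: Failed password for root from 203.0.113.7 port {5000 + s} ssh2"
    for s in range(0, 60, 10)
] + [
    "2024-05-01T10:06:15Z sshd[300]: Failed password for git from 198.51.100.4 port 6001 ssh2",
]

FAILED = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for .+? from (?P<src>[\d.]+) port")


def parse_failures(lines):
    """(minute, source ip) for every failed-login line; other lines are ignored."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts.replace(second=0), m["src"]))
    return events


def per_minute(events):
    """Failure count for every minute from first to last event, empty minutes included."""
    counts = Counter(minute for minute, _ in events)
    minute, end = min(counts), max(counts)
    series = []
    while minute <= end:
        series.append((minute, counts.get(minute, 0)))
        minute += timedelta(minutes=1)
    return series


def alert_level(baseline_counts, k=3.0, floor=3.0):
    """Alert level = mean + k * stdev of the quiet period (assumed rule), with a
    floor so that a near-zero baseline does not page on a single extra failure."""
    mean = statistics.mean(baseline_counts)
    sd = statistics.stdev(baseline_counts) if len(baseline_counts) > 1 else 0.0
    return max(mean + k * sd, floor)


def evaluate(lines, baseline_minutes=5):
    """Learn the level from the first baseline_minutes, then alert on later minutes."""
    events = parse_failures(lines)
    series = per_minute(events)
    level = alert_level([count for _, count in series[:baseline_minutes]])
    alerts = []
    for minute, count in series[baseline_minutes:]:
        if count <= level:
            continue
        by_src = Counter(src for m, src in events if m == minute)
        top_src, top_n = by_src.most_common(1)[0]
        # Automated response (assumed policy): one source behind almost all of the
        # burst is blocked; a distributed burst is escalated to a human instead.
        action = f"block {top_src}" if top_n >= 0.8 * count else "page on-call"
        alerts.append({"minute": minute.strftime("%H:%M"), "count": count, "action": action})
    return level, alerts


if __name__ == "__main__":
    level, alerts = evaluate(SAMPLE_LOG)
    print(f"alert level: {level:.2f} failures/minute")
    for a in alerts:
        print(a)
```

The baseline window here is fixed and tiny so the arithmetic can be followed by hand; in a real deployment the baseline is recomputed continuously from a much longer window, and the automated action would be a call into the firewall or identity provider rather than a string.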
  • 6. How to implement DevSecOps; Synopsys approach
    Finding your way to DevSecOps
    • Embracing a DevSecOps practice requires key cultural and practical changes to integrate security into all stages of the SDLC, including the following:
      • Integrating security into defect tracking and postmortems
      • Integrating security controls into shared source code repositories and services
      • Integrating security into your deployment pipeline
      • Ensuring the security of the application
      • Ensuring the security of the software supply chain
    Automate your critical processes
    • Finding the right tools for your environment is an important step: you need tools that fit into your CI/CD workflows and run automatically. Not only that, these tools must notify the right people when there's an issue, educate them about it, and provide guidance on how to remediate it. And you can't do that just once: you must test early in the development life cycle (often referred to as "shifting left"), during integration and testing, and on through installation, deployment and maintenance. Pre-release testing alone cannot ensure the ongoing security of an application once it is in production; you must continue to test in production and remediate any new security issues.
    Empower your teams
    • Security tools and automation alone can't secure your applications. Invest in your teams and empower them to build a true DevSecOps culture by making software security training a priority and ensuring that the training is relevant to your employees' roles and projects. Perhaps most important, remember that DevOps isn't a title change. It's a true change to the culture at your company. It takes time, training, tools and the desire to embrace the culture of DevOps. Integrating security into the daily work of your DevOps teams may be time-consuming, but it's time well spent. Your development, operations and security teams will work together to improve the quality and security of the software you deliver, leading to faster software delivery and, ultimately, happier customers.
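Slides 4 to 6 all describe the same mechanism from different angles: a gate in the pipeline that runs automatically, blocks code that fails policy, and notifies the right owner with remediation guidance. The following is an added example, not code from the slides, from Sumo Logic or from Synopsys, of what that gate stage looks like once the scanner output has been normalised. The findings, rule ids, file paths, package names, team names, the per-tool blocking thresholds and the time-boxed risk acceptance are all made up for the example; a real stage would read these from the scanners' reports and from a policy file in the repository.

```python
"""Policy-driven security gate for a CI stage (added example, not from the slides)."""
from datetime import date

# Constructed findings: the shape a pipeline stage might produce after normalising
# its SAST, SCA and secret-scanner output. Every value here is invented.
FINDINGS = [
    {"tool": "sast", "rule": "sql-injection", "severity": "HIGH",
     "path": "api/orders.py", "line": 42},
    {"tool": "sca", "rule": "vulnerable-dependency", "severity": "CRITICAL",
     "path": "requirements.txt", "package": "examplelib", "version": "1.2.0", "fixed_in": "1.2.1"},
    {"tool": "secrets", "rule": "aws-access-key", "severity": "HIGH",
     "path": "infra/deploy.sh", "line": 7},
    {"tool": "sast", "rule": "weak-hash-md5", "severity": "MEDIUM",
     "path": "web/legacy/checksum.py", "line": 10},
]

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Gate policy (assumed): the severity at which each tool's findings block the merge.
# Secrets block at any severity, because a leaked credential is never "medium".
POLICY = {"sast": "HIGH", "sca": "HIGH", "secrets": "LOW"}

# Accepted risks name the exact finding and carry an expiry and a ticket; once the
# acceptance expires the finding is treated as if it had never been accepted.
ACCEPTED_RISKS = [
    {"rule": "weak-hash-md5", "path": "web/legacy/checksum.py",
     "expires": date(2030, 1, 1), "ticket": "SEC-000"},
]

# Ownership by path prefix, longest prefix wins (CODEOWNERS-style); "" is the fallback.
OWNERS = {"api/": "team-orders", "web/": "team-web", "infra/": "team-platform",
          "": "security-champions"}

# Remediation guidance per rule, so the notification educates rather than just alarms.
REMEDIATION = {
    "sql-injection": "Use parameterised queries; never interpolate input into SQL.",
    "vulnerable-dependency": "Upgrade the package to the fixed version and rebuild.",
    "aws-access-key": "Revoke and rotate the key; load secrets from the CI secret store.",
    "weak-hash-md5": "Replace MD5 with SHA-256 (or an HMAC if it authenticates data).",
}


def owner_for(path):
    prefix = max((p for p in OWNERS if path.startswith(p)), key=len)
    return OWNERS[prefix]


def is_accepted(finding, today):
    return any(a["rule"] == finding["rule"] and a["path"] == finding["path"]
               and a["expires"] > today for a in ACCEPTED_RISKS)


def evaluate_gate(findings, policy=POLICY, today=None):
    """Return (passed, blocking_findings, notifications) for one pipeline run."""
    today = today or date.today()
    blocking, notifications = [], []
    for f in findings:
        if is_accepted(f, today):
            continue  # time-boxed acceptance still in force: neither blocks nor notifies
        blocks = SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[policy[f["tool"]]]
        notifications.append({
            "owner": owner_for(f["path"]),
            "finding": f"{f['tool']}/{f['rule']} at {f['path']}",
            "blocking": blocks,
            "fix": REMEDIATION.get(f["rule"], "See the scanner report."),
        })
        if blocks:
            blocking.append(f)
    return (not blocking), blocking, notifications


if __name__ == "__main__":
    import sys
    passed, blocking, notes = evaluate_gate(FINDINGS)
    for n in notes:
        print(("BLOCK " if n["blocking"] else "warn  ") + f"{n['owner']}: {n['finding']} -> {n['fix']}")
    sys.exit(0 if passed else 1)  # a non-zero exit is what actually fails the CI stage
```

Two design choices matter more than the thresholds themselves. Acceptances are keyed to an exact rule and path and expire, so a suppression cannot silently outlive the reason it was granted. And the gate's decision is separate from its routing: a medium finding that does not block is still sent to the owning team with a fix, which is the "educate them and provide guidance" part of the slide rather than a wall of red in a scanner dashboard nobody reads.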
  • 7. "DevSecOps is not meant to eliminate the manual pentest requirement." – Pentest Vendor
  • 8. DevSecOps challenge
    • Dev / Ops / Sec ratio: 100 / 10 / 1
    • Expensive capital expenditure: train the developers (for how many hours?), train the operations team (for how many hours?), hire security champions (for how many hours?), purchase hardware and software (at what scale?)
    • Time consuming: it takes x amount of time before y DevOps teams are aware of, and can share, the security responsibility. Not every company shares the same culture, so the same DevSecOps approach cannot be applied to every company.
  • 10. DevSecOps as a Service: benefits
    • Segregation of responsibility: the DevOps team focuses on production while the security team works within the pipeline.
    • Converting capital expenditure into operational expenditure: DevSecOps becomes accessible to a larger and more diverse set of companies, of every size.
    • Less time consuming: apply a DevSecOps adoption self-assessment (or hire a DevSecOps consultant), e.g. https://www.christian-schneider.net/SecurityDevOpsMaturityModel.html
    • Freedom of implementation method: internal implementation or external implementation.
  • 13. "Agile can be fragile if you do not handle it well."