Anowar Hossain, profile picture
Uploaded byAnowar Hossain
257 views

DevOps to DevSecOps: Enhancing Software Security Throughout The Development Lifecycle

The document discusses the transition from DevOps to DevSecOps, emphasizing the importance of integrating security throughout the software development lifecycle. It highlights challenges in DevOps, such as inadequate security practices and delayed delivery, while outlining a DevSecOps methodology that includes tools and practices for enhanced security. Key benefits of adopting DevSecOps include faster delivery, improved security posture, and compliance.

Embed presentation

DevOps to DevSecOps : Enhancing Software Security Throughout The Development Lifecycle
ANOWAR HOSSAIN Lead Engineer & Solutions Architect Brain Station 23 • AWS Certified Solutions Architect • Lead Backend Developer • DevOps/DevSecOps Enthusiast • Buidling blocks with Python, Go & Terraform for serverless and microservice architecture • Highly concerned about Scaling and Security 2
Agenda 3 DevOps in Action Challenges of DevOps DevSecOps in Action DevSecOps Methodology DevSecOps Pipeline
DevOps • A set of practices • Integrating development and IT operations • The goal of DevOps: • Release Quickly • Improving collaboration and communication • Delivering high-quality software faster and efficiently. 4
DevOps in Action 5
What we missed? 6
Security Testing 7
When we do the Security Test? 8
We do last minute Security... 9
Impact? 10 • Back and forth • Incomplete • Rush • Disrupt business operations • Limited scope
11 What other Challenges?
• Inadequate access control • Lack of security testing • Lack of infrastructure-related security practices • Insufficient security monitoring • Third-party vulnerabilities • Increased testing and remediation costs • Delayed delivery 12 Challenges of DevOps
DevSecOps in Action 13
DevSecOps • Development, security, and operations • Integration of security into the SDLC • Continuous delivery and deployment of secure software 14
DevSecOps Strive for "Secure by Default" 15 • Integrate Security via tools • Create Security as Code culture • Implement automated process Security
DevOps to DevSecOps • Integration of security tasks with DevOps • Shifting Security to the "Left" • Prioritizing Security from Design Phase 16
Benefits Key benefits of DevSecOps: • Faster delivery • Improved security posture • Reduced costs • Increase traceability • Compliance 17
Methodology Tools we use mostly • Secret Scanning & Management • Static Analysis Security Testing(SAST) • Dynamic Analysis Security Testing(DAST) • Interactive Application Security Testing (IAST) • Software Composition Analysis (SCA) • Security in Infrastructure as Code • Vulnerability Management • Alert and Monitoring in Security 18
Secret Scanning & Management Integrate security into the development process • Access Security Hardening • Secret Management • Adopting Role-Based Access Control • Ensuring Private Cloud Security • Container Security Scanning Tools: • GitHub Secrets • AWS Secret Manager • Azure key vault • Hashicorp vault 19
SAST 20 Static analysis software testing • White box testing using automated tools • Reviewing code • Need manual oversight Tools: • Sonarqube • Gitlab SAST Tools • Jit.io
DAST 21 • White box testing using automated tools • Can send variety of requests to web application • Do not require access to source code • Interact with application and find vulnerabilities Tools: • Detectify • Acunetix • BurpSuite • MetaSploit Dynamic analysis software testing
IAST 22 • Real-time analysis of the threats in the build and in runtime • Also Helps the developer fix these issues while it scans the source code when running. • Tools: • Bandit by Jit.io • Invicti Interactive analysis software testing
SCA 23 • Manage and secure open source and third- party software components • Assist organizations in understanding • Dependency scanning • Vulnerability scanning • License compliance analysis • Reporting • Tools: • Black Duck • WhiteSource Software Composition Analysis
Security in Infrastructure as Code(IAC) 24 IAC allows - • To document and version of infra • To perform audit on the infra Tools: • Terraform • Ansible • Chef • Puppet
Vulnerability Management 25 • A central Dashboard is required to normalized data • Integrated to bug tracking system • Tools: • Grafana • Detectify • Defect Joho
Alert and monitoring 26 • Detect, Mitigation and Maintain Continuous Security • What and Where we need to improve • Tools: • Grafana • Prometheus • Kibana
Who will ensure the security? 27
DevOps Pipeline 28
DevOps Pipeline 29
DevOps Pipeline 30
DevSecOps Pipeline 31
Q&A?
THANK YOU 33
SOCIAL MEDIA LINKS 34 • Website: anowar.dev • Email: anowar.cst@gmail.com • https://www.linkedin.com/in/anowarcst • https://www.facebook.com/Anowar.cst

More Related Content

PPTX
DevOps to DevSecOps Journey..
bySiddharth Joshi
 
PPTX
ABN AMRO DevSecOps Journey
byDerek E. Weeks
 
PPTX
DevSecOps
byJoel Divekar
 
PDF
The What, Why, and How of DevSecOps
byCprime
 
PDF
Security in CI/CD Pipelines: Tips for DevOps Engineers
byDevOps.com
 
PDF
DevSecOps | DevOps Sec
byRubal Jain
 
PDF
Security champions v1.0
byDinis Cruz
 
PPTX
Introduction to DevSecOps
byabhimanyubhogwan
 
DevOps to DevSecOps Journey..
bySiddharth Joshi
 
ABN AMRO DevSecOps Journey
byDerek E. Weeks
 
DevSecOps
byJoel Divekar
 
The What, Why, and How of DevSecOps
byCprime
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
byDevOps.com
 
DevSecOps | DevOps Sec
byRubal Jain
 
Security champions v1.0
byDinis Cruz
 
Introduction to DevSecOps
byabhimanyubhogwan
 

What's hot

PDF
2019 DevSecOps Reference Architectures
bySonatype
 
PDF
DevSecOps
bySpv Reddy
 
PDF
Introduction to DevSecOps
bySetu Parimi
 
PDF
DevSecOps Implementation Journey
byDevOps Indonesia
 
PDF
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
PDF
Security Process in DevSecOps
byOpsta
 
PPT
Introduction to Web Application Penetration Testing
byAnurag Srivastava
 
PDF
Demystifying DevSecOps
byArchana Joshi
 
PDF
Api security-testing
byn|u - The Open Security Community
 
PDF
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
PPTX
OWASP Top 10 Proactive Controls
byKaty Anton
 
PDF
Bridging the Security Testing Gap in Your CI/CD Pipeline
byDevOps.com
 
PPTX
DevSecOps : an Introduction
byPrashanth B. P.
 
PDF
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
PPTX
DevSecOps reference architectures 2018
bySonatype
 
PPTX
AppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure Success
byRobert Grupe, CSSLP CISSP PE PMP
 
PPTX
Cyber kill chain
byAnkita Ganguly
 
PDF
The State of DevSecOps
byDevOps Indonesia
 
PDF
Introducing Vault
byRamit Surana
 
PPTX
API Security Fundamentals
byJosé Haro Peralta
 
2019 DevSecOps Reference Architectures
bySonatype
 
DevSecOps
bySpv Reddy
 
Introduction to DevSecOps
bySetu Parimi
 
DevSecOps Implementation Journey
byDevOps Indonesia
 
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
Security Process in DevSecOps
byOpsta
 
Introduction to Web Application Penetration Testing
byAnurag Srivastava
 
Demystifying DevSecOps
byArchana Joshi
 
Api security-testing
byn|u - The Open Security Community
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
byMohammed A. Imran
 
OWASP Top 10 Proactive Controls
byKaty Anton
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
byDevOps.com
 
DevSecOps : an Introduction
byPrashanth B. P.
 
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
DevSecOps reference architectures 2018
bySonatype
 
AppSec & DevSecOps Metrics: Key Performance Indicators (KPIs) to Measure Success
byRobert Grupe, CSSLP CISSP PE PMP
 
Cyber kill chain
byAnkita Ganguly
 
The State of DevSecOps
byDevOps Indonesia
 
Introducing Vault
byRamit Surana
 
API Security Fundamentals
byJosé Haro Peralta
 

Similar to DevOps to DevSecOps: Enhancing Software Security Throughout The Development Lifecycle

PPTX
DevSecOps Best Practices-Safeguarding Your Digital Landscape
bystevecooper930744
 
PDF
From DevOps to DevSecOps: Evolution of Secure Software Development
byScalaCode
 
PDF
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
PDF
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
PPTX
The DevSecOps Advantage: A Comprehensive Guide
byDev Software
 
PPTX
Ahmed Abugharbia - Securing Cloud DevOps Cycle.pptx
byAWS Chicago
 
PDF
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
byDicodingEvent
 
PPTX
Succeeding-Marriage-Cybersecurity-DevOps final
byrkadayam
 
PDF
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
byRich Mills
 
PPTX
Streamlining Your Security with These Essential DevSecOps Tools
byDev Software
 
PDF
Building a DevSecOps Pipeline Around Your Spring Boot Application
byVMware Tanzu
 
PPTX
AddingtheSecToDevOpsBSides (1).pptx for Bsides Nairobi 22 with Joylynn Kirui
byellan12
 
PDF
DevSecOps Automation for Product Security
byITTSTAR Consulting, LLC.
 
PPTX
How to Get Started with DevSecOps
byCYBRIC
 
PDF
AppSec How-To: Achieving Security in DevOps
byCheckmarx
 
PDF
4 approaches to integrate dev secops in development cycle
byEnov8
 
PPTX
Secure DevOPS Implementation Guidance
byTej Luthra
 
PDF
Building Security Into Your Cloud IT Practices
byMighty Guides, Inc.
 
PPTX
State of DevSecOps - GTACS 2019
byStefan Streichsbier
 
PDF
Security at the Speed of Software Development
byDevOps.com
 
DevSecOps Best Practices-Safeguarding Your Digital Landscape
bystevecooper930744
 
From DevOps to DevSecOps: Evolution of Secure Software Development
byScalaCode
 
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
DevSecOps: essential tooling to enable continuous security 2019-09-16
byRich Mills
 
The DevSecOps Advantage: A Comprehensive Guide
byDev Software
 
Ahmed Abugharbia - Securing Cloud DevOps Cycle.pptx
byAWS Chicago
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
byDicodingEvent
 
Succeeding-Marriage-Cybersecurity-DevOps final
byrkadayam
 
DevSecOps: Essential Tooling to Enable Continuous Security(25m ADDO)
byRich Mills
 
Streamlining Your Security with These Essential DevSecOps Tools
byDev Software
 
Building a DevSecOps Pipeline Around Your Spring Boot Application
byVMware Tanzu
 
AddingtheSecToDevOpsBSides (1).pptx for Bsides Nairobi 22 with Joylynn Kirui
byellan12
 
DevSecOps Automation for Product Security
byITTSTAR Consulting, LLC.
 
How to Get Started with DevSecOps
byCYBRIC
 
AppSec How-To: Achieving Security in DevOps
byCheckmarx
 
4 approaches to integrate dev secops in development cycle
byEnov8
 
Secure DevOPS Implementation Guidance
byTej Luthra
 
Building Security Into Your Cloud IT Practices
byMighty Guides, Inc.
 
State of DevSecOps - GTACS 2019
byStefan Streichsbier
 
Security at the Speed of Software Development
byDevOps.com
 

Recently uploaded

PPTX
traffic safety section seven (Traffic Control and Management) of Act
byazeRakeshSunariMagar
 
PPTX
Basic Volume Mass Relationship and unit weight as function of volumetric wate...
byMahmoodKhalid11
 
PPTX
Unit 1_Importance of modelling(Object oriented concepts).pptx
byVidyaranichougule
 
PPTX
Presentation-WPS Office.pptx afgouvhyhgfccf
byEndaleTimerga
 
PPTX
How Does LNG Regasification Work | INOXCVA
byINOXCVA
 
PDF
AWS Re:Invent 2025 Recap by FivexL - Guilherme, Vladimir, Andrey
byAndrey Devyatkin
 
PDF
Computer Graphics Fundamentals (v0p1) - DannyJiang
byDanny Jiang
 
PPTX
Day 3 Module 5_Optical fiber Network (operation and management).pptx
bySachayaG
 
PPTX
Batch-1(End Semester) Student Of Shree Durga Tech. PPT.pptx
byrashesw1122s
 
PDF
Module 4 python programming-1BPLCK105B-2025 by Dr.SV.pdf
bySURESHA V
 
PPTX
Why TPM Succeeds in Some Plants and Struggles in Others | MaintWiz
byMaintWiz Technologies Private Limited
 
PDF
NS unit wise unit wise 1 -5 so prepare,.
bykumaransudhan1512
 
PDF
Computer Network Lab Manual ssit -kavya r.pdf or Computer Network Lab Manual ...
bykavya R
 
PDF
Model QP 2025 scheme Q &A- Module 1 and 2.pdf
bySURESHA V
 
PPTX
A professional presentation on Cosmos Bank Heist
byssuser7f0075
 
PPTX
Fitting Infiltration Models to Infiltration using Excel (1).pptx
byTomNickoRivera1
 
PPTX
operating_systems.pptx m,nm,nm,n,nm,n,nm,nikl
bykirthigaaiml
 
PDF
engineering management chapter 5 ppt presentation
byericaangelatoledo06
 
PPT
Oracle Advanced subquery and types of subquery
bytejaswinikulkarni549
 
PDF
Basics of Electronics Task by Vivaan Jo Varghese.pdf
byVivaan Jo Varghese
 
traffic safety section seven (Traffic Control and Management) of Act
byazeRakeshSunariMagar
 
Basic Volume Mass Relationship and unit weight as function of volumetric wate...
byMahmoodKhalid11
 
Unit 1_Importance of modelling(Object oriented concepts).pptx
byVidyaranichougule
 
Presentation-WPS Office.pptx afgouvhyhgfccf
byEndaleTimerga
 
How Does LNG Regasification Work | INOXCVA
byINOXCVA
 
AWS Re:Invent 2025 Recap by FivexL - Guilherme, Vladimir, Andrey
byAndrey Devyatkin
 
Computer Graphics Fundamentals (v0p1) - DannyJiang
byDanny Jiang
 
Day 3 Module 5_Optical fiber Network (operation and management).pptx
bySachayaG
 
Batch-1(End Semester) Student Of Shree Durga Tech. PPT.pptx
byrashesw1122s
 
Module 4 python programming-1BPLCK105B-2025 by Dr.SV.pdf
bySURESHA V
 
Why TPM Succeeds in Some Plants and Struggles in Others | MaintWiz
byMaintWiz Technologies Private Limited
 
NS unit wise unit wise 1 -5 so prepare,.
bykumaransudhan1512
 
Computer Network Lab Manual ssit -kavya r.pdf or Computer Network Lab Manual ...
bykavya R
 
Model QP 2025 scheme Q &A- Module 1 and 2.pdf
bySURESHA V
 
A professional presentation on Cosmos Bank Heist
byssuser7f0075
 
Fitting Infiltration Models to Infiltration using Excel (1).pptx
byTomNickoRivera1
 
operating_systems.pptx m,nm,nm,n,nm,n,nm,nikl
bykirthigaaiml
 
engineering management chapter 5 ppt presentation
byericaangelatoledo06
 
Oracle Advanced subquery and types of subquery
bytejaswinikulkarni549
 
Basics of Electronics Task by Vivaan Jo Varghese.pdf
byVivaan Jo Varghese
 

DevOps to DevSecOps: Enhancing Software Security Throughout The Development Lifecycle

  • 1.
    DevOps to DevSecOps : EnhancingSoftware Security Throughout The Development Lifecycle
  • 2.
    ANOWAR HOSSAIN Lead Engineer &Solutions Architect Brain Station 23 • AWS Certified Solutions Architect • Lead Backend Developer • DevOps/DevSecOps Enthusiast • Buidling blocks with Python, Go & Terraform for serverless and microservice architecture • Highly concerned about Scaling and Security 2
  • 3.
    Agenda 3 DevOps in Action Challengesof DevOps DevSecOps in Action DevSecOps Methodology DevSecOps Pipeline
  • 4.
    DevOps • A setof practices • Integrating development and IT operations • The goal of DevOps: • Release Quickly • Improving collaboration and communication • Delivering high-quality software faster and efficiently. 4
  • 5.
  • 6.
  • 7.
  • 8.
    When we do theSecurity Test? 8
  • 9.
  • 10.
    Impact? 10 • Back andforth • Incomplete • Rush • Disrupt business operations • Limited scope
  • 11.
  • 12.
    • Inadequate accesscontrol • Lack of security testing • Lack of infrastructure-related security practices • Insufficient security monitoring • Third-party vulnerabilities • Increased testing and remediation costs • Delayed delivery 12 Challenges of DevOps
  • 13.
  • 14.
    DevSecOps • Development, security,and operations • Integration of security into the SDLC • Continuous delivery and deployment of secure software 14
  • 15.
    DevSecOps Strive for "Secureby Default" 15 • Integrate Security via tools • Create Security as Code culture • Implement automated process Security
  • 16.
    DevOps to DevSecOps • Integrationof security tasks with DevOps • Shifting Security to the "Left" • Prioritizing Security from Design Phase 16
  • 17.
    Benefits Key benefits ofDevSecOps: • Faster delivery • Improved security posture • Reduced costs • Increase traceability • Compliance 17
  • 18.
    Methodology Tools we usemostly • Secret Scanning & Management • Static Analysis Security Testing(SAST) • Dynamic Analysis Security Testing(DAST) • Interactive Application Security Testing (IAST) • Software Composition Analysis (SCA) • Security in Infrastructure as Code • Vulnerability Management • Alert and Monitoring in Security 18
  • 19.
    Secret Scanning & Management Integratesecurity into the development process • Access Security Hardening • Secret Management • Adopting Role-Based Access Control • Ensuring Private Cloud Security • Container Security Scanning Tools: • GitHub Secrets • AWS Secret Manager • Azure key vault • Hashicorp vault 19
  • 20.
    SAST 20 Static analysis softwaretesting • White box testing using automated tools • Reviewing code • Need manual oversight Tools: • Sonarqube • Gitlab SAST Tools • Jit.io
  • 21.
    DAST 21 • White boxtesting using automated tools • Can send variety of requests to web application • Do not require access to source code • Interact with application and find vulnerabilities Tools: • Detectify • Acunetix • BurpSuite • MetaSploit Dynamic analysis software testing
  • 22.
    IAST 22 • Real-time analysisof the threats in the build and in runtime • Also Helps the developer fix these issues while it scans the source code when running. • Tools: • Bandit by Jit.io • Invicti Interactive analysis software testing
  • 23.
    SCA 23 • Manage andsecure open source and third- party software components • Assist organizations in understanding • Dependency scanning • Vulnerability scanning • License compliance analysis • Reporting • Tools: • Black Duck • WhiteSource Software Composition Analysis
  • 24.
    Security in Infrastructureas Code(IAC) 24 IAC allows - • To document and version of infra • To perform audit on the infra Tools: • Terraform • Ansible • Chef • Puppet
  • 25.
    Vulnerability Management 25 • Acentral Dashboard is required to normalized data • Integrated to bug tracking system • Tools: • Grafana • Detectify • Defect Joho
  • 26.
    Alert and monitoring 26 •Detect, Mitigation and Maintain Continuous Security • What and Where we need to improve • Tools: • Grafana • Prometheus • Kibana
  • 27.
    Who will ensure thesecurity? 27
  • 28.
  • 29.
  • 30.
  • 31.
  • 32.
  • 33.
  • 34.
    SOCIAL MEDIA LINKS 34 • Website:anowar.dev • Email: anowar.cst@gmail.com • https://www.linkedin.com/in/anowarcst • https://www.facebook.com/Anowar.cst