SlideShare a Scribd company logo
DevSecOps 101
Narudom Roongsiriwong, CISSP
OWASP Meeting 3/2018
April 26, 2018
WhoAmI
● Lazy Blogger
– Japan, Security, FOSS, Politics, Christian
– http://narudomr.blogspot.com
● Information Security since 1995
● Web Application Development since 1998
● Head of IT Security, Kiatnakin Bank PLC (KKP)
● Consultant for OWASP Thailand Chapter
● Committee Member of Cloud Security Alliance (CSA), Thailand Chapter
● Committee Member of Thailand Banking Sector CERT (TB-CERT)
● Technical Team Member, National Digital Identity Platform project
● Contact: narudom@owasp.org
““Software is eating the world!!!”Software is eating the world!!!”
Marc Andreessen, co-founder and general partner of the ventureMarc Andreessen, co-founder and general partner of the venture
capital firm Andreessen-Horowitz, also Netscape co-coundercapital firm Andreessen-Horowitz, also Netscape co-counder
Source: The Wall Street Journal, August 20, 2011Source: The Wall Street Journal, August 20, 2011
https://www.wsj.com/articles/SB10001424053111903480904576512250915629460https://www.wsj.com/articles/SB10001424053111903480904576512250915629460
SoftwareSoftware generates valuegenerates value
when deployed for use and running,when deployed for use and running,
notnot when we write it.when we write it.
Time
Analysis
Design
Coding
Testing
20% done
(100% usable!)
Agile Process
Analysis
Design
Coding
Testing
Do we have half
a solution yet?
Traditional Process
Agile = Early Value
Time
What Is DevOps?
Dev
Integration
Ops
Communication
Collaboration
“It’s a movement of people
who think it’s change in the IT
Industry - time to stop wasting
money, time to start delivering
great software, and building
systems that scale and last”
Patrick DeBois, the "founder"
of the DevOps movement.
Plan
Code
Build
Test
Release
Deploy
Operate
Monitor
DevOps Is ...
●
An approach based on agile and lean principles in which business
owners, development, operations, and quality assurance team
collaborate to deliver software in a continuous stable manner
●
An environment that promotes cross practicality, shared business
tasks and belief
●
A movement that improves IT service delivery agility
●
A culture that promotes better working relationship within the
company
●
A set of practices that provides rapid, reliable software delivery
DevOps
Continuous Delivery
Continuous Integrtion
AgileDevelopment Collaboration
Plan Code Build Test ReleaseDeployOperate
Without Automation, There Is No DevOps
Plan
Code
Build
Test
Release
Deploy
Operate
Monitor
DevOps Is Eating the World!!!
●
Imagine solving the world’s
problems faster by collaborating
and taking responsibility.
●
In connection with Cloud
Computing, DevOps is the
cultural enabler needed to scale
creativity and innovation.
●
With the goal of solving
customer problems faster, no
wonder DevOps is taking over.
Over Past 10 Years
Cloud Is Eating the World!!!
●
Public Cloud adoption is
accelerating at a rapid pace…
●
Software defined
environments allow scale to
happen and more decisions to
be made daily…
●
More people can experiment,
learn and fail at a rapid pace to
solve for customer demand….
●
Creativity is the next frontier…
Is Security Blocking the World?
“This is the end of security as we know it…
and isn’t it a good thing!”
-Josh Corman
@petecheslock
The Urgency of Dev with Integrated Security
●
Development without integrated
security and compliance will fail;
– progressive orgs have prioritized
security due to uptime and
compliance concerns
– accelerating the need for agility
and a curated OSS-dev portfolio.
●
Security-led development will be
a priority for 90% of orgs by
2020.
IDC FutureScape: Worldwide Developer and DevOps 2018 Predictions, November, 2, 2017
What is DevSecOps?
DevSecOps is the answer to integrating these various challenges into a
coherent and effective approach to software delivery. It is a new method
that helps identify security issues early in the development process rather
than after a product is released.
IS IS NOT
A Mindset and Holistic Approach A One-Size-Fits-All Approach
A Collection of Processes & Tools A Single Tool or Method
A Means of Security & Compliance
Integrated to Software
Just a means of adding Security into
Continuous Delivery
A Community Driven Effort Invented by Vendors
A Strategy Driven by Learning and
Experiments
A Strategy Driven by Perfection and
Compliance
Plan
Code
Build
Test
Release
Deploy
Operate
Monitor
DevSecOps: Integrate Security Into DevOps
Policies
Threat Model
Static Analysis
Code Review
Penetration
Testing
Compliance
Validation
Log
Audit
Threat
Intelligence
Monitor
Detect
Response
Recover
The Main Course
● Vulnerability (VA) Scans and
Assessments
● Threat Modeling
● Secure Code Reviews (Static
Code Analysis)
● Penetration Tests (PenTests)
● This applies to both Custom
Apps and COTS
Pushing Left, Like a Boss, Tanya Janca, DevSecCon 2018 Singapore
The Gravy
● Educating Developers on
Secure Coding
● Practices with workshops,
talks, lessons
● Secure Coding Standards
● Responsible/Coordinated
Disclosure
● Secure code library and
other reference materials,
creating custom tools
Pushing Left, Like a Boss, Tanya Janca, DevSecCon 2018 Singapore
The Dessert
● Bug Bounty Programs
● Capture The Flag (CTF)
contests
● Red Team Exercises
Pushing Left, Like a Boss, Tanya Janca, DevSecCon 2018 Singapore
Best Practices
Successful security programs involve three intersecting parts:
people, processes, and technologies.
People
People are the starting point of the DevSecOps implementation.
Through ensuring proper training and restructuring of teams
security will become a frame of mind rather than a hindrance.
Processes
DevSecOps aims to align and implement processes common to
an enterprise to facilitate cooperation and achieve more secure
development processes as a whole.
Technology
Technologies enable people to execute DevSecOps processes,
which aim to reduce the enterprise attack surface and enable
effective management of the technical security debt.
DevSecOps makes everyone responsible for security.
People: What Type of Skills Are Required?
Dev Sec Ops Dev Sec Ops Dev Sec Ops
Developer Sys Admin Security Engineer
competency
needed skill; functional
People: Security Champions
Ensure that security is not a
blocker on active development
or reviews
Be empowered to make
decisions
Work with AppSec team on
mitigations strategies
Help with QA and Testing
Write Tests (from Unit Tests to
Integration tests)
Help with development of CI
(Continuous Integration)
environments
Keep track of and stay up to date
on modern security attacks and
defenses
Introduce body of knowledge
from organizations such as
OWASP (Top 10, Application
Security Verification Standard,
Testing Guide etc.)
Processes
●
Version control, metadata, and orchestration
●
Integration of processes
●
Security tooling in CI/CD
●
Compliance
●
Security Architecture
●
Incident Management
●
Red Teams and Bug Bounties
●
Threat Intelligence
Technologies
●
Automation and Configuration Management
●
Secure coding practices/Security as Code
●
Host Hardening
●
CI/CD for Patching
●
Application-level Auditing and Scanning
●
Automated Vulnerability Management Scanning
●
Automated Compliance Scan
●
Managing Secrets
How Hard Could It Be?
Source
Code
CI Server Artifacts MonitoringDeployTest & Scan
DevOps Code - Creating Value & Availability
DevSecOps Code - Creating Trust & Confidence
Credit: Shannon Leitz (@devsecops)
Automation and Configuration Management: Ansible
Application Level Auditing and Scanning:
OWASP Dependency Check
● Project stated December 2011 (first published in 2012)
● Performs Software Composition Analysis
– Reports known vulnerabilities for Java & .NET components
– Experimental analyzers for Python, Ruby, PHP (composer), and Node.js
● Easy solution to the OWASP 2017 Top 10
– A9 Using components with known vulnerabilities
● Works as:
– Command-line utility
– Ant Task
– Gradle Plugin
– Jenkins Plugin
– Maven Plugin
– SonarQube Plugin
Automated Vulnerability Scanning: OpenVAS
● A framework of several services and tools offering a
comprehensive and powerful vulnerability scanning and
vulnerability management solution.
● All OpenVAS products are Free Software
● Most components are licensed under the GNU General Public
License (GNU GPL)
Automated Vulnerability Scanning: OpenVAS CLI
Automated Vulnerability Scanning:: OWASP ZAP
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
OWASP ZAP Functionality
● Man-in-the-middle Proxy
● Traditional and AJAX spiders
● Automated scanner
● Passive scanner
● Fuzzer
● Dynamic SSL certificates
● Support for a wide range of scripting languages
● Plug-n-Hack support
● Authentication and session support
● Powerful REST based API
● Integrated and growing marketplace of add-ons
Automation: OWASP ZAP CLI Quick Scan
./zap.sh -cmd -quickurl 
http://example.com/ -quickprogress
Spidering
Active scanning
[====================] 100%
Attack complete
<?xml version="1.0"?><OWASPZAPReport version="2.5.0"
generated="Tue, 4 Oct 2016 09:31:53">
<site name="http://example.com" ...
OWASP ZAP API
● RESTish – ok, only uses GET requests
http(s)://zap/<format>/<component>/<operation>/
<op name>[/?<params>]
● Maps closely to the UI / code
● Theres a basic web UI for it
● And clients in various languages:
– Java, Python, Node JS, .Net, PHP, Go …
OWASP ZAP Python API
● Install from pypi:
pip install python-owasp-zap-v2.4
● In your script:
from zapv2 import ZAPv2
zap = ZAPv2()
zap = ZAPv2(proxies={
'http': 'http://localhost:8080',
'https': 'http://localhost:8080'})
zap.urlopen(target)
https://pypi.python.org/pypi/python-owasp-zap-v2.4
Managing Secrets: HSM
● Cryptographic Computing Hardware Module
● Protected Key Store
● Well-Defined Interface Protocol
● Hard to Compromise
Hardware Security Module
Managing Secrets: Conjur
● A foundational secrets management service for DevOps
environments, a core security capability for any environment
● An authentication, authorization and audit service for people,
code and machines that runs independently of other DevOps
platforms and tools to provide separation of concerns and duties
and fine-grained access control
● A suite of open source integrations with leading CI/CD tools
(Ansible, Puppet, Cloud Foundry) based on an Experience-Driven
Design (XDD) development process.
● An architecture that is optimized for containerized environments
● Flexible, programmable tool (Rest API, CLI)
Conclusion
● DevSecOps addresses the need for pro-active, customer-
focused security rather than reacts to data breaches or other
cyberattacks.
● The benefits are cost reduction, speed of delivery, speed of
recovery, compliance at scale, and threat hunting.
● DevSecOps provides the ability to detect and fix security
issues earlier in the development process thus reducing
greatly the cost associated with identifying and fixing them.
● Shifting security to the left through the use of people,
processes and technology will help to achieve this goal.
DevSecOps 101

More Related Content

What's hot

DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
NotSoSecure Global Services
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
DevOps Indonesia
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
NotSoSecure Global Services
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
Mohammed A. Imran
 
How to Get Started with DevSecOps
How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOps
CYBRIC
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
Sonatype
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
Amazon Web Services
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
Alert Logic
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
Archana Joshi
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
MohammadSaif904342
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
abhimanyubhogwan
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep Dive
Ulisses Albuquerque
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
Mohammed A. Imran
 
Integrating Security into DevOps
Integrating Security into DevOpsIntegrating Security into DevOps
Integrating Security into DevOps
CloudPassage
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Cheah Eng Soon
 
DevSecOps: Security With DevOps
DevSecOps: Security With DevOpsDevSecOps: Security With DevOps
DevSecOps: Security With DevOps
Knoldus Inc.
 
Scaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for EnterpriseScaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for Enterprise
Opsta
 
DevOps Monitoring and Alerting
DevOps Monitoring and AlertingDevOps Monitoring and Alerting
DevOps Monitoring and Alerting
Khairul Zebua
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Joel Divekar
 

What's hot (20)

DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
 
How to Get Started with DevSecOps
How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOps
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOps
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps EngineersSecurity in CI/CD Pipelines: Tips for DevOps Engineers
Security in CI/CD Pipelines: Tips for DevOps Engineers
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep Dive
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1
 
Integrating Security into DevOps
Integrating Security into DevOpsIntegrating Security into DevOps
Integrating Security into DevOps
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
DevSecOps: Security With DevOps
DevSecOps: Security With DevOpsDevSecOps: Security With DevOps
DevSecOps: Security With DevOps
 
Scaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for EnterpriseScaling DevSecOps Culture for Enterprise
Scaling DevSecOps Culture for Enterprise
 
DevOps Monitoring and Alerting
DevOps Monitoring and AlertingDevOps Monitoring and Alerting
DevOps Monitoring and Alerting
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 

Similar to DevSecOps 101

Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?
Najib Radzuan
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
Amien Harisen Rosyandino
 
DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps Sec
Rubal Jain
 
How To Implement DevSecOps In Your Existing DevOps Workflow
How To Implement DevSecOps In Your Existing DevOps WorkflowHow To Implement DevSecOps In Your Existing DevOps Workflow
How To Implement DevSecOps In Your Existing DevOps Workflow
Enov8
 
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Amazon Web Services
 
DevSecOps: The Open Source Way
DevSecOps: The Open Source WayDevSecOps: The Open Source Way
DevSecOps: The Open Source Way
Black Duck by Synopsys
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
Tej Luthra
 
Enterprise Devsecops
Enterprise DevsecopsEnterprise Devsecops
Enterprise Devsecops
Enov8
 
Introduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP AhmedabadIntroduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP Ahmedabad
kunwaratul hax0r
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier
 
How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks
Ulf Mattsson
 
All About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdfAll About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdf
Enov8
 
DevSecOps: Integrating Security Into Your SDLC
DevSecOps: Integrating Security Into Your SDLCDevSecOps: Integrating Security Into Your SDLC
DevSecOps: Integrating Security Into Your SDLC
Dev Software
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24 webinar - application security in a dev ops world-08-2018Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24
 
Deepfence.pdf
Deepfence.pdfDeepfence.pdf
Deepfence.pdf
Vishwas N
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
Suman Sourav
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
rkadayam
 
Why You Should Implement DevSecOps Approach?
Why You Should Implement DevSecOps Approach?Why You Should Implement DevSecOps Approach?
Why You Should Implement DevSecOps Approach?
Enov8
 
_Best practices towards a well-polished DevSecOps environment (1).pdf
_Best practices towards a well-polished DevSecOps environment  (1).pdf_Best practices towards a well-polished DevSecOps environment  (1).pdf
_Best practices towards a well-polished DevSecOps environment (1).pdf
Enov8
 

Similar to DevSecOps 101 (20)

Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?Why Security Engineer Need Shift-Left to DevSecOps?
Why Security Engineer Need Shift-Left to DevSecOps?
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
 
DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps Sec
 
How To Implement DevSecOps In Your Existing DevOps Workflow
How To Implement DevSecOps In Your Existing DevOps WorkflowHow To Implement DevSecOps In Your Existing DevOps Workflow
How To Implement DevSecOps In Your Existing DevOps Workflow
 
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
Unleash Team Productivity with Real-Time Operations (DEV203-S) - AWS re:Inven...
 
DevSecOps: The Open Source Way
DevSecOps: The Open Source WayDevSecOps: The Open Source Way
DevSecOps: The Open Source Way
 
Secure DevOPS Implementation Guidance
Secure DevOPS Implementation GuidanceSecure DevOPS Implementation Guidance
Secure DevOPS Implementation Guidance
 
Enterprise Devsecops
Enterprise DevsecopsEnterprise Devsecops
Enterprise Devsecops
 
Introduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP AhmedabadIntroduction to DevSecOps OWASP Ahmedabad
Introduction to DevSecOps OWASP Ahmedabad
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks How to go from waterfall app dev to secure agile development in 2 weeks
How to go from waterfall app dev to secure agile development in 2 weeks
 
All About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdfAll About Intelligent Orchestration :The Future of DevSecOps.pdf
All About Intelligent Orchestration :The Future of DevSecOps.pdf
 
DevSecOps: Integrating Security Into Your SDLC
DevSecOps: Integrating Security Into Your SDLCDevSecOps: Integrating Security Into Your SDLC
DevSecOps: Integrating Security Into Your SDLC
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24 webinar - application security in a dev ops world-08-2018Outpost24 webinar - application security in a dev ops world-08-2018
Outpost24 webinar - application security in a dev ops world-08-2018
 
Deepfence.pdf
Deepfence.pdfDeepfence.pdf
Deepfence.pdf
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
Why You Should Implement DevSecOps Approach?
Why You Should Implement DevSecOps Approach?Why You Should Implement DevSecOps Approach?
Why You Should Implement DevSecOps Approach?
 
_Best practices towards a well-polished DevSecOps environment (1).pdf
_Best practices towards a well-polished DevSecOps environment  (1).pdf_Best practices towards a well-polished DevSecOps environment  (1).pdf
_Best practices towards a well-polished DevSecOps environment (1).pdf
 

More from Narudom Roongsiriwong, CISSP

Biometric Authentication.pdf
Biometric Authentication.pdfBiometric Authentication.pdf
Biometric Authentication.pdf
Narudom Roongsiriwong, CISSP
 
Security Shift Leftmost - Secure Architecture.pdf
Security Shift Leftmost - Secure Architecture.pdfSecurity Shift Leftmost - Secure Architecture.pdf
Security Shift Leftmost - Secure Architecture.pdf
Narudom Roongsiriwong, CISSP
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat Modeling
Narudom Roongsiriwong, CISSP
 
Security Patterns for Software Development
Security Patterns for Software DevelopmentSecurity Patterns for Software Development
Security Patterns for Software Development
Narudom Roongsiriwong, CISSP
 
How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19
Narudom Roongsiriwong, CISSP
 
Secure Software Design for Data Privacy
Secure Software Design for Data PrivacySecure Software Design for Data Privacy
Secure Software Design for Data Privacy
Narudom Roongsiriwong, CISSP
 
Blockchain and Cryptocurrency for Dummies
Blockchain and Cryptocurrency for DummiesBlockchain and Cryptocurrency for Dummies
Blockchain and Cryptocurrency for Dummies
Narudom Roongsiriwong, CISSP
 
National Digital ID Platform Technical Forum
National Digital ID Platform Technical ForumNational Digital ID Platform Technical Forum
National Digital ID Platform Technical Forum
Narudom Roongsiriwong, CISSP
 
IoT Security
IoT SecurityIoT Security
Embedded System Security: Learning from Banking and Payment Industry
Embedded System Security: Learning from Banking and Payment IndustryEmbedded System Security: Learning from Banking and Payment Industry
Embedded System Security: Learning from Banking and Payment Industry
Narudom Roongsiriwong, CISSP
 
Secure Your Encryption with HSM
Secure Your Encryption with HSMSecure Your Encryption with HSM
Secure Your Encryption with HSM
Narudom Roongsiriwong, CISSP
 
Application Security Verification Standard Project
Application Security Verification Standard ProjectApplication Security Verification Standard Project
Application Security Verification Standard Project
Narudom Roongsiriwong, CISSP
 
Coding Security: Code Mania 101
Coding Security: Code Mania 101Coding Security: Code Mania 101
Coding Security: Code Mania 101
Narudom Roongsiriwong, CISSP
 
Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security Problems
Narudom Roongsiriwong, CISSP
 
OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)
Narudom Roongsiriwong, CISSP
 
Securing the Internet from Cyber Criminals
Securing the Internet from Cyber CriminalsSecuring the Internet from Cyber Criminals
Securing the Internet from Cyber Criminals
Narudom Roongsiriwong, CISSP
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Secure Software Development Adoption Strategy
Secure Software Development Adoption StrategySecure Software Development Adoption Strategy
Secure Software Development Adoption Strategy
Narudom Roongsiriwong, CISSP
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP Coding
Narudom Roongsiriwong, CISSP
 
Application Security: Last Line of Defense
Application Security: Last Line of DefenseApplication Security: Last Line of Defense
Application Security: Last Line of Defense
Narudom Roongsiriwong, CISSP
 

More from Narudom Roongsiriwong, CISSP (20)

Biometric Authentication.pdf
Biometric Authentication.pdfBiometric Authentication.pdf
Biometric Authentication.pdf
 
Security Shift Leftmost - Secure Architecture.pdf
Security Shift Leftmost - Secure Architecture.pdfSecurity Shift Leftmost - Secure Architecture.pdf
Security Shift Leftmost - Secure Architecture.pdf
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat Modeling
 
Security Patterns for Software Development
Security Patterns for Software DevelopmentSecurity Patterns for Software Development
Security Patterns for Software Development
 
How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19
 
Secure Software Design for Data Privacy
Secure Software Design for Data PrivacySecure Software Design for Data Privacy
Secure Software Design for Data Privacy
 
Blockchain and Cryptocurrency for Dummies
Blockchain and Cryptocurrency for DummiesBlockchain and Cryptocurrency for Dummies
Blockchain and Cryptocurrency for Dummies
 
National Digital ID Platform Technical Forum
National Digital ID Platform Technical ForumNational Digital ID Platform Technical Forum
National Digital ID Platform Technical Forum
 
IoT Security
IoT SecurityIoT Security
IoT Security
 
Embedded System Security: Learning from Banking and Payment Industry
Embedded System Security: Learning from Banking and Payment IndustryEmbedded System Security: Learning from Banking and Payment Industry
Embedded System Security: Learning from Banking and Payment Industry
 
Secure Your Encryption with HSM
Secure Your Encryption with HSMSecure Your Encryption with HSM
Secure Your Encryption with HSM
 
Application Security Verification Standard Project
Application Security Verification Standard ProjectApplication Security Verification Standard Project
Application Security Verification Standard Project
 
Coding Security: Code Mania 101
Coding Security: Code Mania 101Coding Security: Code Mania 101
Coding Security: Code Mania 101
 
Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security Problems
 
OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)
 
Securing the Internet from Cyber Criminals
Securing the Internet from Cyber CriminalsSecuring the Internet from Cyber Criminals
Securing the Internet from Cyber Criminals
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Secure Software Development Adoption Strategy
Secure Software Development Adoption StrategySecure Software Development Adoption Strategy
Secure Software Development Adoption Strategy
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP Coding
 
Application Security: Last Line of Defense
Application Security: Last Line of DefenseApplication Security: Last Line of Defense
Application Security: Last Line of Defense
 

Recently uploaded

bangalore Girls call 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
bangalore Girls call  👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Deliverybangalore Girls call  👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
bangalore Girls call 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
sunilverma7884
 
Wired_2.0_Create_AmsterdamJUG_09072024.pptx
Wired_2.0_Create_AmsterdamJUG_09072024.pptxWired_2.0_Create_AmsterdamJUG_09072024.pptx
Wired_2.0_Create_AmsterdamJUG_09072024.pptx
SimonedeGijt
 
VVIP Girls Call Mumbai 9910780858 Provide Best And Top Girl Service And No1 i...
VVIP Girls Call Mumbai 9910780858 Provide Best And Top Girl Service And No1 i...VVIP Girls Call Mumbai 9910780858 Provide Best And Top Girl Service And No1 i...
VVIP Girls Call Mumbai 9910780858 Provide Best And Top Girl Service And No1 i...
jealousviolet
 
Predicting Test Results without Execution (FSE 2024)
Predicting Test Results without Execution (FSE 2024)Predicting Test Results without Execution (FSE 2024)
Predicting Test Results without Execution (FSE 2024)
andrehoraa
 
welcome to presentation on Google Apps
welcome to   presentation on Google Appswelcome to   presentation on Google Apps
welcome to presentation on Google Apps
AsifKarimJim
 
Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
revolutionary575
 
Authentication Review-June -2024 AP & TS.pptx
Authentication Review-June -2024 AP & TS.pptxAuthentication Review-June -2024 AP & TS.pptx
Authentication Review-June -2024 AP & TS.pptx
DEMONDUOS
 
Independent Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class H...
Independent Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class H...Independent Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class H...
Independent Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class H...
aslasdfmkhan4750
 
AWS DevOps-Tutorial CHANAKYA SRIYAN DUKKA.
AWS DevOps-Tutorial CHANAKYA SRIYAN DUKKA.AWS DevOps-Tutorial CHANAKYA SRIYAN DUKKA.
AWS DevOps-Tutorial CHANAKYA SRIYAN DUKKA.
Srinivas Dukka
 
A Step-by-Step Guide to Selecting the Right Automated Software Testing Tools.pdf
A Step-by-Step Guide to Selecting the Right Automated Software Testing Tools.pdfA Step-by-Step Guide to Selecting the Right Automated Software Testing Tools.pdf
A Step-by-Step Guide to Selecting the Right Automated Software Testing Tools.pdf
kalichargn70th171
 
BATber53 AWS Modernize your applications with purpose-built AWS databases
BATber53 AWS Modernize your applications with purpose-built AWS databasesBATber53 AWS Modernize your applications with purpose-built AWS databases
BATber53 AWS Modernize your applications with purpose-built AWS databases
BATbern
 
React Native vs Flutter - SSTech System
React Native vs Flutter  - SSTech SystemReact Native vs Flutter  - SSTech System
React Native vs Flutter - SSTech System
SSTech System
 
Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...
Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...
Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...
87tomato
 
Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...
Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...
Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...
bhumivarma35300
 
InflectraCON 360: Risk-Based Testing for Mission Critical Systems
InflectraCON 360: Risk-Based Testing for Mission Critical SystemsInflectraCON 360: Risk-Based Testing for Mission Critical Systems
InflectraCON 360: Risk-Based Testing for Mission Critical Systems
Inflectra
 
Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...
Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...
Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...
3610stuck
 
To Avoid Mistakes When Using Online Attendance Sheets
To Avoid Mistakes When Using Online Attendance SheetsTo Avoid Mistakes When Using Online Attendance Sheets
To Avoid Mistakes When Using Online Attendance Sheets
Task Tracker
 
Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...
Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...
Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...
ashiklo9823
 
Odoo E-commerce website development guides
Odoo E-commerce website development guidesOdoo E-commerce website development guides
Odoo E-commerce website development guides
jhkdigitalmarketing
 
Mobile App Development Company in Noida - Drona Infotech.
Mobile App Development Company in Noida - Drona Infotech.Mobile App Development Company in Noida - Drona Infotech.
Mobile App Development Company in Noida - Drona Infotech.
Mobile App Development Company in Noida - Drona Infotech
 

Recently uploaded (20)

bangalore Girls call 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
bangalore Girls call  👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Deliverybangalore Girls call  👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
bangalore Girls call 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
 
Wired_2.0_Create_AmsterdamJUG_09072024.pptx
Wired_2.0_Create_AmsterdamJUG_09072024.pptxWired_2.0_Create_AmsterdamJUG_09072024.pptx
Wired_2.0_Create_AmsterdamJUG_09072024.pptx
 
VVIP Girls Call Mumbai 9910780858 Provide Best And Top Girl Service And No1 i...
VVIP Girls Call Mumbai 9910780858 Provide Best And Top Girl Service And No1 i...VVIP Girls Call Mumbai 9910780858 Provide Best And Top Girl Service And No1 i...
VVIP Girls Call Mumbai 9910780858 Provide Best And Top Girl Service And No1 i...
 
Predicting Test Results without Execution (FSE 2024)
Predicting Test Results without Execution (FSE 2024)Predicting Test Results without Execution (FSE 2024)
Predicting Test Results without Execution (FSE 2024)
 
welcome to presentation on Google Apps
welcome to   presentation on Google Appswelcome to   presentation on Google Apps
welcome to presentation on Google Apps
 
Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
 
Authentication Review-June -2024 AP & TS.pptx
Authentication Review-June -2024 AP & TS.pptxAuthentication Review-June -2024 AP & TS.pptx
Authentication Review-June -2024 AP & TS.pptx
 
Independent Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class H...
Independent Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class H...Independent Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class H...
Independent Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class H...
 
AWS DevOps-Tutorial CHANAKYA SRIYAN DUKKA.
AWS DevOps-Tutorial CHANAKYA SRIYAN DUKKA.AWS DevOps-Tutorial CHANAKYA SRIYAN DUKKA.
AWS DevOps-Tutorial CHANAKYA SRIYAN DUKKA.
 
A Step-by-Step Guide to Selecting the Right Automated Software Testing Tools.pdf
A Step-by-Step Guide to Selecting the Right Automated Software Testing Tools.pdfA Step-by-Step Guide to Selecting the Right Automated Software Testing Tools.pdf
A Step-by-Step Guide to Selecting the Right Automated Software Testing Tools.pdf
 
BATber53 AWS Modernize your applications with purpose-built AWS databases
BATber53 AWS Modernize your applications with purpose-built AWS databasesBATber53 AWS Modernize your applications with purpose-built AWS databases
BATber53 AWS Modernize your applications with purpose-built AWS databases
 
React Native vs Flutter - SSTech System
React Native vs Flutter  - SSTech SystemReact Native vs Flutter  - SSTech System
React Native vs Flutter - SSTech System
 
Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...
Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...
Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...
 
Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...
Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...
Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...
 
InflectraCON 360: Risk-Based Testing for Mission Critical Systems
InflectraCON 360: Risk-Based Testing for Mission Critical SystemsInflectraCON 360: Risk-Based Testing for Mission Critical Systems
InflectraCON 360: Risk-Based Testing for Mission Critical Systems
 
Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...
Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...
Mumbai Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service A...
 
To Avoid Mistakes When Using Online Attendance Sheets
To Avoid Mistakes When Using Online Attendance SheetsTo Avoid Mistakes When Using Online Attendance Sheets
To Avoid Mistakes When Using Online Attendance Sheets
 
Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...
Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...
Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...
 
Odoo E-commerce website development guides
Odoo E-commerce website development guidesOdoo E-commerce website development guides
Odoo E-commerce website development guides
 
Mobile App Development Company in Noida - Drona Infotech.
Mobile App Development Company in Noida - Drona Infotech.Mobile App Development Company in Noida - Drona Infotech.
Mobile App Development Company in Noida - Drona Infotech.
 

DevSecOps 101

  • 1. DevSecOps 101 Narudom Roongsiriwong, CISSP OWASP Meeting 3/2018 April 26, 2018
  • 2. WhoAmI ● Lazy Blogger – Japan, Security, FOSS, Politics, Christian – http://narudomr.blogspot.com ● Information Security since 1995 ● Web Application Development since 1998 ● Head of IT Security, Kiatnakin Bank PLC (KKP) ● Consultant for OWASP Thailand Chapter ● Committee Member of Cloud Security Alliance (CSA), Thailand Chapter ● Committee Member of Thailand Banking Sector CERT (TB-CERT) ● Technical Team Member, National Digital Identity Platform project ● Contact: narudom@owasp.org
  • 3. ““Software is eating the world!!!”Software is eating the world!!!” Marc Andreessen, co-founder and general partner of the ventureMarc Andreessen, co-founder and general partner of the venture capital firm Andreessen-Horowitz, also Netscape co-coundercapital firm Andreessen-Horowitz, also Netscape co-counder Source: The Wall Street Journal, August 20, 2011Source: The Wall Street Journal, August 20, 2011 https://www.wsj.com/articles/SB10001424053111903480904576512250915629460https://www.wsj.com/articles/SB10001424053111903480904576512250915629460
  • 4. SoftwareSoftware generates valuegenerates value when deployed for use and running,when deployed for use and running, notnot when we write it.when we write it.
  • 5. Time Analysis Design Coding Testing 20% done (100% usable!) Agile Process Analysis Design Coding Testing Do we have half a solution yet? Traditional Process Agile = Early Value Time
  • 6. What Is DevOps? Dev Integration Ops Communication Collaboration “It’s a movement of people who think it’s change in the IT Industry - time to stop wasting money, time to start delivering great software, and building systems that scale and last” Patrick DeBois, the "founder" of the DevOps movement. Plan Code Build Test Release Deploy Operate Monitor
  • 7. DevOps Is ... ● An approach based on agile and lean principles in which business owners, development, operations, and quality assurance team collaborate to deliver software in a continuous stable manner ● An environment that promotes cross practicality, shared business tasks and belief ● A movement that improves IT service delivery agility ● A culture that promotes better working relationship within the company ● A set of practices that provides rapid, reliable software delivery
  • 8. DevOps Continuous Delivery Continuous Integrtion AgileDevelopment Collaboration Plan Code Build Test ReleaseDeployOperate Without Automation, There Is No DevOps Plan Code Build Test Release Deploy Operate Monitor
  • 9. DevOps Is Eating the World!!! ● Imagine solving the world’s problems faster by collaborating and taking responsibility. ● In connection with Cloud Computing, DevOps is the cultural enabler needed to scale creativity and innovation. ● With the goal of solving customer problems faster, no wonder DevOps is taking over. Over Past 10 Years
  • 10. Cloud Is Eating the World!!! ● Public Cloud adoption is accelerating at a rapid pace… ● Software defined environments allow scale to happen and more decisions to be made daily… ● More people can experiment, learn and fail at a rapid pace to solve for customer demand…. ● Creativity is the next frontier…
  • 11. Is Security Blocking the World? “This is the end of security as we know it… and isn’t it a good thing!” -Josh Corman @petecheslock
  • 12. The Urgency of Dev with Integrated Security ● Development without integrated security and compliance will fail; – progressive orgs have prioritized security due to uptime and compliance concerns – accelerating the need for agility and a curated OSS-dev portfolio. ● Security-led development will be a priority for 90% of orgs by 2020. IDC FutureScape: Worldwide Developer and DevOps 2018 Predictions, November, 2, 2017
  • 13. What is DevSecOps? DevSecOps is the answer to integrating these various challenges into a coherent and effective approach to software delivery. It is a new method that helps identify security issues early in the development process rather than after a product is released. IS IS NOT A Mindset and Holistic Approach A One-Size-Fits-All Approach A Collection of Processes & Tools A Single Tool or Method A Means of Security & Compliance Integrated to Software Just a means of adding Security into Continuous Delivery A Community Driven Effort Invented by Vendors A Strategy Driven by Learning and Experiments A Strategy Driven by Perfection and Compliance
  • 14. Plan Code Build Test Release Deploy Operate Monitor DevSecOps: Integrate Security Into DevOps Policies Threat Model Static Analysis Code Review Penetration Testing Compliance Validation Log Audit Threat Intelligence Monitor Detect Response Recover
  • 15. The Main Course ● Vulnerability (VA) Scans and Assessments ● Threat Modeling ● Secure Code Reviews (Static Code Analysis) ● Penetration Tests (PenTests) ● This applies to both Custom Apps and COTS Pushing Left, Like a Boss, Tanya Janca, DevSecCon 2018 Singapore
  • 16. The Gravy ● Educating Developers on Secure Coding ● Practices with workshops, talks, lessons ● Secure Coding Standards ● Responsible/Coordinated Disclosure ● Secure code library and other reference materials, creating custom tools Pushing Left, Like a Boss, Tanya Janca, DevSecCon 2018 Singapore
  • 17. The Dessert ● Bug Bounty Programs ● Capture The Flag (CTF) contests ● Red Team Exercises Pushing Left, Like a Boss, Tanya Janca, DevSecCon 2018 Singapore
  • 18. Best Practices Successful security programs involve three intersecting parts: people, processes, and technologies. People People are the starting point of the DevSecOps implementation. Through ensuring proper training and restructuring of teams security will become a frame of mind rather than a hindrance. Processes DevSecOps aims to align and implement processes common to an enterprise to facilitate cooperation and achieve more secure development processes as a whole. Technology Technologies enable people to execute DevSecOps processes, which aim to reduce the enterprise attack surface and enable effective management of the technical security debt.
  • 19. DevSecOps makes everyone responsible for security.
  • 20. People: What Type of Skills Are Required? Dev Sec Ops Dev Sec Ops Dev Sec Ops Developer Sys Admin Security Engineer competency needed skill; functional
  • 21. People: Security Champions Ensure that security is not a blocker on active development or reviews Be empowered to make decisions Work with AppSec team on mitigations strategies Help with QA and Testing Write Tests (from Unit Tests to Integration tests) Help with development of CI (Continuous Integration) environments Keep track of and stay up to date on modern security attacks and defenses Introduce body of knowledge from organizations such as OWASP (Top 10, Application Security Verification Standard, Testing Guide etc.)
  • 22. Processes ● Version control, metadata, and orchestration ● Integration of processes ● Security tooling in CI/CD ● Compliance ● Security Architecture ● Incident Management ● Red Teams and Bug Bounties ● Threat Intelligence
  • 23. Technologies ● Automation and Configuration Management ● Secure coding practices/Security as Code ● Host Hardening ● CI/CD for Patching ● Application-level Auditing and Scanning ● Automated Vulnerability Management Scanning ● Automated Compliance Scan ● Managing Secrets
  • 24. How Hard Could It Be? Source Code CI Server Artifacts MonitoringDeployTest & Scan DevOps Code - Creating Value & Availability DevSecOps Code - Creating Trust & Confidence Credit: Shannon Leitz (@devsecops)
  • 25. Automation and Configuration Management: Ansible
  • 26. Application Level Auditing and Scanning: OWASP Dependency Check ● Project stated December 2011 (first published in 2012) ● Performs Software Composition Analysis – Reports known vulnerabilities for Java & .NET components – Experimental analyzers for Python, Ruby, PHP (composer), and Node.js ● Easy solution to the OWASP 2017 Top 10 – A9 Using components with known vulnerabilities ● Works as: – Command-line utility – Ant Task – Gradle Plugin – Jenkins Plugin – Maven Plugin – SonarQube Plugin
  • 27. Automated Vulnerability Scanning: OpenVAS ● A framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. ● All OpenVAS products are Free Software ● Most components are licensed under the GNU General Public License (GNU GPL)
  • 29. Automated Vulnerability Scanning:: OWASP ZAP https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  • 30. OWASP ZAP Functionality ● Man-in-the-middle Proxy ● Traditional and AJAX spiders ● Automated scanner ● Passive scanner ● Fuzzer ● Dynamic SSL certificates ● Support for a wide range of scripting languages ● Plug-n-Hack support ● Authentication and session support ● Powerful REST based API ● Integrated and growing marketplace of add-ons
  • 31. Automation: OWASP ZAP CLI Quick Scan ./zap.sh -cmd -quickurl http://example.com/ -quickprogress Spidering Active scanning [====================] 100% Attack complete <?xml version="1.0"?><OWASPZAPReport version="2.5.0" generated="Tue, 4 Oct 2016 09:31:53"> <site name="http://example.com" ...
  • 32. OWASP ZAP API ● RESTish – ok, only uses GET requests http(s)://zap/<format>/<component>/<operation>/ <op name>[/?<params>] ● Maps closely to the UI / code ● Theres a basic web UI for it ● And clients in various languages: – Java, Python, Node JS, .Net, PHP, Go …
  • 33. OWASP ZAP Python API ● Install from pypi: pip install python-owasp-zap-v2.4 ● In your script: from zapv2 import ZAPv2 zap = ZAPv2() zap = ZAPv2(proxies={ 'http': 'http://localhost:8080', 'https': 'http://localhost:8080'}) zap.urlopen(target) https://pypi.python.org/pypi/python-owasp-zap-v2.4
  • 34. Managing Secrets: HSM ● Cryptographic Computing Hardware Module ● Protected Key Store ● Well-Defined Interface Protocol ● Hard to Compromise Hardware Security Module
  • 35. Managing Secrets: Conjur ● A foundational secrets management service for DevOps environments, a core security capability for any environment ● An authentication, authorization and audit service for people, code and machines that runs independently of other DevOps platforms and tools to provide separation of concerns and duties and fine-grained access control ● A suite of open source integrations with leading CI/CD tools (Ansible, Puppet, Cloud Foundry) based on an Experience-Driven Design (XDD) development process. ● An architecture that is optimized for containerized environments ● Flexible, programmable tool (Rest API, CLI)
  • 36. Conclusion ● DevSecOps addresses the need for pro-active, customer- focused security rather than reacts to data breaches or other cyberattacks. ● The benefits are cost reduction, speed of delivery, speed of recovery, compliance at scale, and threat hunting. ● DevSecOps provides the ability to detect and fix security issues earlier in the development process thus reducing greatly the cost associated with identifying and fixing them. ● Shifting security to the left through the use of people, processes and technology will help to achieve this goal.